NE40E V800R010C00 Configuration Guide - Security Hardening 01

Out-of-Band Network Management

Binding a VPN to the Management Interface

Networking Requirements

The networking for three-plane isolation (management, control and forwarding planes) is shown in Figure 7-11.

Figure 7-11 Three-plane isolation

Configuration Roadmap

Bind the management Ethernet interface and the management loopback interface to a dedicated management VPN, and bind the service interfaces to other VPNs. The service VPNs and the management VPN must not be able to reach each other.

Data Preparation

Procedure
  1. Create the management VPN.

    <HUAWEI> system-view
    [~HUAWEI] ip vpn-instance management
    [*HUAWEI-vpn-instance-management] ipv4-family
    [*HUAWEI-vpn-instance-management-af-ipv4] commit
    [~HUAWEI-vpn-instance-management-af-ipv4] quit
    [~HUAWEI-vpn-instance-management] display this
    #
    ip vpn-instance management
     ipv4-family
    #
    return
    [~HUAWEI-vpn-instance-management] quit
    
  2. Bind the VPN to the management interface and the management loopback interface.
    [~HUAWEI] interface GigabitEthernet1/0/0
    [~HUAWEI-GigabitEthernet1/0/0] ip binding vpn-instance management
    [*HUAWEI-GigabitEthernet1/0/0] commit
    [~HUAWEI-GigabitEthernet1/0/0] quit 
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip binding vpn-instance management
    [*HUAWEI-LoopBack0] commit
    [~HUAWEI-LoopBack0] quit
    
  3. Configure IP addresses on the management interface and the management loopback interface.
    [~HUAWEI] interface GigabitEthernet1/0/0
    [~HUAWEI-GigabitEthernet1/0/0] ip address 10.10.11.100 24
    [*HUAWEI-GigabitEthernet1/0/0] commit
    [~HUAWEI-GigabitEthernet1/0/0] display this
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip binding vpn-instance management
     ip address 10.10.11.100 255.255.255.0
    #
    return
    [~HUAWEI-GigabitEthernet1/0/0] quit
    [~HUAWEI] interface LoopBack0
    [~HUAWEI-LoopBack0] ip address 1.1.1.1 32
    [*HUAWEI-LoopBack0] commit
    [~HUAWEI-LoopBack0] display this
    #
    interface LoopBack0
     ip binding vpn-instance management
     ip address 1.1.1.1 255.255.255.255
    #
    return
    [~HUAWEI-LoopBack0] quit
  4. Check the routing tables to verify that the management-plane routes are isolated from the control-plane routes.
    [~HUAWEI] display ip routing-table
    Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 2        Routes : 2
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    
    [~HUAWEI] display ip routing-table vpn-instance management
    Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
    ------------------------------------------------------------------------------
    Routing Tables: management
             Destinations : 3        Routes : 3
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
         10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0
       10.10.11.100/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    
    
  5. Alternatively, use ping to verify that the routes are isolated. A ping in the public instance fails, while the same ping in the management VPN instance succeeds.
    <HUAWEI> ping 10.10.11.100
    PING 10.10.11.100: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 10.10.11.100 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
    <HUAWEI> ping -vpn-instance management 10.10.11.100
    PING 10.10.11.100: 56  data bytes, press CTRL_C to break
        Reply from 10.10.11.100: bytes=56 Sequence=1 ttl=255 time=1 ms
        Reply from 10.10.11.100: bytes=56 Sequence=2 ttl=255 time=30 ms
        Reply from 10.10.11.100: bytes=56 Sequence=3 ttl=255 time=10 ms
        Reply from 10.10.11.100: bytes=56 Sequence=4 ttl=255 time=30 ms
        Reply from 10.10.11.100: bytes=56 Sequence=5 ttl=255 time=30 ms
    
      --- 10.10.11.100 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/20/30 ms
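Step 4 relies on a person reading two routing tables and noticing that nothing in the management VPN shows up in the public table. The following script, an added example that is not part of the Huawei guide, automates that comparison: it parses the two `display ip routing-table` dumps (sample outputs constructed from the ones above), collects every prefix reachable through a management interface, and reports any prefix that also appears in the public table. The management interface names and the constructed "leaked" table are assumptions for illustration.

```python
"""Added check: management-plane prefixes must exist only in the management VPN.

Parses the public routing table and the vpn-instance management routing
table and reports any prefix reachable through a management interface that
also appears in the public table. Sample outputs are constructed from the
procedure's display output.
"""
import ipaddress
import re

# Constructed sample: output of `display ip routing-table` after the procedure.
PUBLIC_TABLE = """\
Routing Tables: Public
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# Constructed sample: output of `display ip routing-table vpn-instance management`.
MGMT_TABLE = """\
Routing Tables: management
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
     10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0
   10.10.11.100/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
"""

# Constructed failure case (assumption): the management subnet has leaked into
# the public table, e.g. because `ip binding vpn-instance management` was omitted.
LEAKED_PUBLIC_TABLE = PUBLIC_TABLE + (
    "     10.10.11.0/24  Direct  0    0           D   10.10.11.100    GigabitEthernet1/0/0\n"
)

# One route line: prefix, protocol, preference, cost, flags, next hop, interface.
ROUTE_RE = re.compile(
    r"^\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+\d+\s+\d+\s+"
    r"(?P<flags>\S*)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$"
)

# Interfaces that belong to the management plane in the procedure above.
MGMT_INTERFACES = ("GigabitEthernet1/0/0", "LoopBack0")


def parse_routes(text):
    """Return {network: outgoing interface} for every route line in a dump."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes[net] = m.group("iface")
    return routes


def management_leaks(public_text, mgmt_text, mgmt_ifaces=MGMT_INTERFACES):
    """Return management prefixes (as strings) that also appear in the public table."""
    public = parse_routes(public_text)
    mgmt = parse_routes(mgmt_text)
    mgmt_prefixes = {net for net, iface in mgmt.items() if iface in mgmt_ifaces}
    return sorted(str(net) for net in mgmt_prefixes if net in public)


def isolation_ok(public_text, mgmt_text):
    """True when no management prefix is visible in the public routing table."""
    return not management_leaks(public_text, mgmt_text)


if __name__ == "__main__":
    print("isolated:", isolation_ok(PUBLIC_TABLE, MGMT_TABLE))
    print("leaks:", management_leaks(LEAKED_PUBLIC_TABLE, MGMT_TABLE))
```

On the sample tables the check passes; on the constructed leaked table it reports `10.10.11.0/24`, which is exactly the symptom a missing VPN binding on the management port would produce. The same function can be run over the output of the other service VPN instances to confirm they do not carry the management prefixes either.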

Using ma-defend to Block Management Protocol Packets from the Service Plane

Networking Requirements

To ensure that management protocol packets are accepted only on the management Ethernet interface, management protocol packets sent to the CPU from the service plane can be blocked.

Configuration Roadmap

Use the following roadmap to block management protocol packets from the service plane:
  1. In the system view, create a global ma-defend policy that denies management protocols from being sent to the CPU.
  2. Check the configuration result and the dropped-packet counters.

Procedure
  1. Create a global ma-defend policy that denies the FTP, SNMP, SSH, Telnet and TFTP management protocols from the service plane.
    [~HUAWEI] ma-defend global-policy
    [*HUAWEI-app-sec-global] protocol ftp deny
    [*HUAWEI-app-sec-global] protocol snmp deny
    [*HUAWEI-app-sec-global] protocol ssh deny
    [*HUAWEI-app-sec-global] protocol telnet deny
    [*HUAWEI-app-sec-global] protocol tftp deny
    [*HUAWEI-app-sec-global] enable
    [*HUAWEI-app-sec-global] commit
    [~HUAWEI-app-sec-global] quit
  2. Check the configuration result.
    [~HUAWEI] display ma-defend global-policy
    MA-defend policy type: global-policy
    ----------------------------------------------------
      The global-policy is enabled
      --------------------------------------------------
      protocol       rule
      --------------------------------------------------
      FTP            deny
      SSH            deny
      SNMP           deny
      TELNET         deny
      TFTP           deny
  3. Verify that no service interface can send management protocol packets to the CPU and that such packets are dropped (check the statistics), as follows:
    [~HUAWEI] display cpu-defend ma-defend statistics
    Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
    -------------------------------------------------------------------------------
    3         MA-Defend                            100            0               100
    -------------------------------------------------------------------------------
              FTP SERVER                           100            0               100

Using MPAC to Block Management Protocol Packets from the Service Plane

Networking Requirements

To ensure that management protocol packets are accepted only on the management Ethernet interface, management protocol packets sent to the CPU from the service plane can be blocked.

Configuration Roadmap

Create two MPAC policy views, one to be bound globally and one to be bound to an interface. The globally bound policy contains rules that deny management protocol packets from being sent to the CPU. The interface-bound policy contains rules that permit specific management protocols; all other management protocols remain denied. Use the following roadmap:
  1. In the system view, create the MPAC policy views global and interface.
  2. In the global view, configure rules that deny management protocols; in the interface view, configure rules that permit management protocols.
  3. Bind the MPAC policy global globally, and bind the policy interface to the management Ethernet interface GE0/0/0.
  4. Check the configuration result and the dropped-packet counters.

Procedure
  1. In the system view, create the MPAC policy views global and interface.
    [~HUAWEI] service-security policy ipv4 global
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
    
  2. In the global view, configure rules that deny the FTP, SNMP, SSH, Telnet and TFTP management protocols; in the interface view, configure rules that permit the FTP, SNMP, SSH, Telnet and TFTP management protocols.
    [~HUAWEI] service-security policy ipv4 global
    [~HUAWEI-service-sec-global] rule deny protocol ftp
    [*HUAWEI-service-sec-global] rule deny protocol snmp
    [*HUAWEI-service-sec-global] rule deny protocol ssh
    [*HUAWEI-service-sec-global] rule deny protocol telnet
    [*HUAWEI-service-sec-global] rule deny protocol tftp
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [~HUAWEI-service-sec-interface] rule permit protocol ftp
    [*HUAWEI-service-sec-interface] rule permit protocol snmp
    [*HUAWEI-service-sec-interface] rule permit protocol ssh
    [*HUAWEI-service-sec-interface] rule permit protocol telnet
    [*HUAWEI-service-sec-interface] rule permit protocol tftp
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  3. Bind the policy interface to the management Ethernet interface GE0/0/0, then bind the MPAC policy global globally.
    [~HUAWEI] interface GigabitEthernet 0/0/0
    [~HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/0/0] commit
    [~HUAWEI-GigabitEthernet0/0/0] quit
    [~HUAWEI] service-security global-binding ipv4 global
    [*HUAWEI] commit
    
  4. Check the configuration result.
    [~HUAWEI] display service-security binding ipv4 
    Configured : Global
    Policy Name: global
    
    Interface  : GigabitEthernet0/0/0
    Policy Name: interface
    [~HUAWEI] display service-security policy ipv4
    Policy Name : global
    Step        : 5
     rule 5 deny protocol ftp
     rule 10 deny protocol snmp
     rule 15 deny protocol ssh
     rule 20 deny protocol tftp
     rule 25 deny protocol telnet
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp
     rule 10 permit protocol snmp
     rule 15 permit protocol ssh
     rule 20 permit protocol tftp
     rule 25 permit protocol telnet
  5. Verify that no service interface can send management protocol packets to the CPU and that such packets are dropped (check the statistics), as shown below:
    [~HUAWEI] display service-security statistics ipv4 
    Policy Name : global
    Step        : 5
     rule 5 deny protocol ftp (9 times matched)
     rule 10 deny protocol snmp (0 times matched)
     rule 15 deny protocol ssh (0 times matched)
     rule 20 deny protocol tftp (0 times matched)
     rule 25 deny protocol telnet (15 times matched)
    
    Policy Name : interface
    Step        : 5
     rule 5 permit protocol ftp (74 times matched)
     rule 10 permit protocol snmp (0 times matched)
     rule 15 permit protocol ssh (0 times matched)
     rule 20 permit protocol tftp (0 times matched)
     rule 25 permit protocol telnet (237 times matched)
    
Note:
If only a global policy is configured and that policy does not permit management protocols, the device can no longer be managed (the administrator is locked out). To prevent this, first configure policies that permit management protocols on specific interfaces, and make sure those interfaces are up.
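The note describes the one way this procedure can go wrong: a global deny with no interface-bound permit locks the administrator out. The script below is an added example, not part of the Huawei guide, that checks that precondition from the device's own `display service-security` output before the global binding is committed, and also summarises how often the global deny rules matched in step 5, which is the signal that management traffic is reaching the device over the service plane. The sample outputs are constructed from the ones shown above; the global-only binding output is a constructed failure case, not something the page shows.

```python
"""Added lockout check for MPAC (service-security) policies.

Parses `display service-security binding ipv4`, `display service-security
policy ipv4` and `display service-security statistics ipv4` output and
checks the note's condition: every protocol denied by the globally bound
policy must be permitted by a policy bound to at least one interface.
Sample outputs are constructed from the procedure's display output.
"""
import re

# Constructed sample: `display service-security binding ipv4`.
BINDING_OUTPUT = """\
Configured : Global
Policy Name: global

Interface  : GigabitEthernet0/0/0
Policy Name: interface
"""

# Constructed failure case (assumption): only the global policy is bound.
GLOBAL_ONLY_BINDING = """\
Configured : Global
Policy Name: global
"""

# Constructed sample: `display service-security policy ipv4`.
POLICY_OUTPUT = """\
Policy Name : global
Step        : 5
 rule 5 deny protocol ftp
 rule 10 deny protocol snmp
 rule 15 deny protocol ssh
 rule 20 deny protocol tftp
 rule 25 deny protocol telnet

Policy Name : interface
Step        : 5
 rule 5 permit protocol ftp
 rule 10 permit protocol snmp
 rule 15 permit protocol ssh
 rule 20 permit protocol tftp
 rule 25 permit protocol telnet
"""

# Constructed sample: global part of `display service-security statistics ipv4`.
STATS_OUTPUT = """\
Policy Name : global
Step        : 5
 rule 5 deny protocol ftp (9 times matched)
 rule 10 deny protocol snmp (0 times matched)
 rule 15 deny protocol ssh (0 times matched)
 rule 20 deny protocol tftp (0 times matched)
 rule 25 deny protocol telnet (15 times matched)
"""

POLICY_NAME_RE = re.compile(r"^Policy Name\s*:\s*(\S+)")
# A rule line, with the optional "(N times matched)" suffix of the statistics output.
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)"
    r"(?:\s+\((\d+) times matched\))?"
)


def parse_policies(text):
    """Return {policy name: [(rule id, action, protocol, match count)]}."""
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_NAME_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule_id, action, proto, matched = m.groups()
            policies[current].append((int(rule_id), action, proto.lower(), int(matched or 0)))
    return policies


def parse_bindings(text):
    """Return (globally bound policy name or None, {interface: policy name})."""
    global_policy, per_interface, pending = None, {}, None
    for line in text.splitlines():
        if re.match(r"^Configured\s*:\s*Global", line):
            pending = "__global__"          # next Policy Name line is the global binding
        elif (m := re.match(r"^Interface\s*:\s*(\S+)", line)):
            pending = m.group(1)            # next Policy Name line belongs to this interface
        elif (m := POLICY_NAME_RE.match(line)) and pending is not None:
            if pending == "__global__":
                global_policy = m.group(1)
            else:
                per_interface[pending] = m.group(1)
            pending = None
    return global_policy, per_interface


def lockout_risks(binding_text, policy_text):
    """Protocols denied by the global policy that no interface-bound policy permits."""
    global_name, per_interface = parse_bindings(binding_text)
    policies = parse_policies(policy_text)
    denied = {p for _, a, p, _ in policies.get(global_name, []) if a == "deny"}
    permitted = set()
    for name in per_interface.values():
        permitted |= {p for _, a, p, _ in policies.get(name, []) if a == "permit"}
    return sorted(denied - permitted)


def global_deny_hits(stats_text, global_name="global"):
    """{protocol: match count} for global deny rules that matched at least once."""
    policies = parse_policies(stats_text)
    return {p: n for _, a, p, n in policies.get(global_name, []) if a == "deny" and n > 0}


if __name__ == "__main__":
    print("lockout risks:", lockout_risks(BINDING_OUTPUT, POLICY_OUTPUT))
    print("global-only risks:", lockout_risks(GLOBAL_ONLY_BINDING, POLICY_OUTPUT))
    print("denied on service plane:", global_deny_hits(STATS_OUTPUT))
```

With the bindings from step 4 the check returns no risks; with only the global binding it lists all five protocols, which is the situation the note warns about. The nonzero FTP and Telnet counters from step 5 are worth forwarding to monitoring, since a management protocol arriving on a service interface at all is something an operator should want to know about, whether or not the policy dropped it.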
Updated: 2018-07-12

Document ID: EDOC1100028554
