01-07 Security Deployment
7 Security Deployment
Local device login through the console port: you need to configure an authentication mode and a user level for the console user interface. Objective: log in to the device through the console port while improving local login security.
If an aggregation device functions as the user gateway, you can deploy security policies by referring to security policy deployment for core devices.
Configuring Security for Local Device Login Through the Console Port
Logging in to a switch through the console port (also called serial port) is a basic
login mode and forms the basis of other login modes such as Telnet and STelnet.
Once an attacker accesses the console port on a switch, the switch is exposed to
the attacker, causing security risks. You can configure the authentication mode,
user authentication information, and user level for the console user interface to
ensure security of switch login through the console port.
Deployment Precautions
● If you configure the console user interface after login through the console
port, the configuration takes effect at your next login.
● To ensure device security, you are required to change the default password
upon the first login and change the password periodically.
Procedure
Step 2 Configure authentication information and user level for the console user interface.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create local user
admin123 and set the login password to abcd@123.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user admin123 to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa] local-user admin123 service-type terminal //Set the access type of local user admin123
to terminal user, that is, console user.
Step 3 Connect to the switch through the console port and enter the user name and
password as prompted to log in to the switch. (In this example, the user name is
admin123 and the password is abcd@123.)
Login authentication
Username:admin123
Password:
<HUAWEI>
----End
Step 1 Configure a protocol type, an authentication mode, and a user level for the VTY
user interface.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa //Configure AAA authentication for the VTY user
interface.
[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default,
SSH is used.
[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.
[HUAWEI-ui-vty0-4] quit
Step 2 Enable the STelnet server function and create an SSH user.
[HUAWEI] stelnet server enable //Enable the STelnet server function on the switch.
[HUAWEI] ssh user admin123 //Create SSH user admin123.
[HUAWEI] ssh user admin123 service-type stelnet //Set the service mode of the SSH user to STelnet.
To use password authentication, create a local user with the same name as the
SSH user in the AAA view.
[HUAWEI] ssh user admin123 authentication-type password //Configure password authentication for
the SSH user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with
the same user name as the SSH user and set a login password for the local user.
[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.
[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.
[HUAWEI-aaa] quit
# Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The
following uses ECC authentication as an example. Steps for configuring RSA and
DSA authentication are similar to those for configuring ECC authentication.)
To use RSA, DSA, or ECC authentication, you need to configure the public key of
the SSH client on the SSH server. When the SSH client connects to the SSH server,
the SSH client passes the authentication if the private key of the client matches
the configured public key. For details about the public key on the client, see the
help document of the SSH client software.
[HUAWEI] ssh user admin123 authentication-type ecc //Configure ECC authentication for the SSH user.
[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding format of ECC
public key key01 and enter the ECC public key view.
Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.
Enter "ECC key code" view, return last view with "public-key-code end".
[HUAWEI-ecc-key-code] 308188 //Copy the public key of the client, which is a hexadecimal character
string.
[HUAWEI-ecc-key-code] 028180
[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-ecc-key-code] 171896FB 1FFC38CD
[HUAWEI-ecc-key-code] 0203
[HUAWEI-ecc-key-code] 010001
[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.
[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.
[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign an existing public key key01 to user
admin123.
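The key code pasted into the public-key-code view is a DER-encoded ASN.1 structure written as hex. The following added example (not from the deployment guide) decodes the guide's sample key code, embedded as constructed input, so an operator can confirm the structure and key size of what they are about to bind with `ssh user ... assign`. For this sample the result is a SEQUENCE of two INTEGERs of 1024 and 17 bits with the second equal to 65537, which is the PKCS#1 RSAPublicKey (modulus, exponent) layout rather than an EC SubjectPublicKeyInfo, so the check is worth running against the key type you intend to assign.

```python
import re

# Sample key code from the guide above, re-typed here as constructed input.
SAMPLE_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""


def key_code_to_bytes(text: str) -> bytes:
    """Strip the whitespace the CLI tolerates between hex groups and decode."""
    hexstr = re.sub(r"\s+", "", text)
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("key code is not an even-length hex string")
    return bytes.fromhex(hexstr)


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def describe_key_code(text: str) -> dict:
    """Decode the outer SEQUENCE and list its members.

    INTEGER members are decoded to ints; any other member is reported as None.
    'complete' is False when trailing bytes follow the SEQUENCE (a paste error).
    """
    buf = key_code_to_bytes(text)
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30:                   # 0x30 = ASN.1 SEQUENCE
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    values, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        values.append(int.from_bytes(v, "big") if t == 0x02 else None)  # 0x02 = INTEGER
    return {
        "complete": end == len(buf),
        "members": len(values),
        "bits": [v.bit_length() if v is not None else None for v in values],
        "values": values,
    }


if __name__ == "__main__":
    print(describe_key_code(SAMPLE_KEY_CODE))
```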
Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH
protocol.
Click Open. Enter the user name and password as prompted and press Enter to
log in to the SSH server. (The following information is for reference only.)
login as: admin123
Sent username "admin123"
admin123@10.10.10.20's password:
----End
● Configure IPSG.
# Configure IPSG against static binding entries.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a static
binding entry.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 //Create a static
binding entry.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet
check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm
function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm
threshold for IP packet check.
# Configure IPSG against dynamic DHCP snooping binding entries. Before the
configuration, you need to configure DHCP snooping and generate dynamic
DHCP snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IP packet
check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable //Enable the alarm
function of IP packet check.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100 //Set the alarm
threshold for IP packet check.
● Configure ND snooping.
<HUAWEI> system-view
[HUAWEI] nd snooping enable //Enable ND snooping globally.
[HUAWEI] interface gigabitethernet 0/0/1 //Access the user-side interface.
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable //Enable ND snooping.
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2 //Access the interface directly or indirectly
connected to the gateway.
[HUAWEI-GigabitEthernet0/0/2] nd snooping trusted //Configure the interface as a trusted
interface.
● Configure DAI.
Before the configuration, you need to configure DHCP snooping and generate
dynamic DHCP snooping binding entries or manually configure static DHCP
snooping binding entries.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable //Enable DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address //
Configure the device to check only IP addresses in ARP packets based on binding entries.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable //Enable
the alarm function for ARP packets discarded by DAI.
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 100 //Set
the alarm threshold for ARP packets discarded by DAI.
# If access users seldom change locations, you can configure port security to
change dynamic MAC addresses to sticky MAC addresses. This ensures that
bound MAC address entries are not lost after a device resets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky //Enable the sticky MAC
function on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum
number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for
port security protection.
# If there are only a few access users and they seldom change locations, you
can configure secure static MAC addresses.
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect //Enable static MAC address
flapping detection.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable //Enable port security.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1 //Set the maximum
number of secure MAC addresses that can be learned on the interface.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict //Configure the action for
port security protection.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable //Enable port isolation.
Table 7-4 describes the security policy deployment suggestions for core devices.
You can configure functions based on service requirements.
Configuration Examples
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable //Enable user-level rate limiting.
● Configure the device not to send ARP packets destined for other devices to
the CPU.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp optimized-passby enable //Configure the device not to
send ARP packets destined for other devices to the CPU.
<HUAWEI> system-view
[HUAWEI] arp gratuitous-arp send enable //Enable the device to send
gratuitous ARP packets.
[HUAWEI] arp gratuitous-arp send interval 60 //Set the interval for sending
gratuitous ARP packets.
Table 7-5 describes the security policy deployment suggestions for wireless
services. You can configure functions based on service requirements.
Configuration Examples
● External network users can access the HTTP server on the internal network.
To ensure the proper running of the server, defend against SYN flood, UDP
flood, and HTTP flood attacks.
● To prevent viruses from being introduced by emails, perform antivirus
detection on emails using HTTP and POP3 protocols.
● Defend against attacks such as worms, Trojan horses, and botnets.
● To ensure normal services, limit P2P and online video traffic to 30 Mbit/s at all times. To better control P2P and online video traffic, limit the number of connections of the related applications to 10,000. To ensure the proper running of email and ERP applications, guarantee a minimum of 60 Mbit/s of bandwidth for such traffic.
● Record employees' online behaviors to implement more refined security policy
control.
Figure: network topology (image not recoverable from the extracted text). Components: HTTP server; core layer CSS (CORE); aggregation layer (AGG). Links: Eth-Trunk 1, Eth-Trunk 10, Eth-Trunk 20, Eth-Trunk 30; interfaces GE1/0/0, GE1/1/1/0, GE2/1/1/0, GE1/1/1/1, GE2/1/1/1, GE1/1/0/10, GE1/2/0/0, GE2/2/0/0, GE1/0/1, GE2/0/1.
Deployment Roadmap
Step Deployment Roadmap Devices Involved
Data Plan
Device Interface Member Interface VLANIF Number IP Address
GE1/0/3 - - 10.4.0.1/24
GE1/0/2
GE1/0/3 - - 10.4.0.2/24
GE1/0/2
GE2/1/1/1
Eth-Trunk 20 GE2/1/1/0
GE1/1/1/1
GE2/2/0/0
GE2/0/1
Procedure
This section mainly describes security configurations of firewalls. For details about other
configurations, see 4 Campus Egress Deployment.
To configure URL filtering, you need to activate the license and ensure that the license is
within the validity period.
Ensure that the content security package has been loaded before configuring file and data
filtering.
Assume that the user in this example already exists on the firewall, and the authentication
configuration is complete.
The system has four security zones by default. If the default security zones do
not meet your service requirements, you can create security zones and define
their security levels. After creating a security zone, add interfaces to it. Then
all packets sent and received on the interfaces are considered in the security
zone. By default, an interface does not belong to any security zone and is
unable to communicate with interfaces in other security zones.
# Assign interfaces to security zones.
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name untrust //Add the interface connected to the external
network to the untrusted zone.
[FWA-zone-untrust] set priority 5
[FWA-zone-untrust] add interface gigabitethernet 1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to
the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name untrust //Add the interface connected to the external network to
the untrusted zone.
[FWB-zone-untrust] set priority 5
[FWB-zone-untrust] add interface gigabitethernet 1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
# Configure a security policy for traffic from the internal network to the
external network (from the trusted zone to the untrusted zone).
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_av_1
# Configure a security policy for traffic from the trusted zone to the untrusted
zone and reference intrusion prevention profile profile_ips_pc.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_1
HRP_M[FWA-policy-security-rule-policy_sec_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
HRP_M[FWA-policy-security-rule-policy_sec_1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_1] quit
Servers often suffer from SYN flood, UDP flood, and HTTP flood attacks. To ensure
the normal running of the servers, enable the anti-DDoS function on the firewall
to defend against the three types of DDoS attacks.
HRP_M[FWA] traffic-policy
HRP_M[FWA-policy-traffic] profile profile_p2p
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole both 30000
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FWA-policy-traffic-profile-profile_p2p] quit
The following example describes the bandwidth management configuration for BitTorrent
(BT) and YouTube services. You can specify other P2P services as required.
HRP_M[FWA-policy-traffic] rule name policy_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_p2p] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_p2p] application app BT YouKu
HRP_M[FWA-policy-traffic-rule-policy_p2p] action qos profile profile_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] quit
The following example describes the bandwidth management configuration for Outlook
Web Access (OWA) and Lotus Notes. You can specify other applications as required.
HRP_M[FWA-policy-traffic] rule name policy_email
HRP_M[FWA-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_email] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FWA-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FWA-policy-traffic-rule-policy_email] quit
# Follow-up procedure
By viewing various reports, audit logs, and user activity logs, you can obtain the
online behavior of employees to implement more refined security policy control.
----End
Configuration Files
● FWA configuration file
#
sysname FWA
#
interface GigabitEthernet1/0/0
anti-ddosflow-statistic enable
#
keyword-group name keyword1
pre-defined-keyword name confidentiality weight 1
user-defined-keyword name abc
expression match-mode text "abcd"
weight 1
#
profile type audit name profile_audit_1
description Profile of auditing for research.
http-audit url all
http-audit url recorded-title
http-audit bbs-content
http-audit micro-blog
http-audit file direction download
ftp-audit file direction download
profile type av name av_http_pop3
http-detect direction download
pop3-detect action delete-attachment
exception application name Netease_WebMail action allow
exception av-signature-id 1000
profile type data-filter name profile_data_research
rule name rule1
keyword-group name keyword1
file-type all
application all
direction upload
action block
profile type file-block name profile_file_user1
rule name rule1
file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
file-type pre-defined name BZ2 C CPP JAVA
application all
direction upload
action block
rule name rule2
file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
application all
direction download
action block
profile type ips name profile_ips_pc
description profile for intranet users
collect-attack-evidence enable
signature-set name filter1
target client
severity high
protocol HTTP
#
profile type url-filter name profile_url_research
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
action permit
rule name policy_sec_user1
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile file-block profile_file_user1
action permit
rule name policy_sec_research
source-zone trust
destination-zone untrust
user user-group /default/priuser
profile data-filter profile_data_research
action permit
#
audit-policy
rule name policy_audit_1
description Policy of auditing for research.
source-zone trust
destination-zone untrust
user user-group /default/priuser
action audit profile profile_audit_1
#
traffic-policy
profile profile_p2p
bandwidth maximum-bandwidth whole both 30000
bandwidth connection-limit whole both 10000
profile profile_email
bandwidth guaranteed-bandwidth whole both 60000
rule name policy_p2p
source-zone trust
destination-zone untrust
application app BT
application app YouKu
action qos profile profile_p2p
rule name policy_email
source-zone trust
destination-zone untrust
application app LotusNotes
application app OWA
action qos profile profile_email
#
return
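The configuration file above is the artefact an auditor actually receives, so it is worth checking mechanically against the stated requirements. This added example (not from the guide) parses a constructed excerpt modelled on the FWA file, with one extra permit rule added to show a finding, and reports trust-to-untrust permit rules that reference no content-security profile, plus any traffic-policy profile whose values differ from the requirements (30 Mbit/s and 10,000 connections for P2P, 60 Mbit/s guaranteed for email, taking the bandwidth values as kbit/s as the 30000 and 60000 figures in the file indicate).

```python
# Constructed config excerpt in the layout of the FWA configuration file.
CONFIG = """\
#
security-policy
 rule name policy_sec_user1
  source-zone trust
  destination-zone untrust
  profile file-block profile_file_user1
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  profile data-filter profile_data_research
  action permit
 rule name policy_any_out
  source-zone trust
  destination-zone untrust
  action permit
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole both 30000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole both 60000
#
return
"""

# Keyword that opens a named block inside each section we care about.
STARTER = {"security-policy": "rule name ", "traffic-policy": "profile "}

# Requirements from the service description, bandwidth in kbit/s.
REQUIREMENTS = {
    "profile_p2p": {"maximum-bandwidth": 30000, "connection-limit": 10000},
    "profile_email": {"guaranteed-bandwidth": 60000},
}


def parse_blocks(text):
    """Return {section: {block_name: [attribute lines]}} for the two sections."""
    sections, section, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in STARTER:
            section, name = line, None
            sections[section] = {}
        elif line in ("#", "return"):           # '#' separates top-level sections
            section, name = None, None
        elif section and line.startswith(STARTER[section]):
            name = line[len(STARTER[section]):]
            sections[section][name] = []
        elif section and name and line:
            sections[section][name].append(line)
    return sections


def unprofiled_outbound_rules(sections):
    """Names of trust->untrust permit rules that reference no 'profile ...' line."""
    findings = []
    for name, lines in sections.get("security-policy", {}).items():
        attrs = set(lines)
        outbound = {"source-zone trust", "destination-zone untrust", "action permit"} <= attrs
        if outbound and not any(l.startswith("profile ") for l in lines):
            findings.append(name)
    return findings


def bandwidth_settings(sections):
    """{profile: {setting: value}} from 'bandwidth <setting> whole both <N>' lines."""
    out = {}
    for name, lines in sections.get("traffic-policy", {}).items():
        out[name] = {}
        for l in lines:
            p = l.split()
            if len(p) == 5 and p[0] == "bandwidth" and p[2:4] == ["whole", "both"]:
                out[name][p[1]] = int(p[4])
    return out


def requirement_gaps(sections):
    """(profile, setting, expected, actual) tuples where the file differs from REQUIREMENTS."""
    actual = bandwidth_settings(sections)
    return [(prof, s, v, actual.get(prof, {}).get(s))
            for prof, reqs in REQUIREMENTS.items() for s, v in reqs.items()
            if actual.get(prof, {}).get(s) != v]


if __name__ == "__main__":
    s = parse_blocks(CONFIG)
    print("unprofiled outbound permit rules:", unprofiled_outbound_rules(s))
    print("requirement gaps:", requirement_gaps(s))
```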