Guide to Defense Configuration on S Series Switches

Created: Mar 13, 2019 15:11:00


Note: Before the configuration, ensure that no legitimate service on the network depends on TCP or UDP ports 135, 137, 139, 445, or 3389 (RPC endpoint mapper, NetBIOS name and session services, SMB, and RDP). The policy below drops all traffic to these ports, so any such service will stop working across the switch.

Product Family

Enterprise network products

Product Model

S series switches

Release Date

   

Severity

Major

Versions Involved

V100R006 and later versions

Application Scope

S series switches

External Vulnerability ID

CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148 (the Microsoft Windows SMBv1 vulnerabilities addressed by security bulletin MS17-010)


[Network-side defense configuration case for S series switches]

 

1. Create ACL rules for high-risk ports.
acl number 3000     //Use any unused number in the advanced ACL range 3000 to 3999.
  rule 5 permit tcp destination-port eq 445     //permit here only selects the traffic; the drop is done by the behavior in step 2
  rule 10 permit tcp destination-port eq 135
  rule 15 permit tcp destination-port eq 137
  rule 20 permit tcp destination-port eq 139
  rule 25 permit tcp destination-port eq 3389
  rule 30 permit udp destination-port eq 445
  rule 35 permit udp destination-port eq 135
  rule 40 permit udp destination-port eq 137
  rule 45 permit udp destination-port eq 139
  rule 50 permit udp destination-port eq 3389

2. Create a traffic policy.
traffic classifier deny-bingdu operator and     //The name is arbitrary ("bingdu" is pinyin for "virus"); use the same name consistently below.

  if-match acl 3000     //Reference the ACL created in step 1.
traffic behavior deny-bingdu
  deny     //Packets selected by the classifier are dropped.
traffic policy deny-bingdu
  classifier deny-bingdu behavior deny-bingdu
 

3. Apply the traffic policy.
//Apply the policy to an interface. Run this script in the system view.


interface GigabitEthernet0/0/1
 traffic-policy deny-bingdu inbound
 traffic-policy deny-bingdu outbound


//Apply the policy globally. Run this script in the system view.
 traffic-policy deny-bingdu global inbound
 traffic-policy deny-bingdu global outbound


//Apply the policy to a port group. Run this script in the system view. This avoids repeating the two traffic-policy commands on every port.


port-group deny-bingdu
 group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/10  //Adjust the member range to the ports that need the policy.
 traffic-policy deny-bingdu inbound
 traffic-policy deny-bingdu outbound
 

 

[Note]

1.     Configure this script on the core and aggregation switches first. If a host on the intranet has already been infected, also configure it on the access switch that host connects to, so its traffic is dropped at the first hop.

2.     Apply the policy on all interfaces if possible. If that is impractical, apply it globally and on the upstream interfaces.

3.     Only one traffic policy can be applied per direction in the system view (global) or on a given interface. If a traffic policy is already applied there, the traffic-policy command fails; in that case, add classifier deny-bingdu behavior deny-bingdu to the existing traffic policy instead of creating a new one.

4.     S2700SI series switches do not support ACLs. The S2700/S3700 does not support outbound traffic policies.
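As an added offline check covering steps 1 to 3 and notes 2 and 3 above (this is example code written for this page, not Huawei's or the original poster's), the following Python parses a configuration snippet in the VRP syntax used in the guide and reports anything that would leave one of the listed ports reachable: an ACL rule written as deny instead of permit (the guide's pattern selects traffic with permit rules and drops it through the behavior), a behavior without deny, a required protocol/port pair missing from the ACL, and a policy applied in only one direction. The names `parse_vrp`, `audit`, `GOOD_CONFIG` and `WEAK_CONFIG` are introduced here, and both sample configurations are constructed for the example; the parser only understands the subset of syntax shown on this page.

```python
"""Offline audit of a VRP-style ACL / traffic-policy snippet for the port block
described on this page. Constructed example, not Huawei's code: it parses the
subset of configuration syntax shown above and reports anything that would
leave one of the listed ports reachable."""
import re

REQUIRED_PORTS = (135, 137, 139, 445, 3389)   # ports named in the note at the top
PROTOCOLS = ("tcp", "udp")
_RULE = re.compile(r"rule\s+\d+\s+(permit|deny)\s+(tcp|udp)\s+destination-port\s+eq\s+(\d+)$")

def parse_vrp(text):
    """Collect ACLs, classifiers, behaviors, policies and where policies are applied."""
    cfg = {"acl": {}, "classifier": {}, "behavior": {}, "policy": {}, "applied": []}
    ctx = None                                  # (kind, name) of the current view
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()       # drop the page's // comments
        if not line or line == "#":
            ctx = None
            continue
        t = line.split()
        if t[:2] == ["acl", "number"]:
            ctx = ("acl", int(t[2]))
            cfg["acl"].setdefault(ctx[1], [])
        elif t[0] == "traffic" and t[1] in ("classifier", "behavior", "policy"):
            ctx = (t[1], t[2])
            cfg[t[1]].setdefault(t[2], [])
        elif t[0] in ("interface", "port-group"):
            ctx = (t[0], "".join(t[1:]))
        elif t[0] == "traffic-policy":          # "... NAME [global] inbound|outbound"
            where = "global" if t[2] == "global" else (ctx[1] if ctx else "?")
            cfg["applied"].append((where, t[1], t[-1]))
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and (m := _RULE.match(line)):
            cfg["acl"][ctx[1]].append((m[1], m[2], int(m[3])))
        elif ctx[0] == "classifier" and t[:2] == ["if-match", "acl"]:
            cfg["classifier"][ctx[1]].append(int(t[2]))
        elif ctx[0] == "behavior" and t[0] in ("deny", "permit"):
            cfg["behavior"][ctx[1]].append(t[0])
        elif ctx[0] == "policy" and t[0] == "classifier" and t[2] == "behavior":
            cfg["policy"][ctx[1]].append((t[1], t[3]))
    return cfg

def audit(text):
    """Return a list of findings; an empty list means every required protocol/port
    pair is dropped at every point the policy is applied, in both directions."""
    cfg, findings, places = parse_vrp(text), [], {}
    for acl, rules in cfg["acl"].items():
        for action, proto, port in rules:
            if action == "deny":    # the guide selects traffic with permit rules only
                findings.append(f"acl {acl}: {proto}/{port} rule is deny, not permit")
    for where, policy, direction in cfg["applied"]:
        places.setdefault(where, set()).add(direction)
        blocked = set()
        for clf, bhv in cfg["policy"].get(policy, []):
            if "deny" not in cfg["behavior"].get(bhv, []):
                findings.append(f"behavior {bhv} of policy {policy} has no deny action")
                continue
            for acl in cfg["classifier"].get(clf, []):
                blocked |= {(p, n) for a, p, n in cfg["acl"].get(acl, []) if a == "permit"}
        for proto in PROTOCOLS:
            for port in REQUIRED_PORTS:
                if (proto, port) not in blocked:
                    findings.append(f"{where} {direction}: {proto}/{port} not blocked by {policy}")
    for where, dirs in places.items():          # note 2 above: apply in both directions
        for d in ("inbound", "outbound"):
            if d not in dirs:
                findings.append(f"{where}: applied {','.join(sorted(dirs))} only, missing {d}")
    return findings

def _rules(ports=REQUIRED_PORTS, bad=()):
    """Render the guide's rule lines; (proto, port) pairs listed in `bad` get deny."""
    pairs = [(p, n) for p in PROTOCOLS for n in ports]
    return "".join(f" rule {5 * i + 5} {'deny' if pn in bad else 'permit'} {pn[0]}"
                   f" destination-port eq {pn[1]}\n" for i, pn in enumerate(pairs))

# Constructed sample 1: the guide's configuration applied to one interface, both ways.
GOOD_CONFIG = ("acl number 3000\n" + _rules()
               + "traffic classifier deny-bingdu operator and\n if-match acl 3000\n"
               "traffic behavior deny-bingdu\n deny\n"
               "traffic policy deny-bingdu\n classifier deny-bingdu behavior deny-bingdu\n"
               "interface GigabitEthernet0/0/1\n traffic-policy deny-bingdu inbound\n"
               " traffic-policy deny-bingdu outbound\n")

# Constructed sample 2: three common slips - a deny rule inside the ACL, UDP 3389
# left out, and the policy applied inbound only.
WEAK_CONFIG = ("acl number 3001\n" + _rules(ports=(135, 137, 139, 445), bad={("tcp", 445)})
               + " rule 100 permit tcp destination-port eq 3389\n"
               "traffic classifier weak operator and\n if-match acl 3001\n"
               "traffic behavior weak\n deny\n"
               "traffic policy weak\n classifier weak behavior weak\n"
               "interface GigabitEthernet0/0/2\n traffic-policy weak inbound\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit(text) or "OK")
```

Run it against the text of the relevant part of your own running configuration; a clean result only means the policy matches the guide, and it does not replace a live probe from a client behind the switch, since the actual matching semantics of a deny ACL rule inside a classifier depend on the platform and version.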


If there are complex applications, contact Huawei engineers.

 

