Management Plane Security

Created: Mar 31, 2017 15:22:20 | Latest reply: Apr 1, 2017 10:27:55


As mentioned in the preceding sections, the protection measure for the management plane is administrator login protection. To ensure that administrators can log in and manage the switch securely, three questions must be answered: who can log in, how to log in securely, and how to keep operations secure once logged in.

1.1 Who Can Log In


1. Configure user names and passwords on the switch. Only an administrator who holds a valid user name and password can log in.

The switch supports the following login authentication modes. AAA is the most secure of the three.

• AAA: The user must enter both a user name and a password to log in. Because every administrator has an individual account, actions on the switch can be traced to a person.
• Password: Only a password is required. The password belongs to the user interface rather than to a person, so it is shared by everyone who uses that interface.
• None: No verification is performed. Anyone who can reach the user interface is logged in.

Figure 1-1 Administrator login


In Figure 1-1, the switch uses AAA to control user login. Create the user admin001 with the password SuperAdmin@123:

[Switch] aaa
[Switch-aaa] local-user admin001 password irreversible-cipher SuperAdmin@123 //irreversible-cipher stores the password in one-way hashed form, so it cannot be recovered from the configuration file.

Administrator 1 and administrator 2 are authorized users who hold user names and passwords, so they can log in to the switch. The unauthorized user has no user name or password and cannot log in. If the None mode were used instead, the unauthorized user could log in as well.

2. Configure an ACL so that only users whose source addresses match the rules can log in to the switch.

Only the administrator should know the switch's login user name and password. If unauthorized users obtain them, however, they can log in from anywhere that can reach the switch. To limit that exposure, configure an ACL that allows login only from the specified subnet. The ACL checks the source address, not the person, so it is a second layer on top of authentication: it does not help against an attacker who has already compromised a host on the permitted subnet, and the credentials still need to be protected.

Figure 1-2 Configure ACL to control login


In Figure 1-2, administrator 1 and administrator 2 belong to subnet 10.10.10.0/24, and the unauthorized user belongs to subnet 20.20.10.0/24. Configure an ACL on the switch that allows only users on subnet 10.10.10.0/24 to log in. Users on other subnets cannot log in even if they obtain the user name and password. The configuration on the switch is as follows:

[Switch] acl 2008 //Basic ACL (number range 2000-2999): matches on the source address only.
[Switch-acl-basic-2008] rule permit source 10.10.10.0 0.0.0.255 //0.0.0.255 is a wildcard mask: the 0 bits must match, the 1 bits are ignored.
[Switch-acl-basic-2008] quit
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] acl 2008 inbound //Apply the ACL to all 15 VTY user interfaces so it covers every Telnet and STelnet session.
[Switch-ui-vty0-14] quit
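A source address is accepted or refused by comparing it with each rule's address under the rule's wildcard mask, and the wildcard is the inverse of a subnet mask, which is the usual source of mistakes. The following Python is an added example, not code from this page or from Huawei: it parses basic-ACL rules in the form the page writes them, evaluates a login source against them the way the switch does (the first matching rule decides; nothing matched means refused, as the page states for the other subnets), and converts a CIDR prefix into the wildcard a rule needs. The sample rules are the ACL above and the two-rule ACL of section 1.4; the rule IDs 5 and 10 in the second sample are assumed, standing in for the IDs the switch assigns when none is typed.

```python
import ipaddress

# The two ACLs from this page, in the form the page writes them (constructed
# input). The switch accepts an optional numeric ID after "rule" and assigns
# one itself when it is omitted; the IDs 5 and 10 below are assumed.
ACL_2008_SECTION_1_1 = """
rule permit source 10.10.10.0 0.0.0.255
"""

ACL_2008_SECTION_1_4 = """
rule 5 permit source 10.10.10.2 0.0.0.0
rule 10 permit source 10.10.20.0 0.0.0.255
"""


def parse_basic_acl(text):
    """Parse 'rule [id] permit|deny source <addr> <wildcard>|any' lines into tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) > 1 and parts[1].isdigit():   # drop the optional rule ID
            del parts[1]
        if (len(parts) < 4 or parts[0] != "rule"
                or parts[1] not in ("permit", "deny") or parts[2] != "source"):
            raise ValueError(f"unsupported rule: {line!r}")
        if parts[3] == "any":                        # any = 0.0.0.0 255.255.255.255
            addr, wildcard = 0, 0xFFFFFFFF
        elif len(parts) >= 5:
            addr = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4]))
        else:
            raise ValueError(f"missing wildcard: {line!r}")
        rules.append((parts[1], addr, wildcard))
    return rules


def matches(src, rule_addr, wildcard):
    """Wildcard semantics: a 0 bit must be equal, a 1 bit is ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (rule_addr & care)


def vty_login_allowed(rules, source_ip):
    """Decide whether a login attempt from source_ip gets past the VTY ACL."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, rule_addr, wildcard in rules:        # the first matching rule decides
        if matches(src, rule_addr, wildcard):
            return action == "permit"
    # No rule matched: refused, the outcome the page describes for other subnets.
    return False


def wildcard_for(network):
    """CIDR -> (address, wildcard) as a rule needs them, e.g. /24 -> 0.0.0.255."""
    net = ipaddress.IPv4Network(network, strict=False)
    return str(net.network_address), str(net.hostmask)


def review(rules, candidates):
    """Map each candidate source to the ACL's decision, for a quick desk check."""
    return {ip: vty_login_allowed(rules, ip) for ip in candidates}


if __name__ == "__main__":
    decisions = review(parse_basic_acl(ACL_2008_SECTION_1_4),
                       ["10.10.10.2", "10.10.10.3", "10.10.20.77", "20.20.10.5"])
    for ip, ok in decisions.items():
        print(f"{ip:>12}  {'permit' if ok else 'deny'}")
```

The classic mistake this catches: `rule permit source 10.10.10.0 255.255.255.0` does not permit the /24. Because the 1 bits are ignored, it permits any address ending in .0 from any network and refuses 10.10.10.5; `wildcard_for("10.10.20.0/24")` gives the 0.0.0.255 the rule actually needs.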

1.2 How to Log In Securely


Users can log in to the switch through the CLI or the web. CLI login is implemented through the console port, Telnet, or STelnet.

• Console port: Local login. The user terminal is connected to the switch through a dedicated console cable. This mode is usually used for the first login to a switch; because it requires physical access, the risk is controllable.
• Telnet: Remote login. The whole session, including the user name and password, is transmitted in plain text, so user information can be intercepted. Security is low.
• STelnet: Remote login based on SSH. Security is high.

1. STelnet login

Telnet transmits everything in plain text, so anyone who can capture the traffic can read the login credentials and every command. Telnet also gives the client no way to verify that it is talking to the real switch, which opens the door to a man-in-the-middle (MITM) attack: the "middle man" poses as the switch to receive the data from the user host, forwards it to the real switch while posing as the user host, and returns the replies the same way. The data exchanged between the switch and the user host can be read and tampered with without either side noticing.

SSH encrypts and integrity-protects the transmitted data and authenticates the switch to the client through the switch's host key, so an interposed attacker can neither read nor alter the session nor impersonate the switch. This protection depends on the client actually checking the host key: on the first connection, verify the fingerprint the client displays out of band instead of accepting it blindly, because a key accepted without checking could belong to a middle man.

Therefore, for CLI access, the SSH-based STelnet protocol is recommended.

2. Web login

In web login mode, users log in to the switch over HTTPS and operate it through the GUI. HTTPS is HTTP carried over SSL/TLS, which encrypts the data exchanged between the client and the switch. If higher security is required, configure an SSL policy and load a digital certificate issued for the switch by a CA that the administrators' browsers trust, so that the browser can also authenticate the switch rather than merely encrypt the session.

1.3 How to Ensure Operation Security

Different operation rights can be configured for different administrators. The operations an administrator can perform depend on the administrator's user level and the command level of each command: an administrator can run only the commands whose command level is lower than or equal to the administrator's user level.

There are 16 user levels (0-15) and 4 command levels (0-3). A greater value indicates a higher level.

The following table lists the mappings between user levels and command levels.

User Level | Command Level | Description
0          | 0             | Network diagnosis tools (such as ping and tracert) and device login commands (such as Telnet)
1          | 0, 1          | Most display commands
2          | 0, 1, 2       | Service configuration commands
3-15       | 0, 1, 2, 3    | All commands registered in the system, including the debugging and diagnosis commands

The command levels are defined by the system; only user levels are configurable. How is a user level assigned? This requires an important concept, the Virtual Type Terminal (VTY) user interface.

What is a VTY? When a user logs in to the switch through Telnet or STelnet, the system automatically allocates a VTY user interface through which the device manages and monitors the session. Each VTY user interface has its own authentication mode and user level.

When the authentication mode of the VTY user interface is Password or None, the user level is the level configured on the VTY user interface itself. The default is 0.

When the authentication mode of the VTY user interface is AAA, the user level is the privilege level configured for the local user in the AAA view, which takes precedence over the level on the VTY user interface. The default is also 0.

The user level configuration on the switch:

• Set the user level of VTY user interfaces 0-4 to 2.

[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] user privilege level 2

• Set the user level of the user test001 in the AAA view to 15.

[Switch] aaa
[Switch-aaa] local-user test001 privilege level 15

The following section shows the configuration example of secure switch login and management.

1.4 Example for Configuring Administrator Secure Login

Figure 1-3 Administrator secure login


In Figure 1-3, three administrators maintain and manage the devices. To ensure device management security, perform the following configurations.

Configuration Roadmap

1. Administrator 1 is the chief maintenance engineer and is allowed to carry out major operations on the devices, so administrator 1 is given the highest operation right. Administrator 1 is on the internal network, which is treated as secure, so Telnet login is used. Note that this gives the most privileged account the weakest transport; STelnet is enabled on the same switch in step 3 and costs nothing extra, so the recommendation in section 1.2 to use it applies here too.

2. Administrator 2 and administrator 3 usually log in only to view the configuration, so they are given a low operation right. They are on the external network, which carries security risk, so STelnet login is used.

3. To restrict who can reach the login prompt, configure an ACL that allows only the IP address of administrator 1 and the subnet where administrator 2 and administrator 3 are located.

Procedure

1. Configure the VTY user interface.

<Switch> system-view
[Switch] user-interface vty 0 4 //Configure VTY user interfaces 0-4.
[Switch-ui-vty0-4] authentication-mode aaa //Set the authentication mode to AAA.
[Switch-ui-vty0-4] protocol inbound all //Allow both STelnet and Telnet on these VTYs.
[Switch-ui-vty0-4] quit

2. Configure the user name and password for administrator 1. Allocate the highest operation right and set the login mode to Telnet.

[Switch] telnet server enable //Enable the Telnet server.
[Switch] aaa
[Switch-aaa] local-user admin001 password irreversible-cipher test@123
[Switch-aaa] local-user admin001 privilege level 15 //Configure the highest operation right.
[Switch-aaa] local-user admin001 service-type telnet //Allow this user to log in through Telnet.
[Switch-aaa] quit

3. Configure user names and passwords for administrator 2 and administrator 3. Grant view-only rights and set the login method to STelnet.

[Switch] dsa local-key-pair create //Generate the host key pair used by the SSH server.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

This page generates a DSA host key. OpenSSH clients have refused ssh-dss host keys by default since OpenSSH 7.0 (2015), so on current clients prefer an RSA key pair generated with rsa local-key-pair create (2048 bits or more), or an ECC key pair with ecc local-key-pair create where the switch software supports it.

[Switch] stelnet server enable //Enable the STelnet server.
[Switch] aaa
[Switch-aaa] local-user admin002 password irreversible-cipher Hell@6789
[Switch-aaa] local-user admin002 privilege level 1 //Configure view-only rights.
[Switch-aaa] local-user admin002 service-type ssh //Set the service type to SSH.
[Switch-aaa] local-user admin003 password irreversible-cipher Hell@1234
[Switch-aaa] local-user admin003 privilege level 1
[Switch-aaa] local-user admin003 service-type ssh
[Switch-aaa] quit
[Switch] ssh user admin002 authentication-type password //Set the authentication method for administrator 2 to password.
[Switch] ssh user admin003 authentication-type password
[Switch] ssh user admin002 service-type stelnet //Set the service type of the SSH user to STelnet.
[Switch] ssh user admin003 service-type stelnet

After the configuration is complete, install PuTTY on the client, enter the device IP address, and set the protocol type to SSH. When PuTTY shows the host key fingerprint on the first connection, verify it out of band before accepting it; a fingerprint accepted without checking defeats the protection STelnet was chosen for.

4. Configure an ACL so that users outside the specified addresses cannot log in to the device.

[Switch] acl 2008
[Switch-acl-basic-2008] rule permit source 10.10.10.2 0.0.0.0 //Permit the single host 10.10.10.2 (administrator 1); a wildcard of 0.0.0.0 means every bit must match.
[Switch-acl-basic-2008] rule permit source 10.10.20.0 0.0.0.255 //Permit the subnet 10.10.20.0/24 (administrators 2 and 3).
[Switch-acl-basic-2008] quit
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] acl 2008 inbound //Apply the ACL to the same VTYs configured in step 1.
[Switch-ui-vty0-4] quit

After the configuration is complete, only the host 10.10.10.2 and the hosts on subnet 10.10.20.0/24 can reach the login prompt; everyone else is refused before authentication begins. The ACL is applied to VTY 0-4 only; if the switch accepts more VTY sessions than that, apply it to the additional user interfaces as well, as the section 1.1 example does with vty 0 14.
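Before a configuration like the one above goes live, a practitioner would want the page's own rules applied mechanically: which VTYs accept Telnet, which accounts send their credentials in the clear, which host key the SSH server offers, whether every VTY has an ACL, and what level each administrator actually ends up with under the section 1.3 rules. The following Python is an added example written for this page, not Huawei code or a tool the page mentions. It parses the section 1.4 commands (prompts removed, the key-generation dialogue reduced to its command) and emits findings; the parser understands only the command forms this page uses, and the DSA finding is the editor's caveat rather than a statement from the page.

```python
import re

# Section 1.4 of this page as a flat command list (constructed from the page:
# prompts stripped, the DSA key dialogue reduced to the command itself).
PAGE_1_4_CONFIG = """
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
 quit
telnet server enable
aaa
 local-user admin001 password irreversible-cipher test@123
 local-user admin001 privilege level 15
 local-user admin001 service-type telnet
 quit
dsa local-key-pair create
stelnet server enable
aaa
 local-user admin002 password irreversible-cipher Hell@6789
 local-user admin002 privilege level 1
 local-user admin002 service-type ssh
 local-user admin003 password irreversible-cipher Hell@1234
 local-user admin003 privilege level 1
 local-user admin003 service-type ssh
 quit
acl 2008
 rule permit source 10.10.10.2 0.0.0.0
 rule permit source 10.10.20.0 0.0.0.255
 quit
user-interface vty 0 4
 acl 2008 inbound
 quit
"""


def parse_config(text):
    """Collect the settings this page discusses; only the page's command forms are parsed."""
    cfg = {"telnet_server": False, "host_keys": set(), "vty": {}, "users": {}}
    view = None                         # ("vty", name) or ("aaa",) while inside that view
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "quit":
            view = None
        elif line == "telnet server enable":
            cfg["telnet_server"] = True
        elif m := re.fullmatch(r"(rsa|dsa|ecc) local-key-pair create", line):
            cfg["host_keys"].add(m.group(1))
        elif m := re.fullmatch(r"user-interface vty (\d+) (\d+)", line):
            view = ("vty", f"vty{m.group(1)}-{m.group(2)}")
            # Each VTY carries its own user level, default 0 (section 1.3); mode, ACL
            # and protocol are recorded only when the configuration sets them.
            cfg["vty"].setdefault(view[1], {"mode": None, "level": 0, "acl": None, "protocol": None})
        elif line == "aaa":
            view = ("aaa",)
        elif view and view[0] == "vty":
            v = cfg["vty"][view[1]]
            if m := re.fullmatch(r"authentication-mode (aaa|password|none)", line):
                v["mode"] = m.group(1)
            elif m := re.fullmatch(r"user privilege level (\d+)", line):
                v["level"] = int(m.group(1))
            elif m := re.fullmatch(r"acl (\d+) inbound", line):
                v["acl"] = int(m.group(1))
            elif m := re.fullmatch(r"protocol inbound (all|ssh|telnet)", line):
                v["protocol"] = m.group(1)
        elif view and view[0] == "aaa":
            if m := re.fullmatch(r"local-user (\S+) (.+)", line):
                u = cfg["users"].setdefault(m.group(1), {"level": 0, "services": set()})
                if mm := re.fullmatch(r"privilege level (\d+)", m.group(2)):
                    u["level"] = int(mm.group(1))
                elif mm := re.fullmatch(r"service-type (.+)", m.group(2)):
                    u["services"].update(mm.group(1).split())
    return cfg


def effective_level(cfg, vty_name, username):
    """Section 1.3: AAA -> the local user's level; password or none -> the VTY's own level."""
    v = cfg["vty"][vty_name]
    if v["mode"] == "aaa":
        return cfg["users"].get(username, {"level": 0})["level"]
    return v["level"]


def audit(cfg):
    """One finding per weak point, using the criteria this page explains."""
    findings = []
    if cfg["telnet_server"]:
        findings.append("telnet server enable: sessions and passwords cross the network in plain text")
    if "dsa" in cfg["host_keys"] and not ({"rsa", "ecc"} & cfg["host_keys"]):
        findings.append("only a DSA host key: OpenSSH clients refuse ssh-dss by default since 7.0 (editor's caveat); add an RSA or ECC key pair")
    for name, v in cfg["vty"].items():
        if v["mode"] != "aaa":
            findings.append(f"{name}: authentication-mode {v['mode'] or 'not set'}; AAA is the secure choice")
        if v["acl"] is None:
            findings.append(f"{name}: no inbound ACL, any reachable source may attempt to log in")
        if v["protocol"] in ("all", "telnet"):
            findings.append(f"{name}: protocol inbound {v['protocol']} accepts Telnet")
    for name, u in cfg["users"].items():
        if "telnet" in u["services"]:   # user levels 3-15 all unlock command level 3 (section 1.3)
            findings.append(f"{name}: service-type telnet exposes a command-level-{min(u['level'], 3)} account (user level {u['level']}) over a plaintext session")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(PAGE_1_4_CONFIG)):
        print("-", finding)
```

Run against the page's configuration it reports four findings: the Telnet server, the DSA-only host key, `protocol inbound all` on vty0-4, and admin001's level-15 account riding on Telnet. The `effective_level` helper also makes the section 1.3 trap visible: switching vty0-4 to `authentication-mode password` silently drops admin001 from level 15 to the VTY's own level 0, however the AAA view is configured.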

Security Issues - Issue 1 Security Holistic View
Security Issues - Issue 2 Management Plane Security
Security Issues - Issue 3 Control Plane Security
Security Issues - Issue 4 Forwarding Plane Security – Layer 2 Security
Security Issues - Issue 5 Forwarding Plane Security – Layer 3 Security

This post was last edited by 交换机在江湖 on 2017-08-11 10:41.

gululu     Created Apr 1, 2017 10:27:55 Helpful(0)

thanks for sharing