Management port security configurations that are easily ignored or misunderstood

173 0 3 3

Network devices exposed to the public network generally refer to network devices configured with public IP addresses, such as WAN routers and border routers. These devices are configured with public IP addresses on interfaces. The VPN device such as the firewall is easy to ignore. The VPN device is configured with a public IP address to establish a VPN tunnel with the user. The public IP address is also configured on the Layer 3 interface of the device. Therefore, the VPN device is also a network device exposed to the public network.

The network device management ports are high-risk ports. Exposure to the public network is very risky. If an unauthorized user logs in to the network device, one command is sufficient for all services to break down. During network device rectification, the problem that ports are exposed to the public network is often found. This section describes some port security configurations that are easily ignored or misunderstood.

1. The VTY 16~VTY 20 does not invoke the ACL. As a result, the external network can still scan the management port of the network device.

Generally, the ACL is used to control the access permission on the user interface. The configuration is as follows:

acl number 2000

 rule 5 permit source 10.0.0.0 0.255.255.255

 rule 100 deny

#

user-interface vty 0 4

 acl 2000 inbound

However, some devices, such as the NE40 router, in addition to the VTY0~VTY4 reserved for Telnet and SSH users (the maximum value is VTY0~VTY14), the reserved number VTY 16~VTY 20 is reserved for the NMS.

If the ACL is bound to only VTY 0~VTY4 or VTY 0~VTY 14, the management port of the device is still exposed to the external network. Therefore, you also need to bind the ACL to the VTY 16~VTY 20.

user-interface vty 16 20

acl 2000 inbound

2. The ACL invoked by the user interface does not restrict web login.

The user interface includes the console user interface and vty user interface. It is a command-line view provided by the system. It is used to configure and manage all physical interfaces and logical interfaces working in asynchronous mode to manage various user interfaces in a unified manner. The logical interface is the vty. It can be seen that the vty user interface is used to log in to the CLI in asynchronous mode. SSH and Telnet are used in this mode. Web login is a graphical interface instead of a command-line mode. Therefore, the ACL invoked by the user interface does not restrict web login.

What are the restrictions on web login?

The web management ports are 8443 and 8887. You can use either of the following methods

(1). Intercept the access to the local management port through the upstream network device. Ips security devices or firewalls are used for the interception.

(2). Use a policy to prevent the external IP address from accessing the web port of the local public IP address

For example, configure the following policies in the untrust-> local direction on a firewall:

rule name web_untrust_local_deny

  source-zone untrust

destination-zone local

destination-address x.x.x.x.0 mask 255.255.255.0

service protocol tcp

destination-port 8443

service protocol tcp

destination-port 8887

action deny

3. Binding an ACL to an SNMP community name cannot prevent other users from attempting to log in.

When analyzing logs, we often find that the IP address of the external network attempts to log in to the device through SNMP. Although the SNMP port is not a high-risk port, the device information and performance may be read after being cracked.

The usual practice is configuring an ACL to specify the IP addresses that can access network devices through SNMP. Generally, you can configure an intranet IP address to access the network device, prevent other IP addresses from accessing the network device, and bind the ACL to the snmp-agent community.

 snmp-agent community read cipher xxxx mib-view userinfo acl 2000

 snmp-agent community write cipher xxxx mib-view userinfo acl 2000

However, it is found that the problem still occurs after the ACL is configured. Take a closer look at this command. The command is used to allow the IP address in the ACL to use the community name xxxx to read and write the IP address in the MIB view. If the IP address is not in the ACL range, the IP address cannot be read or written by the XXXX community name. Therefore, the IP address that is not in the ACL range can still reach the device, but it fails to check the community name and cannot log in.

The correct method is to configure an ACL globally in the snmp-agent. Only the SNMP users in the ACL can access the device. After the ACL is configured, the IP address that is not in the ACL cannot attempt to log in to the device.

snmp-agent acl 2000

What else do you think is important but easy to ignore? Welcome to share.


  • x
  • convention:

Comment

Reply
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login