
OptiX RTN 900

V100R006C00
Security Configuration,
Maintenance, and Hardening
Manual
Issue 03
Date 2013-12-26
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 03 (2013-12-26) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
OptiX RTN 900
Security Configuration, Maintenance, and Hardening Manual
Contents
1 Introduction
1.1 Purposes for Security Configuration, Maintenance & Hardening
1.2 About Layered Security Configuration, Maintenance and Hardening
2 Security Configuration at the Device Management Layer
2.1 NE User Management
2.1.1 Querying the NE User Information
2.1.2 Creating an NE User
2.1.3 Deleting an NE User
2.1.4 Modifying NE User Attributes
2.1.5 Changing an NE User Password
2.1.6 Changing the Password for an Online NE User
2.1.7 Modifying User Additional Parameters
2.1.8 Querying NE User Groups
2.1.9 Querying NE Security Parameters
2.2 Managing NE User Logins
2.2.1 Managing Online NE Users
2.2.2 Switching a Logged-In NE User
2.2.3 Setting the NE Login Message
2.3 Setting the Security Access Control of an NE
2.3.1 Ethernet Access Control
2.3.2 Serial Port Access Control
2.3.3 USB Access Control
2.4 Checking Device Logs
2.4.1 Browsing Device Logs
2.4.2 Forwarding the Device Logs to the Syslog Server
3 Security Configuration at the Network Layer
3.1 Network Security Management
3.1.1 Access Control List
3.1.2 Access Management
3.2 Protocols and Controls
3.2.1 SSL/TLS Protocol
3.2.2 SFTP Protocol
3.2.3 NTP Protocol
3.3 Network Access Authentication
3.3.1 Enabling a RADIUS Client or a RADIUS Proxy Server
3.3.2 Creating a RADIUS Server
3.3.3 Configuring RADIUS Server Parameters
3.4 Data Service Security
3.4.1 Flow Control
3.4.2 Loop Avoidance
3.4.3 Access Control of Layer 2 Services
3.4.4 Service Isolation
3.5 Layer 3 Protocols
3.5.1 IS-IS
3.5.2 RSVP
3.5.3 BGP
4 Security Maintenance
4.1 Suggestions on Port Maintenance
4.2 NE Account Maintenance
4.3 Log Audit
4.4 Security Patch Upgrade
4.5 Software Package Integrity Check
5 Security Hardening
5.1 Device Layer Security Hardening
5.1.1 Account Management Hardening
5.1.2 Security Log Hardening
5.1.3 USB Application Hardening
5.2 Network Layer Security Hardening
5.2.1 Configuring an ACL to Prevent Unauthorized Access
5.2.2 Using SSL to Prevent Unauthorized Access to Sensitive Data
5.2.3 Using SSH to Prevent Sensitive Data from Theft
5.2.4 Using SFTP to Load Software
5.2.5 Data Service Security Hardening
5.2.6 Defense Against Flood Attacks
6 Appendixes
6.1 References
6.2 Acronyms and Abbreviations
6.3 Maintenance Tools
6.3.1 EMS and NMS Tool
6.3.2 Software Upgrade Tool
6.3.3 Fault Collection Tool
6.3.4 Network Health Check Tool
6.3.5 Handheld Terminal
6.4 Other Maintenance Means
1 Introduction
1.1 Purposes for Security Configuration, Maintenance & Hardening
Application systems face ever-growing security threats. Once a threat materializes, the consequences include service interruption, loss of revenue, and even system breakdown. Operators therefore need to build and maintain a multi-layered security wall around the whole application system, so that potential security problems are found and resolved before they are exploited.

1.2 About Layered Security Configuration, Maintenance and Hardening
New security threats emerge constantly. Operators must therefore harden system security in response to the problems that surface during daily system maintenance, to keep application systems operating safely and normally.

At the Device Management Layer
Security maintenance at the device management layer aims to guarantee the normal operation of the hardware and software systems, of the devices themselves, and of the external services they provide.
Security maintenance at the device layer is conducted with the maintenance terminals and tools appropriate to each maintenance objective.

At the Network Layer
Security maintenance at the network layer aims to ensure the normal operation of the NE and the enforcement of the security strategy defined for this layer.
Security maintenance at the network layer is conducted with the maintenance terminals and tools appropriate to each maintenance objective.
About Security Hardening
Based on the security features of the device management and network layers and on the characteristics of the customer's network, configure the corresponding security functions for the device management and data platforms, and provide attack defense for the devices to eliminate potential threats.
2 Security Configuration at the Device Management Layer

2.1 NE User Management

2.1.1 Querying the NE User Information
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management from the Function Tree.
Step 2 Click Query to check the current NE user information in the NE User Management table.
----End
Table 1.1 Default user list for delivered devices
User name | Password | User Group
szhw | nesoft | Super administrator user group
root | password | Administrator user group
lct | password | Administrator user group
LCD | LCD | Administrator user group

These accounts and passwords are published in this manual, so anyone with network or serial access to an NE that still uses them can log in with administrator rights. Change every default password during commissioning, and keep only the accounts that are actually needed (see 5.1.1 Account Management Hardening).

Moreover, when the NE is in BIOS state, the user must enter the correct password for authentication before logging in to the NE; in this state the account name is not checked and can be any character string. This is similar to the BIOS of a personal computer. The default password in BIOS state is "nesoft", and it should be changed together with the account passwords above.

User passwords stored on the device are protected with MD5 and SHA-256 by default (the manual calls this encryption; the stored values are one-way digests). Users can set the mode to SHA-256, after which newly added or changed passwords are stored as SHA-256 digests only. MD5 is obsolete for password protection, so select SHA-256 and then change the existing passwords, because only passwords added or changed after the switch lose their MD5 digest.
2.1.2 Creating an NE User
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management.
Step 2 In the NE User Management Table pane, click Add; the Add NE User dialog box is displayed. After setting the user attributes, click OK in the dialog box to save the modifications.
----End
Table 1.1 Parameters for NE user attributes
Parameter | Value Range | Default Value | Description

NE User
  Value range: -  Default: -
  Description: The name of the registered NE user. NOTE: The name cannot contain any Chinese characters.

User Level
  Value range: Monitor Level, Operation Level, Maintenance Level, System Level, Debug Level
  Default: Monitor Level
  Description:
    Monitor Level: the lowest authority. Monitor level NE users may issue query commands and modify their own attributes.
    Operation Level: Operation level NE users may query device information and perform certain configuration operations.
    Maintenance Level: Maintenance level NE users may maintain the system and perform all maintenance operations.
    System Level: System level NE users may manage security and perform all query and configuration operations.
    Debug Level: Debug level NE users may perform all operations, including security management.

NE User Flag
  Value range: LCT NE User, EMS NE User, CMD NE User, General NE User
  Default: LCT NE User
  Description: The flag of the registered NE user. An LCT NE User can manage an NE on the LCT (U2000 Local Craft Terminal). An EMS NE User can manage an NE on the U2000. A CMD NE User can manage an NE on the CMD, the command-line management system. A General NE User does not differentiate between NMS types.

Description
  Value range: -  Default: -
  Description: Describes the NE user information that has been set.

New Password
  Value range: -  Default: -
  Description: The password for the new NE user.

Confirm Password
  Value range: -  Default: -
  Description: Enter the same value as New Password.

Immediate Password Change
  Value range: Yes, No  Default: Yes
  Description: Specifies whether the new NE user must change this password immediately at the first login.

Create each NE user at the lowest level that covers its duties, and restrict the user flag to the management system the person actually uses. The System and Debug levels include security management and should be reserved for administrators.
2.1.3 Deleting an NE User
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
The NE user to be deleted exists.
Procedure
Step 1 In the NE User Management Table, select the user to be deleted and click Delete.
Step 2 A dialog box is displayed asking whether to delete the NE user. After confirming that the user is to be deleted, click OK.
----End

2.1.4 Modifying NE User Attributes
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
The NE user has been created.
Common users with rights lower than Administrator User Group can modify only their own attributes.
Procedure
Step 1 In the NE User Management Table pane, select the NE user whose attributes are to be modified. Click Modify. The Modify NE User dialog box is displayed.
Step 2 After modifying the user attributes, click OK to save the modifications.
----End
Table 1.1 User attributes
Parameter | Value Range | Default Value | Description

NE User
  Value range: -  Default: -
  Description: The name of the registered NE user. NOTE: The name cannot contain any Chinese characters.

User Level
  Value range: Monitor Level, Operation Level, Maintenance Level, System Level, Debug Level
  Default: Monitor Level
  Description (from the lowest to the highest authority, as in 2.1.2):
    A Monitor Level NE user may use all query commands, log in, log out, and change its own password.
    An Operation Level NE user has all fault and performance authorities, some security authorities, and some configuration authorities.
    A Maintenance Level NE user has some security rights, some configuration rights, the communication setting rights, and the log management rights.
    A System Level NE user has all fault and performance authorities, all security authorities, and all configuration authorities.
    A Debug Level NE user has all security and configuration authorities and may additionally run debugging commands.

NE User Flag
  Value range: LCT NE User, EMS NE User, CMD NE User, General NE User
  Default: LCT NE User
  Description: The flag of the registered NE user. An LCT NE User can manage an NE on the LCT (U2000 Local Craft Terminal). An EMS NE User can manage an NE on the U2000. A CMD NE User can manage an NE on the CMD, the command-line management system. A General NE User does not differentiate between NE types.

Description
  Value range: -  Default: -
  Description: Describes the NE user information that has been set.

Login Allowed
  Value range: Yes, No  Default: Yes
  Description: Whether the NE user is enabled. A user set to No cannot log in.

Permanently Valid or not
  Value range: Yes, No  Default: -
  Description: Whether the registered NE user is permanently valid.

Valid From
  Value range: YYYYMMDDHHMMSS, the creation time  Default: the creation time
  Description: The creation time of the user; this default cannot be modified.

Valid Till
  Value range: YYYYMMDDHHMMSS, specified by the user  Default: -
  Description: The time until which the NE user account is valid. If Permanently Valid or not is Yes, the field cannot be modified. If it is No, the field can be set manually.
2.1.5 Changing an NE User Password
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
The NE user has been created.
Procedure
Step 1 In the NE User Management Table pane, select the NE user whose password is to be changed. Click Set Password. The Set Password of NE User dialog box is displayed.
Step 2 After modifying the user password, click OK to save the modifications.
----End

2.1.6 Changing the Password for an Online NE User
Prerequisites
You are an NMS user with Monitor User Group rights or higher.
The NE user is online.
Procedure
Step 1 In the NE Explorer, select the desired NE. Choose Security > NE Login Management from the Function Tree. Click Set Current User Password. A dialog box is displayed asking whether to change the current password.
Step 2 In the displayed Set Password for NE User dialog box, enter New Password and Confirm Password and click OK.
----End
2.1.7 Modifying User Additional Parameters
Prerequisites
You are an NMS user with Maintainer User Group rights or higher and belong to the Security Manager Group.
The NE user has been created.
The level of the NE user to be modified is lower than that of the user that is logged in.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management from the Function Tree.
Step 2 Click Query. Then select the desired user. Click View Additional User Info. The Additional User Info List dialog box is displayed.
Step 3 Modify the required user additional information. Click OK or Apply to save the modifications.
----End
Table 1.1 User additional parameters
Parameter | Description
NE | Displays the current NE name.
User | Displays the registered NE user name.
Records of All Logins | Specifies whether the registered NE user is allowed to log in at any time, regardless of the login window below.
Allowable Login Start Date | Specifies the date from which the registered NE user is allowed to log in to the NE.
Allowable Login Start Time | Specifies the time of day on the start date from which the registered NE user is allowed to log in.
Allowable Login End Date | Specifies the date after which the registered NE user is no longer allowed to log in to the NE.
Valid Till (time) | Specifies the time of day on the end date until which the registered NE user is allowed to log in.
Time to Lock User for No Activities (Day) | Specifies the number of days without a login after which the user is locked.
Maximum Password Validity (Day) | Specifies the password validity in days.
Password Change Time | Displays the last password change time.
Last Login Time | Displays the last login time.
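The parameters above are evaluated by the NE itself; the following is an added example, not code from the manual or the U2000, that models how they decide whether a login is admitted at a given moment. The class, field and function names, the constructed sample rows, and the choice to combine the start date with the start time and the end date with Valid Till (time) into one datetime each are all assumptions made for the illustration.

```python
"""
Added example, not code from the Huawei manual or the U2000 NMS: a small model
of how the user additional parameters above decide whether an NE user may log
in at a given moment. Class, field and function names are assumptions made for
this illustration; the NE applies these rules internally and exposes no such
API. Combining the start date with the start time, and the end date with the
"Valid Till (time)", into one datetime each is also an assumption.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

NOW = datetime(2014, 1, 10, 12, 0)  # constructed evaluation time


@dataclass
class AdditionalUserInfo:
    """One row of the Additional User Info List; names mirror the table."""
    user: str
    login_any_time: bool                 # Records of All Logins
    allowable_login_start: datetime      # Allowable Login Start Date + Start Time
    allowable_login_end: datetime        # Allowable Login End Date + Valid Till (time)
    lock_after_idle_days: int            # Time to Lock User for No Activities (Day); 0 = never
    max_password_validity_days: int      # Maximum Password Validity (Day); 0 = never expires
    password_change_time: datetime       # Password Change Time
    last_login_time: Optional[datetime]  # Last Login Time; None if the user never logged in


def check_login(info: AdditionalUserInfo, now: datetime) -> List[str]:
    """Return the reasons a login at `now` is refused; an empty list means allowed."""
    reasons: List[str] = []
    # Login window, skipped for users allowed to log in at any time.
    if not info.login_any_time:
        if now < info.allowable_login_start:
            reasons.append("before allowable login start")
        elif now > info.allowable_login_end:
            reasons.append("after allowable login end")
    # Inactivity lock, counted from the last successful login.
    if info.lock_after_idle_days and info.last_login_time is not None:
        idle = (now - info.last_login_time).days
        if idle > info.lock_after_idle_days:
            reasons.append(f"locked: {idle} idle days exceeds {info.lock_after_idle_days}")
    # Password age; 0 means the password never expires (the delivered default).
    if info.max_password_validity_days:
        age = (now - info.password_change_time).days
        if age > info.max_password_validity_days:
            reasons.append(f"password expired: {age} days old exceeds {info.max_password_validity_days}")
    return reasons


# Constructed sample rows; not taken from any real NE.
ACTIVE_USER = AdditionalUserInfo(
    "ops_day", False, datetime(2013, 12, 1, 9, 0), datetime(2014, 6, 30, 18, 0),
    30, 90, datetime(2013, 12, 20, 10, 0), datetime(2014, 1, 5, 8, 30))
STALE_USER = AdditionalUserInfo(
    "contractor", False, datetime(2013, 12, 1, 9, 0), datetime(2014, 6, 30, 18, 0),
    30, 90, datetime(2013, 10, 1, 10, 0), datetime(2013, 11, 15, 8, 30))
EXPIRED_WINDOW_USER = AdditionalUserInfo(
    "migration", False, datetime(2013, 11, 1, 0, 0), datetime(2013, 11, 30, 23, 59),
    0, 0, datetime(2013, 11, 1, 0, 0), None)
SAMPLE_ROWS = (ACTIVE_USER, STALE_USER, EXPIRED_WINDOW_USER)


def sample_verdicts(now: datetime = NOW) -> dict:
    """Map each sample user to its refusal reasons at `now`."""
    return {row.user: check_login(row, now) for row in SAMPLE_ROWS}


if __name__ == "__main__":
    for user, reasons in sample_verdicts().items():
        print(f"{user:12s} {'; '.join(reasons) or 'allowed'}")
```

The "contractor" row shows why both the inactivity lock and the password validity matter: an account nobody has used for 56 days with a 101-day-old password is refused on two independent grounds, so a stolen password for a dormant contractor account cannot be used quietly. The "migration" row shows a time-boxed account that expires on its own when the maintenance window closes.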
2.1.8 Querying NE User Groups
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE User Group Management from the Function Tree.
Step 2 Click Query to query the NE users included in the various NE user groups of the NE.
----End

2.1.9 Querying NE Security Parameters
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Security Parameters from the Function Tree.
Step 2 Click Query to query the settings of the NE security parameters.
----End
Table 1.1 NE security parameters
Parameter | Value Range | Description

NE
  Value range: Example: NE1
  Description: Displays the current NE name.

Warning Screen Switch
  Value range: Enabled, Disabled
  Description: Specifies whether to enable the Warning Screen.

Warning Screen Information
  Value range: Any characters, numerals, or a combination of characters and numerals; the maximum length is 1500 characters.
  Description: The information can be entered only after Warning Screen Switch is set to Enabled.

Allowable Used Times for Outdated Password
  Value range: Example: 3
  Description: The number of logins still permitted with an outdated password. This parameter cannot be modified; its fixed value is 3.

Maximum Password Validity (Day)
  Value range: Example: 90
  Description: The longest period for which a password may be used. The settable range is 25 to 999. The default value is 0, which means the password never expires; because this is the delivered default, passwords do not expire until a finite value is set here during hardening.

Minimum Password Validity (Day)
  Value range: Example: 1
  Description: The shortest period for which a password must be kept before it can be changed again. This parameter cannot be modified; its fixed value is 1.

Password Uniqueness
  Value range: Example: 5
  Description: If the value is n, a new password must differ from the passwords used in the latest n changes; "0" would mean that uniqueness is not required. This parameter cannot be modified; its fixed value is 5.

Lock Testing Time (Minute)
  Value range: Example: 180
  Description: The period over which illegal access attempts are counted toward the lockout threshold. This parameter cannot be modified; its fixed value is 180.

Allowable Illegal Access Times
  Value range: Example: 5
  Description: The number of illegal access attempts allowed before the NE user is locked out. This parameter cannot be modified; its fixed value is 5.

Lockout Time (Second)
  Value range: Example: 900
  Description: The total time for which the NE user remains locked out after the allowable illegal access times are exhausted.

Encryption Type for Password Storage
  Value range: MD5 and SHA-256
  Description: The digest type used for the users' passwords that are stored on the device (see the note under 2.1.1).
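The lockout and password-history parameters in the table interact: failures are only counted inside the lock testing window, the lockout starts when the allowable illegal access times are reached, and a password change is checked against both the minimum validity and the uniqueness history. The following is an added example, not code from the manual or the U2000, that models those rules with the fixed values and examples above; the class, method and constant names, the unsalted SHA-256 history (the manual names only the algorithm), and the constructed traces are assumptions made for the illustration.

```python
"""
Added example, not code from the Huawei manual or the U2000 NMS: a reference
model of the NE security parameters above (illegal-access lockout, password
uniqueness and minimum password validity). Class, method and constant names
are assumptions made for this illustration; the NE enforces these rules
internally and exposes no such API.
"""
import hashlib
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, List, Optional

T0 = datetime(2013, 12, 26, 10, 0)  # constructed reference time for the traces


@dataclass
class NESecurityParameters:
    """Values follow the fixed values and examples in the table above."""
    allowable_illegal_access_times: int = 5  # fixed
    lock_testing_time_min: int = 180         # fixed
    lockout_time_s: int = 900                # example
    password_uniqueness: int = 5             # fixed
    min_password_validity_days: int = 1      # fixed


@dataclass
class NEAccount:
    params: NESecurityParameters
    password_change_time: datetime
    history: Deque[str] = field(default_factory=deque)  # SHA-256 digests, newest last (assumed unsalted)
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None

    def login(self, password_correct: bool, now: datetime) -> str:
        """Apply the lockout rules to one login attempt."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if password_correct:
            self.failures = []
            return "ok"
        # Only failures inside the lock testing window count toward the limit.
        window = timedelta(minutes=self.params.lock_testing_time_min)
        self.failures = [t for t in self.failures if now - t <= window] + [now]
        limit = self.params.allowable_illegal_access_times
        if len(self.failures) >= limit:
            self.locked_until = now + timedelta(seconds=self.params.lockout_time_s)
            self.failures = []
            return "locked"
        return f"failure {len(self.failures)}/{limit}"

    def change_password(self, new_password: str, now: datetime) -> str:
        """Enforce minimum validity and uniqueness before accepting a new password."""
        if now - self.password_change_time < timedelta(days=self.params.min_password_validity_days):
            return "rejected: minimum password validity not reached"
        digest = hashlib.sha256(new_password.encode("utf-8")).hexdigest()
        if digest in self.history:
            return "rejected: password reused"
        self.history.append(digest)
        while len(self.history) > self.params.password_uniqueness:
            self.history.popleft()
        self.password_change_time = now
        return "ok"


def new_account(initial_password: str, changed_at: datetime) -> NEAccount:
    acct = NEAccount(NESecurityParameters(), changed_at)
    acct.history.append(hashlib.sha256(initial_password.encode("utf-8")).hexdigest())
    return acct


def failure_trace(attempts: int, spacing_min: int, start: datetime = T0) -> List[str]:
    # Outcome of `attempts` wrong passwords, `spacing_min` minutes apart, on a fresh account.
    acct = new_account("nesoft", start - timedelta(days=30))
    return [acct.login(False, start + timedelta(minutes=i * spacing_min)) for i in range(attempts)]


def lockout_recovery_trace(start: datetime = T0) -> List[str]:
    # Five wrong passwords, then the right one during and after the 900 s lockout.
    acct = new_account("nesoft", start - timedelta(days=30))
    out = [acct.login(False, start + timedelta(minutes=i)) for i in range(5)]
    out.append(acct.login(True, start + timedelta(minutes=10)))  # still locked
    out.append(acct.login(True, start + timedelta(minutes=20)))  # lockout elapsed
    return out


def password_change_trace(start: datetime = T0) -> List[str]:
    # Reuse of the old password, a fresh password, then a second change within one day.
    acct = new_account("nesoft", start - timedelta(days=25))
    return [acct.change_password("nesoft", start),
            acct.change_password("Rtn900-Dec26!", start),
            acct.change_password("Another-one", start + timedelta(hours=2))]


if __name__ == "__main__":
    print("burst :", failure_trace(6, 1))
    print("slow  :", failure_trace(6, 240))
    print("recov :", lockout_recovery_trace())
    print("change:", password_change_trace())
```

The "slow" trace is the practitioner's caveat: wrong passwords spaced more than 180 minutes apart never accumulate, so the fixed lockout parameters stop a burst but not a patient guessing campaign. That is why the log audit in chapter 4 and forwarding of device logs to a syslog server (2.4.2) remain necessary alongside these parameters.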
2.2 Managing NE User Logins

2.2.1 Managing Online NE Users
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 To ensure the security of NE operations, NMS maintainers or administrators can use the U2000 server to view all online NE users within their management rights, and the way in which each user logged in to the NE.
Step 2 When you want to log in to an NE as a user with a higher level of rights, you can force a lower-level NE user to log out of the NE. This prevents an NE from being configured by several NE users at the same time and ends the sessions of NE users who should not be logged in.
Step 3 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > Online User Management. A List of Online Users is displayed.
Step 4 Click Query to query the latest information about NE logins. Select the NE entry and click Forced Logout to force the selected NE user to log out of the NE.
----End
2.2.2 Switching a Logged-In NE User
During a new deployment, after the NE user root creates an NE, this user can create another NE user. By switching the logged-in NE user, you can log in to the NE with the new user.
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
The NE user has been created.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Login Management. An NE Login Management Table is displayed.
Step 2 Click Query to query the current NE user.
Step 3 In the NE Login Management Table, select the NE and click Switch NE User. In the Switch Current NE User dialog box, enter values in User and Password.
Step 4 Click OK.
----End
2.2.3 Setting the NE Login Message
You can customize the message that pops up when a user logs in to an NE. For example, the message can state the user rights required to operate the NE, warning unauthorized users not to log in.
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 Select the desired NE in the NE Explorer. Choose Security > NE Security Parameters from the Function Tree. The NE Security Parameter List is displayed.
Step 2 Click Query to query the settings of the NE security parameters.
Step 3 Select an NE, double-click Warning Screen Switching and choose Enabled or Disabled.
Step 4 Double-click Warning Screen Information and enter the message.
Step 5 Click Apply. A message is displayed indicating that the operation is successful. Click Close.
You can enter a message in the Warning Screen Information field only when Warning Screen Switching is set to Enabled.
----End
2.3 Setting the Security Access Control of an NE
To reduce the attack surface of an NE, disable the management interfaces that are not in use.
2.3.1 Ethernet Access Control
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the Function Tree.
Step 2 In the Ethernet Access Control area, select or deselect Enable Ethernet Access and click Apply.
If Enable Ethernet Access is selected, the external network port of the NE can be used for Ethernet communication.
If Enable Ethernet Access is deselected, the external network port of the NE cannot be used for Ethernet communication.
If the NMS currently reaches the NE through the external network port and Enable Ethernet Access is deselected, the NE may become unreachable from the NMS. Confirm that management traffic to the NE takes another path before disabling the port.
----End
2.3.2 Serial Port Access Control
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the Function Tree.
Step 2 In the Serial Port Access Control area, set the serial port access parameters and click Apply.
Set the parameters as follows:
Enable Serial Port Access: allows the equipment to be managed through the serial port. If Enable Serial Port Access is selected, management through the serial port is allowed.
Access Command Line: allows the equipment to be managed in command-line mode over the serial port.
Access NM: allows the equipment to be managed by the NMS over the serial port.
Baud Rate: the rate of the serial port access.
Serial-port access does not pass through the IP-layer controls described in chapter 3 (for example, the ACL), so leave it disabled on NEs that are not maintained on site.
----End
2.3.3 USB Access Control
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE, choose Communication > Access Control from the Function Tree, and click the USB Access Control tab in the right pane.
Step 2 On the USB Access Control tab, set Enabled/Disabled and click Apply.
----End
2.4 Checking Device Logs
2.4.1 Browsing Device Logs
By browsing the security and operation logs periodically, you can check and track the security-relevant operations performed on the devices.
Security Logs
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Context
Security logs are saved in the U2000 database, where you can check the information about security operations.
When the security logs are forwarded to a syslog server, they are not saved in the U2000 database, so they can be checked only on the syslog server.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE Security Log from the Function Tree.
Step 2 Query logs using one of the following methods:
Query logs using the U2000: Click Query and set filter criteria to obtain the required logs.
Query logs from the NE: Choose Query from the NE and click Query. Querying from the NE takes a relatively long time. After the query results are returned, click Query and set filter criteria to obtain the required logs.
Step 3 Click Save as to save the NE security logs.
----End
Operation Logs
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE Operation Log from the Function Tree.
Step 2 Click Save as to save the NE operation logs to files.
----End
2.4.2 Forwarding the Device Logs to the Syslog Server
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE Log Forwarding from the Function Tree.
Step 2 Configure the syslog server. Click the Syslog Server tab. The list of syslog servers is displayed. Click New.
The Add Syslog Server dialog box is displayed. Set IP Address, Send Mode, and Port according to the network settings.
Step 3 Configure the syslog GNE. Click the Syslog GNE tab. The list of syslog GNEs is displayed. Click New.
In the displayed Object Select dialog box, select a suitable NE as the syslog GNE.
Once forwarding is enabled, the NE security logs are no longer saved in the U2000 database (see 2.4.1), so the syslog server holds the only copy: make sure it is reachable from the syslog GNE and that it retains the logs.
----End
3 Security Configuration at the Network Layer
3.1 Network Security Management
3.1.1 Access Control List
An access control list (ACL) provides basic traffic filtering. ACLs can be configured on all NEs to filter the IP packets that pass through the NEs. The devices support basic and advanced ACL rules.
Setting Basic ACL Rules
For ordinary NEs that do not have high security requirements, you can set basic ACL rules. Basic ACL rules examine only the source IP addresses of packets and use few system resources.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
Step 2 Click the Basic ACL tab. The basic ACL rule list is displayed.
Step 3 Click Query to query the basic ACL rules from the NE.
Step 4 Click New.
An undefined basic ACL rule is added to the basic ACL rule list. Set the parameters according to the network requirements.
Step 5 Click Apply to apply the new configuration data to the NE.
A dialog box is displayed, indicating that the operation is successful.
Step 6 Repeat the preceding steps to set more basic ACL rules for this NE.
----End
Setting Advanced ACL Rules
For NEs that have very high security requirements, set advanced ACL rules. Advanced ACL rules examine the source and sink (destination) IP addresses, the source and sink ports, and the protocol type of IP packets. Advanced ACL rules consume more system resources than basic rules. Advanced ACL rules have higher priority than basic ACL rules, so they are evaluated first.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
Step 2 Click the Advanced ACL tab. The advanced ACL rule list is displayed.
Step 3 Click Query to query the advanced ACL rules from the NE.
Step 4 Click New.
An undefined advanced ACL rule is added to the advanced ACL rule list. Set the parameters according to the network requirements.
Step 5 Click Apply to apply the new configuration data to the NE. A message appears indicating that the operation is successful.
Step 6 Repeat the preceding steps to set more advanced ACL rules for this NE.
The parameters of ACL rules are listed in the following table.
----End
Table 1.1 ACL rule parameters
Operation Type (value range: Enable, Disable). Specifies the action of the ACL rule. Disable: a received packet that does not comply with the ACL rule is discarded. Enable: a received packet that does not comply with the ACL rule is still allowed through.
Source IP Address (an IPv4 address). The Source IP Address and Source Wildcard parameters together determine the source addresses that comply with the rule.
Source Wildcard (0 to 0xFFFFFFFF). Wildcard applied to the source address: a 0 bit must match the corresponding address bit exactly; a 1 bit is not compared. 0x00000000 therefore matches a single host and 0xFFFFFFFF matches any address.
Sink IP Address (an IPv4 address; advanced rules only). The Sink (destination) IP Address and Sink Wildcard parameters together determine the destination addresses that comply with the rule.
Sink Wildcard (0 to 0xFFFFFFFF). Wildcard applied to the sink address, with the same bit semantics as Source Wildcard.
Protocol Type (TCP, UDP, ICMP, IP). To filter on TCP or UDP ports, set TCP or UDP. To filter on the ICMP type and code, set ICMP. If the protocol is irrelevant to the rule, set IP.
Source Port (0 to 65535, or 0xFFFFFFFF). 0xFFFFFFFF means the port is not compared. Valid only when Protocol Type is TCP or UDP.
Sink Port (0 to 65535, or 0xFFFFFFFF). Same as Source Port, applied to the destination port.
ICMP Protocol Type (an ICMP type value, or 255). Valid only when Protocol Type is ICMP. 255 means the type is not compared; if ICMP Protocol Type is 255, ICMP Code Type must also be 255.
ICMP Code Type (an ICMP code value, or 255). Valid only when Protocol Type is ICMP. 255 means the code is not compared; if ICMP Protocol Type is 255, the code must also be 255.
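The following added example (not Huawei code and not the RTN 900 implementation) models the parameters of Table 1.1 so the wildcard and "not concerned" conventions can be checked against concrete packets. It generalizes the table by evaluating a whole rule set, advanced rules first. Labelled assumptions: Operation Type "Enable" permits a packet that matches the rule and "Disable" discards it (the table's wording is ambiguous on this point), and a packet matching no rule receives the explicit default passed to evaluate(). All addresses and rules are constructed for the demonstration.

```python
"""Model of the basic/advanced ACL rule parameters from Table 1.1.

Added example, not Huawei code. Assumptions: Operation Type "Enable" permits a
matching packet and "Disable" discards it; advanced rules are checked before
basic rules (the manual gives them higher priority); an unmatched packet gets
the explicit default. Addresses and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PORT = 0xFFFFFFFF      # table: port value meaning "not concerned"
ANY_ICMP = 255             # table: ICMP type/code meaning "not concerned"
ANY_WILDCARD = 0xFFFFFFFF  # every bit unconcerned: matches any address


def addr_matches(addr: str, rule_addr: str, wildcard: int) -> bool:
    """Wildcard semantics from the table: 0 bits must match, 1 bits are ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "TCP", "UDP", "ICMP" or another IP protocol name
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class BasicRule:
    operation: str         # "Enable" or "Disable"
    src: str
    src_wildcard: int

    def matches(self, pkt: Packet) -> bool:
        return addr_matches(pkt.src, self.src, self.src_wildcard)


@dataclass(frozen=True)
class AdvancedRule:
    operation: str
    src: str
    src_wildcard: int
    sink: str              # the manual's name for the destination address
    sink_wildcard: int
    protocol: str = "IP"   # "IP" means the protocol is not compared
    src_port: int = ANY_PORT
    sink_port: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP

    def __post_init__(self):
        for port in (self.src_port, self.sink_port):
            if port != ANY_PORT and not 0 <= port <= 65535:
                raise ValueError(f"port {port} outside 0-65535 / 0xFFFFFFFF")
        # Table rule: if either ICMP field is 255 ("not concerned"), both must be.
        if (self.icmp_type == ANY_ICMP) != (self.icmp_code == ANY_ICMP):
            raise ValueError("ICMP type and code must both be 255 or both be set")

    def matches(self, pkt: Packet) -> bool:
        if not addr_matches(pkt.src, self.src, self.src_wildcard):
            return False
        if not addr_matches(pkt.dst, self.sink, self.sink_wildcard):
            return False
        if self.protocol != "IP" and self.protocol != pkt.protocol:
            return False
        if self.protocol in ("TCP", "UDP"):   # ports are only meaningful here
            if self.src_port != ANY_PORT and self.src_port != pkt.src_port:
                return False
            if self.sink_port != ANY_PORT and self.sink_port != pkt.dst_port:
                return False
        if self.protocol == "ICMP" and self.icmp_type != ANY_ICMP:
            if (self.icmp_type, self.icmp_code) != (pkt.icmp_type, pkt.icmp_code):
                return False
        return True


def evaluate(pkt: Packet, advanced, basic, default: str = "Enable") -> str:
    """Return the Operation Type of the first matching rule, advanced rules first."""
    for rule in list(advanced) + list(basic):
        if rule.matches(pkt):
            return rule.operation
    return default


# Constructed rule set: NE 10.10.20.7 managed from NMS host 10.10.1.5.
ADVANCED_RULES = [
    # SNMP (UDP/161) from the NMS host only.
    AdvancedRule("Enable", "10.10.1.5", 0, "10.10.20.7", 0, "UDP", ANY_PORT, 161),
    # SSH from one maintenance host inside the otherwise-blocked 192.168.0.0/16.
    AdvancedRule("Enable", "192.168.1.1", 0, "10.10.20.7", 0, "TCP", ANY_PORT, 22),
    # Discard ICMP echo requests (type 8, code 0) from any source.
    AdvancedRule("Disable", "0.0.0.0", ANY_WILDCARD, "10.10.20.7", 0, "ICMP",
                 icmp_type=8, icmp_code=0),
]
BASIC_RULES = [
    # Source-only filter: discard everything from 192.168.0.0/16 (wildcard 0.0.255.255).
    BasicRule("Disable", "192.168.0.0", 0x0000FFFF),
]

if __name__ == "__main__":
    for pkt in (Packet("10.10.1.5", "10.10.20.7", "UDP", 40000, 161),
                Packet("192.168.1.1", "10.10.20.7", "TCP", 50000, 22),
                Packet("192.168.1.2", "10.10.20.7", "TCP", 50000, 22),
                Packet("172.16.3.9", "10.10.20.7", "ICMP", icmp_type=8)):
        print(pkt.protocol, pkt.src, "->", evaluate(pkt, ADVANCED_RULES, BASIC_RULES))
```

The wildcard is an inverse mask: 0x0000FFFF covers a /16, not 0xFFFF0000, which is the mistake most often made when the table is read as a subnet mask. The SSH rule from 192.168.1.1 demonstrates why the manual states the priority: the advanced rule permits the host even though the basic rule discards its whole range.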
3.1.2 Access Management
NMS Access
The NMS connects to the devices through the Ethernet NM interfaces and the OAM serial ports in order to remotely log in to, manage, and maintain them. The NMS communicates with the devices over TCP/IP. The NMS and the gateway devices can be connected through the DCN or a network cable; users select the connection method as required. For non-GNEs, users can disable device access through the Ethernet NM interfaces and the OAM serial ports. For the operation method, see 2.3.1 Ethernet Access Control and 2.3.2 Serial Port Access Control.
Configuring LCT Access to NEs
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select the NE from the Object Tree and choose Security > LCT Access Control from the Function Tree.
Step 2 Click Access Allowed to enable LCT access. To disable LCT access, click Disable Access.
Step 3 Click Query to query the status of LCT access.
----End
SNMP Access
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Communication > SNMP Communication Parameters.
Step 2 Click Create. The Create SNMP Communication Parameters dialog box is displayed. Set the parameters, such as NMS IP Address, Read/Write Permissions, Port, Read/Write Community Name, and Trap Version.
Step 3 After the parameter configuration is complete, click OK.
----End
SNMP v1, v2 and v3 are supported. The NE ships with factory-default SNMP v3 user names and a default password; change these defaults before SNMP v3 access is put into service. SNMP v1 and v2c carry the community name in clear text in every packet, so for those versions the community name and the NMS IP Address restriction are the only protection for read and write access to the NE.
Read Community Name and Write Community Name must meet the following complexity requirements:
1. The name must be a character string of at least six bytes. The valid length is 6 to 16 bytes.
2. The name must combine at least two of the following character types:
Lowercase letters
Uppercase letters
Digits
Special characters, including the space and the ASCII punctuation characters
If such complex community names are not required, you can choose Communication > SNMP Communication Parameters and disable the community name complexity verification function. Disabling the check removes the only safeguard against trivially guessable community names, so keep it enabled unless an NMS cannot accept a compliant name.
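The following added example (not Huawei code) implements the complexity rule stated above as an offline check, so a planned set of SNMP communication parameters can be audited before it is entered in the dialog box. Labelled assumptions: the 6 to 16 byte limit is applied to the UTF-8 encoding of the name; "special characters" means the space and the printable ASCII punctuation characters; the sample rows are constructed; and the checks for well-known default names and for identical read and write communities go beyond the manual's rule.

```python
"""Checker for the SNMP community-name complexity rule quoted above.

Added example, not Huawei code. Assumptions: length is the UTF-8 byte length;
"special" means space plus printable ASCII punctuation; the well-known-default
and read/write-distinct checks are additions, not part of the manual's rule.
"""
import string

MIN_BYTES, MAX_BYTES = 6, 16
SPECIAL = set(" " + string.punctuation)
WELL_KNOWN_DEFAULTS = {"public", "private"}   # universally known community names


def character_classes(name: str) -> set:
    """Return the set of character classes present in name."""
    classes = set()
    for ch in name:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
        else:
            classes.add("other")   # outside every permitted class (e.g. non-ASCII)
    return classes


def community_name_problems(name: str) -> list:
    """List every way name fails the rule; an empty list means it passes."""
    problems = []
    n = len(name.encode("utf-8"))
    if not MIN_BYTES <= n <= MAX_BYTES:
        problems.append(f"length {n} bytes is outside {MIN_BYTES}-{MAX_BYTES}")
    classes = character_classes(name)
    if "other" in classes:
        problems.append("contains characters outside the permitted classes")
    if len(classes - {"other"}) < 2:
        problems.append("uses fewer than two character classes")
    if name.lower() in WELL_KNOWN_DEFAULTS:
        problems.append("is a well-known default community name")
    return problems


def audit_snmp_parameters(rows) -> dict:
    """rows: dicts shaped like the Create SNMP Communication Parameters dialog.
    Returns {nms_ip: [problem, ...]} for every row that needs attention."""
    findings = {}
    for row in rows:
        issues = [f"read community {p}" for p in community_name_problems(row["read_community"])]
        issues += [f"write community {p}" for p in community_name_problems(row["write_community"])]
        if row["read_community"] == row["write_community"]:
            issues.append("read and write communities are identical")
        if issues:
            findings[row["nms_ip"]] = issues
    return findings


# Constructed rows, not taken from any real NE.
SAMPLE_ROWS = [
    {"nms_ip": "10.10.1.5", "read_community": "Rtn9!Read", "write_community": "Rtn9!Wr1te"},
    {"nms_ip": "10.10.1.6", "read_community": "public", "write_community": "private"},
    {"nms_ip": "10.10.1.7", "read_community": "Sam3Name", "write_community": "Sam3Name"},
]

if __name__ == "__main__":
    for nms_ip, issues in audit_snmp_parameters(SAMPLE_ROWS).items():
        print(nms_ip, "->", "; ".join(issues))
```

Note that "public" satisfies the length rule and fails only the two-class rule, which is why the complexity check matters: a length-only check would accept the most widely tried community name there is.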
SSH Access
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Set the NE communication service type.
1. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.
2. Click the Communication Service Management tab.
3. Select the target NE from the NE list and add it with the corresponding button. In the dialog box that is displayed, click Query. The query result is displayed in the right pane.
4. Set Control Switch to Enabled for both service types (FTP client and SFTP client).
Enable the FTP client only if an FTP server is actually used: FTP carries credentials and file contents in clear text, whereas SFTP (see 3.2.2) does not.
5. Click Apply.
Query the SSH server.
1. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.
2. Click the SSH Server tab.
3. Select the target NE from the NE list and add it with the corresponding button. In the dialog box that is displayed, click Query. The query result is displayed in the right pane.
Set the key for the SSH server.
1. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.
2. Click the NE Key Management tab.
3. Select the target NE from the NE list and add it with the corresponding button. In the dialog box that is displayed, click Query. The query result is displayed in the right pane.
4. Click New Key Pair.
5. In the New Key Pair dialog box, set Key Type to SFRSA (NE As the Server) and Overwrite Mode to Yes.
6. Click OK. In the Result dialog box, click Close.
7. Click Export Public Keys.
8. In the displayed dialog box, select SFRSA and set File Name. Click OK.
9. In the Result dialog box, click Close.
Import the public key information to the NE.
1. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.
2. Click the Client Key Management tab.
3. Select the target NE from the NE list and add it with the corresponding button. In the dialog box that is displayed, click Query. The query result is displayed in the right pane.
4. Click Create.
5. In the displayed Add Client Key dialog box, set Key Name, Key Remarks, and Key Information.
You can copy the public key information from the file exported in step 8 of the preceding procedure into the text box, or click Import to import the public key information into the NMS.
6. Click OK. In the Result dialog box, click Close.
The public key information is uploaded to the specified directory.
Associate an SSH user with the SSH client key.
1. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.
2. Click the SSH User Management tab.
3. Select the target NE from the NE list and add it with the corresponding button. In the dialog box that is displayed, click Query. The query result is displayed in the right pane.
4. Set the authentication mode and the client public key name.
5. Click Apply. In the Result dialog box, click Close.
3.2 Protocols and Controls
3.2.1 SSL/TLS Protocol
The SSL/TLS protocol encrypts the data exchanged between the NMS and the NE so that it cannot be read or altered in transit. The RTN 900 implementation is based on RFC 2246 (TLS 1.0) and supports the algorithms specified for SSL 3.0 and TLS 1.0, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5. Users can connect to an NE in SSL mode.
SSL 3.0, TLS 1.0 and the DES, RC4 and MD5 algorithms are deprecated. Where the NMS permits it, prefer AES-based cipher suites, and do not rely on the SSL connection mode alone: also restrict which hosts can reach the NE (see 3.1.1).
Modifying Connection Modes Between the NMS and GNE
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
The IP GNE has been created.
Procedure
Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Communication > Communication Parameters from the Function Tree. Set Connection Mode to Security SSL or Common + Security SSL.
Step 2 Choose Administration > DCN Management from the Main Menu. Click the GNE tab. Right-click the GNE to be modified and choose Modify GNE from the shortcut menu.
Step 3 In the displayed Modify GNE dialog box, set Connection Mode to Security SSL.
----End
Modifying Connection Modes Supported by Common NEs
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Communication > Communication Parameters from the Function Tree.
Step 2 Set Connection Mode to Security SSL or Common + Security.
A common NE communicates with the NMS through its GNE, so its connection mode must be compatible with the mode the GNE uses. For example, if an NE's GNE uses Security SSL mode to communicate with the NMS, the NE's connection mode should be set to Security SSL or Common + Security.
Devices are delivered with default SSL certificates whose private keys are not encrypted. Because the same defaults are delivered with every device, they do not identify your NEs. It is recommended that users replace the default SSL certificates with their own certificates and public-private key pairs.
----End
Downloading SSL Certificates to an NE by NMS
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
The SSL certificates have been imported to the U2000.
Procedure
Step 1 Log in to the U2000 client.
Step 2 Choose Administration > NE Software Management > Board Software Upgrade.
By default, the DC accounts of NEs are blank, so after you enter Board Software Upgrade the navigator tree cannot automatically filter the NE list of the subnet. First configure the DC account of the NE in DC Login User Management (choose Administration > NE Security Management > NE Login Management), then enter Board Software Upgrade again; the navigator tree will then filter the specific NEs.
Step 3 Right-click the desired NE in the navigation tree and choose Login NE from the shortcut menu.
You can also choose Set Login Account from the shortcut menu and set Login User and Password in the dialog box that is displayed.
Step 4 Right-click the NE and choose Query Board from the shortcut menu. The board information of the NE is displayed.
It may take some time for the board information to be displayed; this is normal.
Step 5 Click the expand button to expand the board list.
Step 6 Select the check box before the desired main control board and click the add button to add the board to the operation list.
Step 7 In the Upgrade Version field, click the browse button. The Board software setting window is displayed.
Step 8 Set the software load type to Certificate and click Add Software. The Choose File window is displayed.
You can click Add Software repeatedly to add multiple files at the same time.
Step 9 In the Choose File dialog box, select the CA.CRT, CERTNE.CRT, and CERTNE.KEY certificate files.
If the file path contains non-alphanumeric characters, you may fail to access the file.
Enter the correct IP address of the SFTP/FTP server, user name, password, and port, then click the connect button. After the connection succeeds, you can access the files on the server. To use FTP, enter port 21; to use SFTP, enter port 22.
CERTNE.KEY is the private key of the NE. Use SFTP (port 22) for this transfer: over FTP the key, the user name and the password all cross the DCN in clear text.
Step 10 In the Board software setting dialog box, click OK. The upgrade software selection is complete.
Step 11 Select a board in the Operation List and click Start.
Step 12 When the loading is complete, click Activate. The Warning dialog box is displayed. Confirm whether to activate the software.
Step 13 Click Yes to start activating the software.
Step 14 After the activation, the Operation Result dialog box is displayed indicating that the activation succeeded. Click Close.
----End
3.2.2 SFTP Protocol
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 Choose Administration > NE Security > Service Management > NE Communication Services Management from the Main Menu.
Figure 1.1 Configuring the SFTP control switch
Step 2 Double-click the Control Switch of SFTP client and choose Enabled.
Step 3 In NE SFTP Key Management, click New Key Pair and enter values in Passphrase, Key length, Key Type, and Overwrite Mode. Click OK.
Step 4 In the displayed dialog box, click Close. In the dialog box displayed next, click Yes.
Step 5 The newly created public key information is uploaded from the NE to the NMS. In addition, the Key Creation Time and Public Key Fingerprint values are displayed, and Public Key Uploaded is Yes.
Step 6 Click Export Public Keys. In the displayed Export Public Keys dialog box, set Start Row, End Row, and File Name, and click OK.
Step 7 Copy the public key file to the SFTP server.
Before authorizing the key on the server, compare the fingerprint of the copied file with the Public Key Fingerprint shown in Step 5; only the public key leaves the NE, the private key stays on it.
Step 8 After deploying the public key file for the GNE, you can back up and upload NE software by means of SFTP.
----End
3.2.3 NTP Protocol
Prerequisites
You are an NMS user with Maintainer User Group rights or higher.
Procedure
Step 1 In the NE Explorer, choose Configuration > NE Time Synchronization from the Function Tree.
Step 2 Enable NE Time Synchronization, configure the NTP server address, and click Apply.
Synchronized NE clocks are what make the security and operation logs (2.4) and the forwarded syslog records comparable across NEs; configure the same trusted NTP source on all NEs.
----End
3.3 Network Access Authentication
The OptiX RTN 900 supports local authentication and RADIUS authentication. In local authentication mode, user accounts and passwords are stored on the local equipment, and the local equipment performs the authentication. In RADIUS authentication mode, user accounts and passwords are stored on a RADIUS server, and the RADIUS server performs the authentication. Because the accounts and passwords are kept centrally on the RADIUS server, they are easier to manage consistently than accounts maintained on each NE.
Remote Authentication Dial In User Service (RADIUS) is a client/server protocol that provides centralized management of authentication and configuration information between network access equipment and a RADIUS server. The NE, acting as the RADIUS client, and the server share a secret that hides the transmitted passwords and authenticates the server's replies; the shared secret should be unique per NE and protected like a password.
This chapter describes how to configure RADIUS authentication.
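The following added example (not Huawei code and not the RTN 900's implementation) builds both sides of the RADIUS exchange described above, as specified in RFC 2865: the Access-Request the NE sends as RADIUS client, with the User-Password hidden under the shared secret, and the server's Access-Accept or Access-Reject, whose Response Authenticator the client must verify before trusting it. The shared secret, user names, passwords, and the NAS address are constructed for the example.

```python
"""Both halves of a RADIUS Access-Request exchange (RFC 2865).

Added example, not Huawei code. It shows what the shared secret protects:
User-Password is XORed with MD5(secret || previous block) keystream blocks,
and the reply is authenticated with an MD5 over the reply plus the secret.
Secret, user table, NAS address and credentials are constructed.
"""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier,  authenticator, secret, username, password, nas_ip):
    """What the NE, acting as RADIUS client (NAS), sends to the server."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """What the RADIUS server answers: Access-Accept or Access-Reject."""
    identifier, request_auth = request[1], request[4:20]
    attrs = parse_attributes(request)
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = username in users and hmac.compare_digest(users[username].encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, identifier, b"", request_auth, secret)
    return HEADER.pack(code, identifier, 20) + auth


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client check before trusting a reply: identifier, length and authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"rtn-shared-secret"   # constructed
    request = build_access_request(7, os.urandom(16), secret, "neadmin", "Rtn9!Passw0rd", "10.10.20.7")
    reply = server_handle(request, secret, {"neadmin": "Rtn9!Passw0rd"})
    print("accept" if reply[0] == ACCESS_ACCEPT else "reject", verify_response(reply, request, secret))
```

Two properties of the protocol follow directly from the code: anyone holding the shared secret and a captured request can recover the password (reveal_password needs nothing else), and a reply whose Response Authenticator does not verify must be ignored rather than treated as a reject, because an attacker who cannot forge it could otherwise still deny service with unsigned Access-Reject packets. Both are reasons to keep the secret per-NE and the path between the NE and the RADIUS server confined to the DCN.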
3.3.1 Enabling a RADIUS Client or a RADIUS Proxy Server
After the RADIUS function of an NE is enabled, the NE can function as a RADIUS client or as a RADIUS proxy server. If the RADIUS client or proxy server function is not enabled on an NE that is meant to serve as a RADIUS client or proxy server, the related RADIUS functions of that NE fail.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Communication between the NE and the NMS is normal.
Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Function Configuration from the Function Tree.
Step 2 Click Query to query the RADIUS function configuration from the NE.
Step 3 Set RADIUS Client and Proxy Server to Open.
Figure 1.1 Configuring the RADIUS switch
Step 4 Click Apply to deliver the configuration data to the NE.
----End
3.3.2 Creating a RADIUS Server
Before enabling RADIUS authentication, you need to create the RADIUS server on the NE.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
The RADIUS client function of the NE is enabled.
Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Configuration from the Function Tree.
Step 2 Click the RADIUS Server Configuration tab. The RADIUS Server Information dialog box is displayed.
Step 3 Click Query to query the RADIUS server configuration from the NE.
Step 4 Click New.
The New RADIUS Server Information dialog box is displayed.
Step 5 Configure the information about the RADIUS server. Click OK to save the configuration.
If a new RADIUS server is added, set an IP address for the server to uniquely identify it.
If a new RADIUS proxy server is added, set an IP address or an NE Name for the RADIUS proxy server to uniquely identify it.
Before adding a new RADIUS proxy server, you need to configure the NE as a RADIUS proxy server (see 3.3.1).
----End
3.3.3 Configuring RADIUS Server Parameters
The RADIUS server can be used for authentication only after the RADIUS server parameters are configured.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
The RADIUS server has been created.
Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Configuration from the Function Tree.
Step 2 Click Query to query the RADIUS parameter configuration from the NE.
Step 3 Click New.
The New NE RADIUS Server Configuration dialog box is displayed.
Step 4 Configure the RADIUS parameters. Click OK to save the configuration.
----End
3.4 Data Service Security
3.4.1 Flow Control
Flow control is configured to avoid the following problems:
Unexpected traffic surges caused by broadcast, unknown unicast, or multicast packets
Abnormal network device load caused by an excessively large number of users accessing the system
Network congestion caused by burst traffic
Configure the following functions according to the network operation and maintenance (O&M) requirements.
Broadcast Traffic Suppression
The broadcast traffic suppression function limits the broadcast traffic that can pass through a port. Broadcast packets in excess of the threshold are discarded. You can enable or disable broadcast packet suppression and configure a broadcast packet suppression threshold.
For EOT boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer, and choose Configuration > Ethernet Interface Management > Ethernet Interface from the Function Tree.
Step 2 Select External Port. Click the Advanced Attributes tab, select the port to be modified, and then set Broadcast Packet Suppression or Broadcast Packet Suppression Threshold.
Step 3 Click Apply to save the settings.
----End
For packet service boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Interface Management > Ethernet Interface from the Function Tree.
Step 2 Click the Advanced Attributes tab, and then set Broadcast Packet Suppression or Broadcast Packet Suppression Threshold(%).
Step 3 Click Apply to save the settings.
----End
Unknown Multicast Traffic Discard (for Packet Service Boards)
You can specify whether unknown multicast packets that arrive at the device are transparently transmitted or discarded.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service from the list of available E-LAN services, click the Unknown Frame Processing tab, and then set the processing mode of unknown unicast or multicast frames to Flood or Discard.
Figure 1.1 Configuring the unknown frame processing mechanism on a packet service board
Step 3 Click Apply to save the settings.
----End
Unknown Unicast Traffic Discard (for Packet Service Boards)
You can specify whether unknown unicast packets that arrive at the device are transparently transmitted or discarded.
For details, see "Unknown Multicast Traffic Discard (for Packet Service Boards)."
3.4.2 Loop Avoidance
The loop avoidance function is used to avoid loops on a Layer 2 (L2) network, because loops can cause broadcast storms. You can configure port self-loop detection and service loopback detection to implement loop avoidance.
Port Self-Loop Detection
You can enable or disable the port self-loop detection function, and specify whether service loops are blocked automatically. If automatic service loop blocking is enabled, the system blocks a service loop as soon as it detects the loop.
For EoX Boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Interface Management > Ethernet Interface from the Function Tree.
Step 2 Click the Advanced Attributes tab, select the port to be modified, and then set Loop Detection or Loop Port Shutdown to Enabled or Disabled.
Step 3 Click Apply to save the settings.
----End
For Packet Service Boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Interface Management > Ethernet Interface from the Function Tree.
Step 2 Click the Advanced Attributes tab, and then set Loop Detection or Loopback Port Block to Enabled or Disabled.
Figure: Configuring loop detection for ports on a packet service board (screenshot not reproduced)
Step 3 Click Apply to save the settings.
----End
Service Loop Detection (for Packet Service Boards)
The device can detect E-LAN service loops. You can enable or disable automatic disconnection for service loops. If a service loop is detected and automatic disconnection is enabled, the E-LAN service is disconnected automatically and users receive an alarm about the service disconnection.
Prerequisites
You are an NMS user with Operator User Group rights or higher.
E-LAN services have been configured.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Loopback tab.
Step 3 Select the desired Ethernet service, and click Start. The Start Loopback dialog box is displayed. Click Start. The detection result is displayed after the detection is complete.
Step 4 Click Service Status List. The Service Status List dialog box is displayed, indicating whether the related ports are disabled. To enable a disabled port, click Enable.
----End
3.4.3 Access Control of Layer 2 Services
The device supports access control of L2 services. For example, you can configure static MAC addresses, add a MAC address blacklist, or configure rules for classifying and filtering complex traffic, in order to filter service packets or control service access.
Static MAC Address
You can add, delete, and query static MAC address entries.
For EoX Boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
You have configured and mounted E-LAN services.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service, and then click the VLAN Unicast tab.
If the MAC address learning mode of the selected E-LAN service is IVL, click the VLAN Filtering tab to create a VLAN filtering table first.
Step 3 Click New. The Create VLAN Unicast dialog box is displayed. Set the static MAC address parameters.
If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.
Step 4 Click OK to save the settings.
----End
For Packet Service Boards
Prerequisites
You are an NMS user with Operator User Group rights or higher.
E-LAN services have been configured.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Static MAC Address tab.
Step 3 Click New. The NEW Static MAC Address dialog box is displayed. Set the parameters of the static MAC address.
If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.
Step 4 Click OK to save the settings.
----End
MAC Address Blacklist
A MAC address blacklist can be configured to prevent the unauthorized users specified in the blacklist from accessing the network. You can add, delete, and query blacklisted MAC addresses.
A blacklist stops only the addresses it lists, and a MAC address is trivially changed by the sender, so treat it as a way to cut off a known misbehaving station rather than as an access-control boundary. Where only known stations should be admitted, combine static MAC entries with disabled MAC address learning (see "Disabling the MAC Address Learning Function") instead.
For EoX Boards
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
E-LAN services have been configured.
Procedure
Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service, and then click the Disable MAC Address tab.
Step 3 Click New. The Disable MAC Address Creation dialog box is displayed. Set the parameters of the MAC address to be blacklisted.
Figure: Setting the parameters of the MAC address to be blacklisted on the EoX board (screenshot not reproduced)
If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.
Step 4 Click OK to save the settings.
----End
For Packet Service Boards
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
You have configured E-LAN services.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Disable MAC Address tab.
Figure: Configuring the MAC address blacklist on the packet service board (screenshot not reproduced)
Step 3 Click New. The Disabled MAC Address dialog box is displayed. Set the parameters of the MAC address to be blacklisted.
Step 4 Click OK to save the settings.
If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.
----End
Maximum Number of MAC Addresses
The MAC address table capacity can be specified in the system, so that no further MAC addresses are learned once the number of existing MAC addresses reaches the configured maximum. This provides an effective means of controlling the number of users accessing the system. It also bounds the effect of MAC flooding, in which an attacker sends frames from many forged source addresses to exhaust the table: the excess addresses are simply not learned.
You can configure a MAC address table capacity based on an Ethernet service ID, VLAN, or logical port for an EoX board.
For a packet service board, you can also specify an upper threshold and a lower threshold for MAC address alarms, in addition to configuring a MAC address table capacity based on an Ethernet service ID. If the number of MAC addresses reaches the upper threshold (95% by default), an alarm is generated, indicating that the MAC address table is full. This alarm is cleared when the number of MAC addresses drops below the lower threshold (90% by default). The gap between the two thresholds prevents the alarm from flapping when the table hovers around the limit; an alarm that appears without a corresponding growth in legitimate users is worth investigating as possible MAC flooding.
For EoX Boards
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
E-LAN services have been configured.
Procedure
Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service.
To configure the MAC address table capacity based on a VLAN, click the VLAN MAC Address Table Capacity tab and select the desired VLAN ID.
To configure the MAC address table capacity based on a VB port, click the VB Port MAC Address Table Capacity tab and select the desired VB port. A dialog box is displayed.
Step 3 Enter the maximum number of MAC addresses in the MAC Address Table Capacity text box.
Step 4 Click OK to save the settings.
To configure the MAC address table capacity based on a VLAN, you must first create a VLAN filtering table on the VLAN Filtering page.
To configure the MAC address table capacity based on a VB port, you must first configure the VB port on the Service Mount page.
----End
For Packet Service Boards
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
You have configured E-LAN services.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the MAC Address Learning Parameters tab.
Step 3 Set the MAC address table capacity, the upper threshold for MAC address alarms, and the lower threshold for MAC address alarms.
Step 4 Click Apply to save the settings.
----End
Disabling the MAC Address Learning Function (for Packet Service Boards)
You can disable the MAC address learning function of E-LAN services, so that new users cannot access the network. If the MAC address learning function of an E-LAN service is disabled, existing users (whose addresses are already in the table) are not affected and can still access the network.
You can disable the MAC address learning function for a specified VLAN to guarantee the stability and security of the network users in that VLAN and to prevent unauthorized users from accessing the network.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
Step 2 For an existing service: select the desired E-LAN service from the list of available E-LAN services, and then set Self-Learning MAC Address to Enabled or Disabled.
Step 3 For a new service: click New. The New E-LAN Service dialog box is displayed. Set Self-Learning MAC Address to Enabled or Disabled.
Step 4 Click Apply (existing service) or OK (new service) to save the settings.
----End
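The controls described in this section (static entries, the MAC address blacklist, the table capacity with its 95%/90% alarm thresholds, and disabled learning) all act on the same event: a frame arriving with a source address the service has not pinned. The following added example (not Huawei code; the RTN 900's real forwarding logic is not on this page) models that interaction as one decision function and runs a MAC-flooding attempt against it, so the hysteresis of the alarm thresholds and the point at which learning stops can be seen. Class, method and event names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MacTable:
    """Constructed model of one E-LAN service's MAC table and its access controls.
    Field names are illustrative, not the U2000 parameter names."""
    capacity: int                                   # MAC Address Table Capacity
    upper_pct: int = 95                             # upper alarm threshold (page default)
    lower_pct: int = 90                             # lower alarm threshold (page default)
    learning_enabled: bool = True                   # Self-Learning MAC Address
    static: dict = field(default_factory=dict)      # static entries: mac -> port
    blacklist: set = field(default_factory=set)     # Disable MAC Address entries
    dynamic: dict = field(default_factory=dict)     # learned entries: mac -> port
    table_full_alarm: bool = False
    events: list = field(default_factory=list)

    def used(self):
        return len(self.static) + len(self.dynamic)

    def _update_alarm(self):
        # Hysteresis: raise at >= upper threshold, clear only once below the lower one,
        # so a table hovering near the limit does not produce a flapping alarm.
        pct = self.used() * 100
        if not self.table_full_alarm and pct >= self.upper_pct * self.capacity:
            self.table_full_alarm = True
            self.events.append(("ALARM", "MAC table full", self.used()))
        elif self.table_full_alarm and pct < self.lower_pct * self.capacity:
            self.table_full_alarm = False
            self.events.append(("CLEAR", "MAC table full", self.used()))

    def ingress(self, src_mac, port):
        """Decide what happens to a frame from src_mac arriving on port."""
        src_mac = src_mac.lower()
        if src_mac in self.blacklist:
            return "blacklisted"          # dropped regardless of anything else
        if src_mac in self.static:
            return "static"               # static entries are never aged or overwritten
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = port  # refresh; existing users keep their access
            return "known"
        if not self.learning_enabled:
            return "learning-disabled"    # new users cannot join this service
        if self.used() >= self.capacity:
            return "table-full"           # capacity reached: the address is not learned
        self.dynamic[src_mac] = port
        self._update_alarm()
        return "learned"

    def age_out(self, macs):
        """Remove aged dynamic entries, then re-evaluate the alarm."""
        for mac in macs:
            self.dynamic.pop(mac.lower(), None)
        self._update_alarm()


def mac_flood_demo(capacity=100, forged=120):
    """An attacker on port 3 sends frames from `forged` made-up source addresses
    (constructed traffic). Returns the decision counts, whether the alarm is still
    set after a few entries age out, whether it is set after more age out, and the events."""
    table = MacTable(capacity=capacity)
    table.static["00:11:22:33:44:55"] = 1          # a known server, pinned
    table.blacklist.add("de:ad:be:ef:00:01")       # a station already cut off
    decisions = {}
    for i in range(forged):
        d = table.ingress(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", 3)
        decisions[d] = decisions.get(d, 0) + 1
    # Entries age out (or the operator clears them); the alarm clears only below 90%.
    table.age_out([f"02:00:00:00:00:{i:02x}" for i in range(5)])
    still_alarmed = table.table_full_alarm
    table.age_out([f"02:00:00:00:00:{i:02x}" for i in range(5, 11)])
    return decisions, still_alarmed, table.table_full_alarm, table.events


if __name__ == "__main__":
    print(mac_flood_demo())
```

With a capacity of 100 and one static entry, the flood learns 99 forged addresses and the remaining 21 are refused; the alarm is raised when the table reaches 95 entries, survives the first 5 entries aging out (95 is not below 90%), and clears only when the table drops to 89.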
Complex Traffic Classification and Filtering (for Packet Service Boards)
Complex traffic is classified based on complex rules. For example, packets can be classified based on link layer, network layer, and transport layer information, such as the source MAC address, destination MAC address, source IP address, destination IP address, user group ID, protocol type, or TCP/UDP port number of an application. You can configure ACL rules to filter matching packets in complex traffic. The ACL action in a traffic classification rule is either permit or deny.
You can set the ACL action for a traffic classification rule based on a port policy or a V-UNI ingress policy for packet service boards. The following configuration procedures use the port policy as an example; the procedures for the V-UNI ingress policy are similar.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure (based on an existing QoS policy):
1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > QoS Management > Policy Management > Port Policy from the Function Tree.
2. Select an existing policy and click the Traffic Classification Configuration tab.
- To modify a rule, select a traffic classification rule and change the value of ACL Action to Permit or Deny. Click Apply to save the settings.
- To create a rule, click New. The Create Traffic Classification dialog box is displayed. Set the matching rule and the ACL action. Click OK to save the settings.
Procedure (based on a new QoS policy):
1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > QoS Management > Policy Management > Port Policy from the Function Tree.
2. Click New. A dialog box is displayed, in which you can create a port policy. Click the Traffic Classification Configuration tab.
3. Click New. The Create Traffic Classification dialog box is displayed. The remaining operations are the same as those in Procedure 1.
4. Click OK to save the settings.
3.4.4 Service Isolation
The device provides several service isolation mechanisms to prevent communication between user services and to reduce the impact of broadcast traffic.
Setting the Hub/Spoke Attribute (for EoX Boards)
Users who create Ethernet private services can separate services by configuring the Hub/Spoke attribute: ports marked Spoke exchange traffic only with Hub ports, not with each other, so customer sites attached to Spoke ports are isolated from one another while still reaching the Hub.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
You have configured and mounted E-LAN services.
Procedure
Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.
Step 2 Select the desired E-LAN service, click the Service Mount tab, and set Hub/Spoke to Hub or Spoke.
Step 3 Click OK to save the settings.
----End
Configuring Split Horizon Groups (for Packet Service Boards)
You can configure a group of physical or logical ports that cannot interwork on the local device, both to avoid service loops and to isolate the services of different customers.
You can create a split horizon group for an E-LAN service; its members can be added or deleted as required.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure (based on existing E-LAN services):
1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
2. Select the desired E-LAN service from the list of available E-LAN services, and click the Split Horizon Group tab.
3. Click New. The New Split Horizon Group dialog box is displayed. Set the members of the split horizon group.
4. Click OK to save the settings.
Procedure (based on a new E-LAN service):
1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.
2. Click New. The New E-LAN Service dialog box is displayed. Click the Split Horizon Group tab.
3. Click New. The New Split Horizon Group dialog box is displayed. Set the members of the split horizon group. The remaining steps are the same as those in Procedure 1.
4. Click OK to save the settings.
3.5 Layer 3 Protocols
3.5.1 IS-IS
Intermediate System to Intermediate System (IS-IS) is a link-state routing protocol and an interior gateway protocol, designed for use within an autonomous system. OptiX RTN 900 uses IS-IS together with Resource Reservation Protocol-Traffic Engineering (RSVP-TE) to dynamically create Multiprotocol Label Switching (MPLS) label switched paths (LSPs).
IS-IS supports null authentication, simple password authentication, and key authentication, in compliance with ISO 10589, RFC 1195, and RFC 5304.
Null authentication: Packets are not authenticated.
Simple password authentication: A simple password is used for authentication by both parties in a communication. Authentication fails if there is no password or the password is incorrect. With simple password authentication, every OptiX RTN 900 within an IS-IS area uses the same password. The password travels in cleartext in every PDU, so this mode only prevents accidental adjacencies; anyone who can capture a PDU on the link learns the password.
Key authentication: HMAC-MD5 is used to calculate a digest over each PDU. The key used to calculate the digest is never sent over the network, which defends against passive attacks. With key authentication, every OptiX RTN 900 within an IS-IS area uses the same key. Because every router in the area shares the key, choose it with the same care as an administrator password and change it when a device leaves the area.
The following describes how to configure IS-IS authentication on OptiX RTN 900.
Prerequisites
You must be an NMS user with Administrator User Group rights or higher.
IS-IS is enabled on the ports.
Procedure
Step 1 Choose Configuration > Route Management > ISIS > ISIS Instance from the main menu.
Step 2 Click the Create or Modify tab.
Step 3 Set Authentication Type. If null authentication is selected, no authentication password is required. If simple password authentication or MD5 authentication is selected, you must set a password for the authentication.
Step 4 Click Apply. The result dialog box is displayed.
Step 5 Click Close.
----End
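The difference between the two authenticated modes is easiest to see on the wire. The following added example (not Huawei code, and independent of the RTN 900's implementation) builds a Level-1 LAN IIH with a constructed fixed header and an Authentication Information TLV (code 10) in the cleartext form of RFC 1195 and in the HMAC-MD5 form of RFC 5304, then verifies it the way a receiving router does: the digest is recomputed with the 16-octet Authentication Value zeroed and compared in constant time. The key-never-on-the-wire principle it demonstrates is the same one behind the keyed-MD5 authentication of RSVP and BGP in the following sections. The key, the system ID, the area address and the function names are assumptions.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10        # Authentication Information TLV (ISO 10589 / RFC 1195)
AUTH_CLEARTEXT = 1   # authentication type: cleartext password
AUTH_HMAC_MD5 = 54   # authentication type: HMAC-MD5 (RFC 5304)
IIH_HEADER_LEN = 27  # fixed header length of a LAN IIH with a 6-octet system ID


def tlv(code, value):
    return struct.pack("!BB", code, len(value)) + value


def lan_iih(source_id, tlvs, holding_time=30, priority=64):
    """Constructed Level-1 LAN IIH: 8-octet common header, 19-octet IIH fields, then TLVs."""
    pdu_len = IIH_HEADER_LEN + len(tlvs)
    common = struct.pack("!8B", 0x83, IIH_HEADER_LEN, 1, 0, 15, 1, 0, 0)
    fixed = struct.pack("!B6sHHB7s", 1, source_id, holding_time, pdu_len,
                        priority, source_id + b"\x01")
    return common + fixed + tlvs


def build_iih(source_id, body_tlvs, key, auth_type=None):
    """Emit an IIH with no authentication, a cleartext password, or an HMAC-MD5 digest."""
    if auth_type is None:
        return lan_iih(source_id, body_tlvs)
    if auth_type == AUTH_CLEARTEXT:
        # RFC 1195: the password itself rides in the TLV, readable by anyone on the link.
        return lan_iih(source_id, body_tlvs + tlv(AUTH_TLV, bytes([AUTH_CLEARTEXT]) + key))
    # RFC 5304: the digest is computed over the entire PDU with the 16-octet
    # Authentication Value set to zero, then written into that field. For LSPs the
    # Checksum and Remaining Lifetime fields are zeroed first as well; a hello PDU
    # has neither, so this example does not need that step.
    placeholder = tlv(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(16))
    pdu = lan_iih(source_id, body_tlvs + placeholder)
    digest = hmac.new(key, pdu, hashlib.md5).digest()
    return pdu[:-16] + digest


def iter_tlvs(pdu):
    off = pdu[1]                       # length indicator = fixed header length
    while off + 2 <= len(pdu):
        code, length = pdu[off], pdu[off + 1]
        yield off, code, pdu[off + 2:off + 2 + length]
        off += 2 + length


def verify_iih(pdu, key):
    """Receiver side: 'ok', 'bad' (wrong key, tampering, unknown type) or 'none' (no TLV)."""
    for off, code, value in iter_tlvs(pdu):
        if code != AUTH_TLV:
            continue
        auth_type, auth_value = value[0], value[1:]
        if auth_type == AUTH_CLEARTEXT:
            return "ok" if hmac.compare_digest(auth_value, key) else "bad"
        if auth_type == AUTH_HMAC_MD5 and len(auth_value) == 16:
            start = off + 3            # skip TLV code, length and authentication type
            zeroed = pdu[:start] + bytes(16) + pdu[start + 16:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(auth_value, expected) else "bad"
        return "bad"
    return "none"


# Constructed values: an area-wide key, a system ID and an area address, not from any deployment.
AREA_KEY = b"rtn900-area-key"
SYSTEM_ID = bytes.fromhex("1921680000a1")
BODY = tlv(1, b"\x03\x49\x00\x01")   # Area Addresses TLV: one 3-octet area, 49.0001


def flip_bit(pdu, index):
    """Simulate on-path tampering with one octet of the PDU."""
    return pdu[:index] + bytes([pdu[index] ^ 0x01]) + pdu[index + 1:]


if __name__ == "__main__":
    signed = build_iih(SYSTEM_ID, BODY, AREA_KEY, AUTH_HMAC_MD5)
    print("key visible on wire:", AREA_KEY in signed, "->", verify_iih(signed, AREA_KEY))
    print("tampered:", verify_iih(flip_bit(signed, 20), AREA_KEY))
```

Note what HMAC-MD5 does and does not give you: a captured PDU cannot be altered or forged without the key, but RFC 5304 carries no sequence number, so an attacker can replay an old, validly signed PDU; the RSVP INTEGRITY object discussed in the next section does include a sequence number for exactly that reason.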
3.5.2 RSVP
Resource Reservation Protocol (RSVP) is designed for the Integrated Services model and reserves resources on every node along an LSP. RSVP is a control protocol at the transport layer; it does not carry application data. RSVP-TE, an extension to RSVP, creates or deletes constraint-based routed LSPs (CR-LSPs) by using traffic engineering (TE) attributes carried in extended objects. RSVP-TE complies with RFC 2205 and RFC 3209.
RSVP messages are protected from modification and spoofing by added objects and by checks on these objects (the INTEGRITY object of RFC 2747, which carries a keyed digest and a sequence number), raising the reliability and security of the network. RSVP supports interface-based authentication: you configure authentication on interfaces, and RSVP authenticates messages according to the egress interface through which they are sent. The following three authentication types are available:
Null authentication
Packets are not authenticated.
Simple password authentication
A character string of 1 to 23 bytes is used for simple password authentication.
Key authentication
A character string of 1 to 23 bytes is used as the key for MD5 authentication.
OptiX RTN 900 uses null authentication by default, so the RSVP-TE control plane is unauthenticated until you change this setting. Configure the authentication type according to the application scenario; on any interface that faces equipment you do not fully control, enable MD5 key authentication.
The following describes how to configure RSVP authentication on OptiX RTN 900.
Prerequisites
You must be an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 Choose Configuration > Control Plane Configuration > MPLS-RSVP Configuration from the main menu.
Step 2 Click the Port Configuration tab.
Step 3 Set Authentication Type. If null authentication is selected, no authentication password is required. If MD5 authentication is selected, you must set a password for the authentication.
Step 4 Click Apply. The result dialog box is displayed.
Step 5 Click Close.
----End
3.5.3 BGP
Border Gateway Protocol (BGP) is used for transmitting routing information. OptiX RTN 900 supports BGP-4 and MP-BGP in compliance with RFC 4271 and RFC 4760 (a third RFC number is garbled in the source). Besides transmitting IPv4 and Layer 3 virtual private network (L3VPN) routing information, BGP provides key authentication for security.
Plain-text password authentication: The plain-text password is required for authentication between peers. Authentication fails if the password is incorrect.
Key authentication uses MD5 to calculate a digest (the TCP MD5 signature option of RFC 2385). The password used to calculate the digest is never sent over the network, which defends against passive attacks. For key authentication, the two BGP peers that exchange routing information must have the same key.
The following describes how to configure BGP authentication on OptiX RTN 900.
Prerequisites
You must be an NMS user with Administrator User Group rights or higher.
BGP peers have been configured.
Procedure
Step 1 Choose Configuration > Route Management > BGP > BGP Peer Information from the main menu.
Step 2 Click the Create or Modify tab.
Step 3 Set the plain-text password or the MD5 authentication key.
Step 4 Click Apply. The result dialog box is displayed.
Step 5 Click Close.
----End
4 Security Maintenance
Security maintenance means auditing the device from a security standpoint so that security risks are discovered in time and hardening can be applied effectively, with the aim of keeping the device working properly and securely.
4.1 Suggestions on Port Maintenance
Ports are classified into logical ports and physical ports. Logical ports are standard communication protocol ports, such as STELNET port 22. Physical ports are the management access ports and service ports provided by the device.
It is recommended that unused ports be disabled during routine O&M to avoid unauthorized access traffic. The following ports can be disabled:
TCP Port   Function
1600       ECC extension
23         Telnet
2008       Raw Telnet
22         STELNET
UDP Port   Function
161        SNMP
123        NTP
520        RIP
1812       RADIUS (authentication)
1813       RADIUS (accounting)
1305       Automatic NE report
Decide what replaces each port before disabling it: Telnet and Raw Telnet should be closed once STELNET (SSH) access works (see section 5.2.3), but closing port 22 as well leaves no remote command-line access at all. After a change, confirm from the NMS that management still works and, from an address outside the management network, that the closed ports no longer answer.
4.2 NE Account Maintenance
NE accounts are the user names and passwords used for NE management. NE accounts must be updated in time to prevent unauthorized access and guarantee device security. The following points must be considered during account maintenance:
- Periodically updating passwords
- Changing the default account and password of the NE in time
- Deleting abandoned and unused accounts in time
4.3 Log Audit
Log audit is a means of discovering security risks during network O&M and identifying hidden security problems. The device provides two types of logs for this purpose: security logs and operation logs. Security logs record operations related to NE accounts, such as account deletion, and reveal unauthorized user access. Operation logs record all user configuration operations and help discover unauthorized configuration operations.
Security logs must be audited periodically to strengthen protection against unauthorized account access or login attempts. You can add an access control list (ACL) or deploy a firewall to block unauthorized login attempts, and clear abandoned or unused accounts to prevent unauthorized account access.
Operation logs must also be audited periodically to discover, in time, configuration operations performed on NEs by unauthorized users. You can delete such accounts to reduce the security risk.
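As an added example of the two audits described above (not Huawei code; the real log layout of the RTN 900 is not shown on this page, so the sample lines below are constructed in an assumed "timestamp NE type key=value" form), the following script flags repeated login failures from one source, successful logins from addresses other than the known NMS, account changes, and configuration operations by accounts that are not in the authorized inventory. The account inventory, the NMS address and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "timestamp NE type key=value ..." layout.
SECURITY_LOG = """\
2013-12-20 09:01:10 NE1 security user=admin src=100.100.1.10 event=LOGIN result=SUCCESS
2013-12-20 09:05:42 NE1 security user=admin src=192.0.2.7 event=LOGIN result=FAILURE
2013-12-20 09:05:44 NE1 security user=admin src=192.0.2.7 event=LOGIN result=FAILURE
2013-12-20 09:05:47 NE1 security user=admin src=192.0.2.7 event=LOGIN result=FAILURE
2013-12-20 09:06:01 NE1 security user=admin src=192.0.2.7 event=LOGIN result=SUCCESS
2013-12-20 09:07:30 NE1 security user=admin src=192.0.2.7 event=ACCOUNT_CREATE target=svc01
2013-12-20 10:15:00 NE1 security user=monitor1 src=100.100.1.10 event=LOGIN result=SUCCESS
"""
OPERATION_LOG = """\
2013-12-20 09:08:12 NE1 operation user=svc01 src=192.0.2.7 op=SET_ACL_RULE result=SUCCESS
2013-12-20 10:20:05 NE1 operation user=monitor1 src=100.100.1.10 op=QUERY_ALARMS result=SUCCESS
2013-12-20 10:22:40 NE1 operation user=admin src=100.100.1.10 op=SET_SYSLOG_SERVER result=SUCCESS
"""

AUTHORIZED_ACCOUNTS = {"admin", "monitor1"}     # assumed account inventory for this NE
NMS_SOURCES = {"100.100.1.10"}                   # assumed NMS / administrator addresses
FAILURE_THRESHOLD = 3                            # failures from one user@source before flagging

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ne>\S+) (?P<kind>security|operation) (?P<rest>.*)$")


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not trusted."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(kv.split("=", 1) for kv in rec.pop("rest").split())
        yield rec


def audit(security_text=SECURITY_LOG, operation_text=OPERATION_LOG):
    """Return (finding, detail) pairs; each one is something to follow up."""
    findings, failures = [], Counter()
    for r in parse(security_text):
        event = r.get("event", "")
        if event == "LOGIN" and r.get("result") == "FAILURE":
            failures[(r["user"], r["src"])] += 1
        elif event == "LOGIN" and r["src"] not in NMS_SOURCES:
            findings.append(("login-from-unknown-source", f"{r['user']}@{r['src']} {r['ts']}"))
        elif event.startswith("ACCOUNT_"):
            findings.append(("account-change", f"{event} {r.get('target')} by {r['user']}"))
    for (user, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated-login-failures", f"{user}@{src} x{n}"))
    for r in parse(operation_text):
        if r["user"] not in AUTHORIZED_ACCOUNTS:
            findings.append(("operation-by-unlisted-account", f"{r['user']} {r['op']} {r['ts']}"))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

On the constructed lines the script reports the login from 192.0.2.7 after three failures, the account svc01 that this session created, the failure burst itself, and the ACL change svc01 then made; the last two are the pattern the section warns about, an account created outside the inventory and immediately used to reconfigure the NE.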
4.4 Security Patch Upgrade
Security vulnerabilities on devices can be rectified online through hot patches.
4.5 Software Package Integrity Check
When a device software package is released at http://support.huawei.com, the digest value of the software package is calculated with a standard hash algorithm and written into an MD5 authentication document that is released on the website at the same time.
Each document contains the following information (the screenshot is not reproduced here):
Users can select a suitable tool and algorithm (MD5 or SHA-256) to calculate the digest value, and then compare the calculated value with the digest value in the MD5 document to check the integrity of the software package. If the two digest values differ, the software package is corrupted: do not use it, and contact Huawei engineers to obtain a new package.
Prefer SHA-256 whenever the document provides it, because MD5 is no longer collision resistant (RFC 6151). Also note what this check proves: a digest downloaded from the same site over the same channel as the package detects accidental corruption and truncation, but an attacker who can substitute the package can usually substitute the digest document as well. Obtain the digest over HTTPS, keep a record of the digest values you verified against, and compare with a constant-time comparison rather than by eye.
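The check above is simple enough to script so that it is done the same way every time. The following added example (not Huawei's tool; the layout of Huawei's digest document is not shown on this page, so a "ALGO (filename) = hex" layout is assumed) parses the published digests, picks the strongest algorithm available, hashes the package in chunks so large files do not need to be held in memory, and compares in constant time. The file names and package bytes in the test are constructed.

```python
import hashlib
import hmac
import re
import sys

CHUNK = 1 << 20
PREFERRED = ("sha256", "md5")   # strongest first; MD5 only if nothing better is published

# Assumed digest-document layout: "SHA256 (file) = hex" / "MD5 (file) = hex", one per line.
DIGEST_LINE = re.compile(
    r"^\s*(?P<algo>SHA256|MD5)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$",
    re.IGNORECASE)


def digest_bytes(data, algo):
    h = hashlib.new(algo)
    for i in range(0, len(data), CHUNK):   # same chunked loop as for files below
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def digest_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_digest_document(text):
    """Map filename -> {algorithm: hexdigest} from the published document."""
    table = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            table.setdefault(m["name"], {})[m["algo"].lower()] = m["hex"].lower()
    return table


def publish_digests(name, data):
    """Vendor-side step (constructed here): write both digests for a package."""
    return "\n".join(f"{a.upper()} ({name}) = {digest_bytes(data, a)}" for a in PREFERRED)


def verify_package(name, data, document):
    """Return (status, algorithm): 'ok', 'mismatch', or 'missing' when no digest is published."""
    published = parse_digest_document(document).get(name, {})
    for algo in PREFERRED:
        if algo in published:
            actual = digest_bytes(data, algo)
            same = hmac.compare_digest(actual.encode(), published[algo].encode())
            return ("ok" if same else "mismatch"), algo
    return "missing", None


if __name__ == "__main__":
    # usage: python verify.py <package-file> <digest-document>
    pkg_path, doc_path = sys.argv[1:3]
    with open(pkg_path, "rb") as f, open(doc_path, encoding="utf-8") as d:
        status, algo = verify_package(pkg_path.rsplit("/", 1)[-1], f.read(), d.read())
    print(status, algo)
    sys.exit(0 if status == "ok" else 1)
```

A "missing" result is deliberately not treated as success: a package for which no digest was published should be handled the same way as one that fails the check.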
5 Security Hardening
5.1 Device Layer Security Hardening
5.1.1 Account Management Hardening
Account management hardening involves account maintenance hardening and management mode hardening.
Account Maintenance Hardening
- After an NE is handed over to the customer's O&M department, the administrator must delete the ex-factory default accounts or change their passwords in time. For the list of default accounts, see section 2.1.1 (Table 1.1).
- Delete outdated or useless accounts in time.
- Allocate Monitor rights to each new account, following the principle of minimum rights; raise an account to Operator or Administrator rights only when its tasks require them.
- Ensure that only one administrator is defined for each NE to avoid conflicts during account maintenance.
- Change the user password periodically (preferably once every two months), ensuring that the user password contains three or more characters. This is the manual's minimum; set a considerably longer minimum in your own password policy.
- Set a validity period for the password of each new account. A validity period of three months is recommended.
- Set the storage mode for the password of each account to SHA-256.
Centralized Account Management on a RADIUS Server
The device supports local authentication and RADIUS authentication. If the device is deployed in local authentication mode, accounts and passwords must be updated periodically on every device, which creates a large maintenance workload. RADIUS authentication is therefore recommended for higher maintenance efficiency.
A RADIUS server can be deployed on the live network, with all devices on the network using the same set of accounts and passwords. These accounts are configured on the RADIUS server only. This effectively lowers the maintenance workload, because during O&M you need only to periodically examine the accounts and passwords on the RADIUS server. It also means that removing an account or changing a password on the RADIUS server takes effect for every device at once, which is what makes timely revocation practical.
5.1.2 Security Log Hardening
The device can store only a limited number of security logs. If security logs are not audited, useful logs may be overwritten, so that security risks are not discovered in time and hidden problems remain during network O&M.
The device provides the syslog function, through which its logs can be dumped to an external syslog server. This solves the problem of insufficient security log storage space on the device and also keeps a copy of the logs out of reach of anyone who compromises the NE.
You can configure the syslog server on each device. For the methods of configuring the syslog server and the gateway server, see section 2.3.
After the configuration succeeds, the devices upload security logs to the syslog server.
The following example describes how to configure the syslog server on NE 1.
Figure: Network topology (not reproduced)
You set the syslog server on NE 1 to the NE ID (0x00092012) of the GNE, and then configure the IP address (127.100.1.1) of the syslog server on the gateway NE (GNE). A forwarding server must be configured here because the management plane of the network where NE 1 is located uses the Huawei proprietary Embedded Control Channel (ECC) protocol instead of IP.
If IP is used on the network, the IP address of the syslog server can be configured directly on each NE, and no forwarding server is needed.
5.1.3 USB Application Hardening
After site deployment, disable the USB access ports if USB flash drive maintenance is not required. Enable the USB access ports only when USB flash drive maintenance is required, and disable them again afterwards.
For compatibility with the previous version, MD5 is still available. However, it is recommended that you use SHA-256 when saving new files.
5.2 Network Layer Security Hardening
5.2.1 Configuring an ACL to Prevent Unauthorized Access
Configuring a Basic ACL to Control Unauthorized IP Access
The basic ACL contains only the IP addresses that are allowed to access the device; any IP address not covered by the basic ACL is unable to access the device. The ACL rules that define the IP addresses allowed to access the device can be configured on all gateway NEs.
Because the basic ACL is an allow-list with an implicit deny, make sure it includes the addresses of every NMS server and every administrator workstation before applying it; otherwise you lock yourself out of the gateway NE.
The following figure (not reproduced) shows an example of configuring the basic ACL so that only IP addresses in the network segment 100.100.1.0 can access the NE.
Configuring an Advanced ACL to Control Unauthorized Port Access
The advanced ACL can filter out all application layer protocols that are forbidden to access the device. Because the ports of the application protocols are discrete, you configure the blacklisted entries one by one on the Advanced ACL page. The blacklist can be configured on the gateway NE.
The following figure (not reproduced) shows an example of prohibiting Telnet access to the device.
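The two ACL types here and the traffic classification rules of section 3.4.3 ("Complex Traffic Classification and Filtering") share one evaluation model: an ordered list of match rules, first match wins, and a default that decides everything else. The following added example (not Huawei code; the U2000 data model is not on this page) implements that model once and uses it three times: the basic ACL as an allow-list of the page's 100.100.1.0 segment with an implicit deny, the advanced ACL as a blacklist of ports from the table in section 4.1 with an implicit permit, and a port policy on a packet service board that matches on MAC and IP fields. It also includes the lock-out check a practitioner wants before applying an allow-list. Rule contents, addresses and names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dport: int
    src_mac: str = ""
    dst_mac: str = ""


@dataclass
class Rule:
    """One classification rule; a field left as None matches anything."""
    action: str                      # "permit" or "deny"
    src_ip: Optional[str] = None     # CIDR
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None

    def matches(self, p):
        return ((self.src_ip is None or ip_address(p.src_ip) in ip_network(self.src_ip))
                and (self.dst_ip is None or ip_address(p.dst_ip) in ip_network(self.dst_ip))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.src_mac is None or p.src_mac.lower() == self.src_mac.lower())
                and (self.dst_mac is None or p.dst_mac.lower() == self.dst_mac.lower()))


class Acl:
    def __init__(self, rules, default):
        self.rules, self.default = list(rules), default

    def evaluate(self, p):
        """First matching rule wins; the default applies when nothing matches."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, f"rule {i}"
        return self.default, "default"


# Basic ACL: allow-list of management sources (the page's 100.100.1.0 segment), implicit deny.
BASIC_ACL = Acl([Rule("permit", src_ip="100.100.1.0/24")], default="deny")

# Advanced ACL: blacklist of forbidden application ports (from the table in 4.1), implicit permit.
ADVANCED_ACL = Acl([
    Rule("deny", proto="tcp", dport=23),      # Telnet
    Rule("deny", proto="tcp", dport=2008),    # Raw Telnet
    Rule("deny", proto="udp", dport=520),     # RIP
], default="permit")


def management_access(p):
    """Gateway-NE decision: the basic ACL is consulted first, then the advanced ACL."""
    action, why = BASIC_ACL.evaluate(p)
    if action == "deny":
        return "deny", f"basic ACL ({why})"
    action, why = ADVANCED_ACL.evaluate(p)
    return action, f"advanced ACL ({why})"


def lockout_check(acl, sources):
    """Before applying an allow-list, list the management sources it would shut out."""
    return [s for s in sources if acl.evaluate(Packet(s, "0.0.0.0", "tcp", 0))[0] == "deny"]


# Port-policy traffic classification on a packet service board: the same matcher with MAC
# and IP fields, here dropping one misbehaving station and allowing SNMP only from one subnet.
PORT_POLICY = Acl([
    Rule("deny", src_mac="02:00:00:00:00:01"),
    Rule("permit", src_ip="100.100.1.0/24", proto="udp", dport=161),
    Rule("deny", proto="udp", dport=161),
], default="permit")


if __name__ == "__main__":
    print(management_access(Packet("100.100.1.10", "100.100.1.1", "tcp", 23)))
    print(lockout_check(BASIC_ACL, ["100.100.1.10", "192.0.2.7"]))
```

Rule order matters in the port policy: the subnet-specific permit for SNMP must precede the general deny, or it never matches. The lock-out check evaluates only the source address, which is all the basic ACL looks at.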
5.2.2 Using SSL to Prevent Unauthorized Access to Sensitive Data
When creating a gateway NE on the NMS, you must select a Secure Sockets Layer (SSL) connection. For details, see section 3.2.1. This triggers the establishment of an encrypted channel between the NMS and the gateway NE using the SSL 3.0 or TLS 1.0 protocol. Both of these protocol versions have since been deprecated (SSL 3.0 by RFC 7568, TLS 1.0 by RFC 8996); use the newest version that the NMS and the NE software support, and keep the management network itself isolated.
Devices are delivered with default SSL certificates. Private key encryption in the PKCS#1 format is supported. Users can replace the default SSL certificates with their own SSL certificates in the same format, and should do so, because a certificate you did not issue gives you no assurance about who holds the matching private key.
5.2.3 Using SSH to Prevent Sensitive Data from Theft
Users can access an NE using Telnet or SSH. Telnet transmits everything, including passwords, in plaintext, which is a risk on any network an attacker can observe. To improve remote access security, disable Telnet and enable SSH.
5.2.4 Using SFTP to Load Software
The device supports two modes for downloading software packages on an all-IP network: the File Transfer Protocol (FTP) client and the SSH FTP (SFTP) client. The device serves as the client, and the NMS serves as the server. FTP transmits credentials and the package in plaintext, so it is risky. To guarantee security during software package download, disable the FTP client service and use only the SFTP client. SFTP protects the transfer; it does not replace the digest check of section 4.5 on the package you load.
The following figure (not reproduced) shows how to enable or disable the FTP/SFTP client.
To use SFTP, log in to the web page of the U2000 to configure a third-party server.
Configuring a third-party server
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 Enter https://U2000ServerIP/ftpconf/login.jsp in the browser, where U2000ServerIP is the IP address of the U2000 server.
Step 2 Log in to the U2000.
Step 3 Click Third Party FTP Settings.
Step 4 Configure the third-party server.
Step 5 Log in to the U2000. In the NE Explorer, select the target NE. Choose Administration > NE Software Management > FTP Settings from the main menu.
Step 6 Click the Third-party FTP server settings tab. The server information configured earlier is displayed. The configuration is successful.
----End
5.2.5 Data Service Security Hardening
Configuring Broadcast Traffic Suppression
You can enable the broadcast traffic suppression function and configure related thresholds to control the traffic of broadcast packets inbound to the equipment, so that broadcast traffic is not excessively high and unicast services can be properly forwarded.
Configuring Service Loop Detection (for Packet Service Boards)
After creating E-LAN services, you can perform a service loop detection test to disconnect the related services and avoid service loops. For details, see section 3.6.2.
Configuring the Maximum Number of Users
You can configure the MAC address table capacity and the unknown unicast packet discard function to control E-LAN services. If the number of existing MAC addresses reaches the MAC address table capacity, new MAC packets are discarded as unknown unicast packets, so that only a limited number of users can access the system.
For EO boards, you can configure the MAC address table capacity based on a VLAN or VB port. For packet service boards, you can configure the MAC address table capacity based on an Ethernet service instance.
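To show what the MAC address table capacity limit and unknown unicast discard do to a new user's traffic, here is an added Python model (not the manual's or Huawei's code) of one E-LAN MAC address table; the port names, MAC addresses and the capacity of two entries are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class MacTable:
    """Model of one MAC address table (one VLAN/VB port or one Ethernet
    service instance) with a capacity limit and unknown unicast discard.
    Constructed for illustration; not device code."""

    def __init__(self, capacity: int, discard_unknown_unicast: bool = True):
        self.capacity = capacity
        self.discard_unknown_unicast = discard_unknown_unicast
        self.entries = {}       # learned MAC -> port
        self.discarded = 0      # frames dropped as unknown unicast

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> str:
        """Learn src_mac (if there is room) and return where the frame goes:
        an egress port name, "flood", or "drop"."""
        # Learning: a known MAC is refreshed; a new MAC is learned only while
        # the table is below capacity, so once it is full no new user gets in.
        if src_mac in self.entries or len(self.entries) < self.capacity:
            self.entries[src_mac] = in_port
        if dst_mac == BROADCAST:
            return "flood"                  # broadcast is flooded (subject to suppression)
        if dst_mac in self.entries:
            return self.entries[dst_mac]    # known unicast: forward to the learned port
        if self.discard_unknown_unicast:
            self.discarded += 1             # unknown unicast discard: no flooding to find the host
            return "drop"
        return "flood"                      # default bridge behaviour without the feature


if __name__ == "__main__":
    table = MacTable(capacity=2)            # constructed: room for two users
    table.forward("00:00:00:00:00:0a", "00:00:00:00:00:0b", "port1")  # A learned
    table.forward("00:00:00:00:00:0b", "00:00:00:00:00:0a", "port2")  # B learned, table full
    # A third host is never learned, so replies addressed to it are discarded
    # and it cannot use the service even though its own frames reach A.
    table.forward("00:00:00:00:00:0c", "00:00:00:00:00:0a", "port3")
    print(table.forward("00:00:00:00:00:0a", "00:00:00:00:00:0c", "port1"))  # drop
```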
Configuring the ACL Action in a Traffic Classification Rule to Filter Services (for Packet Service Boards)
You can configure the ACL action in a traffic classification rule to filter service packets based on the following criteria:
Source IP address
Destination IP address
Source MAC address
Destination MAC address
Protocol type
Source port
Destination port
Internet Control Message Protocol (ICMP) packet type
Differentiated services code point (DSCP)
IP Pre
CVLAN ID
CVLAN Pri
SVLAN ID
SVLAN Pri
DEI
A combination of multiple or all of the preceding criteria
Configuring Service Isolation
After E-LAN services are created on an NE, different users may share the same VLAN service. To prevent service interworking between users, you can take the following service isolation measures:
EO boards: You can configure the hub/spoke attribute of each VB port, ensuring that services cannot interwork between spoke ports.
Packet service boards: You can create a split horizon group and add members to the group. Services cannot interwork between the members of this split horizon group.
5.2.6 Defense Against Flood Attacks
The firewall needs to be used for defense against flooding attacks such as ARP flood, ICMP flood, reflecting ICMP flood, no-IP-load flood, LAND attack, UDP flood, SynFlood, TCP Stress attack, Fraggle attack, DHCP exhaustion, reverse ARP-triggered flood, and MAC forwarding table flood.
6 Appendixes
6.1 References
1. Product Security Technical White Paper
2. Product Communication Matrix
6.2 Acronyms and Abbreviations
Abbreviation   Full Name
OSN            Optical Switch Node
TDM            Time Division Multiplexing
MAC            Medium Access Control
IGMP           Internet Group Management Protocol
BPDU           Bridge Protocol Data Unit
LACP           Link Aggregation Control Protocol
APS            Automatic Protection Switching
QoS            Quality of Service
VLAN           Virtual Local Area Network
VPN            Virtual Private Network
DCN            Data Communication Network
ECC            Embedded Control Channel
HTTPS          Hypertext Transmission Protocol Secure
OSPF           Open Shortest Path First
TCP/IP         Transmission Control Protocol/Internet Protocol
UDP            User Datagram Protocol
ICMP           Internet Control Message Protocol
ACL            Access Control List
Qx             Huawei private management protocol
NMS            Network Management System
MD5            Message Digest Algorithm 5
RSVP           Resource Reservation Protocol
FTP            File Transfer Protocol
SSL            Secure Sockets Layer
SNMP           Simple Network Management Protocol
LCT            The local maintenance terminal of a transport network, which is based on the HTTP protocol
IS-IS          Intermediate System to Intermediate System
RADIUS         Remote Authentication Dial In User Service
LDP            Label Distribution Protocol
MPLS           Multi-Protocol Label Switching
FEC            Forwarding Equivalence Class
LSP            Label Switched Path
BGP            Border Gateway Protocol
VRRP           Virtual Router Redundancy Protocol
6.3 Maintenance Tools
6.3.1 EMS and NMS Tool
Table 1.1 EMS and NMS tool

Tool Name: U2000
Communication Port: 1300/5332
Communication Protocol: Communication channels are established using TCP. The Qx protocol is used for communication in the NE application layer.
Remarks: The U2000 is a new-generation graphical network management tool. It provides multiple functions, such as service provisioning, monitoring, O&M, and security management.

Tool Name: WEB_LCT
Communication Port: 1300
Communication Protocol: Communication channels are established using TCP. The Qx protocol is used for communication at the application layer.
Remarks: The WEB_LCT is used for local NE access during network operating and maintenance phases. It supports simple maintenance operations, such as alarm and performance monitoring and service monitoring.

6.3.2 Software Upgrade Tool
Table 1.1 Software upgrade tool

Tool Name: DC
Communication Port: 1300
Communication Protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication in the NE application layer.
Remarks: The DC is a tool used during software upgrade. You can use it to load software packages and patches, or upload the database. This tool automatically loads software packages to an NE and activates the software packages after you create a software loading task, so that the NE software is automatically upgraded. This tool can also be used to load, activate, and validate patches, and back up or recover the NE database. This tool can be either independently used or integrated in the U2000. In most cases, it is integrated in the U2000.
6.3.3 Fault Collection Tool
Table 1.1 Fault collection tool

Tool Name: SmartKit NSE2600 OptiX DataCollector
Communication Port: 1300
Communication Protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication at the application layer.
Remarks: The SmartKit NSE2600 OptiX DataCollector is a fault collection tool. When a software or hardware fault occurs on an NE, you can collect data about the fault, excluding the customer's service data, from the NE using this tool.

6.3.4 Network Health Check Tool
Table 1.1 Network health check tool

Tool Name: SmartKit NSE2600 OptiX Inspector
Communication Port: 1300/
Communication Protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication at the application layer.
Remarks: The SmartKit NSE2600 OptiX Inspector is a network health check tool. You can use this tool to periodically check the health of an NE and identify improper configuration data or potential software faults on the NE. The health check items vary according to different versions of the NE and do not involve the customer's service data.

6.3.5 Handheld Terminal
Table 1.1 Handheld terminal

Tool Name: Handheld terminal
Communication Port: none (serial connection)
Communication Protocol: none (serial connection)
Remarks: The handheld terminal is connected to an NE through a serial port. It is useful during deployment and site commissioning.
6.4 Other Maintenance Means
All the commands in these documents are intended for customers that deploy and maintain the Huawei devices on the live network.
The commands, including but not limited to the commands that are used during production, assembly, and return for repair, are confidential and will not be provided in this document. If you do need to use these commands, please apply to Huawei for them.