Background: The previously configured Eudemon firewall is being reworked to meet security requirements. The DMZ zone of the existing business system uses the 192 address blocks. The network reaches the public network through the firewall and the routing of the uplink Huawei 8508. The business system DMZ zone is connected to the internal core area through the Huawei Eudemon firewall.
Environment: all network equipment is Huawei: the switch is a Huawei LS-S5328C and the firewall a Huawei Eudemon 1000E; the servers run SUSE Linux Enterprise Server 11, 64-bit.
Requirements: remote login to the firewall must use SSH, and access restrictions must be enforced between the firewall's security zones.
Network Topology:
1. The firewall requires remote logon through SSH
Original Configuration:
Telnet is an application-layer protocol in the TCP/IP suite that provides remote login and virtual-terminal access over the network; everything it carries, including passwords, is sent in cleartext.
[Switch] aaa
[Switch-aaa] local-user admin password simple usermax // set the account password
[Switch-aaa] local-user admin privilege level 3 // set the account level; 3 is the highest level
[Switch-aaa] local-user admin service-type telnet // set the service type of the local account to telnet
[Switch-aaa] quit
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode aaa // authenticate login users through aaa
[Switch-ui-vty0-4] protocol inbound telnet // bind the user interface to telnet
[Switch-ui-vty0-4] idle-timeout 5 0 // disconnect after 5 minutes 0 seconds idle
[Switch-ui-vty0-4] quit
SSH (Secure Shell) provides an encrypted channel and strong authentication, protecting the device against attacks such as IP address spoofing and interception of plaintext passwords.
Configuration after transformation:
Create the SSH user user001 on the server.
# Create an SSH user named user001 whose authentication method is password.
[Quidway] ssh user user001
[Quidway] ssh user user001 authentication-type password
(Supplement: the SSH user authentication methods are password, RSA, password-rsa and all.
If the authentication method is password or password-rsa, a local-user with the same name must be configured. If the authentication method is RSA, password-rsa or all, the server must hold the RSA public key of the SSH client.)
# Configure the password huawei for SSH user001.
[Quidway] aaa
[Quidway-aaa] local-user user001 password simple huawei
[Quidway-aaa] local-user user001 service-type ssh
# Configure the VTY user interface.
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit
# Enable the SFTP server
[Quidway] sftp server enable
Connect the client to the SSH server
# For the first login, first-time authentication must be enabled on the SSH client (the client accepts and saves the server's public key on the first connection).
[User001] ssh client first-time enable
# The SFTP client Client001 connects to the SSH server using password authentication.
<User001> system-view
[User001] sftp 221.116.139.121
Input Username: user001
Trying 221.116.139.121...
Press CTRL + K to abort
Enter password:
Sftp-client>
2. Add access restrictions between the firewall's security zones
The most basic function of a firewall is to control the data flows between areas of a network that have different trust levels. Typical zones are the Internet (UNTRUST zone), the internal network (TRUST zone) and the demilitarized zone (DMZ). Using the firewall to partition the internal network isolates the key segments of the intranet, so that a security incident on one key or sensitive segment has limited impact on the network as a whole.
Original configuration: (no restrictions between zones; packets pass in every direction between all security zones)
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local vzone direction inbound
firewall packet-filter default permit interzone local vzone direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust vzone direction inbound
firewall packet-filter default permit interzone trust vzone direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone untrust vzone direction inbound
firewall packet-filter default permit interzone untrust vzone direction outbound
firewall packet-filter default permit interzone dmz vzone direction inbound
firewall packet-filter default permit interzone dmz vzone direction outbound
Configuration after transformation:
1. Simplify the original mutual-access defaults, keeping only the default permits between the local zone and the trust, untrust and dmz zones
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
Note: data flows between security zones have a direction, either inbound or outbound.
Inbound: data moves from a lower-priority security zone to a higher-priority security zone.
Outbound: data moves from a higher-priority security zone to a lower-priority security zone.
2. Define the address sets:
[Quidway] #
ip address-set addressgroup1
 address 4 192.29.141.130 0
 address 5 192.29.141.132 0
 address 6 192.29.141.140 0
 address 7 192.29.141.142 0
[Quidway] #
ip address-set addressgroup4
 address 0 192.29.141.25 0
 address 1 192.29.141.26 0
 address 2 192.29.141.27 0
3. Add ACL rules restricting access between the specific address sets
[Quidway] #
acl number 3201
 rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
 rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq snmptrap
 rule 3000 deny ip
[Quidway] #
acl number 3202
 rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
 rule 15 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmp
 rule 16 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ntp
 rule 17 permit udp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq snmptrap
 rule 3000 deny ip
4. Apply the ACLs to the zone pair
[Quidway] #
firewall interzone dmz untrust
 packet-filter 3201 inbound
 packet-filter 3202 outbound
 detect ftp
 detect http
 session log enable acl-number 3201 inbound
 session log enable acl-number 3202 outbound
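To verify that the policy in steps 2 to 4 permits only the intended flows, here is an added Python example (not from the original post or from Huawei): it parses an excerpt of the address sets and ACLs above, derives inbound/outbound from the zone priorities exactly as the note above defines them (the ZONE_PRIORITY values are Huawei's defaults; SERVICE_PORT and INTERZONE are constructed lookups), and evaluates a flow first-match against the ACL that the dmz-untrust interzone binds for that direction.

```python
# ZONE_PRIORITY: Huawei default zone priorities; SERVICE_PORT/INTERZONE: constructed lookups.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
SERVICE_PORT = {"ssh": 22, "telnet": 23, "sqlnet": 1521, "snmp": 161, "snmptrap": 162, "ntp": 123}
INTERZONE = {frozenset({"dmz", "untrust"}): {"inbound": 3201, "outbound": 3202}}
CONFIG = """\
ip address-set addressgroup1
 address 4 192.29.141.130 0
ip address-set addressgroup4
 address 0 192.29.141.25 0
acl number 3201
 rule 10 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq sqlnet
 rule 11 permit tcp source address-set addressgroup1 destination address-set addressgroup4 destination-port eq ssh
 rule 3000 deny ip
acl number 3202
 rule 10 permit tcp source address-set addressgroup4 destination address-set addressgroup1 destination-port eq ssh
 rule 3000 deny ip
"""  # excerpt of the page's configuration, trimmed to one host per set and a few rules
def parse(config):
    """Collect address-sets (wildcard 0 = single host) and ACL rules in configured order."""
    sets, acls, cur = {}, {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[:2] == ["ip", "address-set"]:
            cur = sets.setdefault(tok[2], set())
        elif tok[0] == "address":
            cur.add(tok[2])
        elif tok[:2] == ["acl", "number"]:
            cur = acls.setdefault(int(tok[2]), [])
        elif tok[0] == "rule":
            cur.append(tok)
    return sets, acls

def rule_matches(tok, sets, proto, src, dst, dport):
    """tok = ['rule', id, action, proto, ...]; 'ip' matches any protocol; named services only."""
    ok = tok[3] in ("ip", proto)
    for i, word in enumerate(tok):
        if word == "source":
            ok &= src in sets[tok[i + 2]]
        elif word == "destination":
            ok &= dst in sets[tok[i + 2]]
        elif word == "destination-port":
            ok &= dport == SERVICE_PORT.get(tok[i + 2])
    return ok

def check_flow(src_zone, src, dst_zone, dst, proto, dport=None):
    """First-match evaluation returning (action, rule_id); no match = interzone default (deny)."""
    # Inbound = lower-priority zone to higher-priority zone, as the note above defines it.
    direction = "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"
    sets, acls = parse(CONFIG)
    for tok in acls[INTERZONE[frozenset({src_zone, dst_zone})][direction]]:
        if rule_matches(tok, sets, proto, src, dst, dport):
            return tok[2], int(tok[1])
    return "deny", None
```

With this, SSH from addressgroup1 into the DMZ is permitted by rule 11 while Telnet to the same host falls through to rule 3000, and sqlnet is permitted only in the inbound direction, which is what the two asymmetric ACLs are meant to enforce.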
Hardening between the other zone pairs follows the same pattern.
After this transformation the network's security is improved to some degree. Depending on the actual situation, ACLs (Access Control Lists), AM (Access Management), AAA, dot1x and MAC binding can also be configured.
From: dishui chuanshi blog