Switch security baseline remediation
A configured security baseline is the foundation of network security maintenance; a compliant baseline effectively defends against most known attack techniques.
Baseline configuration involves enabling and disabling many functions. If you are not sure what effect a command will have, do not perform baseline remediation on a device that is already carrying production traffic!
Accounts and passwords
1> Check that passwords are stored encrypted
//Make sure the password of every account is stored as cipher
[S5720S]aaa
[S5720S-aaa]local-user admin password cipher <K.R)YFE!!(II9%HS7.!Q!!
2> Check that console-port password protection is configured
Console login uses password authentication
[S5720S]user-interface console 0
[S5720S-ui-console0]authentication-mode password
Set a console login password and store it as ciphertext
[S5720S]user-interface console 0
[S5720S-ui-console0]set authentication password cipher Huawei@123
3> Check that shared accounts are avoided
//Make sure there are two or more users
[S5720S]aaa
[S5720S-aaa]display this
4> Check that an account lockout policy is configured
//Retry interval 5 minutes, at most 3 consecutive wrong passwords, account locked for 5 minutes
[S5720S]aaa
[S5720S-aaa]local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
Authentication and authorization
1> Check that session timeouts are configured
Set the console-port timeout
//A console session idle for 10 minutes 0 seconds is logged out automatically
[S5720S]user-interface console 0
[S5720S-ui-console0]idle-timeout 10 0
Set the timeout on all VTY lines
//A remote session idle for 10 minutes 0 seconds is logged out automatically
[S5720S]user-interface vty 0 4
[S5720S-ui-vty0-4]idle-timeout 10 0
2> Check that privilege levels are tiered
//Make sure not every account has the highest privilege level
[S5720S]aaa
[S5720S-aaa]display this
3> Check that an authentication server is used
RADIUS
//Authentication scheme named soc
//Authentication and authorization server 1.1.1.1, port 1812
//Shared key Huawei@123
//Retransmit count 3
[S5720S]radius-server template soc
[S5720S-radius-soc]radius-server authentication 1.1.1.1 1812
[S5720S-radius-soc]radius-server shared-key cipher Huawei@123
[S5720S-radius-soc]radius-server retransmit 3
[S5720S-radius-soc]aaa
[S5720S-aaa]authentication-scheme soc
[S5720S-aaa-authen-soc]authentication-mode radius
[S5720S-aaa-authen-soc]quit
[S5720S-aaa]domain default
[S5720S-aaa-domain-default]authentication-scheme soc
[S5720S-aaa-domain-default]radius-server soc
HWTACACS
//Authentication scheme named soc
//Authentication and authorization server 1.1.1.1, port 49
//Shared key Huawei@123
//Retransmit count 3
[S5720S]hwtacacs-server template soc
[S5720S-hwtacacs-soc]hwtacacs-server authentication 1.1.1.1 49
[S5720S-hwtacacs-soc]hwtacacs-server authorization 1.1.1.1 49
[S5720S-hwtacacs-soc]hwtacacs-server shared-key cipher Huawei@123
[S5720S-hwtacacs-soc]aaa
[S5720S-aaa]authentication-scheme soc
[S5720S-aaa-authen-soc]authentication-mode local hwtacacs
[S5720S-aaa]authorization-scheme soc
[S5720S-aaa-author-soc]authorization-mode hwtacacs
[S5720S-aaa]domain default
[S5720S-aaa-domain-default]authentication-scheme soc
[S5720S-aaa-domain-default]authorization-scheme soc
[S5720S-aaa-domain-default]hwtacacs-server soc
4> Check that VTY port access is authenticated
[S5720S]user-interface vty 0 4
[S5720S-ui-vty0-4]authentication-mode aaa
5> Check that authorization granularity is controlled
//Set the privilege level of display current-configuration in the system view to 3
[S5720S]command-privilege level 3 view system display current-configuration
Logging and auditing
1> Check that the NTP peer address range is restricted
//Using NTP server 1.1.1.1 as an example
[S5720S]acl 2001
[S5720S-acl-basic-2001]rule permit source 1.1.1.1 0
[S5720S]ntp-service access peer 2001
[S5720S]ntp-service unicast-server 1.1.1.1
2> Check that user operations are logged
Enable the log buffer
[S5720S]info-center logbuffer
[S5720S]info-center logbuffer channel 4
[S5720S]info-center source default channel 4 log level informational
Enable the info-center
[S5720S]info-center enable
Record user operations on the device to the TACACS server
//Using server 1.1.1.1 as an example
[S5720S]hwtacacs-server template soc
[S5720S-hwtacacs-soc]hwtacacs-server accounting 1.1.1.1
[S5720S-hwtacacs-soc]aaa
[S5720S-aaa]recording-scheme soc
[S5720S-aaa-recording-soc]recording-mode hwtacacs soc
[S5720S-aaa]cmd recording-scheme soc
3> Check that user logins are logged
Same configuration as logging user operations
4> Check that NTP is enabled
//NTP server address 1.1.1.1
//Synchronization is initiated with LoopBack0 as the source
//Shared key Huawei@123
[S5720S]ntp-service source-interface LoopBack 0
[S5720S]ntp-service unicast-server 1.1.1.1
[S5720S]ntp-service authentication enable
[S5720S]ntp-service authentication-keyid 1 authentication-mode md5 Huawei@123
[S5720S]disp ntp-service status //Check the synchronization status; "synchronized" means success
5> Check that a log storage location is configured
//Log server address 1.1.1.1; critical alarms are sent to the server
[S5720S]info-center loghost 1.1.1.1
[S5720S]info-center source default channel loghost log level critical
[S5720S]info-center enable
6> Check that system log message recording is set
[S5720S]info-center source default channel 0 log state off
7> Check that the system log buffer size is adjusted
//Store only 1024 entries
[S5720S]info-center logbuffer size 1024
8> Check that the source address for sending system logs is set
[S5720S]info-center loghost source LoopBack0
Protocol security
1> Check that spoofed-gateway ARP attacks are prevented
[S5720S]arp anti-attack entry-check send-ack enable
2> Check that source address spoofing is prevented
//Choose according to the deployment: loose is recommended when ports are load-shared, otherwise strict
[S5720S]int g0/0/x
[S5720S-GigabitEthernet0/0/x]urpf strict allow-default-route
3> Check that the default SNMP community strings are changed
If the SNMP agent is not needed, leave it disabled
[S5720S]undo snmp-agent
Change the RO/RW community strings so that they are not private or public
[S5720S]undo snmp-agent community private
[S5720S]undo snmp-agent community public
[S5720S]snmp-agent community read Huawei@123
[S5720S]snmp-agent community write Huawei@123
4> Check that community strings are encrypted
[S5720S]snmp-agent community read cipher Huawei@123
[S5720S]snmp-agent community write cipher Huawei@123
5> Check that SNMP read/write permissions are managed
Disable SNMPv1 and SNMPv2c
[S5720S]undo snmp-agent sys-info version v2c
[S5720S]undo snmp-agent sys-info version v1
Disable write access
//Remove all write community strings
[S5720S]undo snmp-agent community write Huawei@123
6> Check that the SNMP access IP address range is restricted
[S5720S]acl 2001
[S5720S-acl-basic-2001]rule permit source 1.1.1.1 0
[S5720S]snmp-agent community read Huawei@123 acl 2001
7> Check that unnecessary protocols are blocked on user ports
//For reference only; do not block protocols that are actually in use
[S5720S]acl 3001
[S5720S-acl-adv-3001]rule deny icmp
[S5720S-acl-adv-3001]rule deny 112
[S5720S-acl-adv-3001]rule deny igmp
[S5720S]acl 4001
[S5720S-acl-L2-4001]rule deny l2-protocol arp
[S5720S]traffic classifier soc
[S5720S-classifier-soc]if-match acl 3001
[S5720S-classifier-soc]if-match acl 4001
[S5720S]traffic behavior soc
[S5720S]traffic policy soc
[S5720S-trafficpolicy-soc]classifier soc behavior soc
[S5720S]int GigabitEthernet 0/0/x
[S5720S-GigabitEthernet0/0/x]traffic-policy soc inbound
8> Use SNMP v3
[S5720S]snmp-agent sys-info version V3
[S5720S]snmp-agent group v3 soc
[S5720S]snmp-agent usm-user v3 soc soc_user
Other security
1> Check that banner information is hidden
[S5720S]header login information ''
2> Check that known typical attacks are blocked
//For reference only; do not block protocols that are actually in use
[S5720S]acl 3002
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 593
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 593
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 139
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 139
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 69
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 1434
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 135
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 135
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 137
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 4444
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 5554
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 445
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 445
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 9995
[S5720S-acl-adv-3002]rule deny tcp source any destination any destination-port eq 9996
[S5720S-acl-adv-3002]rule deny udp source any destination any destination-port eq 138
3> Check that traffic control is applied
[S5720S]traffic classifier soc
[S5720S-classifier-soc]if-match acl 3002
[S5720S]traffic behavior soc
[S5720S]traffic policy soc
[S5720S-trafficpolicy-soc]classifier soc behavior soc
[S5720S]int GigabitEthernet 0/0/x
[S5720S-GigabitEthernet0/0/x]traffic-policy soc inbound
4> Check that unnecessary services are disabled
//Configure as needed; the example disables the DHCP and FTP services
[S5720S]undo dhcp enable
[S5720S]undo ftp server
5> Check that remote host IP address ranges are restricted
//A misconfigured allow list will break SSH access; do not test this configuration on production devices
[S5720S]acl 2002
[S5720S-acl-basic-2002]rule permit source 1.1.1.1 0
[S5720S]user-interface vty 0 4
[S5720S-ui-vty0-4]acl 2002 inbound
6> Check that unneeded functions are disabled
//Disables ARP proxy; this affects network access, do not test this configuration on production devices
[S5720S]interface Vlanif xx
[S5720S-Vlanifxx]undo arp-proxy enable
7> Check that remote management communication is secured
Configure the SSH service; see the previously published SSH configuration article
//Disable the telnet service
[S5720S]undo telnet server enable
8> Check that the device engine is protected
//Limit the rate of ICMP and TTL-expired packets sent to the CPU to 128 kbps
[S5720S]cpu-defend policy 1
[S5720S-cpu-defend-policy-1]car packet-type icmp cir 128
[S5720S-cpu-defend-policy-1]car packet-type ttl-expired cir 128
[S5720S]cpu-defend-policy 1 global
9> Check that port security is enabled
//May affect network access; do not test this configuration on production devices
[S5720S]int g0/0/x
[S5720S-GigabitEthernet0/0/x]port-security enable
[S5720S-GigabitEthernet0/0/x]port-security protect-action protect
[S5720S-GigabitEthernet0/0/x]port-security max-mac-num 2
[S5720S-GigabitEthernet0/0/x]port-security mac-address sticky
10> Check that basic security protection is enabled
//Enable global auto-defend
//Sample 1 of every 5 packets, alarm threshold 50 packets per second, no protection on whitelisted interface G0/0/X
[S5720S]cpu-defend policy soc
[S5720S-cpu-defend-policy-soc]auto-defend enable
[S5720S-cpu-defend-policy-soc]auto-defend attack-packet sample 5
[S5720S-cpu-defend-policy-soc]auto-defend threshold 50
[S5720S-cpu-defend-policy-soc]auto-defend whitelist 1 interface GigabitEthernet 0/0/X
[S5720S]cpu-defend-policy soc global
11> Check that a VTY port protection policy is configured
//At most 5 remote sessions
[S5720S]user-interface maximum-vty 5
12> Check that STP is enabled
//Enabling or disabling STP will cause network flapping
[S5720S]stp enable
13> Check that packet rate limiting is configured
//Per-port percentage limits: multicast 10%, broadcast 10%, unicast 30%
[S5720S]int GigabitEthernet 0/0/x
[S5720S-GigabitEthernet0/0/x]multicast-suppression 10
[S5720S-GigabitEthernet0/0/x]broadcast-suppression 10
[S5720S-GigabitEthernet0/0/x]unicast-suppression 30
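Checking several of the items above (cipher passwords, console and VTY authentication, VTY idle timeout and inbound ACL, default SNMP community strings, SNMP version, telnet) offline against a saved configuration is a quick way to confirm the remediation took effect. The checker below is an added example, not part of the original article or Huawei's tooling; the configuration it parses is a constructed excerpt in the layout of a display current-configuration dump, and the telnet check assumes the dump shows undo telnet server enable once the service has been disabled.

```python
# Constructed excerpt of a "display current-configuration" dump (not a real device dump); it mixes pass/fail lines.
SAMPLE_CONFIG = """\
aaa
 local-user admin password cipher <K.R)YFE!!(II9%HS7.!Q!!
 local-user ops password simple Huawei@123
#
snmp-agent community read public
snmp-agent sys-info version v2c v3
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
 acl 2002 inbound
#
"""

def section(lines, header):
    """Lines of the block that `header` introduces, up to the next '#' or user-interface line."""
    out, inside = [], False
    for l in lines:
        if l.startswith(header):
            inside = True
        elif l == "#" or l.startswith("user-interface"):
            inside = False
        elif inside:
            out.append(l)
    return out

def check_baseline(config):
    """Return {check_name: passed} for the baseline items visible in the running config."""
    lines = [l.strip() for l in config.splitlines()]
    r = {}
    # Account/password: every local-user password must be stored as cipher, never simple
    pw = [l for l in lines if l.startswith("local-user") and " password " in l]
    r["passwords_cipher"] = bool(pw) and all(" password cipher " in l for l in pw)
    # Console and VTY lines: authentication mode, idle timeout and inbound ACL
    r["console_password"] = "authentication-mode password" in section(lines, "user-interface con")
    vty = section(lines, "user-interface vty")
    r["vty_auth_aaa"] = "authentication-mode aaa" in vty
    r["vty_idle_timeout"] = any(l.startswith("idle-timeout") for l in vty)
    r["vty_acl"] = any(l.startswith("acl ") and l.endswith(" inbound") for l in vty)
    # SNMP: no default community strings, and only v3 enabled
    comms = [l.split()[3:] for l in lines if l.startswith("snmp-agent community")]
    r["snmp_no_default_community"] = not any({"public", "private"} & set(t) for t in comms)
    ver = [l.split()[3:] for l in lines if l.startswith("snmp-agent sys-info version")]
    r["snmp_v3_only"] = ver == [["v3"]]
    # Telnet: assumes the dump carries "undo telnet server enable" once telnet is turned off
    r["telnet_disabled"] = "undo telnet server enable" in lines
    return r
```

Run it against a dump taken before and after remediation; on the constructed sample it flags the plaintext password, the missing VTY idle-timeout, the public community string, the enabled v2c and the telnet service.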