< Home

Device Management Interface Security

Overview

After you run the service-manage enable command on an interface to enable the access control function, you can permit or deny the administrator's access to the device through a specified protocol. The interface access control function implemented in this mode has a higher priority than the security policy. In this case, even if a security policy is configured, the device cannot be managed through the interface. To implement more refined access control management through the security policy, you need to run the undo service-manage enable command on the interface to disable the access control management function.

Unauthorized users who obtain device accounts and passwords can access and manage devices through service interfaces. In addition, the management network can be attacked through the service network. Binding the device management interface to a specific VPN instance isolates the management plane from the control and forwarding planes, preventing unauthorized access through service interfaces or attacks through the service network, and greatly improving device security.

Impact on the System

None

Procedure

  • Configure the access control management function of the interface.
    1. Enable the access control and management function of the interface. By default, the access control management function is enabled on an interface.

      system-view
interface interface-type interface-number
service-manage enable

    2. Permit or deny the administrator's access to the device through HTTP, HTTPS, ping, SSH, SNMP, NETCONF, Telnet, or all methods.

      service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

      After the access control management function is enabled on the interface, the HTTP, HTTPS, and ping permissions on the management interface are enabled by default. The HTTP, HTTPS, Telnet, ping, SSH, SNMP and NETCONF permissions are disabled on non-management interfaces.

  • Bind the device management interface to a management VPN instance.
    1. Enter the system view.

      system-view

    2. Create a management VPN instance and enter the VPN instance view.

      ip vpn-instance management

    3. Enable the IPv4 address family for the VPN instance and enter the VPN instance IPv4 address family view.

      ipv4-family

    4. Exit the VPN instance IPv4 address family view.

      quit

    5. Exit the VPN instance view.

      quit

    6. Enter the management interface view.

      interface MEth 0/0/0

    7. Bind the management interface to the management VPN instance.

      ip binding vpn-instance management

Checking the Security Hardening Result

Run the display this command in the management interface view to check the binding relationship between the management interface and management VPN instance.

Parent Topic: Management Plane Security (Level-1)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >