To ensure the security of communication between Internet access users and the device, the device provides the following security hardening policies:
Internet Access User Spoofing Prevention
The device provides local authentication, server authentication, and single sign-on (SSO) for Internet access users. In addition to checking a user's password, you can choose to verify the user's IP address or MAC address during authentication.
With any of the preceding authentication modes, you can configure per account whether multiple users may log in concurrently with that account. The device supports third-party server authentication. For details on communication security between the authentication server and the device, see the sections Access Authentication Security, LDAP Server Authentication Security, and AD Server Authentication Security. The device also allows login page customization to improve login security: you can customize the logo, background, and welcome page so that enterprise users can recognize whether the login page has been redirected to a phishing website.
Anti-Brute Force
To prevent attackers from guessing passwords by enumeration, the device locks an account after three consecutive incorrect password inputs in local authentication. After a specific period of time, the device automatically unlocks the account so that it can be used again.
In AD, LDAP, HWTACACS, and RADIUS server authentication, the device functions as a client: it proactively sends request packets to the server, and the server responds to them. In this case the anti-brute-force function must be enforced by the server. In CoA (Change of Authorization) of RADIUS authentication, the server proactively sends requests to the device. You are advised to change the default shared key promptly. The new key must contain at least sixteen characters drawn from at least three of the following character types: lower-case letters, upper-case letters, digits, and special characters.
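The two checks described in this section, a lockout after three consecutive local-authentication failures that expires after a fixed time, and the complexity rule for the RADIUS shared key (sixteen or more characters from at least three of four character classes), are shown below as an added Python example. It is not code from the device or from this documentation; the 300-second unlock delay is an assumption, since the page only says "a specific period of time", and the account names are constructed.

```python
from dataclasses import dataclass

MAX_FAILURES = 3      # lock after three consecutive wrong passwords (from the page)
LOCK_SECONDS = 300    # assumed unlock delay; the page does not state the exact period


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LocalAuthGuard:
    """Tracks consecutive password failures per account and enforces a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now` and return 'locked', 'ok' or 'fail'.

        `password_ok` is the result of the password comparison; while the account
        is locked the result is 'locked' even if the password is correct, which is
        what makes the lockout useful against enumeration.
        """
        st = self._state(user)
        if st.locked_until > now:
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            # Lock the account; the counter restarts once the lock expires.
            st.locked_until = now + self.lock_seconds
            st.failures = 0
            return "locked"
        return "fail"


def shared_key_meets_policy(key):
    """Apply the shared-key rule from the page: at least 16 characters and at least
    three of the four classes lower-case, upper-case, digit, special."""
    if len(key) < 16:
        return False
    classes = [
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(not c.isalnum() and not c.isspace() for c in key),  # "special characters"
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    guard = LocalAuthGuard()
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (310, True)]:
        print(t, guard.attempt("alice", ok, t))
    for key in ["huawei", "Radius-Key-2024-xyz"]:
        print(repr(key), shared_key_meets_policy(key))
```

The guard is keyed by account, not by source address, because the page describes locking the account; tying the same counter to the source IP would only be a supplementary measure.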
Password Security
The device provides password policies with high, medium, and low password strength levels; the default is high. In local authentication, you can specify whether users must change their passwords upon first login. Local authentication also supports a password validity period and an expiration reminder: when a password is about to expire, the system prompts the user to change it. Passwords of local users are encrypted using AES256 and then stored in a database.
Anti-repudiation
Local authentication of Internet access users is recorded in detailed authentication logs. When acting as a proxy for server authentication, the device records the authentication process, and the authentication server records the authentication information. All recorded information can be used for auditing and source tracing.
Data Leak Prevention and Anti-tampering
HTTPS is supported for interaction between access users and authentication pages, and the certificate replacement function is available so that users can verify the device's authenticity.
system-view
user-manage security server-certificate server.cer
By default, the device sends its default certificate to the user. The user cannot verify its validity, however, because that certificate is user-defined rather than issued by a trusted Certificate Authority (CA). You are advised to apply to a CA for a device certificate and the CA certificate, import the device certificate into the device, and import the CA certificate into users' browsers.
Bind an account to an IP address (unidirectional binding), or to an IP address and a MAC address (bidirectional binding):
system-view
user-manage user test
bind mode unidirectional
bind ipv4 10.2.2.2
system-view
user-manage user test
bind mode bidirectional
bind ipv4 10.2.2.2 mac aaaa-bbbb-cccc
Set the password strength to high (a user must comply with the requirement when changing a password), require users to change their password upon first login (local authentication only), and set the password validity period and the expiry reminder:
system-view
password-policy
level high
firstmodify enable
lefttime 60
alarmtime 15
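The following added Python example (not code from the device or this documentation) models how the validity period and reminder settings above combine: a password set on a given date is valid for `lefttime` days, the user is warned once `alarmtime` days or fewer remain, and with `firstmodify enable` a first login forces a change regardless of dates. The dates and the column names are constructed for illustration.

```python
from datetime import date, timedelta

VALIDITY_DAYS = 60   # lefttime 60 from the page
ALARM_DAYS = 15      # alarmtime 15 from the page


def password_status(set_on, today, *, first_login=False, first_modify=True,
                    validity_days=VALIDITY_DAYS, alarm_days=ALARM_DAYS):
    """Return (status, days_left) for a local user's password.

    status is one of:
      'must-change' - first login and the policy forces an initial change
      'expired'     - the validity period has elapsed
      'warn'        - within the reminder window before expiry
      'ok'          - nothing to do
    days_left is the number of days until expiry (may be negative once expired).
    """
    expires_on = set_on + timedelta(days=validity_days)
    days_left = (expires_on - today).days
    if first_login and first_modify:
        return "must-change", days_left
    if days_left <= 0:
        return "expired", days_left
    if days_left <= alarm_days:
        return "warn", days_left
    return "ok", days_left


def audit_accounts(records, today):
    """Evaluate a list of (user, password_set_on, first_login) records, returning
    a dict user -> status so an administrator can see who needs attention."""
    return {user: password_status(set_on, today, first_login=first)[0]
            for user, set_on, first in records}


if __name__ == "__main__":
    # Constructed sample records: (user, date the password was set, first login pending?)
    sample = [
        ("alice", date(2024, 1, 1), False),
        ("bob",   date(2024, 1, 1), True),
        ("carol", date(2023, 12, 1), False),
        ("dave",  date(2024, 2, 1), False),
    ]
    for user, status in audit_accounts(sample, date(2024, 2, 20)).items():
        print(user, status)
```

The reminder window is evaluated relative to the expiry date rather than the set date, so changing `lefttime` alone shifts both the expiry and the warning without the reminder logic needing to change.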