It is recommended to implement the separation of management and data/customer traffic in your Huawei Service Routers (e.g. NE40E Series). Traffic passing through the management plane should be exclusively for management or administrative access purposes only like SSH, SNMP, NTP and AAA.
These are the steps on hardening the security on Huawei Routers.
Management instance can be configured using these commands:
ip vpn-instance STRING<1-31>
Here’s the recommended configuration or practices for these management services.
- Configure Authentication, Authorization and Accounting (AAA)
-preferably to setup centralized TACACS+ to manage all your devices, implement central network management that can impose security protocol to audit and control configuration. It can setup individual or group profiles with respective access rights like read-only or allow specific commands only.
-recommended to integrate the TACACS+ server to Lightweight Directory Access Protocol (LDAP) or Active Directory so can easily track changes, setup password complexity requirements and can have certain password expiry. Sample Configuration: (Assuming tacacs server host is 192.168.10.10, tacacs key will be auto encyrpted, and management IP is 192.168.1.88)<Huawei>system-view
Enter system view, return user view with return command.
hwtacacs-server template freenetworktutorials
hwtacacs-server authentication 192.168.10.10
hwtacacs-server authorization 192.168.10.10
hwtacacs-server accounting 192.168.10.10
hwtacacs-server source-ip 192.168.1.88
hwtacacs-server shared-key cipher %^%#;@A~knt;f>XtB2)8,}f`FLf~1/84^%#
hwtacacs-server user-name original
More detailed configuration –> TACACS (AAA) Configuration on Huawei Router
2. Use STelnet or Secure Shell (SSH) for Remote Access
– to provide secure remote connection to a device as the traffic is encrypted.
- Disable Telnet services
undo telnet server enable
undo telnet ipv6 server enable
undo telnet server-source all-interface
undo telnet ipv6 server-source all-interface
- Enable and run only the latest SSH Version 2 (SSHv2)
stelnet server enable
ssh server ip-block disable
ssh authorization-type default aaa
ssh server-source -i GigabitEthernet0/0/0
ssh server acl 3333 (ACL can create first)
- Configure Access Lists (ACL) to secure management sessions
Assuming your jump host IPs are:
192.168.40.11Step1. Create your ACL to allow only authorized IPs and deny all
acl number 3333
rule 10 permit ip vpn-instance management source 192.168.30.11 0
rule 20 permit ip vpn-instance management source 192.168.40.11 0
rule 30 deny ip vpn-instance management
Step2. Apply the ACL in management interface
user-interface vty 0 4
acl 3333 inbound
idle-timeout 0 0
protocol inbound ssh
ssh user freenetwork
ssh user freenetwork authentication-type all
ssh user freenetwork service-type stelnet
3. Configure Idle Timeout for SSH and console sessions
-this is to prevent unauthorized users from accessing your unattended login sessions. Recommended not more than 10 minutes.
ssh server rekey-interval <hours>
ssh server timeout <seconds>
ssh server authentication-retries <value>
More detailed configuration –> SSH Configuration on Huawei Router
4. Configure stricter password policies
If tacacs not reachable, it will look for the local account. It is advisable to implement stricter password requirements and complexity such as:
- at least 8 characters
- should contain both uppercase and lowercase characters
- should contain numbers
- does not contain any dictionary words
As per official Huawei documentation:
Password complexity is controlled by the local user security policy. Such a policy has the following limitations for user names and passwords in the AAA view and local AAA server view:
1. The local user name must contain no less than six characters.
2. The password applies to the following rules:
- The password must contain no less than eight characters.
- The password must contain digits, uppercase letters, lowercase letters, and special characters. The space and question mark (?) are not included. However, a space can be included if the string entered is enclosed with quotation marks (“).
- The password must not contain the user name or reverse user name
- The password must be different from the last 10 passwords. Entering a password the same as an existing password is not allowed, either.
More info from Huawei official doc –> Password Complexity Rules
5. Configure SNMP
SNMP or Simple Network Mangement Protocol is an application–layer protocol for exchanging management information between network devices via SNMP managers and agents.
It is advisable to run version 3 as it provides better security because of authentication and encryption between this communication.
Here’s sample recommended configuration for SNMPv3
192.168.11.0/25 & 192.168.12.0/25 SNMP Pollers
192.168.11.99 -SNMP trap server
snmp-agent sys-info version all
Create the access-list first to allow only authorized SNMP requests
acl number 3999
rule 10 permit ip vpn-instance management source 192.168.11.0 25
rule 20 permit ip vpn-instance management source 192.168.12.0 25
rule 30 deny ip vpn-instance management
snmp-agent acl 3999
More detailed configuration –> SNMP Polling and Traps Configuration on Huawei Router
6. Configure Syslog Logging
Recommended configuration: (Assuming syslog server IP is 192.168.15.254)
info-center source default channel 2 log level debugging
info-center source default channel 5 trap level informational
info-center loghost 192.168.15.254 vpn-instance management facility local2
info-center timestamp log date precision-time millisecond
info-center logbuffer channel 9 size 1024
Set the source-address and routing-instance
info-center loghost source GigabitEthernet0/0/0
More detailed configuration –> Syslog Configuration on Huawei Router
7. Configure NTP
-Network Time Protocol is networking protocol for clock synchronization. It is highly recommended to configure device date/time in a centralized NTP server within your network ( that includes your NMS pointing to the same NTP) as it will be helpful to see the accurate view if there’s any outage, technical or security incident, and in co-relating events.
Note: It is recommended to configure NTP with authentication. But it depends if your NTP server supports it.
Sample configuration: (Assuming 192.168.30.30 and 192.168.40.40 are NTP servers, and vpn instance is configured).
- Set the access-list to allow only authorized NTP servers
acl number 2999
rule 10 permit vpn-instance management source 192.168.30.30 0
rule 20 permit vpn-instance management source 192.168.40.40 0
rule 30 deny vpn-instance management
- Disable NTP service
ntp-service server disable
ntp-service ipv6 server disable
ntp-service server source-interface all disable
ntp-service ipv6 server source-interface all disable
- Configure the NTP servver
ntp-service access peer 2999
ntp-service unicast-server 192.168.30.30 vpn-instance management
ntp-service unicast-server 192.168.40.40 vpn-instance management
- Set the source-interfaceand vpn instance
ntp-service server source-interface GigabitEthernet0/0/0
display ntp-service status
display ntp-service sessions
Optional: Configure Timezone
clock timezone [STRING<1-32>] add [ HH:MM:SS]
Related link –> NTP Configuration on Huawei Router
8. Configure MOTD or Banners
-MOTD or Message of the Day will display before login, this is advisable to configure to notify unauthorized users for possible penalties upon accessing the device.
header login information <TEXT>
[~Huawei]header login information ?
TEXT<1-480> Set header text, take the first character as the specified start
and end character, the string between the start character and
the end character is the header to be displayed
[~Huawei]header login information %
FOR AUTHORIZED USERS ONLY!