The common improper configurations that affect the system security are as follows:
The ring network detection function and the anti-MAC address-spoofing function or anti-IP address-spoofing function are disabled. When the anti-MAC address-spoofing function or the anti-IP address-spoofing function is disabled, the ******* user sends the PPPoE and DHCP control packets by forging the MAC address or IP address of a legal user. In this case, the security of the system is affected.
Run the ring check command to enable the ring network detection function on the user side.
Run the security anti-macspoofing enable command to enable the anti-MAC address-spoofing function.
Run the security anti-ipspoofing enable command to enable the anti-IP address-spoofing function.
The devices are managed through IP addresses of the public network, and the access rights are not strictly limited when the ACL rule is configured. In this case, the network is exposed to attacks.
To ensure the security of devices, manage them by using IP addresses of the private network. When configuring the ACL rule, follow the principle of minimum authorization (least privilege) for the accessible address segment: it may contain only the mandatory IP addresses of the management network segment, so that other IP addresses cannot access the device management interface.
Run the acl command to create a basic ACL and enter the ACL mode. The number of a basic ACL can only be in the range of 2000-2999.
In the basic ACL mode, run the rule command to create a basic ACL rule. The parameters are as follows:
rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
permit: Indicates the keyword for allowing the data packets that meet the related conditions to pass.
deny: Indicates the keyword for discarding the data packets that meet the related conditions.
time-range: Indicates the keyword of the time range during which the ACL rule is effective.
The packets that access the device management interface are not controlled, so the device can be attacked with such packets. In this case, the system becomes busy and the services are affected.
Run the firewall packet-filter command to apply the packet filtering rules of the firewall to the interface, so that the packets that access the interface are filtered. This prevents the packet attack.
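As an added example (not part of the original document or of Huawei's tooling), the following Python sketch audits a saved configuration for the three improper configurations listed above. The sample configuration is constructed; the command arguments, the wildcard-mask form of the source clause, the reading of "private network" as RFC 1918 space, and the max_hosts threshold are all assumptions.

```python
import ipaddress
import re

# Constructed sample of a saved configuration. The line formats (wildcard-mask
# "source" clause, arguments after each command) are assumptions.
SAMPLE_CONFIG = """\
ring check enable
security anti-macspoofing enable
acl 2000
 rule 5 permit source 10.20.30.0 0.0.0.255
 rule 10 permit source 0.0.0.0 255.255.255.255
acl 2001
 rule 5 permit source 203.0.113.0 0.0.0.255
firewall packet-filter 2000 inbound
"""

REQUIRED = ("ring check", "security anti-macspoofing enable",
            "security anti-ipspoofing enable", "firewall packet-filter")
# "Private network" is taken to mean RFC 1918 space (assumption).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit(config, max_hosts=256):
    """Return findings for the three misconfigurations listed above."""
    findings, acl = [], None
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for cmd in REQUIRED:
        if not any(ln.startswith(cmd) for ln in lines):
            findings.append(f"missing: {cmd}")
    for ln in lines:
        m = re.fullmatch(r"acl (\d+)", ln)
        if m:
            acl = int(m.group(1))
            continue
        m = re.fullmatch(r"rule (\d+) permit source (\S+) (\S+)", ln)
        if not m or acl is None or not 2000 <= acl <= 2999:
            continue
        # Wildcard mask to prefix length; a non-contiguous mask is rounded
        # up to the covering network, which errs on the broad side.
        wild = int(ipaddress.IPv4Address(m.group(3)))
        net = ipaddress.ip_network(f"{m.group(2)}/{32 - wild.bit_length()}",
                                   strict=False)
        where = f"acl {acl} rule {m.group(1)}"
        if net.num_addresses > max_hosts:
            findings.append(f"{where}: too broad ({net})")
        elif not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{where}: non-private source ({net})")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the missing anti-IP address-spoofing command, the permit-any rule, and the permit rule whose source lies outside private address space.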