The article discusses aspects of protecting the control plane of the Huawei NE Series routers. Examples are given for the NE40e, with software: VRP V800R008. On other types of routers (for example, NE5k) and with a different software version, the configuration may differ slightly.
For a more detailed study of this topic, I recommend reading RFC 6192 (Protecting the Router Control Plane).
VRP offers a number of ways to diagnose and protect the router control plane automatically. However, given how scarce and opaque the documentation is, I still recommend the traditional method of protection: create whitelists for the required protocols and services and drop the rest of the traffic.
The main policy section is as follows:
```
cpu-defend policy 1
 process-sequence whitelist user-defined-flow blacklist
 cp-acl ip-pool enable
 whitelist disable
 blacklist acl 3900
 blacklist ipv6 acl 3950
 application-apperceive disable
 ip urpf loose
```
The process-sequence determines the order in which the policy is applied: whitelist (disabled in our case), user-defined-flow, blacklist (ACL 3900 for IPv4 and ACL 3950 for IPv6).
Since we define the allowed protocols ourselves, the remaining traffic is filtered by the blacklist, so there is no need for application-apperceive analysis.
The uRPF (Unicast Reverse Path Forwarding) mechanism is enabled at the conservative loose level.
The blacklists for IPv4 and IPv6 look like this:
```
acl number 3900
 description --- ACL For IPv4 Discard ---
 rule 5 deny tcp
 rule 10 deny udp
 rule 15 deny ip
#
acl ipv6 number 3950
 description --- ACL For IPv6 Discard ---
 rule 5 deny tcp
 rule 10 deny udp
 rule 15 deny ipv6
```
The policy must be applied on each slot:
```
slot 1
 cpu-defend-policy 1
#
slot 2
 cpu-defend-policy 1
…
```
The "default" section includes the following protection mechanisms:
```
 udp-packet-defend enable
 fragment-flood enable
 abnormal-packet-defend enable
 tcpsyn-flood enable
 attack-source-trace enable
```
It is recommended to close all unused protocols and services in the ma-defend section. This option can be enabled either globally or per slot. For example:
```
system-view
 ma-defend global-policy
  protocol OSPF deny
  protocol RIP deny
```
or
```
system-view
 ma-defend slot-policy 1
  protocol … deny
```
The user-defined policy is described next. The general rules are summarized in the table below. The rate and priority values are given as an example and do not claim to be the "ultimate truth". The maximum number of elements in a user-defined policy is 64.

Type of traffic | Rate | Priority | Rule number
---|---|---|---
BGP | 1 Mb/s | High | 3901
LDP | 1 Mb/s | High | 3902
IS-IS | n/a | n/a | n/a
VRRP | 1 Mb/s | High | 3904
BFD | 1 Mb/s | High | 3905
MCAST | 1 Mb/s | High | 3906
SSH | 512 Kb/s | Middle | 3907
FTP | 5 Mb/s | Low | 3908
DNS | 512 Kb/s | Low | 3909
SNMP | 1 Mb/s | Middle | 3910
TACACS+ | 1 Mb/s | Low | 3911
NTP | 512 Kb/s | Low | 3912
ICMP, traceroute, lsp-ping | 512 Kb/s | Low | 3913
Next, consider the ACL filters for the corresponding protocols/services.
3901. BGP protocol.
The rule for filtering the BGP protocol can be written either in a simplified form:
```
acl number 3901
 rule permit tcp destination-port eq bgp
 rule permit tcp source-port eq bgp
```
or for each peer separately:
```
acl ip-pool BGP-Peers
 ip address 10.1.1.1 0.0.0.0
acl number 3901
 rule permit tcp source-pool BGP-Peers 0 destination-port eq bgp
 rule permit tcp source-pool BGP-Peers 0 source-port eq bgp
```
3902. LDP protocol.
```
acl number 3902
 rule 5 permit tcp source-pool Lo0_P2P destination-port eq 646
 rule 10 permit tcp source-pool Lo0_P2P source-port eq 646
 rule 15 permit udp source-pool Lo0_P2P destination-port eq 646
 rule 20 permit udp source-pool Lo0_P2P source-port eq 646
```
3904. VRRP
```
acl ip-pool VRRP_Peers
 ip address 10.1.1.1 0.0.0.0
acl number 3904
 rule permit 112 source-pool VRRP_Peers
```
3905. BFD
```
acl number 3905
 rule permit udp source-pool Lo0_P2P destination-port eq 3784
 rule permit udp source-pool Lo0_P2P source-port eq 3784
```
3906. All MCAST (IGMP, PIM, MSDP)
```
acl number 3906
 rule permit 103
 rule permit igmp
 rule permit udp destination-port eq 639
 rule permit udp source-port eq 639
 rule permit tcp destination-port eq 639
 rule permit tcp source-port eq 639
```
3907. SSH
```
acl number 3907
 description ### SSH access ###
 rule 5 permit tcp source-pool MGMT source-port eq 22
 rule 10 permit tcp source-pool MGMT destination-port eq 22
 rule 15 permit tcp source-pool MGMT destination-port eq 830
```
3908. FTP, FTP-data
```
acl port-pool ftp
 eq 20
 eq 21
acl number 3908
 rule 10 permit tcp source-pool MGMT source-port-pool ftp
 rule 15 permit tcp source-pool MGMT destination-port-pool ftp
```
3909. DNS
```
acl ip-pool DNS
 ip address 1.1.1.1 0.0.0.0
 ip address 8.8.8.8 0.0.0.0
acl number 3909
 rule 5 permit udp source-pool DNS source-port eq dns
```
3910. SNMP
```
acl number 3910
 rule 5 permit udp source-pool SNMP source-port eq snmp
 rule 10 permit udp source-pool SNMP destination-port eq snmp
```
3911. TACACS+
```
acl number 3911
 rule 5 permit tcp source-pool TACACS source-port eq tacacs
 rule 10 permit udp source-pool TACACS source-port eq tacacs-ds
```
3912. NTP
```
acl number 3912
 rule 5 permit udp source-pool NTP source-port eq ntp
 rule 10 permit udp source-pool NTP destination-port eq ntp
```
3913. ICMP
```
acl number 3913
 rule permit icmp icmp-type echo
 rule permit icmp icmp-type echo-reply
 rule permit icmp icmp-type ttl-exceeded
 rule permit icmp icmp-type port-unreachable
 rule permit icmp icmp-type Fragmentneed-DFset
 rule permit icmp
 rule permit udp destination-port range 33434 33678
 rule permit udp destination-port eq 3503
```
3951. BGP for IPv6
```
acl ipv6 number 3951
 rule 5 permit tcp destination-port eq bgp
```
3952. ICMPv6
```
acl ipv6 number 3952
 rule 30 permit icmpv6
 rule 35 permit udp destination-port range 33434 33678
```
To apply the lists, bind them to the cpu-defend policy as follows:
```
cpu-defend policy 1
 ...
 user-defined-flow 1 acl 3901
 user-defined-flow 2 acl 3902
 user-defined-flow 4 acl 3904
 user-defined-flow 5 acl 3905
 user-defined-flow 6 acl 3906
 user-defined-flow 7 acl 3907
 user-defined-flow 8 acl 3908
 user-defined-flow 9 acl 3909
 user-defined-flow 10 acl 3910
 user-defined-flow 11 acl 3911
 user-defined-flow 12 acl 3912
 user-defined-flow 13 acl 3913
 user-defined-flow 51 ipv6 acl 3951
 user-defined-flow 52 ipv6 acl 3952
 car blacklist cir 0 cbs 0
 car user-defined-flow 1 cir 1000
 car user-defined-flow 2 cir 1000
 car user-defined-flow 4 cir 1000
 car user-defined-flow 5 cir 1000
 car user-defined-flow 6 cir 1000
 car user-defined-flow 7 cir 512
 car user-defined-flow 8 cir 5000
 car user-defined-flow 9 cir 512
 car user-defined-flow 10 cir 1000
 car user-defined-flow 11 cir 1000
 car user-defined-flow 12 cir 512
 car user-defined-flow 13 cir 512
 car user-defined-flow 51 cir 10000
 car user-defined-flow 52 cir 512
 priority user-defined-flow 1 high
 priority user-defined-flow 2 high
 priority user-defined-flow 4 high
 priority user-defined-flow 5 high
 priority user-defined-flow 6 high
 priority user-defined-flow 7 middle
 priority user-defined-flow 8 low
 priority user-defined-flow 9 low
 priority user-defined-flow 10 middle
 priority user-defined-flow 11 low
 priority user-defined-flow 12 low
 priority user-defined-flow 13 low
 priority user-defined-flow 51 high
 priority user-defined-flow 52 low
```
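With a dozen ACLs and a separate binding block, it is easy for an ACL number in a definition to drift away from the number the policy references, leaving a flow that silently matches nothing and falls through to the blacklist. The following is an added example (not part of the article and not a Huawei tool) that cross-checks a VRP configuration dump in the style shown above; the sample config is constructed and the line patterns it recognizes are the ones used on this page.

```python
import re
from collections import defaultdict

# Constructed sample (ACL bodies omitted) repeating the article's slips: 3343 vs 3905, 3909 twice, 3910 undefined
SAMPLE_CONFIG = """
acl number 3901
acl number 3343
acl number 3909
acl number 3909
acl ipv6 number 3951
cpu-defend policy 1
 user-defined-flow 1 acl 3901
 user-defined-flow 5 acl 3905
 user-defined-flow 9 acl 3909
 user-defined-flow 10 acl 3910
 user-defined-flow 51 ipv6 acl 3951
 car user-defined-flow 1 cir 1000
 car user-defined-flow 5 cir 1000
 car user-defined-flow 9 cir 512
 priority user-defined-flow 1 high
 priority user-defined-flow 5 high
 priority user-defined-flow 9 low
"""
ACL_DEF = re.compile(r"^acl (ipv6 )?number (\d+)$")
FLOW_BIND = re.compile(r"^user-defined-flow (\d+) (ipv6 )?acl (\d+)$")
CAR = re.compile(r"^car user-defined-flow (\d+) cir (\d+)$")
PRIO = re.compile(r"^priority user-defined-flow (\d+) (high|middle|low)$")
MAX_FLOWS = 64  # per-policy limit stated in the article

def lint_cpu_defend(config: str) -> dict:
    # ACLs are keyed by (family, number): IPv4 and IPv6 ACL numbers are separate spaces
    defined, bound, cars, prios = defaultdict(int), {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_DEF.match(line):
            defined[("ipv6" if m[1] else "ipv4", m[2])] += 1
        elif m := FLOW_BIND.match(line):
            bound[m[1]] = ("ipv6" if m[2] else "ipv4", m[3])
        elif m := CAR.match(line):
            cars[m[1]] = int(m[2])
        elif m := PRIO.match(line):
            prios[m[1]] = m[2]
    return {
        "missing_acl": sorted(a for fam, a in bound.values() if (fam, a) not in defined),
        "duplicate_acl": sorted(a for (_, a), n in defined.items() if n > 1),
        "unbound_acl": sorted(a for (fam, a) in defined if (fam, a) not in bound.values()),
        "flows_without_car": sorted(f for f in bound if f not in cars),
        "flows_without_priority": sorted(f for f in bound if f not in prios),
        "too_many_flows": len(bound) > MAX_FLOWS,
    }
```

Run it over the output of display current-configuration; an empty report means every bound ACL exists exactly once and every flow has both a CAR and a priority.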
To raise threshold alarms, the following function can be used:
```
cpu-defend policy 1
 ...
 alarm drop-rate user-defined-flow 7 threshold 100 interval 60
```
Here the threshold value is set in packets and the interval in seconds.
Statistics on the operation of the CoPP filters can be viewed with the display cpu-defend ... commands.
After applying the settings, it is also worth scanning the router to verify the result.
In conclusion, I would like to note that Huawei (like any modern vendor) offers all the necessary means to protect the control plane of its routers. And the periodically published reports of discovered vulnerabilities show that these tools should not be neglected.
Source: https://habr.com/ru/post/431334/