WLAN Security Hardening Guide

Issue 07
Date 2021-08-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
https://e.huawei.com
Preface
Purpose
This document describes the policies for hardening network and WLAN security in
terms of attack behavior, security policies, and configuration methods. It also
provides hardening guidance in terms of the management, control, and
forwarding planes.
Intended Audience
This document is intended for network engineers responsible for WLAN
configuration and management. You should be familiar with basic Ethernet
knowledge and have extensive experience in network deployment and
management.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
NOTICE: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE: Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Contents
Preface
1 Overview
1.1 Security Isolation and Defense Mechanisms
1.2 Security Hardening Principles
1.3 Security Hardening Policy Levels
2 (Mandatory) Level-1 Security Hardening Policies
2.1 Default Accounts and Passwords
2.2 Management Plane
2.2.1 Device Login Security
2.2.1.1 Login Through the Console Port
2.2.1.2 Login Through SSH
2.2.1.3 Login Through the Web NMS
2.2.2 AAA User Management Security
2.2.3 SNMP Device Management Security
2.2.4 Service Plane Access Prohibition of Insecure Management Protocols
2.3 Control Plane
2.3.1 Wireless User Access Security
2.3.1.1 WPA/WPA2
2.3.1.2 WPA3
2.3.1.3 WAPI
2.3.1.4 STA Blacklist and Whitelist
2.3.1.5 PMF
2.3.1.6 Brute-Force Attack Defense and Dynamic Blacklist
2.3.2 Local Attack Defense
2.3.3 Attack Defense Through Service and Management Isolation
2.3.4 Attack Defense
2.3.4.1 Defense Against Malformed Packet Attacks
2.3.4.2 Defense Against Fragment Attacks
2.3.4.3 Defense Against TCP SYN Flood Packets
2.3.4.4 Defense Against UDP Flood Attacks
2.3.4.5 Defense Against ICMP Flood Attacks
2.4 Forwarding Plane
2.4.1 Traffic Suppression
2.4.2 Trusted Path-based Forwarding
3 (Optional) Level-2 Security Hardening Policies
3.1 Management Plane
3.1.1 Information Center Security
3.1.2 CAPWAP Control Tunnel Encryption
3.2 Control Plane
3.2.1 Wireless Attack Detection and Containment
3.2.2 URL Filtering
3.2.3 Intrusion Prevention
3.2.4 Antivirus
3.2.5 ARP Security
3.2.5.1 Defense Against ARP Spoofing Attacks
3.2.5.2 Defense Against ARP Flood Attacks
3.2.6 DHCP Security
3.2.6.1 Defense Against Bogus DHCP Server Attacks
3.2.6.2 Defense Against DHCP Flood Attacks
3.2.7 Routing Protocol Security
3.2.7.1 BGP/BGP4+
3.2.7.2 OSPF/OSPFv3
3.2.7.3 RIP/RIPng
3.2.7.4 IS-IS (IPv4)/IS-IS (IPv6)
3.2.8 Multicast Security
3.2.8.1 Layer 2 Multicast
3.2.8.2 Layer 3 Multicast
3.3 Forwarding Plane
3.3.1 ACL
3.3.2 MAC Address Anti-flapping
3.3.3 Port Isolation
3.3.4 Port Security and Trusted Port
3.3.5 Navi AC
3.3.6 CAPWAP Data Tunnel Encryption
4 Reference Documents
1 Overview
About This Chapter
This document describes the policies for hardening network and WLAN security in
terms of attack behavior, security policies, and configuration methods. It also
provides hardening guidance in terms of the management, control, and
forwarding planes.
NOTE
This document is applicable to all product versions. The functions supported may vary
according to versions. For details, see the configuration guide.
1.1 Security Isolation and Defense Mechanisms
1.2 Security Hardening Principles
1.3 Security Hardening Policy Levels
1.1 Security Isolation and Defense Mechanisms
WLAN devices comply with the three-layer three-plane security isolation
mechanism of X.805. Figure 1-1 shows the security isolation architecture.
Data flows at different importance levels face different security threats that have
different impacts on users. To avoid mutual impacts between data flows, three
security planes are planned on WLAN devices.
● Management plane: This plane focuses on the security of application and service data for management users, that is, security of operation, maintenance, and management information.
● Control plane: WLAN devices must run various protocols to transmit service traffic. The services must be protected against attacks or spoofing.
● Forwarding plane: WLAN devices use the destination MAC and IP addresses of packets to search for routes for forwarding the packets. Security measures must be taken in the forwarding routes to prevent attacks on WLAN devices and spreading of attack traffic over the IP network.
By isolating the control, management, and forwarding planes, WLAN devices can
ensure that attacks on any of the planes do not affect other planes.
Figure 1-1 Three-layer three-plane security isolation architecture of X.805
1.2 Security Hardening Principles
Before performing security hardening on WLAN devices, get familiar with the following information so that you understand the security hardening policies in this document.
Security must be hardened continuously and can never be achieved once and
forever. Any attempt to achieve permanent security using a single policy or
through one-off security hardening configuration will fail.
Before carrying out security hardening procedures, perform the following steps:
1. Fully understand service requirements: Security is always service-oriented. An appropriate security hardening policy can be developed only after the security protection requirements of the service system are clearly understood.
2. Evaluate risks comprehensively: Analyze security threats to the service system, identify weak points of the service system, balance the service system value against security hardening costs, and comprehensively evaluate security risks. Provide defense measures against unacceptable security risks. Treat acceptable risks as residual risks, and periodically review them throughout the service system lifecycle to determine whether to reevaluate their risk levels.
3. Design a security hardening solution: Based on the comprehensive risk evaluation, design a solution that meets service requirements. Security is ensured by design, not by configuration. Every security hardening engineer should adequately understand this principle.
4. Implement security hardening policies: Before the implementation, evaluate the policy impact on services to prevent service loss.
After security hardening is complete, continuous monitoring and maintenance of the service system are required. This helps locate faults promptly, adjust security hardening policies, and ensure that the policies have taken effect as expected. To sum up, security hardening is a process requiring continuous improvement.
1.3 Security Hardening Policy Levels
Based on network security requirements, security hardening policies for WLAN
devices can be classified into two levels.
● Level 1: security hardening policies that must be configured
● Level 2: enhanced security hardening policies which can be configured based on service requirements
2 (Mandatory) Level-1 Security Hardening Policies
About This Chapter
2.1 Default Accounts and Passwords
2.2 Management Plane
2.3 Control Plane
2.4 Forwarding Plane
2.1 Default Accounts and Passwords
The default username and password are available in WLAN Default Usernames
and Passwords (Enterprise Network or Carrier). If you have not obtained the
access permission of the document, see Help on the website to find out how to
obtain it.
2.2 Management Plane
2.2.1 Device Login Security
2.2.1.1 Login Through the Console Port
Attack Behavior
Console ports are physical interfaces. After an attacker accesses the console port
on a WLAN device, the WLAN device is exposed to the attacker, causing security
risks to the WLAN device. The attacker can damage the WLAN device even
without a user name and a password.
When the console port is used for login, a potential attacker may attempt to crack
the user name and password over network connections and obtain the system
administrator rights.
Security Policy
To defend against the preceding attack, configure the following security policies
on a WLAN device:
When a WLAN device is used for the first time, configure it through the console
port.
1. Connect the DB9 connector of the console cable to the serial port of the PC. During the startup of the WLAN device, press CTRL+B, use the preset password to access the BootROM menu, and change the BootROM password.
2. The device generates configurations. Change the console port login password and record the new password.
By default, the console port uses non-authentication and has no user name or
password configured. After you connect a PC to the console port, start the
terminal emulation software on the PC, create a connection, set the
connected interface and communication parameters, and press Enter to log in
to the device. The system prompts you to configure a password and confirm
it. After the password is successfully configured, you can enter the CLI. To
ensure console port security, you are advised to change the authentication
mode for the console user interface to Authentication, Authorization and
Accounting (AAA) authentication and configure the correct user name and
password in the AAA view.
NOTE
● The default username and password are available in WLAN Default Usernames and
Passwords (Enterprise Network or Carrier). If you have not obtained the access
permission of the document, see Help on the website to find out how to obtain it.
● After the upgrade to V200R019C00 or later, you can access the BIOS menu only after
changing the default BIOS password.
● After the password for the user interface is set successfully during the first login,
properly keep the password. You must enter this password for authentication when you
relog in to the system in password authentication mode on this user interface.
Configuration Method
● Change the BootROM password.
The display in the following example is for reference only and may vary according to the device version. The display on the actual device shall prevail.
When "Press CTRL+B to enter BIOS menu:" is displayed during the startup, press Ctrl+B within 3 seconds to access the BootROM main menu. After you enter the correct BootROM password, the following BootROM main menu is displayed:
Press CTRL+B to enter BIOS menu: 1
Password:
Info: You are advised to change the password to ensure security.
BIOS Menu (Version: 072)
1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter file system submenu
6. Modify BOOTROM password
7. Clear password for console user
8. Config HigMem to Flash Flag
9. Reboot
(Press CTRL+E to enter Diag menu)
Enter your choice(1-9): 6 // Change the password.
Confirm old password : // Enter the old password.
Please enter new password : // Enter the new password.
Please confirm new password : // Enter the new password again.
The password is changed successfully.
● Configure AAA authentication.
Set the authentication mode of the console user interface to AAA authentication. In the AAA view, set the user name to admin1234 and the password to Helloworld@6789.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 service-type terminal
2.2.1.2 Login Through SSH
Attack Behavior
● Brute-force password crack
An attacker attempts to access a WLAN device after obtaining the Secure Shell (SSH) port number. When the device asks for authentication, the attacker may crack the password to pass authentication and obtain the access right.
● Denial of service (DoS) attack
The SSH server supports a limited number of users. When the number of login users reaches the upper limit, no more users can log in to the SSH server. This situation may appear when users properly use the FTP server or when the SSH server is attacked.
Security Policy
To defend against the preceding attacks, configure the following security policies
on a WLAN device:
● Performing password authentication and public-key authentication
The SSH server supports password authentication and public-key authentication. Only authenticated users can log in to a WLAN device and enter the CLI.
● Disabling the SSH server
When the SSH server is enabled, the socket service is enabled on the device. In this case, the device is prone to scanning by attackers. Therefore, disable the SSH server if it is not needed.
● Changing the port number
By default, the SSH server uses port 22, which is a well-known port and prone to scanning and attacks. Configure the SSH server to use a private port to reduce the scanning and attack possibility.
● Configuring an Access Control List (ACL)
In the user interface view, configure an ACL for Virtual Type Terminal (VTY) channels to limit the client IP addresses that can be used for login.
Configuration Method
● Configure password authentication or Rivest-Shamir-Adleman (RSA) authentication.
– Password authentication: Set the authentication mode of user testuser to password authentication.
<HUAWEI> system-view
[HUAWEI] ssh user testuser authentication-type password
– RSA authentication: Set the authentication mode of user testuser to RSA authentication (using a key of 2048 bits or more).
<HUAWEI> system-view
[HUAWEI] ssh user testuser authentication-type rsa
● Disable the SSH service.
NOTE
After the SSH service is disabled, you cannot log in to the device using STelnet. Perform this operation only after confirming that the SSH service is not needed.
<HUAWEI> system-view
[HUAWEI] undo stelnet server enable
● Change the SSH server port number (for example, to 55535).
<HUAWEI> system-view
[HUAWEI] ssh server port 55535
● Configure ACL 2000 to allow users with the source IP address of 10.1.1.1 to log in to the WLAN device.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 14
[HUAWEI-ui-vty14] acl 2000 inbound // To control which source IP addresses or IP address segments may log in to the WLAN device, specify inbound. To control which other WLAN devices a logged-in user may log in to from this device, specify outbound.
[HUAWEI-ui-vty14] quit
2.2.1.3 Login Through the Web NMS
Attack Behavior
● DoS attack
The web server supports a limited number of users. When the number of login users reaches the upper limit, no more users can log in to the web server. This situation may appear when users properly use the web server or when the web server is attacked.
● Slow connection attack
The attacker sets a large Content-Length value in the HTTP packet header; this field declares the length of the packet's content. After sending the header, the attacker does not send the packet body. Having read Content-Length, the web server waits for the remaining content. The attacker keeps the connection open and sends a large number of such requests, transmitting one byte every 10 to 100 seconds, to exhaust the server's resources.
Once the web server is attacked, users may encounter various problems, such as slow login, logout, frequent disconnection, and login failures.
Security Policy
To defend against the preceding attacks, configure the following security policies
on a WLAN device:
● Performing AAA authentication
The web server supports AAA authentication. Only authenticated users can log in to a WLAN device and enter the CLI. Users are required to enter the user name, password, and randomly generated verification code for login, reducing the password cracking possibility.
● Disabling the web server
When the web server is enabled, the socket service is enabled on the WLAN device. In this case, the device is prone to scanning by attackers. Therefore, disable the web server if it is not needed.
● Changing the port number
By default, the web server uses port 80, which is a well-known port and prone to scanning and attacks. Configure the web server to use a private port to reduce the scanning and attack possibility.
● Configuring an ACL
In the system view, configure an ACL for the web server to limit the source IP addresses that can be used for login.
● Using HTTP over SSL (HTTPS)
HTTP over Secure Sockets Layer (SSL) provides secure transfer to protect transmitted data against theft. Because HTTP has security risks, WLAN devices from V200R005 allow for web Network Management System (NMS) login using HTTPS.
Configuration Method
● Configure AAA authentication.
Set the authentication mode to AAA authentication. In the AAA view, set the user name to client001 and the password to Helloworld@6789.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[HUAWEI-aaa] local-user client001 privilege level 15
[HUAWEI-aaa] local-user client001 service-type http
● Disable the HTTP service.
<HUAWEI> system-view
[HUAWEI] undo http server enable
● Change the port number of the web server to 55536.
<HUAWEI> system-view
[HUAWEI] http server port 55536
● Configure ACL 2000 to allow only users with the source IP address of 10.10.10.1 to log in to the WLAN device through HTTP.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule 5 permit source 10.10.10.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] http acl 2000
● Configure HTTPS.
<HUAWEI> system-view
[HUAWEI] ssl policy userserver type server
[HUAWEI-ssl-policy-userserver] quit
[HUAWEI] http secure-server ssl-policy userserver
[HUAWEI] http secure-server enable
2.2.2 AAA User Management Security
Attack Behavior
An attacker attempts to obtain system administrators' login access rights by traversing key information, such as user names and passwords.
Security Policy
To defend against such user name and password cracking attempts, configure the maximum number of authentication failures and the authentication interval to prevent login of unauthorized users. Users who fail authentication the maximum number of times are then blocked for a period, which decreases the success rate of such attempts and hardens WLAN device security.
Configuration Method
Enable local account locking. Set the authentication retry interval to 6 minutes,
maximum number of consecutive incorrect password attempts to 4, and account
locking period to 6 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 6 retry-time 4 block-time 6 // By default, local account locking is enabled, the retry interval is 5 minutes, the maximum number of consecutive incorrect password attempts is 3, and the account locking period is 5 minutes.
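The three parameters above interact as a small state machine, and it is easy to misjudge what a given combination allows. The following Python model is an added illustration, not Huawei code, and assumes (as a simplifying assumption about the semantics) that consecutive failures are counted within a window starting at the first failure, that the lock is applied on the retry-time-th failure, and that a successful login resets the counter; the admin1234 account is the page's example name and the timing scenario is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Parameters of 'local-aaa-user wrong-password retry-interval X retry-time Y block-time Z'.
    Defaults are the device defaults quoted on the page (5 minutes / 3 attempts / 5 minutes)."""
    retry_interval: int = 5  # minutes within which failures count as consecutive
    retry_time: int = 3      # consecutive wrong passwords that trigger the lock
    block_time: int = 5      # minutes the account stays locked


@dataclass
class AccountState:
    failures: int = 0
    window_start: Optional[float] = None  # minute of the first failure in the current window
    locked_until: Optional[float] = None  # minute at which the lock expires


class LocalAuthenticator:
    """Illustrative model of local account locking (an assumption about the semantics,
    not the device's implementation). Times are plain minute counters."""

    def __init__(self, policy: LockoutPolicy, users: Dict[str, str]):
        self.policy = policy
        self.users = users  # username -> password; plaintext only because this is a model
        self.state: Dict[str, AccountState] = {}

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'wrong-password', 'locked' or 'unknown-user'."""
        if username not in self.users:
            return "unknown-user"
        st = self.state.setdefault(username, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"  # even the correct password is rejected while locked
            st.locked_until = None  # lock expired: start with a clean counter
            st.failures, st.window_start = 0, None
        # failures older than retry_interval no longer count as consecutive
        if st.window_start is not None and now - st.window_start >= self.policy.retry_interval:
            st.failures, st.window_start = 0, None
        if password == self.users[username]:
            st.failures, st.window_start = 0, None
            return "ok"
        if st.window_start is None:
            st.window_start = now
        st.failures += 1
        if st.failures >= self.policy.retry_time:
            st.locked_until = now + self.policy.block_time
            return "locked"
        return "wrong-password"


def lockout_scenario(policy: LockoutPolicy) -> List[str]:
    """Constructed scenario: wrong passwords one minute apart until the lock triggers,
    then the correct password while locked, and again once block_time has passed."""
    auth = LocalAuthenticator(policy, {"admin1234": "Helloworld@6789"})
    results = []
    t = 0.0
    for _ in range(policy.retry_time):
        results.append(auth.login("admin1234", "not-the-password", now=t))
        t += 1
    results.append(auth.login("admin1234", "Helloworld@6789", now=t))
    results.append(auth.login("admin1234", "Helloworld@6789", now=t + policy.block_time))
    return results


if __name__ == "__main__":
    print("configured 6/4/6:", lockout_scenario(LockoutPolicy(6, 4, 6)))
    print("defaults 5/3/5:  ", lockout_scenario(LockoutPolicy()))
```

Running it shows that with the page's values the fourth wrong password locks the account, the correct password is refused during the 6-minute block, and login succeeds only after the block expires; failures spaced further apart than retry-interval never accumulate.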
2.2.3 SNMP Device Management Security
Attack Behavior
Common Simple Network Management Protocol (SNMP) attacks are as follows:
● An attacker obtains the rights of authorized users by modifying the source IP address of sent packets to perform unauthorized management operations.
● An attacker listens on the communication between the NMS and SNMP agents to obtain information, such as user names, passwords, and community names, therefore gaining unauthorized rights.
● An attacker intercepts and then reorders, delays, or retransmits SNMP messages to affect normal operations, until obtaining unauthorized access rights.
Security Policy
SNMP is used to manage network devices and has three versions: SNMPv1,
SNMPv2c, and SNMPv3.
SNMPv1 and SNMPv2c provide low security: the community name is the only credential and it is carried in cleartext. They do support ACLs and the view-based access control model (VACM). Associating an ACL and a MIB view with a community name limits which NMSs can reach a WLAN device and which nodes they can access, which improves security to some extent but does not protect the community name on the wire.
SNMPv3 supports the user-based security model (USM). By authenticating and
encrypting communication data, SNMPv3 addresses message forging, tampering,
and leakage.
NOTE
From V200R019C00, MD5 and DES are supported only when a weak-encryption-algorithm plug-in is installed. From V200R020C10, SHA (SHA-1) is supported only when a weak-encryption-algorithm plug-in is installed.
For details about the plug-in, see section Weak-Encryption-Algorithm Plug-in Management in the Configuration Guide.
Configuration Method
For the sake of security, you are advised to configure an SNMPv3 user requiring
authentication and encryption, use the SNMPv3 authentication and encryption
mode to manage the WLAN device, and associate an ACL and a MIB view with the
user to limit the user's access rights.
1. Configure ACL 2001 to reject packets from 10.138.20.123 and allow packets from 10.138.90.111. Whether a source that matches no rule is accepted depends on the ACL default action of your platform; if only the NMS addresses need access, end the ACL with an explicit deny rule rather than relying on that default.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 deny source 10.138.20.123 0
[HUAWEI-acl-basic-2001] rule 10 permit source 10.138.90.111 0
[HUAWEI-acl-basic-2001] quit
2. Configure a MIB view named iso-view that grants access to the nodes in the subtree whose root node is iso (International Organization for Standardization), that is, effectively the whole MIB tree. For a least-privilege setup, narrow the view to the subtrees the NMS actually needs.
[HUAWEI] snmp-agent mib-view iso-view include iso
3. Configure an SNMPv3 group named v3group with the privacy security level (authentication and encryption required), set the associated read, write, and notify views to iso-view, and apply ACL 2001 to the SNMPv3 group to filter NMSs by user group.
[HUAWEI] snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
4. Configure an SNMPv3 user named v3user who belongs to v3group. Set the authentication mode of the user to sha2-256 and the encryption mode to aes256, and enter the authentication and privacy passwords interactively (hello1234 and hello2012 in this example; use strong, distinct values in production). Apply ACL 2001 to the user as well, so that filtering is enforced both per user and per user group.
[HUAWEI] snmp-agent usm-user version v3 v3user group v3group acl 2001
[HUAWEI] snmp-agent usm-user version v3 v3user authentication-mode sha2-256
Please configure the authentication password (8-64)
Enter Password:
Confirm password:
[HUAWEI] snmp-agent usm-user version v3 v3user privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password:
Confirm password:
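As an added example (not code from this guide or from Huawei), the following Python shows what SNMPv3 USM does with the passwords entered in step 4: each password is stretched and hashed into Ku and then localized with the agent's snmpEngineID (RFC 3414 section 2.6; RFC 7860 applies the same construction to SHA-2), and only a truncated HMAC under that localized key ever appears on the wire, which is why an eavesdropper learns neither the password nor a key that works on another device. The engineID values and the message bytes are constructed for the demonstration; the RFC 3414 appendix test vector for "maplesyrup" is used to check the derivation.

```python
"""SNMPv3 USM key derivation: password -> Ku -> engine-localized Kul.
RFC 3414 section 2.6 and appendix A.2/A.3; RFC 7860 for the SHA-2 variants.
Added example, not Huawei code."""
import hashlib
import hmac

# snmpEngineID used by the RFC 3414 appendix A.3 test vectors.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Second engineID, constructed for the per-engine comparison below.
OTHER_ENGINE_ID = bytes.fromhex("800007db03001122334455")
# usmHMAC192SHA256AuthProtocol truncates the HMAC to 24 bytes (RFC 7860 section 4.2).
SHA256_AUTH_PARAM_LEN = 24


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest over the password repeated to fill exactly 1,048,576 bytes (RFC 3414 A.2)."""
    if not 8 <= len(password) <= 64:
        # Mirrors the "(8-64)" prompt shown by the device; USM itself only requires >= 8.
        raise ValueError("password must be 8..64 bytes")
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, hash_name: str = "sha256") -> bytes:
    """The key the agent actually stores for a user: unique per (password, engineID)."""
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


def auth_parameter(message: bytes, kul: bytes, hash_name: str = "sha256") -> bytes:
    """msgAuthenticationParameters for an outgoing message: a truncated HMAC under Kul.
    This is the only authentication material an eavesdropper sees."""
    mac = hmac.new(kul, message, hash_name).digest()
    # HMAC-192 for SHA-256 (RFC 7860); HMAC-96 for MD5 and SHA-1 (RFC 3414).
    return mac[:SHA256_AUTH_PARAM_LEN] if hash_name == "sha256" else mac[:12]


def keys_differ_per_engine(password: str) -> bool:
    """Same password on two agents yields two different localized keys, so a key
    extracted from one agent does not authenticate the user on another."""
    return usm_localized_key(password, RFC3414_ENGINE_ID) != usm_localized_key(password, OTHER_ENGINE_ID)


if __name__ == "__main__":
    print("RFC 3414 SHA-1 Kul:", usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, "sha1").hex())
    kul = usm_localized_key("hello1234", RFC3414_ENGINE_ID)  # step-4 authentication password
    print("on-the-wire auth parameter:", auth_parameter(b"<constructed SNMPv3 message>", kul).hex())
    print("keys differ per engine:", keys_differ_per_engine("hello1234"))
```

The 1 MiB stretching is a deliberate cost against offline guessing of a captured localized key, but it is not a modern password hash; the ACL in step 1 and the privacy (encryption) level in step 3 are what keep the HMAC inputs and the management data off an attacker's capture in the first place.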
2.2.4 Service Plane Access Prohibition of Insecure Management Protocols
Security Policy
By default, service interfaces on WLAN devices accept management protocols, and
the same protocols can also be used to log in to the WLAN device through the
dedicated management Ethernet port. If the customer network has planned a
management plane in which devices are managed only through the management
Ethernet port, you can prohibit device login using management protocols over
service interfaces.
Configuration Method
To prohibit service plane access using management protocols on a WLAN device
with a dedicated management Ethernet port, run the deny command in the
attack defense policy view to set the action on Telnet, SSH, HTTP, SNMP, FTP, and
ping (ICMP) packets that arrive from wired service interfaces and are destined for the
CPU to discard. Confirm that management access through the management Ethernet
port works before applying the policy: afterwards these protocols are no longer
reachable over service interfaces, and ICMP reachability checks against service
addresses stop answering as well.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] deny packet-type telnet-client wired
[HUAWEI-cpu-defend-policy-1] deny packet-type ssh-client wired
[HUAWEI-cpu-defend-policy-1] deny packet-type http-client wired
[HUAWEI-cpu-defend-policy-1] deny packet-type snmp wired
[HUAWEI-cpu-defend-policy-1] deny packet-type ftp-client wired
[HUAWEI-cpu-defend-policy-1] deny packet-type icmp wired
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
2.3 Control Plane
2.3.1 Wireless User Access Security
The following WLAN security policies are available: Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA), WPA2, WPA3, and WLAN Authentication and Privacy
Infrastructure (WAPI). WEP uses a shared key to authenticate users and encrypt
service packets. Because the shared key is easy to recover, the WEP security policy is
not recommended due to its low security.
WLAN devices support the STA blacklist and whitelist function to filter STAs based
on specified rules and ensure that only authorized STAs can access the WLAN,
preventing unauthorized STAs from accessing the WLAN.
2.3.1.1 WPA/WPA2
Security Policy
WEP shared key authentication uses the Rivest Cipher 4 (RC4) symmetric stream
cipher to encrypt data, so the same static key must be preconfigured on the
server and clients. Both the key management and the algorithm are prone to attack.
The Wi-Fi Alliance developed WPA to overcome WEP's defects: WPA keeps RC4 but
wraps it in the Temporal Key Integrity Protocol (TKIP), uses the 802.1X identity
authentication framework, and supports Extensible Authentication Protocol-Protected
EAP (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication. WPA2,
based on the later IEEE 802.11i standard, uses a more secure encryption algorithm:
Counter Mode with CBC-MAC Protocol (CCMP, which is AES based).
Both WPA and WPA2 support 802.1X access authentication and the TKIP or CCMP
encryption algorithm, giving better compatibility. With almost the same security
level, they mainly differ in the protocol packet format. TKIP, however, exists only for
compatibility with RC4-era hardware; IEEE 802.11 has deprecated it, so allow it only
where legacy STAs still require it and prefer AES (CCMP) everywhere else.
The WPA/WPA2 security policy involves four phases: link authentication, access
authentication, key negotiation, and data encryption.
Two authentication methods are available: WPA/WPA2-PSK authentication and
WPA/WPA2-802.1X authentication.
● WPA/WPA2-PSK authentication
Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.
WPA/WPA2-PSK authentication applies to individual, home, and Small Office and Home Office (SOHO) networks that do not require high security. No authentication server is required. If STAs support only WEP encryption, PSK+TKIP can be implemented without a hardware upgrade, whereas PSK+AES may be implemented only after a hardware upgrade.
● WPA/WPA2-802.1X authentication
Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.
WPA/WPA2-802.1X authentication applies to networks that require high security, such as enterprise networks. An independent authentication server is required. If STAs support only WEP encryption, 802.1X+TKIP can be implemented without a hardware upgrade, whereas 802.1X+AES may be implemented only after a hardware upgrade.
STAs vary and support different authentication and encryption modes. To enable
various types of STAs to access the network and facilitate management by
network administrators, configure both WPA and WPA2. If the security policy is
WPA-WPA2, STAs supporting WPA or WPA2 can be authenticated. If the
encryption mode is TKIP-AES, any STAs supporting TKIP or AES can encrypt service
packets.
Configuration Method
● Configure WPA/WPA2-PSK authentication (WPA-WPA2, TKIP-AES, and PSK authentication).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 psk pass-phrase abcdfffffg123 aes-tkip
● Configure WPA/WPA2-802.1X authentication (WPA-WPA2, TKIP-AES, and 802.1X authentication).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
2.3.1.2 WPA3
Security Policy
Compared with WPA and WPA2, WPA3 has the following improvements:
● WPA3 introduces Simultaneous Authentication of Equals (SAE), a more secure handshake protocol. SAE provides forward secrecy: the pairwise master key is derived from a fresh ephemeral exchange in every handshake, so even an attacker who knows the network password cannot decrypt captured traffic. On a WPA2-PSK network, by contrast, the key material depends only on the password and on values visible in the four-way handshake, so an attacker who knows (or cracks) the password can decrypt captured traffic. The use of SAE therefore makes WPA3 much more secure than earlier WPA standards.
● The algorithm strength is enhanced with support for Suite B cryptography: AES-GCM with a 256-bit key and elliptic curve cryptography on a 384-bit curve. GCM is short for Galois/Counter Mode.
Based on application scenarios and security requirements, there are two WPA3 modes: WPA3-Enterprise and WPA3-Personal, that is, WPA3-802.1X and WPA3-SAE.
WPA3-Personal introduces the SAE handshake protocol. Compared with WPA/
WPA2-PSK authentication, WPA3-SAE can effectively defend against offline
dictionary attacks and mitigate brute force cracking posed by weak passwords. In
addition, the SAE handshake protocol provides forward secrecy. Even if an attacker
knows the password on the network, the attacker cannot decrypt the obtained
traffic, greatly improving the security of a WPA3-Personal network.
WPA3-Enterprise still uses the authentication system of WPA2-Enterprise and uses
the Extensible Authentication Protocol (EAP) for identity authentication. WPA3-Enterprise
192-bit mode, however, strengthens the cryptography by replacing the original cipher
suite with the Commercial National Security Algorithm (CNSA) Suite defined by the
US National Security Agency (NSA) as the successor to Suite B. The CNSA Suite uses
strong algorithms and applies to scenarios with extremely high security requirements.
WPA3-Enterprise 192-bit mode provides 192-bit minimum-strength security and uses
Galois Counter Mode Protocol-256 (GCMP-256), Galois Message Authentication
Code-256 (GMAC-256, for protecting broadcast management frames), and SHA-384.
WPA2 is still widely used. To enable WPA3-incapable STAs to access a WPA3-configured network, the Wi-Fi Alliance defines the WPA3 transition mode, in which WPA3 and WPA2 coexist on the same SSID for a period of time. This mode applies only to WPA3-Personal.
For open Wi-Fi networks, the Wi-Fi Alliance defines Opportunistic Wireless
Encryption (OWE), marketed as Wi-Fi Enhanced Open, alongside WPA3. OWE allows
network access without entering a password, but unlike a plain open network the
device encrypts data on the air with AES, protecting the exchange between STAs and
the Wi-Fi network from passive eavesdropping.
The OWE process is similar to that of SAE, except that there is no password to
maintain. OWE uses a Diffie-Hellman exchange during association to derive a PMK
that feeds the subsequent four-way handshake. OWE therefore retains the
convenience of open networks while adding data confidentiality; it does not
authenticate the network, so by itself it does not stop an attacker from standing up a
rogue AP with the same SSID.
The OWE transition mode provides backward compatibility with STAs that do not support OWE authentication. That is, non-OWE STAs access the network in open-system authentication mode, while OWE STAs access the network in OWE authentication mode. The OWE transition mode supports only the AES encryption mode.
In V200R019C00, ACs and APs support WPA3 authentication. In V200R019C10,
only ACs support WPA3 authentication.
OWE authentication is available since V200R020C10.
Configuration Method
● Configure WPA3-SAE authentication and set the user password to huawei@123.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa3 sae pass-phrase huawei@123 aes
● Configure the WPA3-802.1X authentication mode.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa3 dot1x gcmp256
● Configure WPA2-WPA3 (transition mode) authentication and set the user password to huawei@123. Keep this mode only while WPA3-incapable STAs remain: a WPA2-capable STA still authenticates with WPA2-PSK, whose four-way handshake exposes the same password to offline dictionary attacks.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2-wpa3 psk-sae pass-phrase huawei@123 aes
● Configure OWE authentication.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security enhanced-open aes
● Set the authentication mode to the OWE transition mode, with wlan-net as the SSID that serves non-OWE STAs in open-system authentication mode.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security enhanced-open aes transition-ssid wlan-net
2.3.1.3 WAPI
Security Policy
WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national
security standard for WLANs, which was developed based on IEEE 802.11. WAPI
provides higher security than WEP and WPA and consists of the following parts:
● WLAN Authentication Infrastructure (WAI): authenticates user identities and manages keys.
● WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides the data encryption, data verification, and anti-replay functions.
WAPI uses the elliptic curve cryptography (ECC) algorithm based on the public-key
cryptography and the block cipher algorithm based on the symmetric-key
cryptography. The ECC algorithm is used for digital certificates, certificate
authentication, and key negotiation of wireless devices. The block cipher algorithm
is used to encrypt and decrypt data transmitted between wireless devices. The two
algorithms implement identity authentication, link authentication, access control,
and user information encryption.
Two authentication methods are available: WAPI-PSK authentication and WAPI-certificate authentication.
● WAPI-PSK authentication
WAPI-PSK authentication applies to home networks or small-scale enterprise networks. No additional certificate system is required.
● WAPI-certificate authentication
WAPI-certificate authentication applies to large-scale enterprise networks or carrier networks, where the cost of deploying and maintaining a certificate system is justified. WAPI uses X.509 v3 certificates, Base64-encoded and saved in PEM format; the certificate file extension is .cer. Before importing a certificate for WAPI, ensure that the certificate file has been stored in the root directory of the device's storage (for example flash:/).
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if STAs use the same encryption key for a long time. WAPI therefore provides a time-based key update mechanism: both the Unicast Session Key (USK) and the Multicast Session Key (MSK) have a lifetime and are updated when the lifetime ends.
Configuration Method
● Configure WAPI-PSK authentication.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wapi psk pass-phrase testpassword123 // Set the authentication method to PSK authentication and enter the key.
● Configure WAPI-certificate authentication.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wapi certificate // Set the authentication method to WAPI-certificate authentication.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate ac format pem file-name flash:/ae.cer // Load the AC certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate asu format pem file-name flash:/as.cer // Load the ASU certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate issuer format pem file-name flash:/as.cer // Load the issuer certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import private-key format pem file-name flash:/ae.cer // Import the AC private key file.
[HUAWEI-wlan-sec-prof-p1] wapi asu ip 10.164.10.10 // Set the IP address of the ASU server to 10.164.10.10.
2.3.1.4 STA Blacklist and Whitelist
Security Policy
On a WLAN, a STA blacklist or whitelist can be configured to filter access requests
from STAs based on their MAC addresses, allowing authorized STAs to access the
WLAN and rejecting unauthorized STAs. Because a STA's MAC address is visible over
the air and easy to change, treat these lists as a supplement to WPA2/WPA3
authentication, not as a substitute for it.
●
STA whitelist
A STA whitelist contains MAC addresses of STAs that are allowed to connect
to a WLAN. After the STA whitelist function is enabled, only the STAs
matching the whitelist can connect to the WLAN.
●
STA blacklist
A STA blacklist contains MAC addresses of STAs that are not allowed to
connect to a WLAN. After the STA blacklist function is enabled, STAs matching
the blacklist cannot connect to the WLAN.
NOTE
If the STA whitelist or blacklist function is enabled but the whitelist or blacklist is empty, all
STAs can connect to the WLAN.
Configuration Method
Multiple STA whitelist and blacklist profiles can be configured on a WLAN device
and applied to different virtual access point (VAP) profiles or AP system profiles.
In a VAP profile or an AP system profile, either the STA whitelist profile or STA
blacklist profile takes effect at one time.
● Configure a STA whitelist.
a. Configure a STA whitelist profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-whitelist-profile name sta-whitelist-profile1 // Create a whitelist profile named sta-whitelist-profile1.
[HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] sta-mac 2C27-D720-746B // Add the MAC address of a STA.
[HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] quit
b. Apply the STA whitelist profile to a VAP profile or an AP system profile based on site requirements.
▪ Apply the STA whitelist profile to a VAP profile.
[HUAWEI-wlan-view] vap-profile name vap1 // Create a VAP profile named vap1.
[HUAWEI-wlan-vap-prof-vap1] sta-access-mode whitelist sta-whitelist-profile1 // Bind the STA whitelist profile sta-whitelist-profile1 to the VAP profile vap1.
▪ Apply the STA whitelist profile to an AP system profile.
[HUAWEI-wlan-view] ap-system-profile name ap-system1 // Create an AP system profile named ap-system1.
[HUAWEI-wlan-ap-system-prof-ap-system1] sta-access-mode whitelist sta-whitelist-profile1 // Bind the STA whitelist profile sta-whitelist-profile1 to the AP system profile ap-system1.
● Configure a STA blacklist.
a. Configure a STA blacklist profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-blacklist-profile name sta-blacklist-profile1 // Create a blacklist profile named sta-blacklist-profile1.
[HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] sta-mac 3C27-D720-746B // Add the MAC address of a STA.
[HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] quit
b. Apply the STA blacklist profile to a VAP profile or an AP system profile based on site requirements.
▪ Apply the STA blacklist profile to a VAP profile.
[HUAWEI-wlan-view] vap-profile name vap1 // Create a VAP profile named vap1.
[HUAWEI-wlan-vap-prof-vap1] sta-access-mode blacklist sta-blacklist-profile1 // Bind the STA blacklist profile sta-blacklist-profile1 to the VAP profile vap1.
▪ Apply the STA blacklist profile to an AP system profile.
[HUAWEI-wlan-view] ap-system-profile name ap-system1 // Create an AP system profile named ap-system1.
[HUAWEI-wlan-ap-system-prof-ap-system1] sta-access-mode blacklist sta-blacklist-profile1 // Bind the STA blacklist profile sta-blacklist-profile1 to the AP system profile ap-system1.
2.3.1.5 PMF
Attack Behavior
IEEE 802.11 management frames (for example Deauthentication and Disassociation)
are sent without authentication or encryption unless PMF is in use, so any device
within radio range can forge them in the name of an AP or a STA.
Security Policy
The Protected Management Frames (PMF) standard is released by the Wi-Fi Alliance
based on IEEE 802.11w. It applies the security measures defined in WPA2 to unicast
and multicast management frames (robust action frames, Deauthentication, and
Disassociation) to improve network trustworthiness.
Deploying PMF defends against the following attacks:
● Attackers intercept management frames exchanged between APs and STAs.
● Attackers forge APs and send Disassociation and Deauthentication frames to disconnect STAs.
● Attackers forge STAs and send Disassociation frames to APs to disconnect the STAs.
Configuration Method
Configure PMF in mandatory mode to allow only PMF-supported STAs to access
the network.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 psk pass-phrase abcdfffffg aes
[HUAWEI-wlan-sec-prof-p1] pmf mandatory
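The SNMP (2.2.3), WPA/WPA2 (2.3.1.1), WPA3 (2.3.1.2), and PMF (2.3.1.5) settings above can be checked offline against a saved configuration before a device goes into service. The following Python audit script is an added example, not a Huawei tool. The configuration excerpt embedded in it is constructed to resemble the commands shown in those sections (not verbatim device output, and credentials are replaced by redacted placeholders); the severity ratings and the assumption that a security profile without a security line is open are the editor's.

```python
"""Offline compliance check of a Huawei WLAN configuration excerpt against the hardening
points of this chapter. Added example, not Huawei tooling."""
from dataclasses import dataclass

WEAK_AUTH = {"md5", "sha"}               # MD5 and SHA-1: only available behind the weak-algorithm plug-in
WEAK_PRIV = {"des56", "des", "3des168"}  # DES/3DES: prefer aes128 or stronger

# Constructed excerpt resembling the commands in sections 2.2.3 and 2.3.1 (not real device output).
SAMPLE_CONFIG = """\
#
snmp-agent
snmp-agent community read cipher %^%#REDACTED%^%#
snmp-agent sys-info version all
snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
snmp-agent group v3 legacygrp authentication read-view iso-view
snmp-agent usm-user v3 v3user group v3group acl 2001
snmp-agent usm-user v3 v3user authentication-mode sha2-256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 v3user privacy-mode aes256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 legacy group legacygrp
snmp-agent usm-user v3 legacy authentication-mode md5 cipher %^%#REDACTED%^%#
#
wlan
 security-profile name corp
  security wpa3 dot1x gcmp256
 security-profile name guest
  security wpa-wpa2 psk pass-phrase cipher %^%#REDACTED%^%# aes-tkip
  pmf optional
 security-profile name legacy
  security wep share-key
 security-profile name iot
  security wpa2 psk pass-phrase cipher %^%#REDACTED%^%# aes
  pmf mandatory
#
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH / MEDIUM / LOW (editor's rating)
    where: str
    message: str


def audit(config_text: str) -> list:
    """Walk the config line by line; collect per-user and per-profile state, then judge it."""
    findings, users, profiles, current = [], {}, {}, None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            current = None                      # any unindented line leaves the security-profile block
        t = raw.split()
        if len(t) < 2 or t[0] == "#":
            continue
        if t[0] == "snmp-agent":
            if t[1] == "community":
                findings.append(Finding("HIGH", raw.strip(), "SNMPv1/v2c community configured; the community name travels in cleartext"))
            elif t[1:3] == ["sys-info", "version"] and any(v in t[3:] for v in ("v1", "v2c", "all")):
                findings.append(Finding("HIGH", raw.strip(), "SNMPv1/v2c enabled; restrict to version v3"))
            elif t[1:3] == ["group", "v3"] and len(t) > 4 and t[4] != "privacy":
                findings.append(Finding("MEDIUM", f"group {t[3]}", f"security level {t[4]}; require privacy (authentication and encryption)"))
            elif t[1] == "usm-user" and "v3" in t:      # tolerates both "usm-user v3" and "usm-user version v3"
                i = t.index("v3")
                user = users.setdefault(t[i + 1], {"auth": None, "priv": None, "acl": False})
                rest = t[i + 2:]
                user["acl"] |= "acl" in rest
                for key, field in (("authentication-mode", "auth"), ("privacy-mode", "priv")):
                    if key in rest:
                        user[field] = rest[rest.index(key) + 1]
        elif t[:2] == ["security-profile", "name"] and len(t) > 2:
            current = t[2]
            profiles[current] = {"security": [], "pmf": None}
        elif current and t[0] == "security":
            profiles[current]["security"] = t[1:]
        elif current and t[0] == "pmf":
            profiles[current]["pmf"] = t[1]

    for name, u in users.items():
        if u["auth"] in WEAK_AUTH:
            findings.append(Finding("MEDIUM", f"usm-user {name}", f"authentication-mode {u['auth']} is weak; use sha2-256 or stronger"))
        if u["priv"] is None:
            findings.append(Finding("MEDIUM", f"usm-user {name}", "no privacy-mode; SNMP payload is sent unencrypted"))
        elif u["priv"] in WEAK_PRIV:
            findings.append(Finding("MEDIUM", f"usm-user {name}", f"privacy-mode {u['priv']} is weak; use aes128 or stronger"))
        if not u["acl"]:
            findings.append(Finding("LOW", f"usm-user {name}", "no ACL bound; restrict the user to the NMS addresses"))
    for name, p in profiles.items():
        sec, where = p["security"], f"security-profile {name}"
        mode = sec[0] if sec else "open"        # assumption: no security line means open authentication
        if mode == "open":
            findings.append(Finding("HIGH", where, "open authentication; use enhanced-open (OWE) or WPA2/WPA3"))
        elif mode == "wep":
            findings.append(Finding("HIGH", where, "WEP key is trivially recoverable; migrate to WPA2-AES or WPA3"))
        elif mode == "wpa":
            findings.append(Finding("MEDIUM", where, "original WPA only; allow at least WPA2 with AES"))
        if any("tkip" in tok for tok in sec):
            findings.append(Finding("MEDIUM", where, "TKIP cipher allowed; restrict the suite to aes"))
        if mode in ("wpa", "wpa2", "wpa-wpa2") and p["pmf"] != "mandatory":
            findings.append(Finding("LOW", where, "PMF is not mandatory; management frames can be forged (see 2.3.1.5)"))
    return findings


def severity_counts(findings) -> dict:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.where}: {f.message}")
```

Run it against the output of display current-configuration saved to a file; the v3user and corp/iot entries in the sample pass, while the community string, version all, the md5 user without privacy, TKIP, and WEP are reported. Extend the keyword sets when a platform offers additional modes.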
2.3.1.6 Brute-Force Attack Defense and Dynamic Blacklist
Attack Behavior
During a brute force attack, the attacker searches for a password by trying all
possible password combinations. This method is also called the exhaustive attack
method. For example, a password that contains only 4 digits has at most 10,000
combinations, so it can be recovered after at most 10,000 attempts. In theory the
brute force method can recover any password, and attackers continually look for ways
to shorten the time required. When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or
WEP-Shared-Key as the security policy, attackers can use the brute force method to
recover the password.
Security Policy
Defense against brute-force key cracking prolongs the time needed to recover a
password by online guessing. An AP checks whether the number of key negotiation
failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds
the configured threshold within the detection interval. If the threshold is exceeded,
the AP considers that the user is trying to brute force the password and reports an
alarm to the AC. If the dynamic blacklist function is enabled, the AP also adds the
user to the dynamic blacklist and discards all packets from the user until the dynamic
blacklist entry ages out.
Note that this counts only attempts made against the AP. An attacker who has
captured a PSK four-way handshake can test candidate passwords offline without
generating any failures, so this detection complements, rather than replaces, a strong
passphrase or the SAE handshake of WPA3.
Configuration Method
Set the maximum number of key negotiation failures allowed within a brute-force
key cracking attack detection period (100 seconds) to 60. Enable the dynamic
blacklist function so that when the number of key negotiation failures from a user
exceeds 60, the user is added to the blacklist.
In V200R019C00 and earlier versions:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa2-psk
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wapi-psk
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wep-share-key
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] brute-force-detect interval 100
[HUAWEI-wlan-wids-prof-default] brute-force-detect threshold 60
[HUAWEI-wlan-wids-prof-default] dynamic-blacklist enable
In versions later than V200R019C00:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect wpa-psk enable
[HUAWEI-wlan-group-radio-office/0] wids attack detect wpa2-psk enable
[HUAWEI-wlan-group-radio-office/0] wids attack detect wapi-psk enable
[HUAWEI-wlan-group-radio-office/0] wids attack detect wep-share-key enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] brute-force-detect interval 100
[HUAWEI-wlan-wids-prof-default] brute-force-detect threshold 60
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable
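To make the detection parameters concrete, the following Python is an added example (not Huawei code) that models the sliding-window counter behind brute-force-detect interval/threshold and the dynamic blacklist, and, with the retry-interval/retry-time/block-time values of section 2.2.2, the local account locking configured there. The STA MAC addresses, the event times, and the 600-second blacklist aging time are constructed assumptions.

```python
"""Windowed failure counter with a temporary blacklist, modelling the WIDS brute-force
detection (interval/threshold + dynamic blacklist) and the local account locking of 2.2.2.
Added example with constructed events; not Huawei code."""
from collections import defaultdict, deque


class FailureGuard:
    """Trip when more than `threshold` failures land inside a sliding `interval_s` window,
    then block the key for `block_s` seconds; the block ages out on its own."""

    def __init__(self, interval_s: int, threshold: int, block_s: int):
        self.interval_s, self.threshold, self.block_s = interval_s, threshold, block_s
        self._fails = defaultdict(deque)    # key -> timestamps of failures still inside the window
        self._blocked_until = {}            # key -> absolute time the blacklist entry expires

    def is_blocked(self, key: str, now: float) -> bool:
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # entry aged out: lift the block and count afresh
            del self._blocked_until[key]
            self._fails.pop(key, None)
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Register one failure at time `now`; return True if the key is (now) blocked."""
        if self.is_blocked(key, now):
            return True                     # already blacklisted: frames are dropped, nothing re-counted
        window = self._fails[key]
        window.append(now)
        while window and now - window[0] > self.interval_s:
            window.popleft()                # forget failures older than the detection interval
        if len(window) > self.threshold:    # "exceeds the configured threshold"
            self._blocked_until[key] = now + self.block_s
            window.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A completed handshake (or a correct password) resets the consecutive-failure count."""
        self._fails.pop(key, None)


def simulate() -> dict:
    """Constructed scenarios against the page's parameters: interval 100 s, threshold 60."""
    wids = FailureGuard(interval_s=100, threshold=60, block_s=600)   # 600 s aging: assumption
    attacker, slow, legit = "0011-2233-4455", "0011-2233-4466", "aabb-ccdd-eeff"
    tripped_at = None
    for t in range(0, 200):                 # one failed 4-way handshake per second
        if wids.record_failure(attacker, t) and tripped_at is None:
            tripped_at = t
    # One failure every 2 s keeps at most 51 inside any 100 s window: never trips.
    slow_tripped = any(wids.record_failure(slow, t) for t in range(0, 400, 2))
    wids.record_failure(legit, 10)
    wids.record_failure(legit, 20)
    wids.record_success(legit)              # a real user mistypes twice, then connects
    # 2.2.2: retry-interval 6, retry-time 4, block-time 6 -> lock on the 4th wrong password,
    # i.e. when the count exceeds 3 inside a 6-minute window.
    login = FailureGuard(interval_s=6 * 60, threshold=3, block_s=6 * 60)
    locked_at = next(t for t in (0, 30, 60, 90, 120) if login.record_failure("admin", t))
    return {
        "attacker_tripped_at": tripped_at,
        "attacker_blocked_at_500": wids.is_blocked(attacker, 500),
        "attacker_blocked_at_700": wids.is_blocked(attacker, 700),
        "slow_attacker_tripped": slow_tripped,
        "legit_blocked": wids.is_blocked(legit, 30),
        "admin_locked_at": locked_at,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:26} {v}")
```

The slow-attacker case is the practical limit of this control: anyone who stays under threshold/interval, or spreads attempts over several MAC addresses, is never blacklisted, which is why the threshold buys time rather than safety and a strong passphrase or SAE remains the real defence.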
2.3.2 Local Attack Defense
Attack Behavior
The CPU of a device needs to process a large number of packets including valid
packets and malicious attack packets on a network. If the malicious attack packets
overwhelm the CPU, services will be affected and the system will break down. In
addition, excessive valid packets can also lead to high CPU usage, which degrades
the CPU's performance and interrupts services.
Security Policy
To ensure that CPUs process services properly, WLAN devices provide the local
attack defense function. When a device is undergoing an attack, this function
ensures uninterrupted service transmission and minimizes the impact on network
services.
Local attack defense falls into CPU attack defense and attack source tracing.
●
CPU attack defense
CPU attack defense can limit the rate of packets sent to the CPU so that only
a limited number of packets are sent to the CPU within a certain period of
time. This ensures that the CPU can properly process services.
The core of CPU attack defense is Control Plane Committed Access Rate
(CPCAR). CPCAR limits the rate of protocol packets sent to the control plane
to ensure security of the control plane.
●
Attack source tracing
Attack source tracing defends against denial of service (DoS) attacks. The
device enabled with attack source tracing analyzes packets sent to the CPU,
collects statistics about the packets, and specifies a threshold for the packets.
Excess packets are considered to be attack packets. The device finds the
source user address or source interface of the attack by analyzing the attack
packets and generates logs or alarms. Accordingly, the network administrator
can take measures to defend against the attacks or configure the device to
discard packets from the attack source.
Configuration Method
● Modify the CPCAR value of protocol packets.
NOTE
Improper CPCAR settings will affect services on your network. To adjust the CPCAR
values, contact technical support personnel.
Decrease the CPCAR value of protocol packets or set the CPCAR action to
deny to prevent packets that have low priorities or do not need to be
processed from being sent to the CPU, ensuring proper system running.
Configure the rate limit for ARP Request packets sent to the CPU. This limits
the rate of ARP Request packets within a small rate range, and thereby
reduces the impact on CPU processing of normal services.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] packet-type arp-request rate-limit 80 wired
[HUAWEI-cpu-defend-policy-1] packet-type arp-request rate-limit 80 wireless
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
● Configure attack source tracing to automatically detect the attack source and defend against attack tra­ffic.
Attack source tracing allows devices to automatically detect the attack source
and defend against attack traffic, improving network running security. When
an attack occurs, the attack source can be isolated to reduce attack impact on
services.
Configure a device to consider ARP packets with a rate higher than 50 pps as
attack packets and automatically punish users sending the packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] auto-defend enable
[HUAWEI-cpu-defend-policy-1] auto-defend threshold 50
[HUAWEI-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
[HUAWEI-cpu-defend-policy-1] auto-defend protocol arp
[HUAWEI-cpu-defend-policy-1] auto-defend action deny timer 300
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
2.3.3 Attack Defense Through Service and Management Isolation
Attack Behavior
As shown in Figure 2-1, devices on the 192.168.10.X network segment are
connected to the independent management Ethernet port on the WLAN device,
and devices on the 192.168.20.X network segment are connected to the service
interface GE1/0/0 on the WLAN device. They can access the switch properly.
If the management interface is not isolated, the devices on 192.168.20.X can ping
devices on 192.168.10.X. As a result, the management interface address is leaked
and vulnerable to attacks.
Figure 2-1 Networking diagram
Security Policy
To improve network security and prevent attacks from unauthorized users, you
can configure interface policies and routing policies for the management interface
and service interfaces to isolate them.
To prevent STAs from accessing the device through Telnet and isolate the service
plane from the management plane, configure security protection.
Configuration Method
● Configure interface policies.
– For devices with a management interface, for example, Meth0/0/1 on an AC6605, configure isolation of the management plane and management interface.
<HUAWEI> system-view
[HUAWEI] management-port isolate enable
[HUAWEI] management-plane isolate enable
– For devices without a management interface, for example, an AC6005, configure interface policies for the management protocols so that each management protocol takes effect only on the designated interface.
For example, Telnet, SSH, FTP, or HTTP allows users to access the device
only through GE0/0/1 but not through other interfaces.
<HUAWEI> system-view
[HUAWEI] telnet server permit interface gigabitethernet 0/0/1
[HUAWEI] ssh server permit interface gigabitethernet 0/0/1
[HUAWEI] ftp server permit interface gigabitethernet 0/0/1
[HUAWEI] http server permit interface gigabitethernet 0/0/1
– If the device is managed through a VLANIF interface, configure the VLANIF interface as a management interface to implement triple-plane isolation. After a VLANIF interface is specified as a management interface, you can manage the device only through that VLANIF interface and not through other VLANIF interfaces.
Versions earlier than V200R010C00:
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] management-interface
V200R010C00 and later versions:
<HUAWEI> system-view
[HUAWEI] mgmt isolate disable // Only the AC6805, AC6605, AirEngine 9700-M, and ACU2 support this command. You do not need to run it on other models.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] management-interface
● Configure a routing policy.
Configure the management IP address and service IP addresses on different
network segments. Configure a routing policy to prevent routes of the
management IP address from being advertised to external networks through
service interfaces.
For example, on a network running OSPF, the AC receives routes from
upstream service interfaces and advertises the routes only through the service
interfaces. The IP address segments are as follows:
– Upstream service interface VLANIF 10: 10.1.1.1/24
– Downstream service interface VLANIF 20: 10.1.2.1/24
– Management interface VLANIF 100: 10.2.1.1/24
Configure a routing policy to prevent the network segment of the
management interface from being advertised to the upstream network.
<HUAWEI> system-view
[HUAWEI] ip ip-prefix a2b index 10 deny 10.2.1.0 24
[HUAWEI] ospf
[HUAWEI-ospf-1] filter-policy ip-prefix a2b export
● Configure security defense.
– If AAA local authentication is used to authenticate service users, the access type of users must be 8021X or web.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain service-type 8021x web
– If AAA remote authentication is used to authenticate service users, for example, RADIUS authentication, set the user access type on the RADIUS authentication server not to a management access protocol, including FTP, HTTP, SSH, Telnet, and terminal.
– You can also configure local attack defense to discard management
packets from the wireless side and isolate wireless services from the
management layer. Note that wireless services need to be configured
with tunnel forwarding, and Portal authentication cannot be used in the
user authentication policy.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] deny packet-type ftp-client wireless
[HUAWEI-cpu-defend-policy-test] deny packet-type http-client wireless
[HUAWEI-cpu-defend-policy-test] deny packet-type https-client wireless
[HUAWEI-cpu-defend-policy-test] deny packet-type ssh-client wireless
[HUAWEI-cpu-defend-policy-test] deny packet-type telnet-client wireless
[HUAWEI-cpu-defend-policy-test] deny packet-type snmp wireless
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test
2.3.4 Attack Defense
Attack defense is an important network security feature that enables WLAN
devices to analyze the content and behavior of packets sent to CPUs, identify
packets with attack characteristics, and take defense measures on these packets.
Attack defense can defend against malformed packet attacks, fragment attacks,
and flood attacks.
2.3.4.1 Defense Against Malformed Packet Attacks
Attack Behavior
In a malformed packet attack, the attacker sends defective IP packets to the target
WLAN device. The target WLAN device may encounter errors or crash when
handling such packets.
Malformed packet attacks are classified into the following types:
● Flood attack without IP payload
● IGMP null packet attack
● Local Area Network Denial (LAND) attack
● Smurf attack
● Invalid TCP flag attack
Security Policy
A WLAN device may break down in the case of malformed packet attacks. To
prevent this situation and ensure non-stop network services, configure defense
against malformed packet attacks on the WLAN device. WLAN devices enabled
with the defense function can identify and discard malformed packets.
Configuration Method
Enable defense against malformed packet attacks. By default, the function is
enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack abnormal enable
2.3.4.2 Defense Against Fragment Attacks
Attack Behavior
An attacker sends error packet fragments to a WLAN device, which consume a
large number of CPU resources.
Fragment attacks are classified into the following types:
● Excess-fragment attack
● Excess-offset attack
● Repeated fragment attack
● Teardrop attack
● Syndrop attack
● Newtear attack
● Bonk attack
● Nesta attack
● Rose attack
● Fawx Attack
● Ping of death attack
● Jolt attack
Security Policy
A WLAN device may break down in the case of fragment attacks. To prevent this
situation and ensure non-stop network services, configure defense against
fragment attacks on the WLAN device. The device enabled with the defense
function can limit the rate of fragmented packets to ensure that the CPU runs
properly when fragment attacks are launched.
Configuration Method
Enable defense against fragment attacks. By default, the function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack fragment enable
[HUAWEI] anti-attack fragment car cir 8000 // Limit the rate of receiving fragmented packets. By default, this rate is 155,000,000 bit/s.
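The fragment attacks listed above share a few structural symptoms that a reassembler can test for before it spends memory on a datagram: an offset that would push the reassembled datagram past 65535 bytes (the excess-offset and ping-of-death family), fragments whose data ranges overlap (teardrop, newtear, bonk, syndrop), duplicate fragments, a non-final fragment whose length is not a multiple of 8, and simply too many fragments for one datagram. The following Python is an added illustration of those checks; it is not Huawei code and does not reproduce how the device's anti-attack fragment function is implemented. The fragment-count limit and the 20-byte header length used for the size check are assumptions of the example.

```python
MAX_DATAGRAM = 65535   # largest IPv4 datagram, header included
IP_HEADER_LEN = 20     # assumed header length when checking the reassembled size


def check_fragments(frags, max_fragments=64):
    """Sanity-check the fragments of one IPv4 datagram before reassembly.

    frags: list of (offset_units, more_fragments, payload_len) tuples, where
    offset_units is the 13-bit Fragment Offset field (8-byte units) and
    more_fragments is the MF flag. Returns the list of anomalies found.
    max_fragments is an assumed per-datagram limit, not a device default.
    """
    findings = []

    def note(tag):
        if tag not in findings:
            findings.append(tag)

    if len(frags) > max_fragments:
        note("excess-fragments")

    seen = set()
    intervals = []
    for off_units, mf, length in frags:
        start, end = off_units * 8, off_units * 8 + length
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            note("excess-offset")        # reassembly would exceed 65535 bytes (ping of death family)
        if mf and length % 8 != 0:
            note("bad-fragment-length")  # every fragment but the last must be a multiple of 8 bytes
        if (off_units, length) in seen:
            note("repeated-fragment")
        seen.add((off_units, length))
        intervals.append((start, end))

    # Overlapping data ranges are the common thread of teardrop, newtear, bonk and syndrop.
    intervals.sort()
    for (s1, e1), (s2, e2) in zip(intervals, intervals[1:]):
        if s2 < e1:
            note("overlapping-fragments")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample datagrams: a clean two-fragment datagram and a teardrop-style overlap.
    print(check_fragments([(0, 1, 1480), (185, 0, 20)]))
    print(check_fragments([(0, 1, 1480), (100, 0, 200)]))
```

The checks are cheap because they only look at offsets and lengths; the rate limit configured above is still needed, because a flood of individually well-formed fragments that never completes a datagram is what ties up reassembly buffers.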
2.3.4.3 Defense Against TCP SYN Flood Packets
Attack Behavior
TCP SYN flood attacks are common DoS attacks that exploit the way TCP
connections are established.
An attacker sends a SYN packet to a WLAN device but does not respond to the
SYN-ACK packet from the WLAN device. The WLAN device, however, keeps waiting
for an ACK packet from the attacker. As a result, a half-connection is generated.
The attacker keeps sending SYN packets to set up a large number of half-connections, wasting considerable resources of the WLAN device.
Security Policy
To prevent TCP SYN flood attacks, enable defense against TCP SYN flood attacks
and set a rate limit for TCP SYN packets. This prevents system resources from
being exhausted when TCP SYN flood attacks occur.
Configuration Method
Enable defense against TCP SYN flood attacks. By default, this function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack tcp-syn enable
[HUAWEI] anti-attack tcp-syn car cir 8000 // Limit the rate of receiving TCP SYN packets. By default, this rate is 155,000,000 bit/s.
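The car cir value above is a committed rate in bit/s, which is conventionally enforced with a token bucket: tokens accrue at the committed rate, each packet spends its size in bits, and a packet that finds the bucket short is dropped. The Python below is an added illustration of that mechanism, written for this guide rather than taken from Huawei's implementation. The burst depth (one second of tokens) is an assumption, since the guide does not state the device's committed burst size, and the 40-byte SYN length is a constructed sample value. The per-key variant shows the same mechanism applied per source, which is the shape of the per-source-IP ARP rate limit in 3.2.5.2 and of the packets-per-second suppression in 2.4.1.

```python
class TokenBucket:
    """Committed access rate (CAR) modelled as a token bucket.

    rate  - tokens refilled per second: bits for a 'car cir <bit/s>' limit,
            packets for a pps limit such as traffic suppression.
    burst - bucket depth. Defaults to one second of tokens; this is an assumption,
            the guide does not state the device's committed burst size.
    """

    def __init__(self, rate, burst=None):
        self.rate = float(rate)
        self.burst = float(rate if burst is None else burst)
        self.tokens = self.burst     # bucket starts full
        self.last = 0.0              # timestamp of the last refill

    def permit(self, cost, now):
        """Refill for elapsed time, then spend `cost` tokens if available. False means drop."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerSourceLimiter:
    """Independent bucket per key (for example per source IP), so one flooding
    source exhausts only its own budget and not the shared one."""

    def __init__(self, rate, burst=None):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def permit(self, key, cost, now):
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate, self.burst))
        return bucket.permit(cost, now)


def simulate_syn_flood(cir_bps=8000, syn_len_bytes=40, count=100):
    """Constructed flood: `count` SYNs at t=0 s, then `count` more at t=0.5 s.
    Returns how many were permitted in each burst under the configured CIR."""
    car = TokenBucket(cir_bps)
    bits = syn_len_bytes * 8
    first = sum(car.permit(bits, 0.0) for _ in range(count))
    second = sum(car.permit(bits, 0.5) for _ in range(count))
    return first, second


def simulate_per_source(limit_pps=50):
    """Constructed ARP burst: host A sends 80 requests, host B sends 10, all at t=0.
    Returns the permitted counts (A is clipped to the limit, B is unaffected)."""
    limiter = PerSourceLimiter(limit_pps)
    a = sum(limiter.permit("10.1.1.20", 1, 0.0) for _ in range(80))
    b = sum(limiter.permit("10.1.1.21", 1, 0.0) for _ in range(10))
    return a, b


if __name__ == "__main__":
    print(simulate_syn_flood())    # (25, 12): 8000 bit/s admits 25 SYNs of 320 bits, then 12 after 0.5 s
    print(simulate_per_source())   # (50, 10)
```

With cir 8000 the bucket admits 25 forty-byte SYNs per second, so the value is a floor for management reachability rather than a capacity figure; size it from the legitimate SYN rate toward the device's own services, not from the attack rate you expect.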
2.3.4.4 Defense Against UDP Flood Attacks
Attack Behavior
● Fraggle attack
Attackers use UDP port 7 to launch Fraggle attacks. Similar to ICMP echo,
port 7 sends back the original received packet payload to test the network
connection between the source and destination. Fraggle attacks work similarly
to Smurf attacks. In a Fraggle attack, the IP address of the attacked device is
spoofed as the source IP address, the destination IP address is a broadcast
address, the destination port is port 7, and the source port may be port 7 or
another port. If the UDP echo service is enabled on a lot of hosts on the
broadcast network, the attacked device will receive a large number of
response packets and get attacked.
● UDP diagnosis port attack
If an attacker randomly sends a large number of packets to UDP diagnosis
ports (7-echo, 13-daytime, and 19-Chargen) simultaneously, a flood is caused,
and network devices may fail to work properly. Many vendors enable some
ports by default for network diagnosis or device management, which results
in potential attacks.
Security Policy
To prevent UDP flood attacks, configure defense against UDP flood attacks on
WLAN devices to enable them to discard UDP packets over ports 7, 13, and 19.
Configuration Method
Enable defense against UDP flood attacks. By default, this function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack udp-flood enable
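The malformed packet classes of 2.3.4.1 (LAND, Smurf, IGMP null, empty IP payload, invalid TCP flags) and the UDP patterns of this section (echo/daytime/chargen ports, Fraggle) are all recognisable from the IP header and the first few bytes of the transport header. The Python below is an added worked example of that classification; it is written for this guide and is not Huawei's anti-attack code. The packet builders exist only to construct sample input, the directed-broadcast address 10.1.1.255 is a constructed value standing in for what the device would know from its interface configuration, and the set of TCP flag combinations treated as invalid is the example's own choice.

```python
import struct
import ipaddress

# Protocol numbers and TCP flag bits used by the checks below.
IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 1, 2, 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
UDP_DIAG_PORTS = {7, 13, 19}   # echo, daytime, chargen
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def build_ipv4(proto, src, dst, payload):
    """Constructed test input: minimal IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def classify(packet, local_broadcasts=()):
    """Return the attack classes one IPv4 packet matches; [] means it looks clean.

    local_broadcasts: directed-broadcast addresses of attached subnets, assumed to be
    known from the interface configuration (constructed for the demo).
    """
    findings = []
    if len(packet) < 20:
        return ["truncated-ip-header"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    payload = packet[ihl:total_len]
    broadcasts = {LIMITED_BROADCAST, *map(ipaddress.IPv4Address, local_broadcasts)}

    if src_ip == dst_ip:                          # LAND: source equals destination
        findings.append("land")
    if not payload:                               # IP header with nothing behind it
        findings.append("igmp-null" if proto == IPPROTO_IGMP else "no-ip-payload")
    if proto == IPPROTO_ICMP and len(payload) >= 1 and payload[0] == 8 and dst_ip in broadcasts:
        findings.append("smurf")                  # echo request aimed at a broadcast address
    if proto == IPPROTO_TCP and len(payload) >= 14:
        flags = payload[13]
        bad = (flags == 0                                    # no flags at all
               or (flags & TCP_SYN and flags & TCP_FIN)      # SYN+FIN is never legal
               or (flags & TCP_SYN and flags & TCP_RST)      # SYN+RST is never legal
               or (flags & TCP_FIN and not flags & TCP_ACK)) # FIN must ride with ACK
        if bad:
            findings.append("invalid-tcp-flags")
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if dport in UDP_DIAG_PORTS:
            findings.append("udp-diag-port")      # echo/daytime/chargen flood
        if dport == 7 and dst_ip in broadcasts:
            findings.append("fraggle")            # UDP echo to a broadcast address
    return findings


if __name__ == "__main__":
    # Constructed samples: a LAND packet and a Fraggle packet to the 10.1.1.0/24 broadcast.
    print(classify(build_ipv4(IPPROTO_TCP, "10.1.1.1", "10.1.1.1", build_tcp(80, 80, TCP_SYN))))
    print(classify(build_ipv4(IPPROTO_UDP, "10.1.1.1", "10.1.1.255", build_udp(7, 7)),
                   local_broadcasts=["10.1.1.255"]))
```

Each finding maps to one of the defaults the guide enables above (anti-attack abnormal and anti-attack udp-flood); the value of running such a classifier on mirrored traffic is to see which classes actually arrive at your CPU, so you can tell a misconfigured host from a deliberate flood before the counters alone would.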
2.3.4.5 Defense Against ICMP Flood Attacks
Attack Behavior
An attacker sends a large number of ICMP Echo Request packets to a WLAN
device in a short period so that the WLAN device is busy responding to these
packets and fails to process normal services.
Security Policy
To prevent ICMP flood attacks, enable defense against ICMP flood attacks on
WLAN devices and set a rate limit for ICMP packets.
Configuration Method
Enable defense against ICMP flood attacks. By default, the function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack icmp-flood enable
[HUAWEI] anti-attack icmp-flood car cir 8000 // Limit the rate of receiving ICMP flood attack packets. By default, this rate is 155,000,000 bit/s.
2.4 Forwarding Plane
2.4.1 Traffic Suppression
Security Policy
When a Layer 2 Ethernet interface on a WLAN device receives broadcast,
multicast, or unknown unicast packets, the WLAN device forwards these packets
to other Layer 2 Ethernet interfaces in the same VLAN if the outbound interfaces
cannot be determined based on the destination MAC addresses of these packets.
In this case, a broadcast storm may occur, degrading forwarding performance of
the device.
Traffic suppression is used to control these packets and prevent broadcast storms.
Traffic suppression limits traffic based on the configured threshold.
Configuration Method
Configure traffic suppression on an interface.
To limit the rate of broadcast, multicast, or unknown unicast packets on an
interface and prevent broadcast storms, configure traffic suppression for packets
of these types on the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression packets 30
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression packets 30
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression packets 30
[HUAWEI-GigabitEthernet0/0/1] quit
2.4.2 Trusted Path-based Forwarding
Security Policy
Unicast Reverse Path Forwarding (URPF) searches the routing table for the route
to the source IP address of a packet and checks whether the inbound interface of
the packet is the same as the outbound interface of the route. If no route to the
source IP address exists in the routing table or the inbound interface of the packet
is different from the outbound interface of the route, URPF discards the packet to
prevent IP spoofing. The security policy is effective for DoS attacks with forged
source IP addresses.
Configuration Method
In a complex networking environment, asymmetric routes may exist. That is, the
routes recorded on the local and remote WLAN devices are different. URPF-enabled WLAN devices may discard packets received through valid paths and
forward packets received through invalid paths. WLAN devices provide the
following URPF modes to resolve this problem:
● Strict mode
In this mode, the route to the source IP address of a packet must exist in the
routing table, and the inbound interface of the packet must be the same as
the outbound interface of the route.
The strict mode is recommended if route symmetry is ensured. For example, if
there is only one path between two network edge WLAN devices, the strict
mode can help ensure network security.
● Loose mode
In this mode, the route to the source IP address of a packet must exist in the
routing table, and the inbound interface of the packet can be the same as or
different from the outbound interface of the route.
The loose mode is recommended if route symmetry is not ensured. For
example, if there are multiple paths between two network edge WLAN
devices, the loose mode can help defend against network attacks and prevent
valid packets from being discarded.
Enable URPF in strict mode on VLANIF 100, and allow the route to the source IP
address of a packet to be the default route.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] urpf strict allow-default-route
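The strict/loose distinction and the allow-default-route option are easiest to see on a concrete routing table. The Python below is an added example of the URPF decision, written for this guide and not derived from Huawei's forwarding code. It reuses the VLANIF addressing from the routing-policy example earlier in this chapter (10.1.1.0/24 on VLANIF 10, 10.1.2.0/24 on VLANIF 20, 10.2.1.0/24 on VLANIF 100) and adds a constructed default route via VLANIF 10; each route is assumed to have a single outbound interface.

```python
import ipaddress


class Route:
    def __init__(self, prefix, out_iface):
        self.prefix = ipaddress.ip_network(prefix)
        self.out_iface = out_iface

    @property
    def is_default(self):
        return self.prefix.prefixlen == 0


def lookup(table, ip):
    """Longest-prefix match for `ip`; returns the Route or None when nothing matches."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def urpf_check(table, src_ip, in_iface, mode="strict", allow_default_route=False):
    """Decide whether a packet with source src_ip arriving on in_iface passes URPF.

    Returns (True, reason) to forward or (False, reason) to discard.
    strict: the reverse-path route must exist and leave via in_iface.
    loose:  the reverse-path route only has to exist.
    The default route counts as a reverse path only when allow_default_route is set.
    """
    route = lookup(table, src_ip)
    if route is None:
        return False, "no route to source"
    if route.is_default and not allow_default_route:
        return False, "source matched only the default route"
    if mode == "strict" and route.out_iface != in_iface:
        return False, f"reverse path is {route.out_iface}, packet arrived on {in_iface}"
    return True, f"reverse path via {route.out_iface} ({mode})"


# Constructed routing table: the three VLANIF subnets from the earlier example plus a
# default route toward the upstream interface.
TABLE = [
    Route("10.1.1.0/24", "Vlanif10"),
    Route("10.1.2.0/24", "Vlanif20"),
    Route("10.2.1.0/24", "Vlanif100"),
    Route("0.0.0.0/0", "Vlanif10"),
]


if __name__ == "__main__":
    # A downstream host arriving on its own interface, and the same source spoofed
    # from the upstream side.
    print(urpf_check(TABLE, "10.1.2.7", "Vlanif20"))
    print(urpf_check(TABLE, "10.1.2.7", "Vlanif10"))
    print(urpf_check(TABLE, "10.1.2.7", "Vlanif10", mode="loose"))
```

Note what loose mode does and does not buy you: a packet from 10.1.2.7 entering on VLANIF 10 is discarded in strict mode but passes in loose mode, so loose mode only stops sources that have no route at all (or, without allow-default-route, sources reachable only via the default route). Where equal-cost paths exist, a real implementation has to accept any of the route's outbound interfaces in strict mode; this example assumes one interface per route.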
3 (Optional) Level-2 Security Hardening Policies
About This Chapter
3.1 Management Plane
3.2 Control Plane
3.3 Forwarding Plane
3.1 Management Plane
3.1.1 Information Center Security
Security Policy
To query information generated on a remotely deployed WLAN device, configure
the WLAN device to export configuration information to a log host, so that you
can view device information on the log host. You can run the info-center loghost
command to configure the device to export configuration information to a log
host. To improve log transmission security, specify the ssl-policy policy-name
parameter in the info-center loghost command to configure TCP-based SSL
encryption.
Configuration Method
Configure a WLAN device to send information to a log host with the IPv4 address
192.168.2.2. Configure the device to transmit information in TCP mode and
encrypt packets using the SSL policy named huawei123.
<HUAWEI> system-view
[HUAWEI] ssl policy huawei123 type client
[HUAWEI-ssl-policy-huawei123] quit
[HUAWEI] info-center loghost 192.168.2.2 transport tcp ssl-policy huawei123
3.1.2 CAPWAP Control Tunnel Encryption
Security Policy
When an AP establishes a CAPWAP tunnel with an AC, you can configure CAPWAP
control tunnel encryption using Datagram Transport Layer Security (DTLS) to
ensure integrity and privacy of management packets. Currently, devices can
encrypt management packets only using the pre-shared key (PSK).
Configuration Method
Enable CAPWAP control tunnel encryption using DTLS and set the PSK for DTLS
encryption to huawei@123.
<HUAWEI> system-view
[HUAWEI] capwap dtls psk huawei@123
[HUAWEI] capwap dtls control-link encrypt
NOTE
From V200R021C00, the command format for enabling DTLS encryption is changed to
capwap dtls control-link encrypt on.
3.2 Control Plane
3.2.1 Wireless Attack Detection and Containment
Security Policy
WLANs are vulnerable to threats from unauthorized APs, STAs, and ad-hoc
networks. Huawei WLAN devices use the following technologies to detect and
contain rogue and interfering devices:
● The Wireless Intrusion Detection System (WIDS) can detect rogue and
interfering APs, bridges, and STAs, as well as ad-hoc devices.
● The Wireless Intrusion Prevention System (WIPS) can disconnect authorized
users from rogue APs, disconnect rogue and interfering devices from the
WLAN, and contain such devices.
The WIDS and WIPS can also detect attacks such as flood attacks, weak IV attacks,
spoofing attacks, brute force WPA/WPA2/WAPI PSK cracking, and brute force WEP
shared key cracking in a timely manner. The two systems then record logs,
statistics, and alarms to notify network administrators of such attacks. The WLAN
device adds devices that initiate flood attacks and brute force key cracking attacks
to the dynamic blacklist and rejects packets from such devices within the aging
time of the dynamic blacklist.
Configuration Method
Detect and contain the following rogue and interfering devices:
● Rogue or interfering AP using open authentication
● Rogue or interfering AP with a spoofing SSID
● Rogue or interfering STA
● Ad-hoc device
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] radio 0
[HUAWEI-wlan-group-radio-ap-group1/0] work-mode normal
[HUAWEI-wlan-group-radio-ap-group1/0] wids device detect enable
[HUAWEI-wlan-group-radio-ap-group1/0] wids contain enable
[HUAWEI-wlan-group-radio-ap-group1/0] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] contain-mode open-ap
[HUAWEI-wlan-wids-prof-default] contain-mode spoof-ssid-ap
[HUAWEI-wlan-wids-prof-default] contain-mode client
[HUAWEI-wlan-wids-prof-default] contain-mode adhoc
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default
[HUAWEI-wlan-ap-group-ap-group1] quit
Configure attack detection and a dynamic blacklist. The device can detect flood
attacks, weak IV attacks, spoofing attacks, and brute force key cracking attacks,
and adds devices that initiate flood attacks and brute force key cracking attacks
into the dynamic blacklist.
In V200R019C00 and earlier versions:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] radio 0
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect enable all
[HUAWEI-wlan-group-radio-ap-group1/0] quit
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] dynamic-blacklist enable
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default
[HUAWEI-wlan-ap-group-ap-group1] quit
In V200R019C10:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] radio 0
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect all enable
[HUAWEI-wlan-group-radio-ap-group1/0] quit
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable
[HUAWEI-wlan-wids-prof-default] quit
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] wids-profile default
[HUAWEI-wlan-ap-group-ap-group1] quit
In versions later than V200R019C10:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] radio 0
[HUAWEI-wlan-group-radio-ap-group1/0] wids attack detect all enable
[HUAWEI-wlan-group-radio-ap-group1/0] quit
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] wids-profile name default
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable
[HUAWEI-wlan-wids-prof-default] quit
3.2.2 URL Filtering
Attack Behavior
With the rapid development of Internet applications and the popularity of
computer networks, acquisition, sharing, and dissemination of information have
become more widespread than ever, which brings unprecedented threats to
enterprises.
● Visiting non-work-related websites during working hours reduces work
efficiency.
● Visiting illegitimate or malicious websites may result in confidential
information leakage or even threats such as worms, viruses, and Trojan
horses.
● When the intranet is congested, employees may be unable to access work-related websites, such as the company homepage and search engine,
deteriorating working efficiency.
Security Policy
When users send HTTP or HTTPS requests for accessing URLs, URL filtering can be
used to permit, generate alarms for, or block the requests. After URL filtering is
enabled:
● Users' access requests to legitimate websites are permitted.
● Users' access requests to illegitimate websites are blocked.
Configuration Method
Configure URL filtering to enable users to access only www.example.com/working
or www.example.org.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] profile type url-filter name url_wlan
[HUAWEI-profile-url-filter-url_wlan] default action block
[HUAWEI-profile-url-filter-url_wlan] add whitelist url www.example.com/working
[HUAWEI-profile-url-filter-url_wlan] add whitelist host www.example.org
[HUAWEI-profile-url-filter-url_wlan] quit
[HUAWEI] engine configuration commit
[HUAWEI] defence-profile name defence_wlan
[HUAWEI-defence-profile-defence_wlan] profile type url-filter url_wlan
[HUAWEI-defence-profile-defence_wlan] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name wlan-vap
[HUAWEI-wlan-vap-prof-wlan-vap] defence-profile defence_wlan
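The profile above combines a default block action with two kinds of whitelist entry, one carrying a path (www.example.com/working) and one naming only a host (www.example.org). The Python below is an added example of how such a whitelist is evaluated against a request; it is written for this guide and does not reproduce the device's URL filter engine. Its matching rules are assumptions: a url entry matches when the host is equal and the request path is the entry path or lies below it, a host entry matches any path on that host. The example canonicalises the path (percent-decoding, then collapsing "." and ".." segments) before matching, because a prefix match on the raw path would let www.example.com/working/%2e%2e/admin count as "under /working".

```python
import posixpath
from urllib.parse import urlsplit, unquote


class UrlFilterProfile:
    """Whitelist-only URL filter with a default action, shaped like the url_wlan profile.

    Matching rules are this example's assumptions, not the device's documented semantics:
    - a 'url' entry (host + path) matches when the host is equal and the request path is
      the entry path or lies below it;
    - a 'host' entry matches the host only, with any path.
    """

    def __init__(self, default_action="block"):
        self.default_action = default_action
        self.url_entries = []       # list of (host, canonical path)
        self.host_entries = set()

    @staticmethod
    def split(url):
        """Return (lower-case host, canonical path): scheme and port dropped, percent-encoding
        decoded and '.'/'..' segments collapsed so encoded traversal cannot pass a prefix test."""
        if "://" not in url:
            url = "http://" + url
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = posixpath.normpath(unquote(parts.path or "/"))
        if not path.startswith("/"):
            path = "/" + path
        return host, path

    def add_whitelist_url(self, entry):
        self.url_entries.append(self.split(entry))

    def add_whitelist_host(self, host):
        self.host_entries.add(host.lower())

    def action_for(self, request_url):
        host, path = self.split(request_url)
        if host in self.host_entries:
            return "permit"
        for wl_host, wl_path in self.url_entries:
            if host == wl_host and (path == wl_path or path.startswith(wl_path.rstrip("/") + "/")):
                return "permit"
        return self.default_action


def build_profile():
    """The url_wlan profile from the configuration above, expressed with this class."""
    profile = UrlFilterProfile(default_action="block")
    profile.add_whitelist_url("www.example.com/working")
    profile.add_whitelist_host("www.example.org")
    return profile


if __name__ == "__main__":
    p = build_profile()
    for url in ("http://www.example.com/working/report.html",
                "http://www.example.com/",
                "https://www.example.org/anything?x=1",
                "http://www.example.com/working/%2e%2e/admin"):
        print(url, "->", p.action_for(url))
```

A path-bearing url entry can only be evaluated where the path is visible to the device; for HTTPS that is generally just the host name, so an entry that depends on the path should be paired with an expectation of what the filter can actually see on encrypted traffic.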
3.2.3 Intrusion Prevention
Security Policy
Intrusion prevention is a security mechanism that detects intrusions (including
buffer overflow attacks, Trojan horses, and worms) by analyzing network traffic,
and terminates intrusion behavior in real time using certain response methods,
protecting enterprise information systems and network architectures from being
attacked. Intrusion prevention has the following advantages:
● Real-time attack block: A WLAN device is deployed on a network in in-line
mode. When detecting intrusion, the device blocks intrusion and network
attack traffic in real time, minimizing impacts of network intrusions.
● In-depth protection: New attacks are hidden at the application layer of the
TCP/IP protocol. Intrusion prevention can detect the content of application-layer packets, reassemble network data flows for protocol analysis and
detection, and determine the traffic that must be blocked based on the attack
type and policy.
● All-round protection: Intrusion prevention provides protection measures
against attacks such as worms, viruses, Trojan horses, botnets, spyware,
adware, Common Gateway Interface (CGI) attacks, cross-site scripting attacks,
injection attacks, directory traversal attacks, information leakage, remote file
inclusion attacks, overflow attacks, code execution, DoS attacks, and scanning
tools. All-round protection comprehensively helps defend against various
attacks and protect network security.
● Internal and external protection: Intrusion prevention can protect enterprises
from both external and internal attacks. The intrusion prevention system (IPS)
can detect the traffic passing through and protect servers and clients.
● Continuous upgrade and precise protection: The IPS signature database is
updated continuously to maintain the highest security level. You can
periodically upgrade the IPS signature database of a device from the upgrade
center to ensure effective intrusion prevention.
Configuration Method
Configure the intrusion prevention function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] profile type ips name profile_ips_pc
[HUAWEI-profile-ips-profile_ips_pc] collect-attack-evidence enable
[HUAWEI-profile-ips-profile_ips_pc] signature-set name filter1
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] target both
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] severity high
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] protocol all
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] category all
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] application all
[HUAWEI-profile-ips-profile_ips_pc-sigset-filter1] quit
[HUAWEI-profile-ips-profile_ips_pc] quit
[HUAWEI] engine configuration commit
[HUAWEI] defence-profile name defence_wlan
[HUAWEI-defence-profile-defence_wlan] profile type ips profile_ips_pc
[HUAWEI-defence-profile-defence_wlan] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name wlan-vap
[HUAWEI-wlan-vap-prof-wlan-vap] defence-profile defence_wlan
[HUAWEI-wlan-vap-prof-wlan-vap] quit
3.2.4 Antivirus
Attack Behavior
Viruses are a type of malicious code. Typically, viruses infect or attach to
application programs or files and spread through mail or file sharing protocols,
threatening security of hosts and networks. Viruses perform various types of
harmful activities on infected hosts, such as exhausting host resources, occupying
network bandwidth, controlling host permissions, stealing data, and even
corrupting host hardware.
Security Policy
Antivirus is a security mechanism that can identify and process virus files to
ensure network security and avoid data corruption, permission change, and
system crash caused by virus files.
ACs use the advanced Intelligent Awareness Engine (IAE) and constantly updated
virus signature database to detect and remove viruses. Figure 3-1 shows the
antivirus mechanism.
Figure 3-1 Antivirus mechanism
Configuration Method
Configure the antivirus function.
● When users attempt to download virus-infected files using HTTP, the
download connection is interrupted.
● When users download important software in which virus 16424404 is
detected, the download connection will not be interrupted.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] defence-profile name defence_wlan
[HUAWEI-defence-profile-defence_wlan] quit
[HUAWEI] profile type av name av_http
[HUAWEI-profile-av-av_http] http-detect direction both action block
[HUAWEI-profile-av-av_http] exception av-signature-id 16424404
[HUAWEI-profile-av-av_http] undo ftp-detect
[HUAWEI-profile-av-av_http] undo smtp-detect
[HUAWEI-profile-av-av_http] undo pop3-detect
[HUAWEI-profile-av-av_http] undo imap-detect
[HUAWEI-profile-av-av_http] undo nfs-detect
[HUAWEI-profile-av-av_http] undo smb-detect
[HUAWEI-profile-av-av_http] quit
[HUAWEI] defence-profile name defence_wlan
[HUAWEI-defence-profile-defence_wlan] profile type av av_http
[HUAWEI-defence-profile-defence_wlan] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name wlan-vap
[HUAWEI-wlan-vap-prof-wlan-vap] defence-profile defence_wlan
3.2.5 ARP Security
3.2.5.1 Defense Against ARP Spoofing Attacks
Attack Behavior
An ARP spoofing attack is initiated when an attacker sends forged ARP packets to
modify ARP entries on valid gateways or hosts. As a result, valid ARP packets
cannot be transmitted properly. The attacker can damage a network in the
following aspects by initiating ARP spoofing attacks:
● A gateway learns incorrect ARP entries based on the received forged ARP
packets.
● Users learn incorrect ARP entries based on the received forged ARP packets.
● A WLAN device learns incorrect ARP entries based on the received malformed
ARP packets.
Security Policy
To defend against the preceding attacks, configure the following security policies
on a WLAN device:
● Fixed ARP
WLAN devices support three fixed ARP modes: fixed-mac, fixed-all, and
send-ack. These three modes are applicable to different scenarios and are
mutually exclusive.
– The fixed-mac mode applies to networks where user MAC addresses do
not change but user access locations often change. When a user connects
to a different interface on the WLAN device, the device updates interface
information in the ARP entry of the user in a timely manner.
– The fixed-all mode applies to networks where both user MAC addresses
and user access locations do not change.
– The send-ack mode applies to networks where both user MAC addresses
and user access locations often change.
● Dynamic ARP inspection (DAI)
When a DAI-capable WLAN device receives an ARP packet, it matches the
source IP address, source MAC address, VLAN ID, and interface number of the
ARP packet against binding entries. If a match is found, the device considers
the ARP packet valid and allows it to pass through. Otherwise, the device
discards the packet. Binding entries are dynamically generated through DHCP
snooping or manually configured.
● ARP gateway anti-collision
To defend against attacks from bogus gateways, enable ARP gateway anti-collision on the WLAN device functioning as a gateway if user hosts directly
connect to the gateway. A WLAN device considers that an ARP gateway
collision occurs if it receives an ARP packet meeting either of the following
conditions:
– The source IP address of the ARP packet is the same as the IP address of
the VLANIF interface matching the inbound interface of the packet.
– The source IP address of the ARP packet is the virtual IP address of the
inbound interface, but the source MAC address is not the VRRP virtual
MAC address.
The WLAN device generates an ARP anti-collision entry and discards the
received packets with the same source MAC address and VLAN ID as
those of the ARP packet within a specified period of time. This function
prevents ARP packets with a bogus gateway address from being
broadcast in a VLAN.
● Gratuitous ARP packet sending
You can enable gratuitous ARP packet sending on the WLAN device that
functions as a gateway. The device then periodically sends gratuitous ARP
packets to update the ARP entries of authorized users so that the ARP entries
contain the correct MAC address of the gateway.
● MAC address consistency check in an ARP packet
After receiving an ARP packet, the WLAN device checks whether the source
and destination MAC addresses in the Ethernet frame header match those in
the ARP packet. If the source and destination MAC addresses in an ARP
packet are different from those in the Ethernet frame header, the device
regards the packet as an attack and discards it. If the source and destination
MAC addresses in an ARP packet are the same as those in the Ethernet frame
header, the device performs ARP learning. MAC address consistency check in
an ARP packet effectively protects the network or WLAN devices from
malformed ARP packet attacks.
● ARP packet validity check
To avoid ARP attacks, you can enable ARP packet validity check on a WLAN
device that functions as an access device or gateway to filter out ARP packets
with invalid IP or MAC addresses. The WLAN device checks validity of an ARP
packet based on each or any combination of the following items:
– Source and destination IP addresses: The WLAN device checks the source
and destination IP addresses in an ARP packet. If the source or
destination IP address is all 0s, all 1s, or a multicast IP address, the device
considers the packet invalid and discards it. The device checks both the
source and destination IP addresses in an ARP Reply packet but checks
only the source IP address in an ARP Request packet.
– Source MAC address: The WLAN device compares the source MAC
address in an ARP packet with that in the Ethernet frame header. If they
are the same, the packet is valid. If they are different, the device discards
the packet.
– Destination MAC address: The WLAN device compares the destination
MAC address in an ARP packet with that in the Ethernet frame header. If
they are the same, the packet is valid. If they are different, the device
discards the packet.
● Strict ARP learning
After the strict ARP learning function is enabled, the WLAN device learns ARP
entries only for ARP Reply packets in response to ARP Request packets sent by
itself. In this way, the device can defend against most ARP attacks.
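Three of the policies above (MAC address consistency check, ARP packet validity check, and ARP gateway anti-collision) are decisions made per frame from fields that are all present in a 42-byte Ethernet/ARP frame. The Python below is an added example that parses such a frame and applies those checks as the text describes them; it is written for this guide and is not Huawei's ARP implementation. The frame builder only constructs sample input, the GatewayContext class is this example's way of holding the VLANIF address and VRRP virtual IP/MAC the gateway would know, and treating the destination-MAC comparison as applicable to replies only (a request carries an all-zero target MAC and a broadcast frame destination) is the example's interpretation.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame; MACs as colon strings, IPs as dotted strings."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha),
                      ipaddress.IPv4Address(spa).packed, mac(tha),
                      ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def ip_invalid(packed):
    """All-zeros, all-ones or multicast: the three cases the validity check rejects."""
    return packed in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(packed).is_multicast


class GatewayContext:
    """What the gateway knows about the VLANIF the frame arrived on (constructed for the demo)."""

    def __init__(self, own_ip, vrrp_vip=None, vrrp_vmac=None):
        self.own_ip = ipaddress.IPv4Address(own_ip).packed
        self.vrrp_vip = ipaddress.IPv4Address(vrrp_vip).packed if vrrp_vip else None
        self.vrrp_vmac = mac(vrrp_vmac) if vrrp_vmac else None


def check_arp(frame, ctx=None):
    """Return the violations found in one ARP frame; an empty list means accept."""
    findings = []
    if len(frame) < 42:
        return ["truncated"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return ["not-arp"]
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])

    # MAC consistency: sender MAC in the ARP body must equal the frame source MAC.
    if sha != eth_src:
        findings.append("sender-mac-mismatch")
    # The destination comparison is only meaningful for replies: a request carries an
    # all-zero target MAC and is addressed to ff:ff:ff:ff:ff:ff (assumed interpretation).
    if op == ARP_REPLY and tha != eth_dst:
        findings.append("target-mac-mismatch")

    # IP validity: source IP for every packet, destination IP for replies only.
    if ip_invalid(spa):
        findings.append("invalid-sender-ip")
    if op == ARP_REPLY and ip_invalid(tpa):
        findings.append("invalid-target-ip")

    # Gateway anti-collision: another station claiming this VLANIF's own address, or the
    # VRRP virtual address from a MAC that is not the VRRP virtual MAC.
    if ctx is not None:
        if spa == ctx.own_ip:
            findings.append("gateway-collision")
        elif ctx.vrrp_vip and spa == ctx.vrrp_vip and sha != ctx.vrrp_vmac:
            findings.append("vrrp-gateway-collision")
    return findings


if __name__ == "__main__":
    # Constructed gateway: VLANIF address 10.1.1.1, VRRP virtual address 10.1.1.254.
    gw = GatewayContext("10.1.1.1", "10.1.1.254", "00:00:5e:00:01:01")
    legit = build_arp_frame("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                            "aa:aa:aa:aa:aa:01", "10.1.1.20", "00:00:00:00:00:00", "10.1.1.1")
    bogus_gw = build_arp_frame("aa:aa:aa:aa:aa:05", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                               "aa:aa:aa:aa:aa:05", "10.1.1.1", "00:00:00:00:00:00", "10.1.1.20")
    print(check_arp(legit, gw), check_arp(bogus_gw, gw))
```

One side effect worth knowing before enabling the source-IP part of the validity check: address-conflict probes (RFC 5227) carry a sender IP of 0.0.0.0, which this rule classifies as invalid, so confirm on the device how such probes are handled if hosts on the VLAN rely on them.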
Configuration Method
● Configure fixed ARP.
Enable fixed ARP in fixed-mac mode.
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable
● Configure DAI.
Enable DAI on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
● Configure ARP gateway anti-collision.
Enable ARP gateway anti-collision.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
● Configure gratuitous ARP packet sending.
Enable gratuitous ARP packet sending on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable //Configure this command globally or on the VLANIF interface as required.
● Configure MAC address consistency check in an ARP packet.
Enable MAC address consistency check in an ARP packet on the specified
interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac
● Configure ARP packet validity check.
Enable ARP packet validity check and configure the WLAN device to check the
source MAC address in an ARP packet.
<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check sender-mac
● Configure strict ARP learning.
Enable strict ARP learning on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable //Configure this command globally or on the VLANIF interface as required.
3.2.5.2 Defense Against ARP Flood Attacks
Attack Behavior
If a large number of ARP packets are broadcast on the network, the gateway
cannot process other services due to CPU overload. Processing too many ARP
packets will occupy considerable bandwidth, leading to network congestion and
affecting network communication.
Security Policy
To defend against the preceding attacks, configure the following security policies
on a WLAN device:
● ARP entry limit
The device limits the number of ARP entries that an interface can learn to
prevent ARP entry overflow and improve ARP entry security.
● ARP rate limit
The device counts the number of received ARP packets within a specified
period. If the number of received ARP packets exceeds the upper limit, the
device does not process the excess ARP packets. This function prevents ARP
entry overflow.
● Strict ARP learning
The WLAN device learns the MAC addresses only of the ARP Reply packets in
response to the ARP Request packets sent by itself. This prevents attacks
initiated by sending ARP Request packets and ARP Reply packets in response
to the request packets that the device itself has sent.
● ARP port-level protection
The device monitors the ARP packet rate based on ports. When the rate of
ARP packets sent from one port to the control plane exceeds the specified
threshold, the device sends these ARP packets to the control plane through an
independent channel. This function avoids impact of the attack on valid ARP
packets. Alternatively, the device can block ARP packets on the attacked port
for a certain period of time, instead of sending the packets through an
independent channel.
● ARP user-level protection
The device monitors the rate of ARP packets sent to the control plane based
on users (MAC or IP addresses). When the rate of ARP packets from a user
exceeds the specified threshold, the device discards this user's ARP packets for
a certain period of time.
Configuration Method
● Configure ARP entry limit.
Configure the maximum number of ARP entries that a specified interface can learn.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-limit maximum 20
● Configure ARP rate limit.
Limit the ARP packet rate to 50 pps based on source IP addresses.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip maximum 50
● Configure strict ARP learning.
Strict ARP learning can be configured globally or on a specified interface and takes effect as follows:
– If strict ARP learning is configured globally and on a specified interface, only the configuration on the interface takes effect.
– If strict ARP entry learning is not configured on an interface, the global configuration takes effect.
Enable strict ARP learning globally.
<HUAWEI> system-view
[HUAWEI] arp learning strict
Enable strict ARP learning on a specified interface.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable
● Configure ARP port-level protection.
Configure GE0/0/1 to allow a maximum of 50 ARP packets to pass through per second. When the ARP packet rate exceeds the threshold, the device discards ARP packets on this interface for 60 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit 50 60
● Configure ARP user-level protection.
Configure ARP user-level protection based on users' MAC or IP addresses.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy antiatk
[HUAWEI-cpu-defend-policy-antiatk] auto-defend enable
[HUAWEI-cpu-defend-policy-antiatk] auto-defend threshold 30
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend trace-type source-portvlan
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend protocol tcp telnet ttl-expired igmp icmp dhcpv6 nd
[HUAWEI-cpu-defend-policy-antiatk] auto-defend action deny timer 300
[HUAWEI-cpu-defend-policy-antiatk] quit
[HUAWEI] cpu-defend-policy antiatk
3.2.6 DHCP Security
3.2.6.1 Defense Against Bogus DHCP Server Attacks
Attack Behavior
Due to lack of an authentication mechanism between DHCP servers and DHCP clients, once a DHCP server is newly configured on a network, it can allocate IP addresses and other network parameters to DHCP clients even if it is a bogus one.
A bogus DHCP server is connected to the aggregation WLAN device through a Layer 2 network. When a client connected to the WLAN device applies for an IP address through DHCP, and the bogus DHCP server responds before other servers and assigns an IP address to the client, an IP address conflict will occur on the network, affecting network services.
Security Policy
To defend against the preceding attacks, enable DHCP snooping on the WLAN device and configure the interface connected to the valid DHCP server as a trusted interface to filter out rogue DHCP servers.
Configuration Method
Configure packet validity check based on DHCP snooping.
1. Configure the interface connected to the valid DHCP server as a trusted interface.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted
[HUAWEI-GigabitEthernet0/0/1] quit
2. Enable DHCP snooping on another user-side interface or in a VLAN.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping enable
3.2.6.2 Defense Against DHCP Flood Attacks
Attack Behavior
When a WLAN device functioning as a DHCP server or relay agent receives a large number of DHCP packets sent by a malicious user, the WLAN device cannot process valid DHCP packets because it is focusing its DHCP processing capability on such malicious packets. As a result, clients cannot obtain or renew IP addresses.
Security Policy
To defend against the preceding attacks, configure the following security policies on a WLAN device:
● DHCP port-level protection
The WLAN device monitors DHCP packet rate based on ports. When the rate of DHCP packets sent to the control plane from one port exceeds the specified threshold, the device sends these DHCP packets to the control plane through an independent channel. This function avoids impact of the attack on valid DHCP packets.
● DHCP user-level protection
The WLAN device monitors the rate of DHCP packets sent to the control plane based on users (MAC or IP addresses). When the rate of DHCP packets from a user exceeds the specified threshold, the device discards this user's DHCP packets for a certain period of time.
Configuration Method
● Configure DHCP port-level protection.
Set the maximum rate of DHCP packets sent from GE0/0/1 to the DHCP packet processing unit to 30. The WLAN device then discards packets exceeding the rate.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-rate enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-rate 30
[HUAWEI-GigabitEthernet0/0/1] quit
● Configure DHCP user-level protection based on users' MAC or IP addresses.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy antiatk
[HUAWEI-cpu-defend-policy-antiatk] auto-defend enable
[HUAWEI-cpu-defend-policy-antiatk] auto-defend threshold 30
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend trace-type source-portvlan
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend protocol tcp telnet ttl-expired igmp icmp dhcpv6 mld nd
[HUAWEI-cpu-defend-policy-antiatk] auto-defend action deny timer 300
[HUAWEI-cpu-defend-policy-antiatk] quit
[HUAWEI] cpu-defend-policy antiatk
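The user-level protection configured above for ARP and for DHCP is the same auto-defend mechanism: count control-plane packets per source, and once a source exceeds the threshold (30 pps here) discard its packets for the deny timer (300 s). The following Python model is an added example written for this guide, not Huawei code; the sliding one-second window, the "more than the threshold within one second" trigger and the constructed MAC addresses are assumptions.

```python
from collections import defaultdict, deque


class AutoDefend:
    """Per-user control-plane rate limiting in the style of
    'auto-defend threshold 30' and 'auto-defend action deny timer 300'.
    Hypothetical model written for this guide, not Huawei device code."""

    def __init__(self, threshold_pps=30, deny_seconds=300):
        self.threshold_pps = threshold_pps
        self.deny_seconds = deny_seconds
        self.recent = defaultdict(deque)  # src -> timestamps seen in the last second
        self.denied_until = {}            # src -> time at which its deny timer expires
        self.events = []                  # (time, src) for every deny decision

    def process(self, ts, src):
        """Return 'forward' or 'drop' for one ARP/DHCP packet headed to the CPU."""
        until = self.denied_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"              # still inside the deny timer
            del self.denied_until[src]     # timer expired: the user is unblocked
        window = self.recent[src]
        window.append(ts)
        while window and window[0] <= ts - 1.0:
            window.popleft()               # sliding one-second window (assumption)
        if len(window) > self.threshold_pps:
            # Threshold exceeded: discard this user's packets for deny_seconds.
            self.denied_until[src] = ts + self.deny_seconds
            self.events.append((ts, src))
            window.clear()
            return "drop"
        return "forward"


def run_sample():
    """Constructed traffic: a normal client at 5 pps beside a flooding source."""
    legit, flood = "00:11:22:33:44:55", "de:ad:be:ef:00:01"   # constructed MACs
    packets = [(i * 0.2, legit) for i in range(50)]            # 0.0 .. 9.8 s
    packets += [(i * 0.01, flood) for i in range(100)]         # 100 packets in 1 s
    packets += [(10.0, flood), (301.0, flood)]                 # during / after deny
    packets.sort(key=lambda p: p[0])
    defend = AutoDefend(threshold_pps=30, deny_seconds=300)
    counts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for ts, src in packets:
        counts[src][defend.process(ts, src)] += 1
    return {src: dict(c) for src, c in counts.items()}, defend.events


if __name__ == "__main__":
    counts, events = run_sample()
    for src, c in counts.items():
        print(src, c)
    for ts, src in events:
        print(f"deny {src} at t={ts:.2f}s")
```

The flooding source gets its first 30 packets through, is denied on the 31st, and is only heard again once the 300 s timer has run out, while the 5 pps client is never touched.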
3.2.7 Routing Protocol Security
3.2.7.1 BGP/BGP4+
Attack Behavior
● DoS attacks
An attacker can send various types of packets to attack a WLAN device. If the packets are multicast protocol packets or are destined for an interface (including the loopback interface) on the WLAN device, the device directly sends these packets to the CPU. This is a waste of CPU and system resources, leading to DoS attacks.
● Construction of error BGP packets
An attacker constructs error packets with an extra-long AS_path attribute to attack a WLAN device.
● Quintuple attacks of data packets
BGP uses TCP as the transmission protocol, and BGP considers a data packet valid as long as the source address, destination address, source port, destination port, and TCP sequence number of the packet are correct. However, most parameters in a data packet can be easily obtained by attackers.
● GTSM attacks
An attacker simulates BGP and continuously sends attack packets to a WLAN device. As a result, the WLAN device is extremely busy in processing such attack packets, rocketing CPU usage.
Security Policy
To defend against the preceding attacks, configure the following security policies on a WLAN device:
● CPCAR
After a BGP session is created, the system delivers a whitelist. The application-layer association module checks the received protocol packets and sends protocol packets that match the whitelist at a large bandwidth and high rate. The module sends protocol packets that do not match the whitelist at the default bandwidth and rate to prevent DoS attacks. In addition, CPCAR is used on interfaces to limit the transmission rate of BGP packets, protect the CPU against attacks, and ensure normal running of the network.
● Limitation on the number of AS numbers in the AS-path attribute
When a BGP-capable WLAN device receives a route, the device checks whether the number of AS numbers in the AS-path attribute exceeds the threshold. If so, the WLAN device discards the route. During route advertisement, the WLAN device also checks whether the number of AS numbers in the AS-path attribute exceeds the threshold. If so, the WLAN device does not advertise the route to prevent maliciously-constructed error packets with an extra-long AS-path attribute from attacking the WLAN device.
● BGP MD5 authentication and BGP keychain authentication
To protect BGP from attacks, use MD5 authentication or keychain authentication between BGP peers to reduce the possibility of attacks.
– The MD5 algorithm is easy to configure and generates a single password that needs to be manually changed. To ensure high security, you are not advised to use MD5 authentication.
– The keychain algorithm is complex to configure and generates a set of passwords. Keychain authentication allows passwords to be changed automatically based on configurations. Therefore, keychain authentication is applicable to networks requiring high security.
● BGP GTSM
To protect a WLAN device against the attacks initiated using forged BGP packets, you can configure GTSM to check whether the TTL value in the IP packet header is within the specified range. In actual networking, packets whose TTL values are not within the specified range are either allowed to pass or discarded by the GTSM. When the default action to be taken on packets is set to drop in GTSM, set a proper TTL range according to the network topology. Then packets with TTL values outside of the specified range are discarded, preventing attackers from simulating BGP packets to attack the WLAN device.
Configuration Method
● Modify the CPCAR value of BGP.
NOTE
Improper CPCAR settings will affect services on your network. To adjust the CPCAR values, contact technical support personnel.
Change the rate at which BGP packets are sent to the CPU to 64 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] packet-type bgp rate-limit 64 wired
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
● Set the maximum number of AS numbers in the AS-path attribute.
Set the maximum number of AS numbers in the AS-path attribute to 200.
<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] as-path-limit 200
● Configure keychain authentication.
Configure the keychain authentication named huawei for BGP peers.
<HUAWEI> system-view
[HUAWEI] keychain huawei mode absolute
[HUAWEI-keychain-huawei] key-id 1
[HUAWEI-keychain-huawei-keyid-1] algorithm sha-256
[HUAWEI-keychain-huawei-keyid-1] key-string cipher Huawei@1234
[HUAWEI-keychain-huawei-keyid-1] quit
[HUAWEI-keychain-huawei] quit
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.2 as-number 200
[HUAWEI-bgp] peer 10.1.1.2 keychain huawei
● Configure BGP GTSM.
Configure GTSM for the peer.
<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.2 as-number 200
[HUAWEI-bgp] peer 10.1.1.2 valid-ttl-hops 1
For packets that do not match the GTSM policy, you can specify pass in the gtsm default-action { drop | pass } command or run the undo gtsm default-action drop command to allow these packets to pass through, or specify drop in the command to discard them. You can also enable the logging function using the gtsm log drop-packet all command to record information about dropped packets for further fault locating.
3.2.7.2 OSPF/OSPFv3
Attack Behavior
● GTSM attacks
An attacker simulates OSPF/OSPFv3 and continuously sends packets to a WLAN device. As a result, the WLAN device is extremely busy in processing such attack packets, rocketing CPU usage.
● Forged packet attacks
An attacker may attack a WLAN device using forged packets as follows:
– Changes the aging time of a packet to the maximum aging time so that all WLAN devices discard the packet.
– Advertises the LSAs with valid Max Sequence Numbers or with sequence numbers close to the Max Sequence Number.
– Changes the sequence number when a peer WLAN device resets the state of the encryption sequence number during a restart.
– Changes the peer list in Hello packets.
Security Policy
To defend against the preceding attacks, configure the following security policies on a WLAN device:
● OSPF/OSPFv3 GTSM
The Generalized TTL Security Mechanism (GTSM) checks TTL values to defend against GTSM attacks. GTSM only checks TTL values of the packets that match the GTSM policy. The packets that do not match the GTSM policy can be dropped or allowed to pass through. If the default action to be taken on packets is drop, configure all possible device connections in the GTSM policy. Packets sent from a device that is not specified in the GTSM policy will be dropped. As a result, the connection cannot be established.
● OSPF/OSPFv3 packet authentication
OSPF/OSPFv3 packet authentication prevents forged packet attacks. A WLAN device can set up neighbor relationships only with authenticated devices. If area authentication is used, configure the same authentication mode and password for all WLAN devices in an area. For example, the authentication mode of all WLAN devices in Area 0 is simple authentication and the password is abc. Interface authentication is used to set the authentication mode and password used between neighboring WLAN devices. It takes precedence over area authentication.
Configuration Method
To configure OSPF GTSM, OSPF area authentication, and OSPF interface authentication, perform the following steps:
● Configure OSPF GTSM.
Enable OSPF GTSM and set the maximum number of TTL hops to 5 for OSPF packets that can be received from a public network.
<HUAWEI> system-view
[HUAWEI] ospf valid-ttl-hops 5
For packets that do not match the GTSM policy, you can specify pass in the gtsm default-action { drop | pass } command or run the undo gtsm default-action drop command to allow these packets to pass through, or specify drop in the command to discard them. You can also enable the logging function using the gtsm log drop-packet all command to record information about dropped packets for further fault locating.
● Configure OSPF area authentication.
Configure HMAC-SHA256 authentication for OSPF area 0.
<HUAWEI> system-view
[HUAWEI] ospf 100
[HUAWEI-ospf-100] area 0
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode hmac-sha256
● Configure OSPF interface authentication.
Configure OSPF HMAC-SHA256 authentication on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ospf authentication-mode hmac-sha256
To configure OSPFv3 GTSM, OSPFv3 area authentication, OSPFv3 process authentication, and OSPFv3 interface authentication, perform the following steps:
● Configure OSPFv3 GTSM.
Enable OSPFv3 GTSM and set the maximum number of TTL hops to 5 for the OSPFv3 packets that can be received from a public network.
<HUAWEI> system-view
[HUAWEI] ospfv3 valid-ttl-hops 5
For packets that do not match the GTSM policy, you can specify pass in the gtsm default-action { drop | pass } command or run the undo gtsm default-action drop command to allow these packets to pass through, or specify drop in the command to discard them. You can also enable the logging function using the gtsm log drop-packet all command to record information about dropped packets for further fault locating.
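GTSM as configured above for BGP (peer 10.1.1.2 valid-ttl-hops 1), OSPF and OSPFv3 (valid-ttl-hops 5) accepts a packet only if its TTL lies in [256 - N, 255], applies the gtsm default-action to packets that match no policy, and can log what it drops. The Python below is an added model written for this guide, not device code; the per-network policy list, first-match evaluation and the log line format are assumptions.

```python
import ipaddress


def gtsm_ttl_range(valid_ttl_hops):
    """TTL values accepted for 'valid-ttl-hops N': a peer sends TTL 255 and
    every router on the path decrements it once, so a peer at most N hops
    away still arrives with TTL >= 256 - N."""
    return range(256 - valid_ttl_hops, 256)


class GtsmPolicy:
    """Device-side GTSM check, modelled for this guide (not Huawei code):
    per-source policies, the default action for packets that match no policy
    (gtsm default-action), and optional drop logging (gtsm log drop-packet)."""

    def __init__(self, default_action="pass", log_drop_packet=False):
        if default_action not in ("drop", "pass"):
            raise ValueError("default action must be 'drop' or 'pass'")
        self.default_action = default_action
        self.log_drop_packet = log_drop_packet
        self.policies = []   # (network, valid-ttl-hops); first match wins (assumption)
        self.log = []

    def add_policy(self, network, valid_ttl_hops):
        """A BGP peer is a /32 host; 'ospf valid-ttl-hops' covers all sources."""
        net = ipaddress.ip_network(network, strict=False)
        self.policies.append((net, valid_ttl_hops))

    def check(self, src, ttl):
        """Return 'pass' or 'drop' for a protocol packet from src with this TTL."""
        src = ipaddress.ip_address(src)
        hops = next((h for net, h in self.policies if src in net), None)
        if hops is None:
            action, reason = self.default_action, "no matching GTSM policy"
        elif ttl in gtsm_ttl_range(hops):
            return "pass"
        else:
            low = gtsm_ttl_range(hops).start
            action, reason = "drop", f"ttl {ttl} outside {low}-255"
        if action == "drop" and self.log_drop_packet:
            self.log.append(f"GTSM dropped packet from {src}: {reason}")
        return action


def bgp_example():
    """The guide's BGP case: directly connected peer 10.1.1.2, valid-ttl-hops 1,
    with unmatched packets dropped and logged."""
    policy = GtsmPolicy(default_action="drop", log_drop_packet=True)
    policy.add_policy("10.1.1.2/32", 1)
    return policy


def ospf_example():
    """The guide's OSPF case: 'ospf valid-ttl-hops 5' applied to every source."""
    policy = GtsmPolicy(default_action="pass")
    policy.add_policy("0.0.0.0/0", 5)
    return policy
```

With default-action drop, a packet from any source not listed in the policy is dropped even with a perfect TTL, which is why every possible connection has to be in the policy before choosing drop.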
● Configure OSPFv3 area authentication.
Configure HMAC-SHA256 authentication for OSPFv3 area 0.
<HUAWEI> system-view
[HUAWEI] ospfv3 100
[HUAWEI-ospfv3-100] area 0
[HUAWEI-ospfv3-100-area-0.0.0.0] authentication-mode hmac-sha256 key-id 10 cipher huawei
● Configure OSPFv3 process authentication.
Configure HMAC-SHA256 authentication for OSPFv3 process 100.
<HUAWEI> system-view
[HUAWEI] ospfv3 100
[HUAWEI-ospfv3-100] authentication-mode hmac-sha256 key-id 10 cipher huawei
● Configure OSPFv3 interface authentication.
Configure OSPFv3 HMAC-SHA256 authentication on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ipv6 enable
[HUAWEI-Vlanif100] ospfv3 1 area 0
[HUAWEI-Vlanif100] ospfv3 authentication-mode hmac-sha256 key-id 10 cipher huawei
3.2.7.3 RIP/RIPng
Attack Behavior
● Injection of incorrect routing information
RIP/RIPng will accept any packet from a valid packet source address that matches the configured network. RIP will carry direct route data in its RIP/RIPng packet. As a result, an attack with invalid or incorrect route information in route data of the RIP/RIPng packet may be initiated. With this information, the calculated routing database will not be correct and can cause network failures.
● Replay attack
An attacker intercepts RIP packets and sends them to the WLAN device repeatedly, increasing the load on the WLAN device.
Security Policy
To defend against the preceding attacks, configure the following security policies on a WLAN device:
● RIP authentication
RIPv2 can be used to authenticate protocol packets to prevent incorrect routing data, error packets, and replay attacks. Three authentication modes are available: simple authentication, MD5 authentication, and HMAC-SHA256 authentication. Simple authentication and MD5 authentication pose potential risks. Therefore, HMAC-SHA256 ciphertext authentication is recommended.
● CPCAR
The CPCAR limits the rate of RIP/RIPng packets sent to the control plane to ensure security of the control plane.
Configuration Method
● Configure RIP authentication.
Configure HMAC-SHA256 authentication, set the authentication password to admin@1234, and set the authentication identifier to 255.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] rip authentication-mode hmac-sha256 cipher admin@1234 255
● Modify the CPCAR value of RIP/RIPng.
NOTE
Improper CPCAR settings will affect services on your network. To adjust the CPCAR values, contact technical support personnel.
Change the rate at which RIP packets are sent to the CPU to 64 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] packet-type rip rate-limit 64 wired
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
Change the rate at which RIPng packets are sent to the CPU to 64 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] packet-type ripng rate-limit 64 wired
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1
3.2.7.4 IS-IS (IPv4)/IS-IS (IPv6)
Attack Behavior
An attacker can obtain correct Hello packets or link state packets from the network, forge attack packets that can be identified by IS-IS, and send these packets to a WLAN device.
Security Policy
IS-IS authentication is an encryption method based on network security requirements and can prevent the preceding attacks.
In IS-IS authentication, authentication fields are added in IS-IS packets for encryption. When a local WLAN device receives an IS-IS packet from a remote WLAN device, the local device discards the packet if the authentication password is different from the local one. This process protects the local device against potential attacks. IS-IS authentication includes the following types:
● Interface authentication: encapsulates authentication information into Hello packets to confirm the validity and correctness of neighbor relationships.
● Area or routing domain authentication: encapsulates the authentication password into IS-IS packets in the area. Only authenticated packets are received.
The authentication modes are classified into simple authentication, MD5 authentication, and HMAC-SHA256 authentication. Simple authentication and MD5 authentication pose potential security risks. Therefore, HMAC-SHA256 authentication is recommended.
Configuration Method
● Configure interface authentication.
Set the HMAC-SHA256 authentication password to admin@1234 and key ID to 33 on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] isis
[HUAWEI-isis-1] network-entity 01.0000.0000.0001.00
[HUAWEI-isis-1] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] isis enable 1
[HUAWEI-Vlanif100] isis authentication-mode hmac-sha256 key-id 33 cipher admin@1234
● Configure area or routing domain authentication.
a. Create IS-IS process 1.
<HUAWEI> system-view
[HUAWEI] isis 1
b. Perform the following operations in any sequence as required.
▪ Set the area authentication mode to HMAC-SHA256, authentication password to admin@1234, and key ID to 33.
[HUAWEI-isis-1] area-authentication-mode hmac-sha256 key-id 33 cipher admin@1234
▪ Set the routing domain authentication mode to HMAC-SHA256, authentication password to admin@1234, and key ID to 33.
[HUAWEI-isis-1] domain-authentication-mode hmac-sha256 key-id 33 cipher admin@1234
3.2.8 Multicast Security
3.2.8.1 Layer 2 Multicast
Attack Behavior
● Malicious users access a WLAN device using changed multicast addresses over invalid multicast channels. As a result, many invalid entries are generated on the device and occupy a large number of system resources, and program requests of authorized users cannot succeed.
● Attacks are initiated through query packets. A multicast port is configured on the WLAN device to receive traffic from all multicast groups. As a result, a large amount of traffic is sent over this port, occupying large interface bandwidth.
Security Policy
To defend against the preceding attacks, configure the following security policies on a WLAN device:
● You can set group policies to restrict the access of multicast groups (multicast source groups) to a VLAN or an interface to prevent malicious users from accessing the WLAN device using invalid multicast channels.
● You can configure WLAN device ports not to be learned through protocol packets to prevent query packet attacks.
Configuration Method
● Configure a multicast group policy.
You can configure a multicast group policy in the VLAN view or VSI view. (Multicast group policies based on the IPTV multicast group address range are recommended according to service deployment requirements.)
Allow hosts in VLAN 2 to join the multicast group 225.1.1.123.
<HUAWEI> system-view
[HUAWEI] acl number 2000
[HUAWEI-acl-basic-2000] rule permit source 225.1.1.123 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] igmp-snooping enable
[HUAWEI] vlan 2
[HUAWEI-vlan2] igmp-snooping enable
[HUAWEI-vlan2] igmp-snooping group-policy 2000
● Configure ports not to be learned.
You can configure WLAN device ports not to be learned through protocol packets in the VLAN view or interface view.
Disable dynamic WLAN device port learning on GE0/0/1 in VLAN 10.
<HUAWEI> system-view
[HUAWEI] igmp-snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] igmp-snooping enable
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo igmp-snooping router-learning vlan 10
3.2.8.2 Layer 3 Multicast
Security Policy
WLAN devices support the following security policies:
● PIM neighbor filtering
ACL rules can be configured on interfaces to filter received Hello packets. Neighbor relationships can be established only after packet filtering.
When there are a large number of malicious Hello packets, configure rules on interfaces so that the interfaces allow only specified Hello packets to pass through and discard malicious Hello packets.
● PIM Join packet filtering
ACL rules can be configured on interfaces to filter received Join packets. This can prevent attacks initiated using malicious Join packets.
When there are a large number of malicious Join packets, configure rules on interfaces so that the interfaces allow only specified Join packets to pass through and discard malicious Join packets.
Configuration Method
● Configure PIM neighbor filtering.
In a public network instance, set up a PIM neighbor relationship between VLANIF 10 and the WLAN device at 10.4.4.4.
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.4.4.4 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] pim neighbor-policy 2001
● Configure PIM Join packet filtering.
In a public network instance, configure VLANIF 10 to receive Join packets with multicast addresses on the network segment 225.1.0.0/16.
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 225.1.0.0 0.0.255.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] multicast routing-enable
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] pim join-policy asm 2001
3.3 Forwarding Plane
3.3.1 ACL
Security Policy
An Access Control List (ACL) accurately identifies and controls packets on the network to manage network access behavior, prevent network attacks, and improve bandwidth use efficiency. In this way, ACL ensures security and high service quality on networks.
An ACL is a collection of one or more rules. A rule refers to a judgment statement that describes a packet matching condition, which may be a source address, a destination address, or a port number of a packet. An ACL classifies packets by using these rules. When the rules are applied to a WLAN device, the device determines whether packets are permitted or denied in accordance with these rules. For example, an ACL can be configured to reject all Telnet access to the local server or allow each STA to send emails to the local server using Simple Mail Transfer Protocol (SMTP).
Multiple rules can be defined in each ACL. ACLs are classified into the following types based on their functions: basic ACL, basic ACL6, advanced ACL, advanced ACL6, Layer 2 ACL, user ACL, and user ACL6.
Table 3-1 describes ACL classification based on ACL rule definition methods.
Table 3-1 ACL classification based on ACL rule definition methods
ACL Type | IP Version | Rule Definition Description | ACL Number Range
Basic ACL | IPv4 | Defines rules based on the source IP address, fragmentation information, and time range of packets. | 2000-2999
Advanced ACL | IPv4 | Defines rules based on the source IP address, destination IP address, IP priority, Type of Service (ToS) value, DiffServ Code Point (DSCP) value, IP protocol type, Internet Control Message Protocol (ICMP) type, TCP source port/destination port, and User Datagram Protocol (UDP) source port/destination port of IPv4 packets. | 3000-3999
Layer 2 ACL | IPv4 | Defines rules based on the information in Ethernet frame headers of packets, such as the source MAC address, destination MAC address, and Ethernet frame protocol type. | 4000-4999
User ACL | IPv4 | Defines rules based on the source IP address, source user group, destination IP address, destination user group, destination domain name, IP priority, ToS value, DSCP value, IP protocol type, ICMP type, TCP source port/destination port, and UDP source port/destination port of IPv4 packets. | 6000-6999
Basic ACL6 | IPv6 | Defines rules based on the source IPv6 address, fragmentation information, and time range of IPv6 packets. | 2000-2999
Advanced ACL6 | IPv6 | Defines rules based on the source IP address, destination IP address, protocol over IP, and protocol-specific features such as the TCP source port/destination port, ICMPv6 protocol type, and ICMPv6 code of IPv6 packets. | 3000-3999
User ACL6 | IPv6 | Defines rules based on the source IP address, destination IP address, destination domain name, protocol over IP, and protocol-specific features such as the TCP source port/destination port, ICMPv6 protocol type, and ICMPv6 code of IPv6 packets. The user IPv6 ACL is called ACL6 or UCL6 for short. | 6000-6999
Configuration Method
Configure ACL 2001 to allow packets with the source IP address 192.168.32.1 to pass through.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0
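A basic ACL rule matches a source address through a wildcard mask (a 1 bit means "do not care", and a bare 0 is shorthand for an exact host), so before binding an ACL to a multicast group policy, PIM join policy or neighbor policy it is worth checking that the rule actually covers the addresses the policy is meant to permit. The Python below is an added example for this guide, not device code; it parses the rule syntax used on this page and assumes first-match evaluation, reporting "no rule matched" as None.

```python
import ipaddress


def parse_wildcard(text):
    """Huawei basic-ACL wildcard: '0' is shorthand for 0.0.0.0 (exact host);
    otherwise dotted decimal where a 1 bit means 'do not care'."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr, rule_addr, wildcard):
    """True when addr equals rule_addr in every bit the wildcard cares about."""
    care = ~parse_wildcard(wildcard) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    return (a & care) == (r & care)


def parse_rule(line):
    """Parse 'rule [id] permit|deny source <addr> <wildcard>' (the form used
    in this guide) into (action, address, wildcard)."""
    tokens = line.split()
    if tokens and tokens[0] == "rule":
        tokens = tokens[1:]
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]            # optional rule ID
    if (len(tokens) != 4 or tokens[0] not in ("permit", "deny")
            or tokens[1] != "source"):
        raise ValueError(f"unsupported rule: {line!r}")
    parse_wildcard(tokens[3])          # reject a malformed wildcard early
    return tokens[0], tokens[2], tokens[3]


class BasicAcl:
    """Basic ACL (numbers 2000-2999): rules keyed on the source address."""

    def __init__(self, number, rules):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number = number
        self.rules = [parse_rule(r) for r in rules]

    def evaluate(self, src):
        """First matching rule decides (assumption); None means no rule matched,
        and what happens then depends on the feature the ACL is applied to."""
        for action, rule_addr, wildcard in self.rules:
            if wildcard_match(src, rule_addr, wildcard):
                return action
        return None


def uncovered(acl, intended):
    """Addresses a filter is meant to permit that this ACL does not permit:
    the check to run before binding the ACL to a group or join policy."""
    return [a for a in intended if acl.evaluate(a) != "permit"]
```

Run uncovered() with the group addresses the policy is supposed to admit; an empty list means the ACL and the intent agree.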
3.3.2 MAC Address Anti-flapping
Security Policy
MAC address flapping occurs on a network when the network has a loop or undergoes certain attacks. You can use the following methods to prevent MAC address flapping:
● Increase the MAC address learning priority of an interface.
MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one. To prevent MAC address flapping, set different MAC address learning priorities for interfaces. When two interfaces learn the same MAC address entries, the MAC address entries learned by the interface with a higher priority override the MAC address entries learned by the other interface.
● Prevent MAC address flapping between interfaces with the same priority.
An uplink interface of a WLAN device is connected to a server, and a downlink interface is connected to a user. To prevent unauthorized users from using the server MAC address to connect to the WLAN device, you can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority. A MAC address then will not be learned by multiple interfaces, and unauthorized users cannot use the MAC address of a valid device to attack the WLAN device.
Configuration Method
● Configure a MAC address learning priority for an interface.
For example, GE0/0/1 is a network-side port and GE0/0/2 is a user-side port. Set the MAC address learning priority of GE0/0/1 to 3, which is higher than that of GE0/0/2. GE0/0/2 retains the default priority 0.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-learning priority 3
● Forbid MAC address flapping between interfaces with the same priority. (By default, MAC address flapping can occur between interfaces with the same priority.)
Forbid MAC address flapping between interfaces with priority 1.
<HUAWEI> system-view
[HUAWEI] undo mac-learning priority 1 allow-flapping
3.3.3 Port Isolation
Security Policy
To implement Layer 2 isolation between packets, you can add different ports to
different VLANs. However, this wastes VLAN resources. Port isolation can isolate
ports in the same VLAN. That is, you only need to add ports to a port isolation
group to implement Layer 2 isolation between these ports. Port isolation provides
secure and flexible networking schemes for customers.
To isolate broadcast packets in the same VLAN but allow users connecting to
different ports to communicate at Layer 3, you can set the port isolation mode to
Layer 2 isolation and Layer 3 interworking. To prevent users connecting to ports in
the same VLAN from communicating at either Layer 2 or Layer 3, you can set the
port isolation mode to Layer 2 and Layer 3 isolation.
Configuration Method
Port isolation includes bidirectional and unidirectional isolation. By default, the
port isolation mode is Layer 2 isolation and Layer 3 interworking. To set the port
isolation mode to Layer 2 and Layer 3 isolation, run the port-isolate mode all
command.
● Configure a port isolation group.
Configure port isolation on GE0/0/1 and GE0/0/2.
Configure port isolation on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable group 3
Configure port isolation on GE0/0/2.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port-isolate enable group 3
● Configure unidirectional isolation.
Configure unidirectional isolation on GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] am isolate gigabitethernet 0/0/2
3.3.4 Port Security and Trusted Port
Security Policy
● Port security
If a network requires high access security, you can configure port security on
specified ports. MAC addresses learned by these ports are then changed to
secure dynamic MAC addresses, secure static MAC addresses, or sticky MAC
addresses. When the number of learned MAC addresses reaches the upper
limit, the ports do not learn new MAC addresses. In this case, the WLAN
device communicates only with devices that have these learned MAC addresses.
This prevents hosts with untrusted MAC addresses from communicating with
the WLAN device through these ports, securing the WLAN device and the
network. You can enable port security on the ports of ACs and on the wired
ports of APs.
● Trusted port
The wired port of an AP directly or indirectly connected to an authorized
DHCP server needs to be configured as a DHCP-trusted port. The AP then
receives and forwards DHCP Offer/ACK/NAK packets sent only by the
authorized DHCP server to STAs, so that the STAs can obtain valid IP
addresses and go online properly.
Similarly, the wired port of an AP directly or indirectly connected to an
authorized ND server needs to be configured as an ND-trusted port. The AP
then receives and forwards ND Offer/ACK/NAK packets sent only by the
authorized ND server to STAs, so that the STAs can obtain valid IPv6
addresses and go online properly.
Configuration Method
● Configure port security on the AC.
– Configure the secure MAC address function on a port of the AC.
Configure GE0/0/1 to allow a maximum of two STAs to access it; therefore,
set the maximum number of secure MAC addresses to 2.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 2
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict
[HUAWEI-GigabitEthernet0/0/1] quit
– Configure the sticky MAC address function on a port of the AC.
Configure the sticky MAC address function on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 5
[HUAWEI-GigabitEthernet0/0/1] quit
● Configure AP wired port security.
– Configure the AP wired port as a trusted port.
NOTE
This function applies only to downstream AP wired ports.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wired-port-profile name wired-port1
[HUAWEI-wlan-wired-port-wired-port1] dhcp trust port
[HUAWEI-wlan-wired-port-wired-port1] nd trust port
[HUAWEI-wlan-wired-port-wired-port1] quit
[HUAWEI-wlan-view] ap-group name group1
[HUAWEI-wlan-ap-group-group1] wired-port-profile wired-port1 gigabitethernet 1
– Configure port security on the AP wired port.
NOTE
This function takes effect only for the AP wired ports working in endpoint mode.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wired-port-profile name wired-port1
[HUAWEI-wlan-wired-port-wired-port1] mode endpoint
[HUAWEI-wlan-wired-port-wired-port1] port-security enable
[HUAWEI-wlan-wired-port-wired-port1] port-security mac-address sticky
[HUAWEI-wlan-wired-port-wired-port1] port-security max-mac-num 5
[HUAWEI-wlan-wired-port-wired-port1] quit
[HUAWEI-wlan-view] ap-group name group1
[HUAWEI-wlan-ap-group-group1] wired-port-profile wired-port1 gigabitethernet 0
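The learning rules stated in 3.3.2 (a higher-priority interface overrides, same-priority flapping is allowed unless forbidden) and in the port security policy above (a port at its upper limit learns no new MAC addresses), as an added model that is not Huawei's implementation and not code from this guide. MacTable, Port, demo(), the interface names beyond GE0/0/1 and GE0/0/2, and the MAC addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Port:
    name: str
    priority: int = 0               # mac-learning priority (default 0)
    max_mac: Optional[int] = None   # port-security max-mac-num; None = port security off
    learned: Set[Tuple[str, int]] = field(default_factory=set)

class MacTable:  # hypothetical model of the rules the guide states, not Huawei's code
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], Port] = {}  # (mac, vlan) -> owning port
        self.allow_flapping: Dict[int, bool] = {}       # priority -> allowed (default True)

    def forbid_flapping(self, priority: int) -> None:
        self.allow_flapping[priority] = False  # 'undo mac-learning priority <p> allow-flapping'

    def learn(self, mac: str, vlan: int, port: Port) -> bool:
        """Try to learn (mac, vlan) on port; True if the entry now points at port."""
        key = (mac, vlan)
        current = self.entries.get(key)
        if current is port:
            return True
        # Port security: once the cap is reached the port learns no new MAC addresses.
        if port.max_mac is not None and len(port.learned) >= port.max_mac:
            return False
        if current is not None:
            if port.priority < current.priority:
                return False   # a lower-priority port never overrides the entry
            if port.priority == current.priority and not self.allow_flapping.get(port.priority, True):
                return False   # same priority with flapping forbidden: first learner keeps it
            current.learned.discard(key)
        self.entries[key] = port
        port.learned.add(key)
        return True

def demo() -> Tuple[bool, bool, bool, bool]:
    """Replays 3.3.2: GE0/0/1 (priority 3) faces the server, GE0/0/2 (priority 0) the user."""
    table = MacTable()
    uplink, user = Port("GE0/0/1", priority=3), Port("GE0/0/2")
    learned_on_uplink = table.learn("00e0-fc12-3456", 10, uplink)   # constructed server MAC
    spoof_blocked = not table.learn("00e0-fc12-3456", 10, user)     # user side cannot take it over
    a, b = Port("GE0/0/3", priority=1), Port("GE0/0/4", priority=1)  # two ports at priority 1
    table.learn("00e0-fc00-0001", 10, a)
    flapped = table.learn("00e0-fc00-0001", 10, b)      # allowed by default
    table.forbid_flapping(1)
    flap_blocked = not table.learn("00e0-fc00-0001", 10, a)  # now refused
    return learned_on_uplink, spoof_blocked, flapped, flap_blocked
```

A Port with max_mac set behaves like a port-security port with max-mac-num: once it has learned that many addresses, learn() returns False for any further address.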
3.3.5 Navi AC
Security Policy
When a large enterprise deploys a WLAN to provide access services for internal
employees, the enterprise also needs to provide wireless access services for guests.
However, guest data may pose security threats over the network. You can
configure the Navi AC function to direct guest traffic to a specified access control
point for centralized management, so that internal employees and guests are
isolated from each other.
As shown in Figure 3-2, traffic of enterprise employees is forwarded on the
intranet and employees can access intranet servers. Traffic of guests is forwarded
to a secure DMZ through a CAPWAP tunnel. The guests then obtain IP addresses
and are authenticated in a unified manner in the DMZ, and can access only
servers in the DMZ and the Internet.
Figure 3-2 Typical networking of the Navi AC
Configuration Method
1. On the Navi AC, create and configure a VAP profile, enable the Navi AC
function, specify the local AC address, and bind the VAP profile to the
specified local AC.
a. Create and configure a VAP profile on the Navi AC.
<Navi_AC> system-view
[Navi_AC] wlan
[Navi_AC-wlan-view] ssid-profile name ssid1
[Navi_AC-ssid-prof-ssid1] ssid guset
[Navi_AC-ssid-prof-ssid1] quit
[Navi_AC-wlan-view] vap-profile name navi-ac
[Navi_AC-vap-prof-navi-ac] ssid-profile ssid1
[Navi_AC-vap-prof-navi-ac] service-vlan vlan-id 100
[Navi_AC-vap-prof-navi-ac] forward-mode tunnel
[Navi_AC-vap-prof-navi-ac] quit
b. Enable the Navi AC function.
[Navi_AC-wlan-view] navi-ac enable
c. Specify the local AC and bind the VAP profile to the local AC.
[Navi_AC-wlan-view] navi-ac
[Navi_AC-wlan-view-navi-ac] local-ac ac-id 1 ip-address 10.23.102.3 description LocalAC1
[Navi_AC-wlan-view-navi-ac] vap-profile navi-ac wlan 1
2. On the local AC, specify the Navi AC address, create and configure a VAP
profile, and bind the VAP profile to the AP group. The VAP profile
configuration on the local AC must be the same as that on the Navi AC.
a. Specify the Navi AC.
<Local_AC> system-view
[Local_AC] wlan
[Local_AC-wlan-view] navi-ac ac-id 1 ip-address 10.23.101.3 description NaviAC
b. Create and configure a VAP profile on the local AC.
[Local_AC-wlan-view] ssid-profile name ssid1
[Local_AC-ssid-prof-ssid1] ssid guset
[Local_AC-ssid-prof-ssid1] quit
[Local_AC-wlan-view] vap-profile name navi-ac
[Local_AC-vap-prof-navi-ac] ssid-profile ssid1
[Local_AC-vap-prof-navi-ac] service-vlan vlan-id 100
[Local_AC-vap-prof-navi-ac] forward-mode tunnel
[Local_AC-vap-prof-navi-ac] type service-navi navi-ac-id 1 navi-wlan-id 1
[Local_AC-vap-prof-navi-ac] quit
c. Bind the VAP profile to the AP group.
[Local_AC-wlan-view] ap-group name group1
[Local_AC-wlan-ap-group-group1] vap-profile navi-ac wlan 2 radio all
3.3.6 CAPWAP Data Tunnel Encryption
Security Policy
When the data forwarding mode is tunnel forwarding, service data packets
between an AP and an AC are transmitted over a CAPWAP data tunnel. To
improve service data security, you can run the capwap dtls data-link encrypt
enable command to enable CAPWAP data tunnel encryption using DTLS. This
configuration ensures that packets are encrypted and then transmitted over the
CAPWAP data tunnel.
CAPWAP data tunnel encryption using DTLS can be configured in both the system
view and AP system profile view. The difference is that the function configured in
the system view takes effect for APs that go online through an AC and support
this function, while the function configured in the AP system profile view takes
effect for APs configured with the AP system profile. The function in the AP
system profile view takes precedence over that in the system view. When this
function is enabled in both the views, the configuration in the AP system profile
view takes effect.
Configuration Method
Enable CAPWAP data tunnel encryption using DTLS in the AP system profile view.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-system-profile name system1
[HUAWEI-wlan-ap-system-prof-system1] capwap dtls data-link encrypt enable
Enable CAPWAP data tunnel encryption using DTLS in the system view.
<HUAWEI> system-view
[HUAWEI] capwap dtls data-link encrypt enable
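A configuration check for the precedence rule above (AP system profile view over system view), as an added example that is not code from this guide or from Huawei. The sample configuration is constructed; the undo form of the command inside a profile, the 'ap-system-profile <name>' binding in ap-group view, and the fallback of a profile with no explicit setting to the system view value are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed configuration excerpt (not from the guide). Assumed forms: 'undo capwap dtls
# data-link encrypt enable' inside a profile, and 'ap-system-profile <name>' as the binding.
SAMPLE_CONFIG = """\
capwap dtls data-link encrypt enable
wlan
 ap-system-profile name system1
  capwap dtls data-link encrypt enable
 ap-system-profile name system2
  undo capwap dtls data-link encrypt enable
 ap-system-profile name system3
 ap-group name group1
  ap-system-profile system1
 ap-group name group2
  ap-system-profile system2
 ap-group name group3
  ap-system-profile system3
"""

DTLS_CMD = "capwap dtls data-link encrypt enable"

def effective_dtls(config: str) -> Dict[str, bool]:
    """Per AP group: is CAPWAP data tunnel DTLS encryption in effect? Profile view wins
    over system view (guide); a profile with no explicit setting inherits it (assumption)."""
    system_enabled = False
    profiles: Dict[str, bool] = {}            # profile name -> explicit setting
    bindings: Dict[str, Optional[str]] = {}   # group name -> bound profile
    profile = group = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ap-system-profile name (\S+)", line):
            profile, group = m.group(1), None
        elif m := re.match(r"ap-group name (\S+)", line):
            group, profile = m.group(1), None
            bindings.setdefault(group, None)
        elif (m := re.match(r"ap-system-profile (\S+)$", line)) and group:
            bindings[group] = m.group(1)
        elif line in (DTLS_CMD, "undo " + DTLS_CMD):
            enabled = not line.startswith("undo ")
            if profile:
                profiles[profile] = enabled
            elif not raw.startswith(" "):     # unindented: system view
                system_enabled = enabled
    return {g: profiles[p] if p in profiles else system_enabled
            for g, p in bindings.items()}
```

Running effective_dtls(SAMPLE_CONFIG) reports group2 as unencrypted even though the system view enables DTLS, which is the case an audit of the system view alone would miss.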
4 Reference Documents
For details about the functions described in this document, visit the Huawei
official website to obtain the wireless access controller (AC and Fit AP) product
documentation.