2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. The management mode of Huawei firewall equipment
1. Introduction of AAA
AAA is the abbreviation of three English words: Authentication, Authorization and Accounting. It is a server program that handles users' access requests. Its main purpose is to manage users' access to the network server and to provide services to users who hold access rights. Specifically:
Authentication: verify which users may access the network server.
Authorization: which services and permissions are available to authenticated users.
Accounting: how to audit users who are using network resources.
An AAA server usually works together with network access control, a gateway server, a database and a user information directory. A user who wants to access network resources must first be authenticated; the authentication process verifies the legitimacy of the user's identity. After authentication, the user can be authorized to access network resources, and that access can then be tracked for accounting.
The AAA authentication methods of network devices fall into two categories: local authentication and remote authentication. Local authentication creates and validates the user name and password on the device itself, while remote authentication is done through a vendor's AAA server, which requires the device to be associated with that server.
Huawei firewalls support both local and remote authentication. Only local authentication is introduced today.
2. The common management methods of Huawei firewall are:
Management through Console: out-of-band management; it does not occupy user bandwidth and is suitable for the first configuration of a new device.
Management through Telnet: in-band management with simple configuration, low security and low resource consumption, mainly suitable for scenarios with low security requirements and weak device performance.
Management through Web: in-band management with a graphical interface, more suitable for beginners configuring the device.
Management through SSH: in-band management with more complex configuration, high security and higher resource consumption, mainly suitable for scenarios with high security requirements, such as remote management of company network equipment over the Internet.
Second, the configuration of each management mode
For Console management, you only need to connect the console cable and open a terminal program such as HyperTerminal on the client. For the specific steps, please refer to the relevant documentation; I won't say more about it here.
1. Manage through Telnet
Telnet management mode allows a terminal to log in to the device through Telnet, once the device has been configured for it, in order to configure and manage the device.
(1) prepare before configuration
I use the eNSP simulator. In eNSP, add a firewall and a Cloud device (a bridged virtual machine acts as the client). The firewall in the simulator needs a system image imported; I use the USG6000 firewall here, and the firewall system can be downloaded from: https://pan.baidu.com/s/1K8867Y8aPRjP_WuwBaqDhg.
On the USG6000 firewall, the interface with the lowest default number (that is, G0/0/0) already carries some remote-management configuration and an IP address, so many configuration steps could be omitted. To cover the steps more completely, I will use the brand new interface G1/0/0 instead.
(2) start configuring the firewall:
Log in through the Console for the first time and set the initial administrator password as prompted:
<USG6000V1> system-view                                         # switch to the system view
[USG6000V1] int g1/0/0                                          # enter the G1/0/0 interface
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.100.10 24       # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0] undo shutdown                  # activate the interface
[USG6000V1-GigabitEthernet1/0/0] quit                           # exit the interface view
[USG6000V1] int g1/0/0                                          # enter the interface again
[USG6000V1-GigabitEthernet1/0/0] service-manage enable          # enable management access on the interface
[USG6000V1-GigabitEthernet1/0/0] service-manage telnet permit   # allow Telnet
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust                                 # enter the trust zone
[USG6000V1-zone-trust] add int g1/0/0                           # add G1/0/0 to the trust zone
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy                                     # enter the security policy view
[USG6000V1-policy-security] rule name allow_telnet              # create the security policy rule allow_telnet
[USG6000V1-policy-security-rule-allow_telnet] source-zone trust        # source zone: trust
[USG6000V1-policy-security-rule-allow_telnet] destination-zone local   # destination zone: local
[USG6000V1-policy-security-rule-allow_telnet] action permit            # allow the trust zone to access the firewall's local zone
[USG6000V1-policy-security-rule-allow_telnet] quit
[USG6000V1-policy-security] quit
[USG6000V1] user-interface vty 0 4                              # configure VTY lines 0-4: allow 5 terminals to use Telnet
[USG6000V1-ui-vty0-4] authentication-mode aaa                   # Telnet logins use AAA authentication
[USG6000V1-ui-vty0-4] protocol inbound telnet                   # allow inbound Telnet
[USG6000V1-ui-vty0-4] quit
[USG6000V1] aaa                                                 # enter the AAA view
[USG6000V1-aaa] manager-user benet                              # AAA account: benet
[USG6000V1-aaa-manager-user-benet] password cipher pwd@1234     # AAA password: pwd@1234
[USG6000V1-aaa-manager-user-benet] service-type telnet          # this account may log in via Telnet
[USG6000V1-aaa-manager-user-benet] level 15                     # give benet administrator permission
[USG6000V1-aaa-manager-user-benet] quit
[USG6000V1-aaa] quit
Level 0 is the visit level, at which nothing can be done; level 1 is the monitoring level, at which configuration can be viewed; level 2 is the configuration level, at which some parameters can be configured; levels 3-15 are the management level with full permissions.
The Telnet management configuration is complete, and the firewall can now be reached with terminal software such as CMD, CRT or Xshell, as follows:
CMD connection:
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Username:benet                                          # enter the account you just created
Password:                                               # enter the password you just set
The password needs to be changed. Change now? [Y/N]: y  # the password must be changed on first login
Please enter old password:                              # enter the old password
Please enter new password:                              # enter the new password
Please confirm new password:                            # confirm the new password
Connection to host lost.                                # the session is closed; telnet again and log in with the new password
CRT connection:
Xshell connection:
2. Manage through SSH
Compared with Telnet and Web, SSH is more secure, so logging in to the device with Telnet is generally not recommended; log in through SSH instead. Start configuring SSH login to the device (the environment is reconfigured from scratch).
Start the configuration:
<USG6000V1> system-view                                         # switch to the system view
[USG6000V1] int g1/0/0                                          # enter the G1/0/0 interface
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.100.10 24       # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0] service-manage enable          # enable management access on the interface
[USG6000V1-GigabitEthernet1/0/0] service-manage ssh permit      # allow SSH
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust                                 # enter the trust zone
[USG6000V1-zone-trust] add int g1/0/0                           # add the G1/0/0 interface to the trust zone
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy                                     # enter the security policy view
[USG6000V1-policy-security] rule name allow_ssh                 # create the security policy rule allow_ssh
[USG6000V1-policy-security-rule-allow_ssh] source-zone trust           # source zone: trust
[USG6000V1-policy-security-rule-allow_ssh] destination-zone local      # destination zone: local
[USG6000V1-policy-security-rule-allow_ssh] action permit               # allow the trust zone to access the local zone
[USG6000V1-policy-security-rule-allow_ssh] quit
[USG6000V1-policy-security] quit
[USG6000V1] rsa local-key-pair create                           # generate the SSH key pair
The key name will be: USG6000V1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
Input the bits in the modulus [default = 2048]: 2048            # press Enter to accept the default
Generating keys...
[USG6000V1] user-interface vty 0 4                              # configure VTY lines 0-4: allow 5 terminals
[USG6000V1-ui-vty0-4] authentication-mode aaa                   # SSH logins use AAA authentication
[USG6000V1-ui-vty0-4] protocol inbound ssh                      # allow inbound SSH
[USG6000V1-ui-vty0-4] quit
[USG6000V1] ssh user test                                       # create the SSH user test
[USG6000V1] ssh user test authentication-type password          # use password authentication
[USG6000V1] ssh user test service-type stelnet                  # set the SSH service type to STelnet
[USG6000V1] aaa                                                 # enter the AAA view
[USG6000V1-aaa] manager-user test                               # AAA account: test
[USG6000V1-aaa-manager-user-test] password cipher pwd@1234      # AAA password for test: pwd@1234
[USG6000V1-aaa-manager-user-test] service-type ssh              # this account may log in via SSH
[USG6000V1-aaa-manager-user-test] level 15                      # give test administrator permission
[USG6000V1-aaa-manager-user-test] quit
[USG6000V1-aaa] quit
[USG6000V1] stelnet server enable                               # enable the STelnet (SSH) server
The SSH management configuration is now complete; the Xshell and CRT connection tests are as follows:
CRT connection:
This is the login screen after the password change. On the first login, enter the account created above (test) with the password pwd@1234; when prompted to change the password, enter "Y", set a new password and reconnect.
Xshell connection:
The password was already changed during the CRT login just now, so this time no change is required.
3. Manage through Web:
Start the configuration:
<USG6000V1> system-view                                         # switch to the system view
[USG6000V1] int g1/0/0                                          # enter the G1/0/0 interface
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.100.10 24       # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0] service-manage http permit     # allow remote management over HTTP
[USG6000V1-GigabitEthernet1/0/0] service-manage https permit    # allow remote management over HTTPS
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust                                 # enter the trust zone
[USG6000V1-zone-trust] add int g1/0/0                           # add the G1/0/0 interface to the trust zone
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy                                     # enter the security policy view
[USG6000V1-policy-security] rule name allow_web                 # create the security policy rule allow_web
[USG6000V1-policy-security-rule-allow_web] source-zone trust           # source zone: trust
[USG6000V1-policy-security-rule-allow_web] destination-zone local      # destination zone: local
[USG6000V1-policy-security-rule-allow_web] action permit               # allow the trust zone to access the local zone
[USG6000V1-policy-security-rule-allow_web] quit
[USG6000V1-policy-security] quit
[USG6000V1] web-manager security enable                         # enable the Web management function
[USG6000V1] aaa                                                 # enter the AAA view
[USG6000V1-aaa] manager-user web                                # AAA account: web
[USG6000V1-aaa-manager-user-web] password                       # set the AAA password interactively
Enter Password:                                                 # enter the password
Confirm Password:                                               # enter it again
[USG6000V1-aaa-manager-user-web] service-type web               # this account may log in via Web
[USG6000V1-aaa-manager-user-web] level 15                       # give web administrator permission
[USG6000V1-aaa-manager-user-web] quit
[USG6000V1-aaa] quit
After the above configuration, you can test Web access from the client. The firewall opens HTTPS port 8443 by default, so use https://192.168.100.10:8443. If the page does not load, refresh it a few more times:
The Web management configuration is complete.
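As an added example (not the post's own commands and not Huawei code), the following Python audit reads a constructed running-config excerpt that merges the Telnet, SSH and Web settings configured above and flags what the post itself calls low-security: Telnet or HTTP management permitted on an interface, a VTY without AAA authentication or with inbound Telnet, and a management-level account (level 3-15 in the post's terms) whose service-type is Telnet. It assumes the one-space-per-nesting-level indentation of a Huawei config listing.

```python
# Constructed excerpt merging the post's Telnet, SSH and Web settings;
# one space of indentation per nesting level, as in a Huawei config listing.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 service-manage telnet permit
 service-manage ssh permit
 service-manage http permit
 service-manage https permit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
aaa
 manager-user benet
  service-type telnet
  level 15
 manager-user test
  service-type ssh
  level 15
"""

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, ctx, users, vty_auth = [], [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        ctx = ctx[:depth] + [text]              # stack of enclosing commands
        parent = ctx[-2] if len(ctx) > 1 else ""
        if parent.startswith("interface "):
            if text == "service-manage telnet permit":
                findings.append(f"{parent}: Telnet management permitted (cleartext); use SSH")
            elif text == "service-manage http permit":
                findings.append(f"{parent}: HTTP management permitted; keep only HTTPS (8443)")
        elif parent.startswith("user-interface vty"):
            if text.startswith("authentication-mode "):
                vty_auth = text.split()[1]
            elif text == "protocol inbound telnet":
                findings.append(f"{parent}: inbound Telnet on VTY; use 'protocol inbound ssh'")
        elif parent.startswith("manager-user "):
            key, _, value = text.partition(" ")  # e.g. "service-type telnet"
            users.setdefault(parent.split()[1], {})[key] = value
    if vty_auth != "aaa":
        findings.append("user-interface vty: authentication-mode is not aaa")
    for name, attrs in users.items():
        if attrs.get("service-type") == "telnet" and int(attrs.get("level", 0)) >= 3:
            findings.append(f"manager-user {name}: management-level account reachable over Telnet")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the Telnet and HTTP permits, the Telnet VTY and the benet account, while the SSH-only account test is not flagged.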
Having read the whole post, you will find that the configuration for each management method is not complex, and many commands are repeated across them.
This is the end of this blog post, thank you for reading!