The interior of the system boundary is called the "secure computing environment". It is usually the most complex computing environment of all, formed by linking many device nodes over a local area network. The nodes include network devices, security devices, servers, terminals, application systems and other equipment; the objects involved include the various operating systems, database systems, middleware and other system software, application software and data objects. Protecting these nodes and systems forms the last line of defence in the "one centre, three layers of protection" defence-in-depth architecture.
The secure computing environment sets out security control requirements for everything inside the boundary: network devices, security devices, servers, terminals, application systems, data objects and other equipment. The control points involved are identity authentication, access control, security audit, intrusion prevention, malicious code prevention, trusted verification, data integrity, data confidentiality, data backup and recovery, residual information protection and personal information protection. Taking a Level 3 (等保三级) network device as the protected object, this page describes the hardening measures for network devices (Huawei, H3C and Cisco switches/routers) against each control requirement of the secure computing environment.

Huawei switch hardening commands:
# Login authentication: local AAA accounts at three privilege levels, SSH only
system-view
aaa
 local-user qwer password irreversible-cipher your_password
 local-user qwer service-type ssh
 local-user qwer privilege level 15
 local-user qwer password validity 90
 local-user qazx password irreversible-cipher your_password
 local-user qazx service-type ssh
 local-user qazx privilege level 7
 local-user qazx password validity 90
 local-user wsxc password irreversible-cipher your_password
 local-user wsxc service-type ssh
 local-user wsxc privilege level 1
 local-user wsxc password validity 90
 quit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 30
 max-failed-times 5
 lock-time 10
 quit
# Password complexity and change cycle
password-recovery enable
password-recovery parameters enforce-complexity
password-recovery parameters password-min-length 8
password-recovery parameters password-change-cycle 90
# Login idle timeout (30 minutes)
user-interface vty 0 4
 idle-timeout 30
 quit
# Port security: one MAC address per access port, restrict on violation
interface GigabitEthernet0/0/1
 port-security enable
 port-security max-mac-num 1
 port-security protect-action restrict
 quit
# Enable SSH; disable Telnet, HTTP and HTTPS
ssh server enable
telnet server disable
http server disable
https server disable
# Shut down unused ports
interface GigabitEthernet0/0/2
 shutdown
interface GigabitEthernet0/0/3
 shutdown
interface GigabitEthernet0/0/4
 shutdown
# Login restriction and management whitelist
# Basic ACL 2000: only 192.168.1.5 may open a VTY session (a VTY accepts a single inbound ACL)
acl 2000
 rule 0 permit source 192.168.1.5 0
 rule 5 deny source any
 quit
# Advanced ACL 3001 (basic ACLs 2000-2999 cannot match protocol or port): block RPC/SMB ports on the access port
acl 3001
 rule 0 deny udp destination-port eq 134
 rule 5 deny udp destination-port eq 445
 rule 10 deny tcp destination-port eq 139
 quit
user-interface vty 0 4
 acl 2000 inbound
 quit
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3001
 quit
# Logging and remote monitoring (syslog server 192.168.1.1 and source interface Vlanif1 assumed, matching the H3C and Cisco sections)
info-center enable
info-center loghost 192.168.1.1
info-center loghost source Vlanif1
info-center source default channel loghost log level informational
snmp-agent sys-info version v2c
snmp-agent community read cipher your_snmp_community
snmp-agent target-host trap address udp-domain 192.168.1.1 params securityname your_snmp_community v2c
snmp-agent target-host trap address udp-domain 192.168.1.2 params securityname your_snmp_community v2c
snmp-agent target-host trap address udp-domain 192.168.1.3 params securityname your_snmp_community v2c

H3C switch hardening commands:
# Login authentication: three management accounts at separate role levels, SSH only (Comware 7 syntax)
local-user qwer class manage
 password simple your_password
 service-type ssh
 authorization-attribute user-role level-3
 quit
local-user qazx class manage
 password simple your_password
 service-type ssh
 authorization-attribute user-role level-2
 quit
local-user wsxc class manage
 password simple your_password
 service-type ssh
 authorization-attribute user-role level-1
 quit
# Global password policy: minimum length 8, all four character classes, 90-day aging,
# lock for 10 minutes after 5 failed attempts
password-control enable
password-control length 8
password-control composition type-number 4
password-control aging 90
password-control login-attempt 5 exceed lock-time 10
# VTY lines: scheme (local user) authentication, SSH only, 30-minute idle timeout
line vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 30
 quit
# Enable SSH; disable Telnet, HTTP and HTTPS
ssh server enable
undo telnet server enable
undo ip http enable
undo ip https enable
# Shut down unused ports
interface GigabitEthernet1/0/1
 shutdown
interface GigabitEthernet1/0/2
 shutdown
interface GigabitEthernet1/0/3
 shutdown
# Login restriction and whitelist
# Advanced ACL 3000 (basic ACLs 2000-2999 cannot match protocol or port).
# Note: packet-filter permits unmatched packets by default on Comware, so without a final
# deny rule this acts as a port blacklist rather than a strict whitelist.
acl advanced 3000
 rule 5 permit icmp
 rule 10 permit tcp source 192.168.1.5 0
 rule 15 deny tcp destination-port eq 134
 rule 20 deny tcp destination-port eq 445
 rule 25 deny tcp destination-port eq 139
 quit
interface Vlan-interface 1
 ip address x.x.x.x x.x.x.x
 packet-filter 3000 inbound
 quit
# Logging and remote monitoring
info-center enable
info-center source default loghost level informational
info-center loghost 192.168.1.1
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read simple your_snmp_community
snmp-agent trap enable
snmp-agent trap enable lldp
snmp-agent target-host trap address udp-domain 192.168.1.2 params securityname your_snmp_community v2c
snmp-agent target-host trap address udp-domain 192.168.1.3 params securityname your_snmp_community v2c

Cisco switch hardening commands:
# Login authentication: local AAA with three accounts at separate privilege levels
aaa new-model
aaa authentication login default local
username qwer privilege 15 secret your_password
username qazx privilege 7 secret your_password
username wsxc privilege 1 secret your_password
enable secret your_enable_password
service password-encryption
security passwords min-length 8
security passwords complexity enable
security passwords aging warning 90
# Login lockout: block for 10 seconds after 5 failures within 10 seconds; log both outcomes
login block-for 10 attempts 5 within 10
login on-failure log
login on-success log
# VTY lines: AAA login, 30-minute idle timeout, SSH only (IOS has no "no ip telnet server";
# Telnet is disabled by restricting the transport)
line vty 0 15
 login authentication default
 exec-timeout 30 0
 transport input ssh
# Enable SSH v2 (the RSA key requires hostname and ip domain-name to be set); disable HTTP and HTTPS
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
# Shut down unused ports
interface GigabitEthernet0/1
 shutdown
interface GigabitEthernet0/2
 shutdown
interface GigabitEthernet0/3
 shutdown
# Login restriction and whitelist (extended ACL; anything not permitted hits the implicit deny)
access-list 2000 permit icmp any any
access-list 2000 permit tcp host 192.168.1.5 any
access-list 2000 deny tcp any any eq 134
access-list 2000 deny tcp any any eq 445
access-list 2000 deny tcp any any eq 139
interface Vlan1
 ip address x.x.x.x x.x.x.x
 ip access-group 2000 in
# Logging and remote monitoring; archive a copy of the configuration on every write memory
logging host 192.168.1.1
snmp-server community your_snmp_community RO
snmp-server trap-source Vlan1
snmp-server host 192.168.1.2 version 2c your_snmp_community
snmp-server host 192.168.1.3 version 2c your_snmp_community
archive
 path flash:backup-configs
 write-memory
In the example commands above, "your_password", "your_snmp_community", "192.168.1.5", "192.168.1.1", "192.168.1.2", "192.168.1.3" and similar values must be replaced with the actual passwords, SNMP community strings and IP addresses. The commands also need to be adjusted to fit the actual environment. Before making any change, make sure the device configuration has been backed up and that you have sufficient privileges and understand the effect of each command.
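A compliance check for the hardening items above, as an added example that is not part of the original page: it scans a running-config export for the SSH/Telnet, lockout, idle-timeout, password-length, management-ACL, syslog and HTTP items using the command forms listed for the three vendors (the Comware `password-control login-attempt` and `undo` forms, the check names and the sample config are my own constructions).

```python
import re

# Each check maps one hardening item from the page to the CLI lines that satisfy it on
# Cisco IOS, Huawei VRP or H3C Comware. Any single matching line passes the check;
# a disabled timeout ("exec-timeout 0 0", "idle-timeout 0") deliberately does not.
CHECKS = {
    "identity: SSH enabled": [r"^ip ssh version 2\b", r"^ssh server enable\b"],
    "identity: Telnet disabled": [r"^\s*transport input ssh$", r"^telnet server disable\b",
                                  r"^undo telnet server enable\b"],
    "identity: login lockout": [r"^login block-for \d+ attempts \d+", r"^\s*max-failed-times \d+",
                                r"^password-control login-attempt \d+"],
    "identity: idle timeout": [r"^\s*exec-timeout [1-9]", r"^\s*idle-timeout [1-9]"],
    "identity: min password length": [r"^security passwords min-length \d+",
                                      r"^password-control length \d+"],
    "access control: management ACL applied": [r"^\s*ip access-group \d+ in\b", r"^\s*access-class \d+ in\b",
                                               r"^\s*acl \d+ inbound\b", r"^\s*packet-filter \d+ inbound\b"],
    "audit: remote syslog host": [r"^logging host \S+", r"^info-center loghost \d+\.\d+\.\d+\.\d+"],
    "intrusion prevention: HTTP server disabled": [r"^no ip http server\b", r"^http server disable\b",
                                                   r"^undo ip http enable\b"],
}

def audit_config(config: str) -> dict:
    """Return {check name: True if the config satisfies it} for a running-config text."""
    lines = config.splitlines()
    return {name: any(re.match(p, line) for p in pats for line in lines)
            for name, pats in CHECKS.items()}

def failing_checks(config: str) -> list:
    """Sorted names of the hardening items the config does not satisfy."""
    return sorted(name for name, ok in audit_config(config).items() if not ok)

# Constructed sample: an IOS running-config that was only partly hardened
# (Telnet still allowed on the VTYs, no SSH v2, no management ACL, no syslog host).
SAMPLE_IOS = """\
hostname core-sw1
security passwords min-length 8
login block-for 10 attempts 5 within 10
no ip http server
snmp-server community public RO
line vty 0 15
 exec-timeout 30 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    for item in failing_checks(SAMPLE_IOS):
        print("MISSING:", item)
```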