
Attack Defense Through Service and Management Isolation

Attack Behavior

As shown in Figure 1, devices on the 192.168.10.X network segment are connected to the independent management interface Ethernet0/0/0 on the switch, and devices on the 192.168.20.X network segment are connected to the service interface GE1/0/0 on the switch. Devices on both segments can access the switch normally.

If the management interface is not isolated, the devices on 192.168.20.X can ping devices on 192.168.10.X. As a result, the management interface address is exposed to the service network and becomes a target for attacks.

Figure 1 Network diagram

Security Policy

To improve network security and prevent attacks launched by unauthorized users, a switch separates the management interface and plane from the service interface and plane by default.

  • The management-port isolate enable command enables management interface separation to prevent unauthorized users from attacking packet forwarding. After this command is run, the switch forbids packet exchange between the management and service interfaces. That is, the packets received by the management interface will not be sent out through a service interface, and the packets received by a service interface will not be sent out through the management interface.

  • The management-plane isolate enable command enables management plane separation to prevent unauthorized users from attacking the management network through the service network. After the command is run, the switch prevents unauthorized users from accessing the management interface through a service interface. That is, if the destination address of a packet received by a service interface is the management interface address, the user cannot access the switch. The access from the management interface to a service interface is not restricted.

The packets mentioned above are IP packets and MPLS packets.
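As an added illustration that is not part of the Huawei documentation, the following Python model applies the two checks described above to constructed sample packets on the Figure 1 topology. The management interface address 192.168.10.1 and the host addresses are assumptions; the interface names and segments come from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology from Figure 1. Interface names and segments come from the page;
# the management interface address 192.168.10.1 is a constructed assumption.
MGMT_PORT = "Ethernet0/0/0"
SERVICE_PORT = "GE1/0/0"
MGMT_NET = ip_network("192.168.10.0/24")
SERVICE_NET = ip_network("192.168.20.0/24")
MGMT_ADDR = ip_address("192.168.10.1")


@dataclass
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str


def egress_for(dst):
    """Egress interface chosen by destination segment; None means no route."""
    if dst in MGMT_NET:
        return MGMT_PORT
    return SERVICE_PORT if dst in SERVICE_NET else None


def decide(pkt, port_isolate=True, plane_isolate=True):
    """Return 'deliver:management', 'forward:<interface>' or 'drop:<reason>'."""
    dst = ip_address(pkt.dst)
    # management-plane isolate: traffic from a service interface addressed to
    # the management address is refused; management-side access is untouched.
    if dst == MGMT_ADDR:
        if plane_isolate and pkt.ingress != MGMT_PORT:
            return "drop:management-plane isolate"
        return "deliver:management"
    egress = egress_for(dst)
    if egress is None:
        return "drop:no route"
    # management-port isolate: no transit between the management interface
    # and a service interface, in either direction.
    if port_isolate and (pkt.ingress == MGMT_PORT) != (egress == MGMT_PORT):
        return "drop:management-port isolate"
    return f"forward:{egress}"


# Constructed sample traffic: a service-side host probing the management side.
PROBES = [
    Packet(SERVICE_PORT, "192.168.20.5", "192.168.10.1"),  # switch management address
    Packet(SERVICE_PORT, "192.168.20.5", "192.168.10.7"),  # host on management segment
    Packet(MGMT_PORT, "192.168.10.7", "192.168.20.5"),     # management side to service side
]
```

Running `decide` on the probes with both flags left at their defaults drops all three; switching either flag off shows which check covers transit traffic and which covers access to the switch's own management address.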

Configuration Method

Enable management interface separation.

<HUAWEI> system-view
[HUAWEI] management-port isolate enable  //By default, this function is enabled.

Enable management plane separation.

<HUAWEI> system-view
[HUAWEI] management-plane isolate enable  //By default, this function is enabled.
Copyright © Huawei Technologies Co., Ltd.