07-Security Configuration Guide

01-Security Overview

Security overview

Network security services provide solutions that eliminate or reduce security threats. Network security threats are existing or potential threats to data confidentiality, data integrity, and data availability.

Network security threats

·          Information disclosure—Information is leaked to an unauthorized person or entity.

·          Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.

·          Denial of service—Makes information or other network resources unavailable to their intended users.

·          Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.

Network security services

A security service is implemented by one or more network security technologies, and one technology can support multiple services. The following are the most important security services:

·          Identity authentication—Identifies users and determines if a user is valid. Typical methods include AAA-based username plus password authentication, and PKI digital certificate-based authentication.

·          Access security—Prevents unauthorized access and use of network resources by implementing AAA-based identity authentication. Access security protocols such as 802.1X and MAC authentication work together with AAA to implement user identity authentication.

·          Data security—Encrypts and decrypts data during data transmission and storage. Typical encryption mechanisms include symmetric encryption and asymmetric encryption, and their common applications are SSL and SSH. SSL and SSH protect data transfer based on TCP.

Network security technologies

Identity authentication

AAA

AAA provides a uniform framework for implementing network access management. It provides the following security functions:

·          Authentication—Identifies network users and determines whether the user is valid.

·          Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions for the files on the device.

·          Accounting—Records all network service usage information, including the service type, start time, and traffic. The accounting function provides information for charging and user behavior auditing.

AAA can be implemented through multiple protocols, such as RADIUS and HWTACACS, among which RADIUS is used most often.

PKI

PKI is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.

H3C's PKI system provides digital certificate management for SSL.

Access security

802.1X

802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources.

Port security

Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.

Portal authentication

Portal authentication, also called "Web authentication," controls user access at the access layer and at other data entry points that need protection. It does not require client software to authenticate users. Users only need to enter a username and a password on the webpage for authentication.

With portal authentication, an access device redirects all unauthenticated users to a webpage. All users can access resources on the webpage without passing portal authentication. However, to access the Internet, a user must pass portal authentication on the portal authentication page.

Data security

Managing public keys

Public key configuration enables you to manage the local asymmetric key pairs (for example, creating or destroying a local asymmetric key pair, and displaying or exporting a local host public key), and configure the peer host public keys on the local device.

SSL

SSL is a security protocol that provides communication security for TCP-based application layer protocols by using the public key mechanism and digital certificates. SSL is independent of the application layer protocol, and enables an application layer protocol to use an SSL-based secure connection. A common application is HTTPS—HTTP over SSL or HTTP Secure.

SSH

SSH is a network security protocol that provides secure remote login and file transfer over an insecure network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing and plaintext password interception.
