...

  • It is recommended to always disable unused physical interfaces with the shutdown command. The command is described in detail in the Interface monitoring and configuration section of the CLI Command Reference.
  • It is recommended to always set the system clock to synchronize with trusted network time sources (NTP). The NTP setup algorithm is described in the NTP configuration section of this manual. For detailed information on the NTP configuration commands, see System timer management in the CLI Command Reference.
  • It is recommended to disable the NTP broadcast client, which is enabled by default in the factory configuration.
  • It is not recommended to use the ip firewall disable command that disables firewalling. Always assign appropriate security zones to interfaces and configure the correct firewall rules. The firewall configuration algorithm is described in the Firewall configuration section of this manual. For detailed information on the Firewall configuration commands, see Firewall management in the CLI Command Reference.

Event logging system configuration

Event logging system configuration algorithms are described in the 'Syslog configuration' subsection of the Monitoring section of this manual.

For detailed information on the Event logging system configuration commands, see SYSLOG management section in the CLI Command Reference.

Recommendations

  • It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server.
  • It is recommended to limit the size of the syslog file on the device.
  • It is recommended to configure syslog file rotation on the device.
  • It is recommended to enable syslog message enumeration.
  • It is recommended that timestamp msec tags be added to syslog messages on ESR-1500 and ESR-1511.
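Message enumeration and millisecond timestamps are what let a collector notice that messages were dropped, deleted or reordered between the device and the external syslog server. The script below, an added example that is not part of the original manual, audits a batch of received lines for sequence gaps, out-of-order numbers and timestamps without millisecond precision. The line layout (sequence number, timestamp, hostname, message) and the sample lines are constructed for the example; the real ESR line format is an assumption here and the regular expression would be adjusted to it.

```python
import re
from dataclasses import dataclass

# Constructed sample lines: sequence number, timestamp, host, message.
# The exact ESR syslog layout is an assumption for this example.
SAMPLE_LINES = """\
000017: Jan 10 12:00:01.120 esr-1 %LINK-3-UPDOWN: Interface gi1/0/5 changed state to down
000018: Jan 10 12:00:01.455 esr-1 %AAA-6-LOGIN: user 'operator' logged in from 10.1.1.7
000019: Jan 10 12:00:02.001 esr-1 %SYS-5-CONFIG: configuration saved by 'operator'
000023: Jan 10 12:00:05.300 esr-1 %FW-4-DROP: zone untrusted -> trusted denied by rule 10
000024: Jan 10 12:00:05 esr-1 %NTP-5-SYNC: clock synchronized to 10.1.1.1
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?P<msec>\.\d{3})?)\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


@dataclass
class Finding:
    kind: str     # "gap", "out_of_order", "no_msec" or "unparsed"
    seq: int      # sequence number of the line that triggered the finding (-1 if unparsed)
    detail: str


def audit_syslog(text):
    """Walk the lines in arrival order and report integrity problems."""
    findings = []
    prev = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            findings.append(Finding("unparsed", -1, raw))
            continue
        seq = int(m["seq"])
        if prev is not None and seq != prev + 1:
            if seq <= prev:
                findings.append(Finding("out_of_order", seq, f"arrived after {prev}"))
            else:
                missing = seq - prev - 1
                findings.append(Finding("gap", seq, f"{missing} message(s) missing between {prev} and {seq}"))
        if m["msec"] is None:
            findings.append(Finding("no_msec", seq, "timestamp lacks millisecond precision"))
        prev = seq
    return findings


if __name__ == "__main__":
    for f in audit_syslog(SAMPLE_LINES):
        print(f"{f.kind:13} seq={f.seq:<6} {f.detail}")
```

A gap does not by itself prove tampering; a device restart also resets the counter, so the collector should correlate a gap with the device's boot messages before raising an alert.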

...

The configuration algorithms for the password usage policy are described in the AAA configuration section of this manual.

For detailed information on the configuration commands for the password usage policy, see AAA configuration in the CLI Commands Reference.

Recommendations

  • It is recommended to always enable the default password change request for the admin user.
  • It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password.
  • It is recommended to set the minimum password length requirement greater than 8 characters.
  • It is recommended to set requirements for the use of lowercase and uppercase letters, numbers and special characters.
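To make the four recommendations above concrete, here is an added example (not the device's own implementation) of a local-account password policy: a forced change on first login, a maximum password age, a history check against the previous password, a minimum length of 9 characters and the four character classes. The 90-day lifetime and the PBKDF2 parameters are assumed values chosen for the example; the device stores and checks passwords its own way.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values follow the recommendations above; the 90-day lifetime is an
# assumed value for this example.
POLICY = {"min_length": 9, "max_age_days": 90, "history_depth": 1}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def _derive(password, salt):
    # Salted PBKDF2 so history entries can be compared without keeping plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class LocalAccount:
    def __init__(self, username):
        self.username = username
        self.history = []          # (salt, digest) of past passwords, oldest first
        self.changed_on = None     # date of the last successful change
        self.must_change = True    # factory default: force a change at first login


def complexity_violations(password):
    """Return the list of policy rules the candidate password breaks."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append(f"shorter than {POLICY['min_length']} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"no {name} character")
    return violations


def set_password(account, password, today):
    """Apply complexity and history rules; store the password only if all pass."""
    violations = complexity_violations(password)
    for salt, digest in account.history[-POLICY["history_depth"]:]:
        if hmac.compare_digest(_derive(password, salt), digest):
            violations.append("reuses a previous password")
            break
    if violations:
        return violations
    salt = os.urandom(16)
    account.history.append((salt, _derive(password, salt)))
    account.changed_on = today
    account.must_change = False
    return []


def change_required(account, today):
    """True when login must be preceded by a password change."""
    if account.must_change or account.changed_on is None:
        return True
    return today - account.changed_on > timedelta(days=POLICY["max_age_days"])


if __name__ == "__main__":
    admin = LocalAccount("admin")
    print("first login, change required:", change_required(admin, date(2024, 1, 1)))
    print("weak candidate:", set_password(admin, "Password1", date(2024, 1, 1)))
    print("strong candidate:", set_password(admin, "C0rrect-h0rse!", date(2024, 1, 1)))
    print("reuse attempt:", set_password(admin, "C0rrect-h0rse!", date(2024, 3, 1)))
    print("expired after 105 days:", change_required(admin, date(2024, 4, 15)))
```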

...

The algorithms for AAA policy are described in the AAA configuration section of this manual.

For detailed information on the commands for AAA policy, see AAA configuration in the CLI Commands Reference.

Recommendations

  • It is recommended to use a role-based access model on the device.
  • It is recommended to use personal accounts to authenticate on the device.
  • It is recommended to enable logging of commands entered by the user.
  • It is recommended to use several authentication methods for logging in to devices via console, remote login to devices and privilege escalation. A combination of RADIUS/TACACS/LDAP authentication and local authentication is considered optimal.
  • It is recommended to lower the built-in admin account privileges to 1.
  • It is recommended to configure logging of changes of local accounts.
  • It is recommended to configure AAA policy change logging.

...

Remote management configuration

For more information on remote access configuration commands, see SSH, Telnet access configuration in the CLI command reference.

Recommendations

  • It is recommended to disable remote control via telnet.
  • It is recommended to use the cryptographically strong sha2-512 message authentication algorithm and disable all others.
  • It is recommended to use the cryptographically strong aes256ctr encryption algorithm and disable all others.
  • It is recommended to use the cryptographically strong dh-group-exchange-sha256 key exchange algorithm and disable all others.
  • It is recommended to use the cryptographically strong rsa host-key verification algorithm for SSH and disable all others.
  • It is recommended to allow remote management access to the device only from certain IP addresses.
  • It is recommended to regenerate the encryption keys before starting operation.
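The algorithm recommendations above can be verified from outside the device, because every SSH server announces what it accepts in its KEXINIT message (RFC 4253, section 7.1). The script below is an added example, not part of the manual: it parses a KEXINIT payload and reports any key exchange, host key, cipher or MAC algorithm that falls outside the policy. The mapping from the CLI names in the recommendations to SSH wire names (sha2-512 to hmac-sha2-512, aes256ctr to aes256-ctr, dh-group-exchange-sha256 to diffie-hellman-group-exchange-sha256, rsa to the rsa-sha2-*/ssh-rsa family) is an assumption, and the sample KEXINIT is constructed rather than captured from a device.

```python
import struct

SSH_MSG_KEXINIT = 20
# RFC 4253 section 7.1: ten name-lists follow the 16-byte cookie, in this order.
NAME_LIST_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Wire names assumed to correspond to the CLI names in the recommendations.
# ssh-rsa is included because the recommendation names the rsa family; modern
# clients negotiate rsa-sha2-256/512 signatures with the same RSA host key.
POLICY = {
    "kex": {"diffie-hellman-group-exchange-sha256"},
    "host_key": {"rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"},
    "enc": {"aes256-ctr"},
    "mac": {"hmac-sha2-512", "hmac-sha2-512-etm@openssh.com"},
}


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(cookie, **lists):
    """Assemble a KEXINIT payload (used here only to construct the sample)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        payload += _name_list(lists.get(field, []))
    return payload + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, lists = 17, {}           # 1 byte message id + 16 byte cookie
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length]
        offset += length
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def audit_kexinit(payload):
    """Compare the offered algorithms with POLICY, per algorithm group."""
    lists = parse_kexinit(payload)
    groups = {"kex": ("kex",), "host_key": ("host_key",),
              "enc": ("enc_c2s", "enc_s2c"), "mac": ("mac_c2s", "mac_s2c")}
    report = {}
    for group, fields in groups.items():
        offered = {name for f in fields for name in lists[f]}
        report[group] = {
            "disallowed": sorted(offered - POLICY[group]),   # should be disabled
            "offers_required": bool(offered & POLICY[group]),
        }
    return report


# Constructed sample: a server that still offers legacy algorithms next to the
# recommended ones.
_enc = ["aes128-ctr", "aes256-ctr"]
_mac = ["hmac-sha1", "hmac-sha2-512"]
SAMPLE_KEXINIT = build_kexinit(
    b"\x11" * 16,
    kex=["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
    host_key=["ssh-rsa", "ecdsa-sha2-nistp256"],
    enc_c2s=_enc, enc_s2c=_enc, mac_c2s=_mac, mac_s2c=_mac,
    comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    for group, result in audit_kexinit(SAMPLE_KEXINIT).items():
        print(f"{group:9} disallowed={result['disallowed']} offers_required={result['offers_required']}")
```

The function works on the decrypted KEXINIT payload; on a live connection the message is wrapped in the binary packet format (packet length, padding length, padding), which must be stripped first. The source-address restriction in the recommendations is not visible in KEXINIT and has to be checked separately, for example by confirming that connection attempts from non-management addresses are refused and logged.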

...

The algorithms for configuring the network attack protection mechanisms are described in the Logging and network protection configuration section of this manual.

For detailed information about the commands to configure the network attack protection mechanisms, see Management of logging and protection against network attacks in the CLI Command Reference.

Recommendations

  • It is recommended to always enable protection against ip spoofing.
  • It is recommended to always enable protection against TCP packets with incorrectly set flags.
  • It is recommended to always enable protection against fragmented TCP packets with the SYN flag set.
  • It is recommended to always enable protection against fragmented ICMP packets.
  • It is recommended to always enable protection against large ICMP packets.
  • It is recommended to always enable protection against unregistered IP protocols.
  • It is recommended to enable logging of the protection mechanism against network attacks.
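The following added example, which is not part of the manual or the device firmware, shows what the protection mechanisms in the list above actually look for in a packet: it parses raw IPv4/TCP/ICMP headers and classifies constructed sample packets under the same categories (invalid TCP flag combinations, fragmented TCP with SYN, fragmented ICMP, large ICMP, unregistered IP protocol). The invalid-flag combinations, the 1024-byte ICMP threshold and the use of IANA protocol number 144 as the start of the unassigned range are assumptions for the example; the device's thresholds are set by its own commands. Checksums in the sample packets are left at zero.

```python
import struct
from ipaddress import IPv4Address

TCP, ICMP = 6, 1
IP_MF, IP_OFFSET_MASK = 0x2000, 0x1FFF
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Thresholds are assumptions for this example, not the device's defaults.
LARGE_ICMP_BYTES = 1024
# IANA protocol numbers: 144-252 unassigned, 253-254 experimental, 255 reserved.
FIRST_UNREGISTERED_PROTO = 144

IPV4_HDR = ">BBHHHBBH4s4s"   # ver/ihl, tos, total_len, id, flags+offset, ttl, proto, csum, src, dst


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2", frag_field=0):
    """Constructed IPv4 packet with a 20-byte header and zero checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, frag_field, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(flags, sport=40000, dport=22):
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urgent
    return struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp_echo(data=b""):
    return struct.pack(">BBHHH", 8, 0, 0, 1, 1) + data   # type 8 = echo request


def _tcp_flags_invalid(flags):
    """Flag combinations that never occur in a legitimate TCP conversation (assumed set)."""
    f = flags & 0x3F
    return bool(
        f == 0                                  # null scan
        or (f & SYN and f & FIN)                # SYN+FIN
        or (f & SYN and f & RST)                # SYN+RST
        or (f & FIN and not f & ACK)            # FIN without ACK (covers xmas FIN+PSH+URG)
    )


def classify(packet):
    """Return the list of protection categories the packet would trigger."""
    ver_ihl, _, total_len, _, frag, _, proto, _, _, _ = struct.unpack_from(IPV4_HDR, packet)
    ihl = (ver_ihl & 0x0F) * 4
    fragmented = bool(frag & IP_MF) or (frag & IP_OFFSET_MASK) != 0
    first_fragment = (frag & IP_OFFSET_MASK) == 0
    findings = []
    if proto >= FIRST_UNREGISTERED_PROTO:
        findings.append("unregistered_ip_protocol")
    if proto == TCP and first_fragment and len(packet) >= ihl + 14:
        flags = packet[ihl + 13]                # TCP flags byte sits at offset 13 of the header
        if _tcp_flags_invalid(flags):
            findings.append("tcp_invalid_flags")
        if fragmented and flags & SYN:
            findings.append("tcp_fragmented_syn")
    if proto == ICMP:
        if fragmented:
            findings.append("icmp_fragmented")
        if total_len > LARGE_ICMP_BYTES:
            findings.append("icmp_large")
    return findings


# Constructed sample packets, one per category plus a legitimate SYN.
SAMPLE_PACKETS = {
    "normal_syn": build_ipv4(TCP, build_tcp(SYN)),
    "syn_fin": build_ipv4(TCP, build_tcp(SYN | FIN)),
    "fragmented_syn": build_ipv4(TCP, build_tcp(SYN), frag_field=IP_MF),
    "fragmented_icmp": build_ipv4(ICMP, build_icmp_echo(b"A" * 64), frag_field=IP_MF),
    "large_icmp": build_ipv4(ICMP, build_icmp_echo(b"A" * 2000)),
    "unregistered_proto": build_ipv4(200, b"\x00" * 8),
}


def classify_all():
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:20} -> {result or 'ok'}")
```

When logging of the protection mechanism is enabled, these are the categories that should appear in the syslog stream; feeding such log lines to the collector lets the security team distinguish a scan from a misbehaving host by source address and category.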

...