
Title: Resolving the security risk warning on a Huawei router

Author: 万万哇    Time: 4 days ago
Problem:
When logging in to the web management UI, the following prompt appears:
"Weak encryption algorithms exist in the current system. It is recommended to log in to the device via Telnet or the CLI, run the command display security risk to check, and use secure encryption algorithms and protocols."
The console output is:
  [Huawei]display security risk
  Risk level       : high
  Feature name     : SSH_SERVER
  Risk information : Insecure key exchange algorithm is enabled in SSH server.
  Repair action    : It is recommended to disable the insecure key exchange algorithm.
  Risk level       : high
  Feature name     : SSL
  Risk information : Insecure cipher suite(rsa_aes128_sha256) is enabled in configuring a server-based SSL policy.
  Repair action    : It is recommended to disable the insecure cipher suite.
  Risk level       : high
  Feature name     : SSL
  Risk information : Insecure cipher suite(rsa_aes256_sha256) is enabled in configuring a server-based SSL policy.
  Repair action    : It is recommended to disable the insecure cipher suite.
  Risk level       : medium
  Feature name     : IPSEC
  Risk information : Insecure encryption-algorithm (aes-128) are enabled in IKE proposal.
  Repair action    : It is recommended to disable the insecure encryption-algorithms.
  Risk level       : medium
  Feature name     : IPSEC
  Risk information : Insecure encryption-algorithm (aes-192) are enabled in IKE proposal.
  Repair action    : It is recommended to disable the insecure encryption-algorithms.
  Risk level       : medium
  Feature name     : IPSEC
  Risk information : Insecure encryption-algorithm (aes-256) are enabled in IKE proposal.
  Repair action    : It is recommended to disable the insecure encryption-algorithms.
 
The official documentation gives no concrete procedure, so here are the steps I used to resolve it:
The cause is that the default configuration contains weak encryption algorithms, which is a security risk. When changing them, the policies reference each other in nested layers, so they have to be fixed from the top down.
The IPsec risk lies in the IKE policy (the proposal):
  ike proposal default
  encryption-algorithm aes-gcm-128 aes-gcm-256 sm4
  
SSH server:
  ssh server key-exchange dh_group14_sha256 dh_group15_sha512
  
SSL is the more troublesome one. I eventually found that the default policy is used by the HTTPS service, so the HTTPS service has to be disabled first:
  undo http secure-server enable
  undo http secure-server ssl-policy
  ssl policy default_policy
  ciphersuite ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384
  http secure-server ssl-policy default_policy
  http secure-server enable
  
Finally, check again and confirm that the alarms are cleared; the web page still shows the prompt, though, so ignore it for now.
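The `display security risk` output in the post is a fixed four-field record per finding, which makes it practical to audit across a fleet rather than reading each device by hand. The following Python is an added example, not part of the post and not a Huawei tool: it parses the output quoted above, groups the flagged algorithm names by feature, and emits the remediation commands the post used for each flagged feature. The feature-to-command mapping simply reproduces the post's fix; it assumes the same VRP release and that the HTTPS server is the only consumer of `default_policy` (both assumptions, as noted in the code).

```python
"""Parse Huawei VRP `display security risk` output and map findings to the post's fixes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The `display security risk` output exactly as quoted in the post (prompt line included).
SAMPLE_OUTPUT = """\
[Huawei]display security risk
Risk level       : high
Feature name     : SSH_SERVER
Risk information : Insecure key exchange algorithm is enabled in SSH server.
Repair action    : It is recommended to disable the insecure key exchange algorithm.
Risk level       : high
Feature name     : SSL
Risk information : Insecure cipher suite(rsa_aes128_sha256) is enabled in configuring a server-based SSL policy.
Repair action    : It is recommended to disable the insecure cipher suite.
Risk level       : high
Feature name     : SSL
Risk information : Insecure cipher suite(rsa_aes256_sha256) is enabled in configuring a server-based SSL policy.
Repair action    : It is recommended to disable the insecure cipher suite.
Risk level       : medium
Feature name     : IPSEC
Risk information : Insecure encryption-algorithm (aes-128) are enabled in IKE proposal.
Repair action    : It is recommended to disable the insecure encryption-algorithms.
Risk level       : medium
Feature name     : IPSEC
Risk information : Insecure encryption-algorithm (aes-192) are enabled in IKE proposal.
Repair action    : It is recommended to disable the insecure encryption-algorithms.
Risk level       : medium
Feature name     : IPSEC
Risk information : Insecure encryption-algorithm (aes-256) are enabled in IKE proposal.
Repair action    : It is recommended to disable the insecure encryption-algorithms.
"""


@dataclass
class Risk:
    level: str
    feature: str
    information: str
    repair: str
    algorithm: Optional[str]  # name the device printed in parentheses, if any

# Optional "N. " prefix tolerates the line numbering a forum copy/paste adds.
FIELD_RE = re.compile(r"^(?:\d+\.\s*)?(Risk level|Feature name|Risk information|Repair action)\s*:\s*(.*)$")
ALGO_RE = re.compile(r"\(([^)]+)\)")


def parse_security_risk(text: str) -> List[Risk]:
    """Split the output into one Risk per four-field record; unknown lines are ignored."""
    risks: List[Risk] = []
    fields: Dict[str, str] = {}

    def flush() -> None:
        if fields:
            info = fields.get("Risk information", "")
            m = ALGO_RE.search(info)
            risks.append(Risk(fields.get("Risk level", ""), fields.get("Feature name", ""),
                              info, fields.get("Repair action", ""), m.group(1) if m else None))
            fields.clear()

    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line, anything unrecognised
        key, value = m.group(1), m.group(2).strip()
        if key == "Risk level":
            flush()  # every record starts with its risk level
        fields[key] = value
    flush()
    return risks


def weak_algorithms_by_feature(risks: List[Risk]) -> Dict[str, List[str]]:
    """E.g. {'SSH_SERVER': [], 'SSL': ['rsa_aes128_sha256', ...], 'IPSEC': ['aes-128', ...]}."""
    out: Dict[str, List[str]] = {}
    for r in risks:
        algos = out.setdefault(r.feature, [])
        if r.algorithm and r.algorithm not in algos:
            algos.append(r.algorithm)
    return out


# The commands the post applied, per feature. Assumption: same VRP release, and the
# HTTPS server is the only user of default_policy (the post disables HTTPS first because
# the policy is in use by it).
REMEDIATION: Dict[str, List[str]] = {
    "IPSEC": ["ike proposal default",
              "encryption-algorithm aes-gcm-128 aes-gcm-256 sm4"],
    "SSH_SERVER": ["ssh server key-exchange dh_group14_sha256 dh_group15_sha512"],
    "SSL": ["undo http secure-server enable",
            "undo http secure-server ssl-policy",
            "ssl policy default_policy",
            "ciphersuite ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384",
            "http secure-server ssl-policy default_policy",
            "http secure-server enable"],
}


def remediation_commands(risks: List[Risk]) -> List[str]:
    """One command block per flagged feature, in the order the device reported them."""
    cmds: List[str] = []
    for feature in dict.fromkeys(r.feature for r in risks):
        cmds.extend(REMEDIATION.get(feature) or [f"# {feature}: no mapped fix, review manually"])
    return cmds


if __name__ == "__main__":
    found = parse_security_risk(SAMPLE_OUTPUT)
    print(weak_algorithms_by_feature(found))
    print("\n".join(remediation_commands(found)))
```

Feed it the output captured from each device, review the generated commands before pushing them, and re-run `display security risk` afterwards as the post does. One caveat before applying the IPSEC block: restricting the IKE proposal to aes-gcm-128, aes-gcm-256 and sm4 only works if every IPsec peer can negotiate one of those algorithms, so check the peers' proposals first.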
 




