Updated on 2022-03-04 GMT+08:00

Huawei Technical Support Channel Security Solution

Figure 1 Huawei technical support channel security solution

If you need Huawei technical support, install a Huawei dedicated bastion host to ensure O&M channel security. For details, see Figure 1.

The Huawei dedicated bastion host differs from an enterprise intranet bastion host in the following aspects:

  • The Huawei dedicated bastion host is configured with two network interface cards (NICs). The two NICs belong to the subnets for the PRD management zone and DEV management zone, respectively.
  • You need to configure an EIP for the Huawei dedicated bastion host so that Huawei technical support can use the EIP for access.

    The Huawei dedicated bastion host needs to allow access from the Internet. Therefore, you need to add inbound ACL rules to the subnet to which the NIC bound with the EIP belongs, allowing access from the Internet to the Huawei dedicated bastion host. You do not need to modify outbound ACL rules.

    If the NIC bound with the EIP belongs to the subnet for the DEV management zone, you need to add the following inbound ACL rules.

    IP addresses and ports in this section are only used as examples. If necessary, add temporary ACL rules to allow access from other source IP addresses.

    Table 1 Inbound rules of network ACL NACL-DEV-MGMT

    | Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
    |---|---|---|---|---|---|
    | For Huawei technical support | 2.2.2.0/24 | TCP | 8443 | Allow | Allows the administrator in Huawei technical support (from fixed source IP addresses) to access the Huawei dedicated bastion host. |
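
The following Python check is an added example, not part of the original documentation. It audits an exported list of inbound ACL rules and reports any allow rule that reaches the bastion host port from a source outside the approved fixed ranges, such as a temporary rule that was never removed. The rule dictionary format, the function names, and every rule other than the one from Table 1 are assumptions made for illustration.

```python
import ipaddress

BASTION_PORT = 8443  # example destination port from Table 1

def port_matches(port, spec):
    """spec is '8443', '8000-9000' or 'all' (assumed export format)."""
    if spec.lower() == "all":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def audit_inbound(rules, approved_sources):
    """Return (rule name, finding) for allow rules that expose the bastion port
    to a source not contained in any approved range."""
    approved = [ipaddress.ip_network(c) for c in approved_sources]
    findings = []
    for rule in rules:
        if rule["action"].lower() != "allow":
            continue
        if rule["protocol"].lower() not in ("tcp", "all"):
            continue
        if not port_matches(BASTION_PORT, rule["port"]):
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        if any(src.version == a.version and src.subnet_of(a) for a in approved):
            continue
        reason = ("open to the whole Internet" if src.prefixlen == 0
                  else "source outside the approved ranges")
        findings.append((rule["name"], reason))
    return findings

# Constructed sample rules: the first is Table 1; the others are invented
# to show a leftover temporary rule and an over-broad rule.
SAMPLE_RULES = [
    {"name": "For Huawei technical support", "source": "2.2.2.0/24",
     "protocol": "TCP", "port": "8443", "action": "Allow"},
    {"name": "temp-support-session", "source": "203.0.113.7/32",
     "protocol": "TCP", "port": "8443", "action": "Allow"},
    {"name": "debug-any", "source": "0.0.0.0/0",
     "protocol": "TCP", "port": "8000-9000", "action": "Allow"},
    {"name": "deny-rest", "source": "0.0.0.0/0",
     "protocol": "ALL", "port": "all", "action": "Deny"},
]

if __name__ == "__main__":
    for name, reason in audit_inbound(SAMPLE_RULES, ["2.2.2.0/24"]):
        print(f"{name}: {reason}")
```

Running the audit after each support session makes it easy to confirm that temporary rules have been removed and that only the fixed support source range can reach the bastion host.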