AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Protection Against Attacks

Attackers may send attack packets to a device despite the access control policy. In this case, the attacks can be stopped only by attack protection.

Access control is active prevention applied before an attack occurs, whereas attack protection is passive defense applied after an attack occurs.

Therefore, a sound access control policy is the prerequisite for security assurance and must be established first.

Local Attack Defense

CPU Protection by Limiting the Packet Rate Based on the CP-CAR
The packet rate is limited based on the CP-CAR as follows:
  • Packets sent to the CPU are classified by protocol type.
  • The bandwidth, priority, and length of packets sent from the forwarding plane to the CPU are controlled based on the CP-CAR.
  • The total forwarding bandwidth is controlled.
In this manner, the number of packets sent to the CPU is kept under control, bandwidth is preferentially ensured for higher-priority services, CPU overload is prevented, and an alarm is generated when an attack occurs.

Currently, services are negatively affected when the CPU is attacked for the following reasons:

  1. Valid protocol packets are not distinguished from invalid ones. The CPU is busy processing a large number of invalid protocol packets, so CPU usage rises sharply and valid packets cannot be processed properly.
  2. Packets of several protocols are sent to the CPU through the same channel. When a loop occurs for one type of protocol packet, the channel is blocked, affecting the transmission of the other protocol packets.
  3. The bandwidth of a channel is not set appropriately. When an attack occurs, processing of protocol packets on other channels is affected. To prevent security incidents caused by human error or IT management, the following measures must be taken:

Attack Source Tracing

The roadmap for attack source tracing is as follows:

  • Collect and classify the protocols related to the services running on the device.
  • Use ACLs to filter packets; invalid protocol packets are placed in the blacklist.
  • Plan the priorities, channel bandwidth, and alarm function of the blacklist.
  • Identify key services based on TCP application protocols and guarantee sufficient bandwidth for high-priority services.
  • Restrict the bandwidth for non-Layer-3 services, and disable services that are not deployed on the device.

In this document, common protocols are classified and processing suggestions are proposed based on the services on the live network and the observed attack information. The following describes the specific configuration procedure.
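The CP-CAR pipeline and the tracing roadmap above (classify by protocol type, blacklist by ACL, per-type rate limit, priority within a total CPU budget, alarm when a source exceeds the auto-defend threshold) can be modelled in a few lines. The following Python simulation is an added example, not Huawei code and not the device's actual scheduling algorithm; its packet stream, MAC addresses, per-type rates and the 150 pps total budget are constructed. It runs the same constructed second of traffic twice, before and after the traced attacker is blacklisted, to show why the per-type rate limit alone lets an attacker crowd out legitimate ARP traffic while the blacklist restores it and the higher-priority dhcp-client packets are served in both cases.

```python
"""CP-CAR style CPU protection, simulated (added example, not Huawei code).

Constructed model of the stages described in the guide:
  1. a source-MAC blacklist (the ACL-referenced blacklist) drops packets first,
  2. attack source tracing counts packets per source MAC and raises an alarm
     when a source exceeds the auto-defend threshold,
  3. each packet type passes its own per-second rate limit (CP-CAR),
  4. admitted packets compete for a total CPU budget, higher priority first.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    ptype: str       # protocol type, e.g. "arp-request" or "dhcp-client"
    src_mac: str


@dataclass
class CpuDefendPolicy:
    rate_limit: dict            # ptype -> packets per second
    priority: dict              # ptype -> priority, higher is served first
    blacklist_macs: set         # source MACs dropped unconditionally
    auto_defend_threshold: int  # packets per second per source before an alarm
    total_pps: int              # total packets per second the CPU will accept


def apply_policy(packets, policy, default_limit=128, default_priority=1):
    """Run the packets through the policy one-second window at a time.

    Returns per-type pass/drop Counters, pass counts per source MAC, and a list
    of (second, mac, pps) alarms raised by attack source tracing.
    """
    passed, dropped, passed_by_src, alarms = Counter(), Counter(), Counter(), []
    windows = defaultdict(list)
    for p in packets:
        windows[int(p.ts)].append(p)

    for sec in sorted(windows):
        window = sorted(windows[sec], key=lambda p: p.ts)
        per_src = Counter(p.src_mac for p in window)

        # Stage 2: attack source tracing (counts every packet aimed at the CPU)
        for mac, n in per_src.items():
            if n > policy.auto_defend_threshold:
                alarms.append((sec, mac, n))

        # Stage 1: blacklist, then stage 3: per-type rate limit
        per_type, admitted = Counter(), []
        for p in window:
            if p.src_mac in policy.blacklist_macs:
                dropped[p.ptype] += 1
                continue
            if per_type[p.ptype] < policy.rate_limit.get(p.ptype, default_limit):
                per_type[p.ptype] += 1
                admitted.append(p)
            else:
                dropped[p.ptype] += 1

        # Stage 4: total CPU budget, served in priority order (the stable sort
        # keeps arrival order within one priority level)
        admitted.sort(key=lambda p: -policy.priority.get(p.ptype, default_priority))
        for i, p in enumerate(admitted):
            if i < policy.total_pps:
                passed[p.ptype] += 1
                passed_by_src[p.src_mac] += 1
            else:
                dropped[p.ptype] += 1

    return {"passed": passed, "dropped": dropped,
            "passed_by_src": passed_by_src, "alarms": alarms}


ATTACKER_MAC = "0001-c0a8-0102"   # the MAC traced in the guide's example


def run_scenario(blacklist_attacker):
    """One constructed second of traffic mirroring the guide's scenario."""
    policy = CpuDefendPolicy(
        rate_limit={"arp-request": 64, "dhcp-client": 128},
        priority={"arp-request": 2, "dhcp-client": 3},
        blacklist_macs={ATTACKER_MAC} if blacklist_attacker else set(),
        auto_defend_threshold=50,
        total_pps=150,   # deliberately small so that the priority stage matters
    )
    pkts = [Packet(i / 1000, "arp-request", ATTACKER_MAC) for i in range(200)]   # flood
    pkts += [Packet(0.2 + i / 1000, "dhcp-client", f"0002-0000-{i:04x}") for i in range(120)]
    pkts += [Packet(0.5 + i / 1000, "arp-request", f"0003-0000-{i:04x}") for i in range(30)]  # legitimate
    return apply_policy(pkts, policy)


if __name__ == "__main__":
    for flag in (False, True):
        r = run_scenario(flag)
        print("blacklist" if flag else "no blacklist", dict(r["passed"]),
              "attacker passed:", r["passed_by_src"][ATTACKER_MAC], "alarms:", r["alarms"])
```

Without the blacklist the alarm fires, but the 30 ARP Request packets that reach the CPU all belong to the attacker, because the per-type limit of 64 pps is consumed by whichever packets arrive first; with the traced MAC blacklisted, the same 30 slots go to the legitimate hosts and the alarm still records the attempt.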

Example for Configuring Local Attack Defense
Networking Requirements

As shown in Figure 1-14, users on different LANs access the Internet through RouterA. To locate attacks on RouterA, attack source tracing needs to be configured. The following situations occur:

  • A user on Net1 frequently initiates attacks on RouterA.
  • The attacker sends a large number of ARP Request packets, degrading CPU performance.
  • The administrator needs to upload files to RouterA using FTP, so an FTP connection between the administrator's host and RouterA needs to be set up.
  • Most LAN users obtain IP addresses using DHCP, but RouterA does not process dhcp-client packets sent to the CPU first.
  • The Telnet server is not enabled on RouterA, but RouterA often receives a large number of Telnet packets.

Configurations need to be performed on RouterA to solve the preceding problems.

Figure 1-14  Networking diagram for configuring local attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a blacklist and add attackers on Net1 to the blacklist to prevent users on Net1 from accessing the network.
  2. Configure the rate limit for ARP Request packets sent to the CPU to ensure that the CPU can process normal services.
  3. Configure active link protection (ALP) for FTP so that file data can be transmitted between the administrator's host and RouterA.
  4. Configure a high priority for dhcp-client packets so that RouterA first processes dhcp-client packets sent to the CPU.
  5. Disable the Telnet server on RouterA so that RouterA discards all received Telnet packets.

Procedure

  1. Configure an ACL to be referenced by the blacklist.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] acl number 4001
    [RouterA-acl-L2-4001] rule 5 permit source-mac 0001-c0a8-0102
    [RouterA-acl-L2-4001] quit
    

  2. Create an attack defense policy.

    [RouterA] cpu-defend policy devicesafety
    

  3. Configure the alarm threshold for attack source tracing.

    [RouterA-cpu-defend-policy-devicesafety] auto-defend enable
    [RouterA-cpu-defend-policy-devicesafety] auto-defend threshold 50

  4. Configure a blacklist.

    [RouterA-cpu-defend-policy-devicesafety] blacklist 1 acl 4001
    

  5. Configure the rate limit for ARP Request packets sent to the CPU.

    [RouterA-cpu-defend-policy-devicesafety] packet-type arp-request rate-limit 64
    

  6. Configure the rate limit for FTP packets after ALP is enabled.

    [RouterA-cpu-defend-policy-devicesafety] application-apperceive packet-type ftp rate-limit 2000
    

  7. Set the priority of dhcp-client packets.

    [RouterA-cpu-defend-policy-devicesafety] packet-type dhcp-client priority 3
    [RouterA-cpu-defend-policy-devicesafety] quit

  8. Apply the attack defense policy.

    # Enable ALP for FTP.

    [RouterA] cpu-defend application-apperceive ftp enable

    # Apply the attack defense policy to the main control board.

    [RouterA] cpu-defend-policy devicesafety

  9. Disable the Telnet server.

    [RouterA] undo telnet server enable
    NOTE:

    You do not need to disable application layer association. The router discards all received Telnet packets after the Telnet server is disabled.

  10. Verify the configuration.

    # View information about the configured attack defense policy.

    [RouterA] display cpu-defend policy devicesafety
     Related slot : <0>                                                             
     BlackList Status :                                                             
       Slot<0> : Success                                                            
     Configuration :                                                                
       Blacklist 1 ACL number : 4001                                                
       Packet-type arp-request rate-limit : 64(pps)                               
       Packet-type dhcp-client priority : 3 
       Rate-limit all-packets : 2000(pps)(default)                                          
       Application-apperceive packet-type ftp : 2000(pps)                           
       Application-apperceive packet-type tftp : 2000(pps) 
    

    # View the rate limit configuration on the main control board. The output shows that application layer association for Telnet is configured successfully, and that the rate limit for ARP Request packets sent to the CPU and the priority for dhcp-client packets are set successfully.

    <Huawei> display cpu-defend configuration sru
    Rate configurations on main board.                                              
    -----------------------------------------------------------------               
    Packet-type              Status        Rate-limit(PPS)  Priority                
    -----------------------------------------------------------------               
    8021X                     Disabled          160             2                   
    arp-miss                  Enabled            64             2                   
    arp-reply                 Enabled           128             2                   
    arp-request               Enabled            64             2                   
    bfd                       Disabled          512             4                   
    bgp                       Enabled           256             3                   
    bgp4plus                  Enabled           256             3                   
    capwap                    Enabled           512             1
    dhcp-client               Enabled           128             3                   
    ......
    telnet-server             Disabled          128             4                   
    ttl-expired               Enabled           256             1                   
    udp-helper                Disabled           32             2                   
    unknown-multicast         Enabled           128             1                   
    unknown-packet            Enabled           256             1                   
    voice                     Enabled           256             4                   
    vrrp                      Disabled          256             3                   
    wapi                      Enabled          1024             2
    x25                       Enabled          4096             1 
    -----------------------------------------------------------------    

    # The attack source tracing log for Net1 shows that attack source tracing has taken effect.

    Dec 18 2010 09:55:50-05:13 device %%01SECE/4/USER_ATTACK(l)[0]:User attack occurred.(Slot=MPU, SourceAttackInterface=Ethernet2/0/1, OuterVlan/InnerVlan=0/0, UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)
    

    # View the statistics on packets sent to the SRU. The dropped ARP Request packets show that the rate limit for ARP Request packets has taken effect.

    <Huawei> display cpu-defend statistics
    -----------------------------------------------------------------------         
    Packet Type               Pass Packets        Drop Packets                      
    -----------------------------------------------------------------------         
    8021X                                0                   0                      
    arp-miss                             5                   0                      
    arp-reply                         8090                   0                      
    arp-request                    1446576              127773                      
    bfd                                  0                   0                      
    bgp                                  0                   0                      
    bgp4plus                             0                   0                      
    dhcp-client                        879                   0                      
    dhcp-server                          0                   0                      
    dhcpv6-reply                         0                   0                      
    dhcpv6-request                       0                   0                      
    dns                                  4                   0                      
    fib-hit                              0                   0                      
    ftp-client                           0                   0                      
    ftp-server                           0                   0                      
    ......
    udp-helper                           0                   0                      
    unknown-multicast                    0                   0                      
    unknown-packet                   66146                   0                      
    voice                                0                   0                      
    vrrp                                 0                   0                      
    ---------------------------------------------------------------------
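Verification output like the above is usually read by a monitoring script rather than by eye. The Python below is an added example, not Huawei tooling: it parses a constructed copy of the display cpu-defend statistics output and the USER_ATTACK log line shown in this section, flags packet types whose drop share indicates that the CP-CAR limit is active, and renders the traced MAC address in the Layer 2 ACL rule syntax used in step 1. The regular expressions assume the column and field layout shown on this page; the 1% drop-ratio threshold is an arbitrary constructed default.

```python
"""Parse CPU-defend verification output (added example, not Huawei tooling)."""
import re

# Constructed sample: a copy of the 'display cpu-defend statistics' output in this
# section, with the "......" elision kept to show that it is skipped.
CPU_DEFEND_STATS = """\
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                                0                   0
arp-miss                             5                   0
arp-reply                         8090                   0
arp-request                    1446576              127773
dhcp-client                        879                   0
......
unknown-packet                   66146                   0
-----------------------------------------------------------------------
"""

# Constructed sample: the USER_ATTACK log line from this section, unwrapped.
USER_ATTACK_LOG = (
    "Dec 18 2010 09:55:50-05:13 device %%01SECE/4/USER_ATTACK(l)[0]:User attack "
    "occurred.(Slot=MPU, SourceAttackInterface=Ethernet2/0/1, OuterVlan/InnerVlan=0/0, "
    "UserMacAddress=0001-c0a8-0102, AttackPackets=48 packets per second)"
)

STAT_LINE = re.compile(r"^\s*([A-Za-z0-9][\w-]*)\s+(\d+)\s+(\d+)\s*$")
ATTACK_LOG = re.compile(
    r"%%01SECE/4/USER_ATTACK\(l\)\[\d+\]:User attack occurred\.\((?P<fields>[^)]*)\)"
)
FIELD = re.compile(r"([\w/]+)=([^,]+)")


def parse_cpu_defend_statistics(text):
    """Map packet type -> (pass_packets, drop_packets); headers, rules and '......' are skipped."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def rate_limited_types(stats, min_drop_ratio=0.01):
    """Packet types whose drop share is at or above the ratio: the CP-CAR limit is biting there."""
    out = {}
    for ptype, (passed, dropped) in stats.items():
        total = passed + dropped
        if total and dropped / total >= min_drop_ratio:
            out[ptype] = dropped / total
    return out


def parse_user_attack_log(line):
    """Extract the traced source from a USER_ATTACK log line, or None for any other line."""
    m = ATTACK_LOG.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD.findall(m.group("fields"))}
    pps = re.search(r"\d+", fields.get("AttackPackets", ""))
    return {
        "slot": fields.get("Slot"),
        "interface": fields.get("SourceAttackInterface"),
        "vlan": fields.get("OuterVlan/InnerVlan"),
        "mac": fields.get("UserMacAddress"),
        "pps": int(pps.group()) if pps else None,
    }


def blacklist_acl_rule(event, rule_id=5):
    """Render the Layer 2 ACL rule syntax used in step 1 for a traced MAC address."""
    return f"rule {rule_id} permit source-mac {event['mac']}"


if __name__ == "__main__":
    stats = parse_cpu_defend_statistics(CPU_DEFEND_STATS)
    for ptype, ratio in rate_limited_types(stats).items():
        print(f"{ptype}: {ratio:.1%} of packets dropped by CP-CAR")
    event = parse_user_attack_log(USER_ATTACK_LOG)
    print(event, "->", blacklist_acl_rule(event))
```

On the sample output only arp-request shows drops (about 8% of its packets), which is exactly the packet type given an explicit rate limit in step 5; a type that drops packets without having a configured limit would be worth investigating before it is attributed to CP-CAR.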

Configuration Files

Configuration files on RouterA

#
sysname RouterA
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety                                                  
 blacklist 1 acl 4001                                                           
 packet-type arp-request rate-limit 64                                          
 packet-type dhcp-client priority 3                                             
 application-apperceive packet-type ftp rate-limit 2000                         
 auto-defend enable                                                             
 auto-defend threshold 50  
#
 cpu-defend-policy devicesafety
# 
return

IPv6 Attack Defense

When the network is running properly, devices receive ICMPv6 packets as expected. Under heavy traffic, if host unreachable or port unreachable events occur frequently, the devices receive a large number of ICMPv6 packets, which burdens the network and degrades device performance. In addition, attackers may use ICMPv6 error packets to probe the internal network topology.

To improve network performance and security, disable the system from receiving ICMPv6 Echo Reply packets, Host Unreachable packets, and Port Unreachable packets.

Procedure
  1. Disable the system from receiving ICMPv6 Echo Reply packets, Host Unreachable packets, and Port Unreachable packets.
    <Huawei> system-view
    [Huawei] undo ipv6 icmp echo-reply receive 
    [Huawei] undo ipv6 icmp port-unreachable receive 
    [Huawei] undo ipv6 icmp host-unreachable receive 
    
Precautions

When the network is running properly, you can run the ipv6 icmp receive command to enable the system to receive ICMPv6 packets again.

After the system is disabled from receiving ICMPv6 Echo Reply, Host Unreachable, and Port Unreachable packets, the main interface cannot process these ICMPv6 packets. In addition, the system only counts the total number of discarded packets and does not collect statistics about these specific packets.

Configuring Hello Packet Attack Defense on a Multicast Network

Context

On a network running multicast services, multicast data flows are normally transmitted from multicast sources to receivers. However, the network is exposed to attacks such as Hello packets from malicious users, which interrupt multicast traffic forwarding.

Attack Hello packets are often seen during designated router (DR) election in the Protocol Independent Multicast (PIM) protocol. As shown in Figure 1-15, the attacker sends Hello packets carrying an IP address that lies on a different network segment but is larger than the routers' IP addresses. As a result, the attacker is elected as the DR, and multicast data flows cannot be forwarded by the real DR. To enhance the security of the multicast network, you can configure a neighbor filtering policy to filter out Hello packets from other network segments.

Figure 1-15  Hello packet attack defense on a multicast network
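To see why an off-segment Hello wins the election and how the neighbor filtering policy stops it, the following Python simulation is an added example, not Huawei code. It ranks candidates by DR priority and then by IP address (the PIM rule of RFC 7761, which reduces to the "highest IP address" rule of the scenario above when all priorities are equal, and it also covers the case where the off-segment Hello claims a high priority); the addresses 172.16.2.1 for RouterA, 172.16.2.2 for RouterB and 192.168.10.254 for the attacker are constructed, and shared_segment_acl() stands in for the basic ACL 2001 applied with pim neighbor-policy in the procedure.

```python
"""PIM DR election with a neighbor filtering policy (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hello:
    src_ip: str
    dr_priority: int = 1    # PIM default DR priority; equal priorities fall back to the IP compare


def shared_segment_acl(network):
    """Constructed stand-in for a basic ACL such as 'rule permit source 172.16.2.0 0.0.0.255':
    returns a predicate that permits only sources inside the given segment."""
    net = ipaddress.ip_network(network)
    return lambda ip: ipaddress.ip_address(ip) in net


def elect_dr(local_ip, local_priority, hellos, neighbor_policy=None):
    """Elect the DR among the local router and the neighbors whose Hellos are accepted.

    Ranking follows RFC 7761: higher DR priority wins, ties go to the higher IP
    address, which is the 'highest IP' rule of the guide when all priorities match.
    Returns (dr_ip, list of source IPs rejected by the neighbor policy).
    """
    accepted = [h for h in hellos if neighbor_policy is None or neighbor_policy(h.src_ip)]
    rejected = [h.src_ip for h in hellos if h not in accepted]
    candidates = [(local_priority, ipaddress.ip_address(local_ip))]
    candidates += [(h.dr_priority, ipaddress.ip_address(h.src_ip)) for h in accepted]
    best_priority, best_ip = max(candidates)
    return str(best_ip), rejected


# Constructed addresses: RouterA and RouterB on the shared segment 172.16.2.0/24
# from the guide, and an attacker on another segment with a numerically larger address.
ROUTER_A, ROUTER_B, ATTACKER = "172.16.2.1", "172.16.2.2", "192.168.10.254"


def run_scenario():
    """Run the election with and without the neighbor policy on RouterA."""
    hellos = [Hello(ROUTER_B), Hello(ATTACKER)]
    policy = shared_segment_acl("172.16.2.0/24")    # pim neighbor-policy 2001 equivalent
    without, _ = elect_dr(ROUTER_A, 1, hellos)
    with_policy, rejected = elect_dr(ROUTER_A, 1, hellos, policy)
    return {"unfiltered_dr": without, "filtered_dr": with_policy, "rejected": rejected}


if __name__ == "__main__":
    print(run_scenario())
```

Without the policy the attacker's larger address wins the tie on priority; with the policy its Hello never becomes a candidate, so RouterB (the highest address on the segment) is elected, and the same holds even if the attacker advertises a higher DR priority, because the filter is applied before the election rather than as part of it.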

Procedure

  1. Configure a neighbor filtering policy.

    # As shown in Figure 1-15, the attacker connects to the shared network segment of the receiver. Configure a neighbor filtering policy on RouterA and RouterB to permit packets from the shared network segment and block Hello packets from other network segments. The configuration of RouterB is similar to that of RouterA and is not described here.
    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] acl number 2001
    [RouterA-acl-basic-2001] rule permit source 172.16.2.0 0.0.0.255
    [RouterA-acl-basic-2001] quit
    [RouterA] multicast routing-enable
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] pim neighbor-policy 2001

  2. Verify the configuration.

    # Run the display acl all command to view the ACL configuration.
    <RouterA> display acl all
     Total quantity of nonempty ACL number is 1                                     
                                                                                    
    Basic ACL 2001, 1 rule                                                          
    Acl's step is 5                                                                 
     rule 5 permit source 172.16.2.0 0.0.0.255     

Updated: 2019-05-06

Document ID: EDOC1000097300
