AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Security Defense Capabilities of the Forwarding Plane

To protect the CPU and keep the device running normally, the forwarding plane provides the following security defense capabilities:
  • Access control list (ACL)
  • Unicast reverse path forwarding (URPF)
  • Layer 2 Address Resolution Protocol (ARP)/MAC entry restriction
  • Dynamic Host Configuration Protocol (DHCP) Snooping
  • ARP attack defense
  • Bidirectional ARP isolation

ACLs

An ACL is an ordered list of rules. Each rule matches on packet fields such as the source address, destination address, and port numbers, and the ACL classifies packets by evaluating its rules in order. When the ACL is applied on a device, it determines which packets are accepted and which are rejected.

For example, an ACL can reject all Telnet access to a local server while still allowing mail to be delivered to it over Simple Mail Transfer Protocol (SMTP).

Each ACL can contain multiple rules. Based on rule functions, ACLs are classified into interface ACLs, basic ACLs, advanced ACLs, and Multiprotocol Label Switching (MPLS) ACLs. An ACL is a set of matching options; select and configure the ACL type according to the service to be protected.

ACLs can be classified from different perspectives. See the following table.

Table 1-2  ACL classification

Classification basis: IP version supported
ACL types:
  • ACL4 (IPv4)
  • ACL6 (IPv6)

Classification basis: function of ACL rules
ACL types:
  • Basic ACLs: match on the source address of packets. IDs range from 2000 to 2999, so 1000 basic ACLs are supported.
  • Advanced ACLs: match on the 5-tuple of packets: source address, destination address, protocol number (for example TCP or User Datagram Protocol (UDP)), source port number, and destination port number.

    Advanced ACLs are either numbered or named:

    • Numbered ACLs use IDs 3000 to 3999, so 1000 numbered advanced ACLs are supported.
    • Named ACLs are assigned internal IDs 42768 to 75535, so 32768 named ACLs are supported.
  • Layer 2 ACLs: match on Layer 2 header fields such as source MAC address, destination MAC address, and Layer 2 protocol type. A time range can be configured for an ACL rule of any type to control when it takes effect.

The following table lists the filter options supported by the three ACL types classified based on ACL functions.

Table 1-3  Filter options supported by different ACLs

ACL type: Basic ACLs
Supported filter options:

  Source IP address: the source address to match. If no source address is configured, packets with any source address match the rule.

  Validity period: the time range during which the rule is effective. If no validity period is set, the rule takes effect immediately after being configured.

ACL type: Advanced ACLs
Supported filter options:

  Protocol type: the IP protocol, given as a name or as a number from 1 to 255. Supported names are gre, icmp, igmp, ip, ipinip, ospf, tcp, and udp. Different parameters are available for different protocols; source and destination port numbers can be set only for TCP and UDP.

  Source IP address: the source address to match. If no source address is configured, packets with any source address match the rule.

  Destination IP address: the destination address to match. If no destination address is configured, packets with any destination address match the rule.

  Source and destination ports: the source and destination port numbers of TCP or UDP packets; effective only for TCP and UDP. If no source or destination port number is configured, TCP or UDP packets with any source or destination port match the rule.

  Differentiated services code point (DSCP): the most significant six bits of the Type of Service (TOS) byte in the IP header. The value ranges from 0 to 63.

  Fragment packet type: when this option is set, the rule matches only non-first fragments (fragments with a nonzero fragment offset). Such fragments carry no Layer 4 header, so port-based conditions cannot be evaluated on them.

  Precedence: the IP precedence field, that is, the most significant three bits of the TOS byte, given as a keyword or as an integer from 0 to 7.

  TCP flag: the value of the TCP flags field, from 0 to 63 (a 6-bit value covering URG, ACK, PSH, RST, SYN, and FIN).

  TOS: packets can be filtered on the whole TOS field.

  ICMP: ICMP packets can be filtered by message name, type, and code; effective only for ICMP. If this option is not configured, all ICMP packets match the rule.

  Validity period: the time range during which the rule is effective. If no validity period is set, the rule takes effect immediately after being configured.

ACL type: Layer 2 ACLs
Supported filter options:

  Source MAC address: the source MAC address to match. If no source MAC address is specified, frames from any source MAC address are matched.

  Destination MAC address: the destination MAC address to match. If no destination MAC address is specified, frames to any destination MAC address are matched.

  Ethernet protocol type: the Ethernet frame type to match. If no Ethernet protocol type is specified, frames of any type are matched.

  VLAN ID: the VLAN ID to match. If no VLAN ID is specified, frames from any VLAN are matched.

  802.1p priority: the 802.1p priority to match. If no 802.1p priority is specified, frames with any 802.1p priority are matched.

  Validity period: the time range during which the rule is effective. If no validity period is set, the rule takes effect immediately after being configured.
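The following Python model is an added example and is not Huawei code or device configuration. It shows how an ordered ACL is evaluated against packets using the filter options of Table 1-3 (addresses, protocol, ports, DSCP, and the fragment option), and reproduces the document's Telnet-deny/SMTP-permit case. The rule and packet field names, the "permit unmatched packets" default, and the RFC 5737 addresses are assumptions of the model.

```python
# Added example, not Huawei code: a minimal model of how an ordered ACL is
# evaluated against packets, covering the filter options in Table 1-3.
# Rules are tested in configuration order and the first match decides; a
# packet matching no rule gets the ACL's default action. A field left unset
# (None) in a rule matches anything. All addresses are constructed (RFC 5737).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                  # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: int = 0
    non_first_fragment: bool = False   # fragment offset > 0: carries no L4 header


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # None or "ip" matches any IP protocol
    src: Optional[str] = None          # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None
    fragments_only: bool = False       # the "fragment" option: non-first fragments only

    def matches(self, p: Packet) -> bool:
        if self.proto not in (None, "ip") and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        if self.fragments_only and not p.non_first_fragment:
            return False
        if self.sport is not None or self.dport is not None:
            # Port conditions apply only to TCP/UDP, and a non-first fragment
            # has no transport header, so such a rule can never match it.
            if p.proto not in ("tcp", "udp") or p.non_first_fragment:
                return False
            if self.sport is not None and p.sport != self.sport:
                return False
            if self.dport is not None and p.dport != self.dport:
                return False
        return True


@dataclass
class Acl:
    rules: list = field(default_factory=list)
    # Assumption of this model: unmatched packets are permitted. On a real
    # device the fate of unmatched traffic depends on where the ACL is applied.
    default_action: str = "permit"

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default_action


# The document's example: reject Telnet to the local server, still allow SMTP.
SERVER = "192.0.2.10/32"
server_acl = Acl(rules=[
    Rule("deny",   proto="tcp", dst=SERVER, dport=23),   # Telnet
    Rule("permit", proto="tcp", dst=SERVER, dport=25),   # SMTP
    Rule("deny",   dst=SERVER),                          # everything else to the server
])

# An ACL using the fragment option: drop non-first fragments only, so that
# fragmented streams cannot slip past port-based filtering elsewhere.
frag_acl = Acl(rules=[Rule("deny", fragments_only=True)])


def check_server_acl() -> dict:
    client = "198.51.100.7"
    return {
        "telnet":     server_acl.decide(Packet(client, "192.0.2.10", "tcp", 40000, 23)),
        "smtp":       server_acl.decide(Packet(client, "192.0.2.10", "tcp", 40001, 25)),
        "http":       server_acl.decide(Packet(client, "192.0.2.10", "tcp", 40002, 80)),
        # A non-first fragment of the SMTP stream has no TCP header: the port
        # rules cannot match it and the catch-all deny wins.
        "smtp_frag":  server_acl.decide(Packet(client, "192.0.2.10", "tcp", non_first_fragment=True)),
        "other_host": server_acl.decide(Packet(client, "192.0.2.20", "tcp", 40003, 23)),
        "frag_rule":  frag_acl.decide(Packet(client, "192.0.2.20", "udp", non_first_fragment=True)),
        "frag_first": frag_acl.decide(Packet(client, "192.0.2.20", "udp", 5000, 53)),
    }
```

The "smtp_frag" case is the practical reason the fragment option exists: a rule that needs port numbers cannot see them in a non-first fragment, so either a trailing deny or an explicit fragment rule has to decide what happens to those packets.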

URPF

URPF works in strict mode or loose mode. When Layer 3 IP packets arrive at the network processor (NP), a URPF-capable device looks up the forwarding information base (FIB). If the packets are destined to the device itself (they match a local route), the device performs the URPF check before sending them to the control plane (CP). During the URPF check, the device uses the routing table to determine whether the source IP address of each packet is valid.

URPF can be set to strict mode or loose mode and can optionally include the default route in the check:

  • In strict mode, a packet passes only if it matches a route and the inbound interface of the packet is the outbound interface of that route. Otherwise, the packet is discarded.
  • In loose mode, a packet passes if it matches any route. Otherwise, the packet is discarded. By default, the default route is not considered in either mode unless this is explicitly configured.

Default-route matching is combined only with strict URPF. When a packet matches a specific route or the default route and its inbound interface is the outbound interface of the matched route, the packet passes; otherwise it is discarded. Default-route matching cannot be configured together with loose URPF: with a default route in the table every source address matches some route, so a loose check would never discard anything and would provide no defense. Loose URPF and strict URPF are mutually exclusive.
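The following Python model is an added example and is not Huawei code. It runs a strict and a loose URPF check, with and without default-route matching, over a small constructed FIB, and shows why loose mode plus the default route would pass every packet. The interface names, prefixes, and the function names are assumptions of the model.

```python
# Added example, not Huawei code: a model of the URPF check in strict and
# loose mode, with and without the allow-default-route option. The FIB,
# interface names and addresses are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> outbound interface. "0.0.0.0/0" is the default route.
FIB = {
    "10.1.0.0/16":  "GE0/0/1",   # internal network behind GE0/0/1
    "10.2.0.0/16":  "GE0/0/2",
    "192.0.2.0/24": "GE0/0/3",   # customer prefix
    "0.0.0.0/0":    "GE0/0/0",   # default route toward the upstream
}


def lookup(src: str, allow_default: bool):
    """Longest-prefix match of the source address in the FIB.
    Returns (network, out_if) or None. The default route takes part in the
    lookup only when allow_default is set."""
    addr = ip_address(src)
    best = None
    for prefix, out_if in FIB.items():
        net = ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_check(src: str, in_if: str, mode: str, allow_default: bool = False) -> bool:
    """Return True if a packet with source src arriving on in_if passes URPF."""
    hit = lookup(src, allow_default)
    if hit is None:
        return False                  # no route back to the source: discard
    if mode == "loose":
        return True                   # any matching route is enough
    if mode == "strict":
        return hit[1] == in_if        # the route must point back out the ingress interface
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> dict:
    return {
        # Legitimate packet: 10.1.5.5 arrives on GE0/0/1, where the FIB routes it.
        "strict_ok":        urpf_check("10.1.5.5", "GE0/0/1", "strict"),
        # Spoofed packet: claims 10.1.5.5 but arrives from the upstream on GE0/0/0.
        "strict_spoof":     urpf_check("10.1.5.5", "GE0/0/0", "strict"),
        # Loose mode accepts that same spoofed packet because a route exists somewhere.
        "loose_spoof":      urpf_check("10.1.5.5", "GE0/0/0", "loose"),
        # Unroutable source: both modes discard it while the default route is ignored.
        "strict_bogon":     urpf_check("203.0.113.9", "GE0/0/0", "strict"),
        "loose_bogon":      urpf_check("203.0.113.9", "GE0/0/0", "loose"),
        # Strict + default route: Internet sources on the upstream interface pass ...
        "strict_def_up":    urpf_check("203.0.113.9", "GE0/0/0", "strict", allow_default=True),
        # ... but a spoofed internal source on the upstream interface still fails,
        # because the more specific route points to GE0/0/1.
        "strict_def_spoof": urpf_check("10.1.5.5", "GE0/0/0", "strict", allow_default=True),
        # Loose + default route passes anything from anywhere, hence it is not offered.
        "loose_def_any":    urpf_check("203.0.113.9", "GE0/0/1", "loose", allow_default=True),
    }
```

The "strict_def_spoof" case is the one that matters when enabling default-route matching on an upstream interface: the longest-prefix match still wins over the default route, so internal prefixes cannot be spoofed from outside even though unknown Internet sources are accepted.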

DHCP Snooping

DHCP snooping is a DHCP security feature. It uses MAC address limiting, DHCP snooping binding tables (bindings of IP addresses to MAC addresses and interfaces), trusted interfaces, and Option 82 to filter untrusted DHCP messages. In this way DHCP DoS attacks, forged DHCP servers, ARP man-in-the-middle attacks, and IP/MAC address spoofing can be prevented for devices that use DHCP. DHCP snooping acts like a firewall between DHCP clients and the DHCP server.

DHCP snooping is used to prevent the following attacks:

  • DHCP address exhaustion (starvation) attacks
  • DHCP server forgery
  • Man-in-the-middle attacks and IP address and MAC address spoofing

DHCP snooping uses a different working mode for each attack type. See the following table.

Attack type: DHCP address exhaustion (starvation) attacks
Working mode: The number of MAC addresses that can be learned on an interface is limited, so an attacker on that interface cannot request leases under many forged MAC addresses and exhaust the DHCP address pool.

Attack type: DHCP server forgery
Working mode: Interfaces are classified as trusted or untrusted. DHCP server messages (such as Offer and Ack) arriving on untrusted interfaces are discarded, so a forged DHCP server cannot hand out false IP addresses to clients.

Attack type: Man-in-the-middle attacks and IP address and MAC address spoofing
Working mode: DHCP snooping builds a binding table from the leases it observes. The binding between IP address, MAC address, and interface is checked, and packets carrying a false IP address are discarded, which prevents address spoofing.

Attack type: DoS attacks that change the CHADDR value
Working mode: The CHADDR field in the DHCP payload is compared with the source MAC address of the frame. If they differ, the DHCP packet is treated as a spoofing packet and discarded. This check matters because an attacker who varies only CHADDR, while keeping the frame's source MAC unchanged, would otherwise evade the per-interface MAC address limit.
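The following Python model is an added example and is not Huawei code. It implements the four checks from the table above (trusted versus untrusted interfaces, per-interface MAC limit, the binding table, and CHADDR versus source MAC) and runs them over a constructed DHCP exchange with a legitimate client, a rogue server, and a flooding attacker. Interface names, MAC and IP addresses, the message layout, and the function names are assumptions of the model.

```python
# Added example, not Huawei code: a model of the four DHCP snooping checks in
# the table above (trusted/untrusted interfaces, per-interface MAC limit,
# binding table, CHADDR vs. source MAC), run over constructed DHCP messages.
# Interface names, MAC and IP addresses and the message layout are constructed.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str               # DISCOVER, OFFER, REQUEST, ACK, RELEASE, ...
    in_if: str              # interface the frame arrived on
    src_mac: str            # Ethernet source address of the frame
    chaddr: str             # client hardware address inside the DHCP payload
    src_ip: str = "0.0.0.0"
    yiaddr: str = "0.0.0.0" # address assigned by the server (OFFER/ACK)


@dataclass
class Snooper:
    trusted: set                                   # interfaces facing the real DHCP server
    mac_limit: int = 3                             # max MACs learned per untrusted interface
    learned: dict = field(default_factory=dict)    # interface -> set of learned MACs
    pending: dict = field(default_factory=dict)    # chaddr -> client interface awaiting ACK
    bindings: dict = field(default_factory=dict)   # (ip, mac) -> client interface

    def inspect(self, m: DhcpMsg) -> str:
        """Return 'forward' or a 'drop:<reason>' string for a DHCP message."""
        if m.kind in SERVER_MSGS:
            # Server forgery: server messages may only enter on trusted interfaces.
            if m.in_if not in self.trusted:
                return "drop:server-msg-on-untrusted"
            if m.kind == "ACK" and m.chaddr in self.pending:
                # Lease confirmed: record (IP, MAC) -> client-facing interface.
                self.bindings[(m.yiaddr, m.chaddr)] = self.pending.pop(m.chaddr)
            return "forward"
        # Client messages on untrusted interfaces.
        # CHADDR spoofing: varying only CHADDR would evade the per-port MAC
        # limit (the frame's source MAC never changes), so the two must agree.
        if m.chaddr != m.src_mac:
            return "drop:chaddr-mismatch"
        # Address exhaustion: cap the MACs learned on this interface.
        macs = self.learned.setdefault(m.in_if, set())
        if m.src_mac not in macs:
            if len(macs) >= self.mac_limit:
                return "drop:mac-limit"
            macs.add(m.src_mac)
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[m.chaddr] = m.in_if
        return "forward"

    def check_ip(self, src_ip: str, src_mac: str, in_if: str) -> str:
        """Binding-table check of an ordinary IP packet: the (IP, MAC) pair must
        have been leased on the interface the packet arrives on."""
        if self.bindings.get((src_ip, src_mac)) == in_if:
            return "forward"
        return "drop:no-binding"


def demo() -> dict:
    s = Snooper(trusted={"GE0/0/24"}, mac_limit=3)
    client = "aa:aa:aa:00:00:01"
    out = {}
    # 1. A client on GE0/0/1 requests a lease; the real server answers on the trusted port.
    out["discover"] = s.inspect(DhcpMsg("DISCOVER", "GE0/0/1", client, client))
    out["real_ack"] = s.inspect(DhcpMsg("ACK", "GE0/0/24", "dd:dd:dd:00:00:01", client,
                                        src_ip="10.0.0.1", yiaddr="10.0.0.10"))
    out["binding"] = s.bindings.get(("10.0.0.10", client))
    # 2. A rogue server on an untrusted port tries to hand out 10.0.0.66.
    out["rogue_offer"] = s.inspect(DhcpMsg("OFFER", "GE0/0/2", "cc:cc:cc:00:00:01", client,
                                           src_ip="10.0.0.250", yiaddr="10.0.0.66"))
    # 3. An attacker on GE0/0/3 forges CHADDR without changing the frame's source MAC.
    out["chaddr_spoof"] = s.inspect(DhcpMsg("DISCOVER", "GE0/0/3", "bb:bb:bb:00:00:01",
                                            "bb:bb:bb:00:00:99"))
    # 4. The same attacker floods DISCOVERs from four different MACs; the limit is 3.
    out["flood"] = [s.inspect(DhcpMsg("DISCOVER", "GE0/0/3", f"bb:bb:bb:00:00:{i:02x}",
                                      f"bb:bb:bb:00:00:{i:02x}")) for i in range(1, 5)]
    # 5. Data traffic claiming the leased address from the wrong port, then the right one.
    out["ipsg_spoof"] = s.check_ip("10.0.0.10", client, "GE0/0/3")
    out["ipsg_ok"] = s.check_ip("10.0.0.10", client, "GE0/0/1")
    return out
```

The binding is created only from an Ack that arrived on a trusted interface and that answers a request seen on an untrusted one; that is what ties the leased address to a specific client port and lets the later "ipsg_spoof" packet be rejected.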

Updated: 2019-05-06

Document ID: EDOC1000097300

Views: 5170

Downloads: 72

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next