No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
What Is Layered Security Maintenance

What Is Layered Security Maintenance

Three planes, namely, forwarding plane, control plane, and management plane are planned for IP devices. Network attacks are initiated on the three planes. Generally, network attacks are classified into the following types:

  • Remote attacks: Destination IP addresses are attacked across multi-hop devices.

  • Local attacks: When an attacker is physically connected to a destination device, the attacker attacks the device over the direct connection.

  • Man-in-the-middle attacks: Packets on a link are modified by embedded tools.

Typical attack modes are as follows:

  • Unauthenticated access, such as access over Telnet, Secure Shell Protocol, (SSH) Simple Network Management Protocol (SNMP), and Hypertext Transfer Protocol Secure (HTTPS)

  • Packet spoofing: attacks simulating valid protocol packets

  • Unauthenticated route import

  • Buffer overflow: attacks targeting at protocol or code vulnerabilities

  • Internet Control Message Protocol (ICMP) attacks, such as unreachable packets, redirection packets, and subnet ping

  • Ping of death: ping attacks using ping packets whose size exceeds 64 KB

  • TCP SYN Flood

  • Dictionary attacks

  • SNMP attacks

  • Time to live (TTL) attacks

There are also many other attacks. Nearly all attacks are intended to occupy device resources or redirect data flows.

Data flows of different importance are faced with different security threats, which have different impacts on enterprise users. To avoid mutual impacts between data flows, three security planes are planned on the versatile routing platform (VRP).

The three security planes are as follows:

  • Forwarding plane: A device uses the destination MAC address and IP address of a packet to search for a route before using the route to forward the packet. Security measures must be taken in the forwarding path to prevent attacks on forwarding devices and spreading of the attack traffic over the IP network.

  • Control plane: IP devices must run various protocols to implement services. The services must be protected against attacks or spoofing.

  • Management plane: The application and service data of management users must be secured. That is, management information (including operation, maintenance, and management information) must be secured.

Different security policies must be applied to the management, control, and forwarding planes to protect IP devices against network attacks.

Updated: 2019-05-06

Document ID: EDOC1000097300

Views: 4826

Downloads: 72

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next