AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Evaluation on Security Risks of the device on the Network

Based on the network security threats and the device's vulnerabilities, you can evaluate the security risks the device faces and take measures to suppress them. The following table describes the security risks the device faces and the corresponding risk suppression measures.

Table 1-1  Security risks of the device and the risk suppression measures

Security Threat: Denial of service (DoS) attack

Vulnerabilities of the device:
  1. Insufficient processing capabilities of the control and management planes
  2. Failure to authenticate source addresses due to the openness of IP networks, which enables traffic flooding and address spoofing

Risk Evaluation:
  The processing capabilities of the control and management planes are insufficient, so traffic flooding is easy to trigger and severely damages the device.
  Risk evaluation: high

Risk Suppression Measure:
  1. Strengthen network access control.
  2. Limit the traffic to the control and management planes on the forwarding plane.

Security Threat: Information disclosure

Vulnerabilities of the device:
  1. Many insecure access channels
  2. Insufficient access control capabilities due to the openness of IP networks

Risk Evaluation:
  Insecure access channels are easily used by attackers to initiate attacks. For example, insufficient permission control for device accounts combined with the openness of IP networks may easily lead to attacks.
  Risk evaluation: high

Risk Suppression Measure:
  1. Deactivate insecure access channels.
  2. Strengthen account and permission management.
  3. Plan access control policies properly.

Security Threat: Damaging information integrity

Vulnerabilities of the device:
  Lack of necessary integrity check measures during the transmission of IP packets

Risk Evaluation:
  Many communication protocols have no integrity check mechanism, and the openness of IP networks allows information to be tampered with.
  Risk evaluation: medium

Risk Suppression Measure:
  1. Use the message digest algorithm 5 (MD5) to check whether messages are complete.
  2. Use secure channels to transmit important information.

Security Threat: Unauthorized access

Vulnerabilities of the device:
  The device system is complex and does not grant users permission to access commands and management information bases (MIBs) on a per-user basis.
  The diagnosis and debugging system needs to query internal system information, which also introduces potential security risks.
  An IP network is open and the access paths into it are uncontrollable. As a result, the IP network may suffer unauthorized access from untrusted networks.

Risk Evaluation:
  After a user obtains the rights of a given level, the user may access information beyond that role because there is no finer-grained information isolation.
  The IP network is open, and therefore may encounter unauthorized access from untrusted networks.
  Risk evaluation: medium

Risk Suppression Measure:
  1. Adopt the command authorization mechanism of the Terminal Access Controller Access Control System (TACACS) to prevent the misuse of commands.
  2. Use Simple Network Management Protocol version 3 (SNMPv3) and configure MIB views to limit access to MIBs.
  3. Strengthen network access control.

Security Threat: Identity spoofing

Vulnerabilities of the device:
  The device cannot authenticate all source addresses due to the openness of IP networks.

Risk Evaluation:
  Address spoofing attacks may easily occur, causing forwarding interruption or system overload.
  Risk evaluation: medium

Risk Suppression Measure:
  Enable unicast reverse path forwarding (URPF) and Dynamic Host Configuration Protocol (DHCP) snooping to prevent such attacks.

Security Threat: Replay attack

Vulnerabilities of the device:
  In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, Layer 3 and the layers below it do not process sequence numbers, which makes replay attacks easy to initiate. In addition, the device has insufficient capability to process session requests, so system overload can occur.

Risk Evaluation:
  The capability to process session requests is insufficient, which may cause system overload.
  Risk evaluation: high

Risk Suppression Measure:
  Use the dynamic whitelist to suppress new sessions and retain existing sessions.

Security Threat: Computer viruses

Vulnerabilities of the device:
  The device has insufficient capability to process the traffic flooding caused by network viruses, so system overload occurs.

Risk Evaluation:
  After computers are infected with network viruses, traffic flooding exhausts bandwidth resources and causes CPU overload.
  Risk evaluation: high

Risk Suppression Measure:
  1. Enhance carriers' IT management capabilities.
  2. Configure rate limiting to avoid overload.

Security Threat: Carelessness of engineers

Vulnerabilities of the device:
  The device system is extremely complex, and data configuration is prone to errors.
  The device has insufficient capability to handle the traffic flooding caused by topology flapping or topology loops.

Risk Evaluation:
  Incorrect configurations may damage services.
  Topology flapping and topology loops may overload the device.
  Risk evaluation: medium

Risk Suppression Measure:
  Strengthen training, improve skills, enhance carriers' IT management capabilities, and avoid human errors.
  Configure loop detection and suppression mechanisms to intelligently guard against human errors.

Security Threat: Physical intrusion

Vulnerabilities of the device:
  The device grants many permissions to users who access it through the directly connected serial port or panel interface. Attackers could use these permissions to operate and configure the device system incorrectly.

Risk Evaluation:
  If users who log in through the serial port or panel interface configure the device maliciously, major problems may result. Physical access to telecom networks is usually under strict control.
  Risk evaluation: low

Risk Suppression Measure:
  Enhance physical and environmental security control to prevent security incidents caused by physical access and environmental accidents.
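The identity spoofing row recommends URPF. The following is an added illustration, not Huawei device code or configuration, of how a strict or loose reverse-path check decides whether a packet's source address is plausible for the interface it arrived on; the forwarding table, interface names and sample packets are constructed for the example.

```python
"""Strict vs. loose unicast reverse path forwarding (URPF) source check."""
import ipaddress

# Constructed forwarding table: prefix -> interface through which the prefix is reached.
# Interface names are assumed for the example.
ROUTES = {
    "10.1.0.0/16": "GE0/0/1",      # internal network behind GE0/0/1
    "192.168.5.0/24": "GE0/0/2",   # another internal segment
    "0.0.0.0/0": "GE0/0/0",        # default route toward the upstream
}


def lookup(address, routes=ROUTES):
    """Longest-prefix match. Returns (network, interface) or None if no route matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(src, ingress, mode="strict", allow_default=False, routes=ROUTES):
    """Decide whether a packet with source `src` arriving on `ingress` passes URPF.

    strict: the route back to the source must leave through the ingress interface.
    loose:  any route back to the source suffices (tolerates asymmetric routing).
    A default route only vouches for a source when allow_default is set; otherwise
    it would make every address on the Internet look legitimate.
    """
    route = lookup(src, routes)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def filter_packets(packets, mode="strict", allow_default=False):
    """Return the (src, ingress) pairs that URPF would drop from a packet list."""
    return [p for p in packets if not urpf_permits(p[0], p[1], mode, allow_default)]


if __name__ == "__main__":
    SAMPLE = [("10.1.2.3", "GE0/0/1"),     # legitimate internal host
              ("10.1.2.3", "GE0/0/0"),     # internal source arriving from upstream: spoofed
              ("203.0.113.9", "GE0/0/0")]  # Internet source, only the default route matches
    print("dropped:", filter_packets(SAMPLE))
```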

Updated: 2019-05-06

Document ID: EDOC1000097300