No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Security Defense Capabilities of the Control Plane

Security Defense Capabilities of the Control Plane

To ensure the normal running of control protocols and services, the control plane of the device provides the following security defense capabilities:
  • Application layer association
  • Defense against malformed packet attacks
  • Routing protocol authentication and check (MD5 for OSPF and BGP)
  • Generalized TTL Security Mechanism (GTSM)
  • Attack source tracking and alarm reporting
  • CAR for packets sent to the CPU (CP-defend)
  • Blacklist and whitelist
  • ACL-based user-defined flow
  • Layer 2 loop detection and suppression

Application Layer Association

Application layer association refers to the association between the protocol flag status on the control plane and the protocol packet sending of the forwarding engines (FEs) on the physical layer. After the association is established between the control layer and the physical layer, the protocol flag status is kept consistent. For service protocols disabled on a device, the bottom-layer hardware sends corresponding protocol packets at a low bandwidth by default or even does not send these packets. As a result, the attack scope is narrowed, attack cost is increased, and device security risks are reduced.

For example, if the Border Gateway Protocol (BGP) is disabled on the device, BGP packets are discarded even if they are sent to the CPU. According to the application layer association, BGP packets can be configured to be discarded by the NP.

Defense Against Malformed Packet Attacks

Currently, devices can detect and discard the following malformed packets:

  • Flood packets without IP payloads
  • Null IGMP packets
  • LAND attack packets
  • Smurf attack
  • Packets with invalid TCP flag bits

Security Defense Based on Access Control

devices provide complete ACL capabilities. Based on ACLs, the devices implement CPCAR control, blacklist and whitelist policies, and stream customization.

The CPCAR classifies packets destined for the CPU and applies rate limiting rules to each type of packet. You can set the average rate, committed burst size (CBS), and priority of packets using the CP-CAR. Under the control of different CAR rules, packets of different protocols have smaller impact on each other, which helps protect the CPU. The CAR technology also allows you to set a threshold for the total packet rate. When the total rate exceeds the threshold value, packets to the CPU are discarded to avoid CPU overload.

The whitelist refers to groups of authorized users or high-priority users. It helps actively protect existing services and services of high-priority users. Authorized users or high-priority users can be whitelisted so that packets from these users are sent preferentially at a high rate.

The blacklist refers to groups of unauthorized users. Unauthorized users filtered by using ACLs can be blacklisted so that packets from these users are discarded or sent at a low rate.

Stream customization indicates that you can customize ACL rules for attack defense. Stream customization applies when unknown attacks are detected on a network. You can flexibly specify data characteristics of attack streams so that the data streams are not sent.


The Generalized TTL Security Mechanism (GTSM) checks whether the time to live (TTL) values carried in sent packets are valid to protect the CPU from CPU-utilization (CPU overload) attacks.

Based on the device networking, the number of hops (network nodes) of packets bound for the control plane is limited. You can set the number of hops based on the networking to prevent malicious users from initiating attacks from a remote node.

Layer 2 Loop Detection

Layer 2 loops often cause Internet attacks on devices. When a loop occurs, a device may suffer Address Resolution Protocol (ARP) flooding attacks, broadcast storm, and multicast flooding. In this case, the CPU may be overloaded, causing service interruption or network disconnection.

Devices can fast detect Layer 2 loops, precisely locate positions (interfaces or VLANs) where loops occur, execute proper policies to isolate the interfaces temporarily, and notify network maintenance personnel by reporting alarms.

Updated: 2019-05-06

Document ID: EDOC1000097300

Views: 4799

Downloads: 72

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next