AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.


The following figure shows the security defense architecture of Routers.

Figure 1-1  Security defense architecture of Routers

On Routers, the security defense architecture comprises the following parts:

Security Defense of Forwarding Engines

The forwarding engines (FEs) of Routers provide high performance. Therefore, the best network security solution is to implement security checks on the forwarding plane to identify and process invalid packets.

For example:

In malformed packet check, FEs detect and discard packets that obviously violate protocol rules.

In broadcast storm suppression, FEs discard the packets from the broadcast storm source at the forwarding plane or limit the broadcast packet rate.

Unicast reverse path forwarding (URPF) checks whether the outbound port for a packet's source IP address matches the port on which the packet was received. If they do not match, the packet is discarded.

When fragmented packets flood the network, an ACL can be configured to limit the fragmented packet rate at the forwarding plane.

Because of their high performance, FEs can effectively handle traffic flooding attacks. In this way, the CPU does not need to process flooded packets, and device reliability is ensured.

Security Defense for the Channel from Forwarding Plane to Control Plane

The forwarding plane has a higher processing capacity than the control plane. Therefore, the forwarding plane can easily send enough packets to overload the control plane.

The rate of packets sent from the forwarding plane to the control plane must be limited. In addition, the packet rate of high-priority services and secure services should not be limited. To balance security and availability, the device uses the following mechanisms to improve service processing capacity without degrading operating reliability.

  • cpu-defend policy: A bandwidth for sending packets to the control plane is set for each protocol. Different CPU CARs can be set for different messages of a protocol, for example, ARP Request and ARP Reply.
  • Blacklist: When the device detects an attack or an access deny policy is configured, the blacklist rejects all packets to be sent to the CPU.
  • Whitelist: When sessions on the control plane are secure or trusted access objects are statically configured, the whitelist policy protects their packets from rate limitation.
  • autodefend: Attack sources on the network may send a large number of attack packets to the CPUs of network devices. The autodefend function determines whether these packets constitute an attack and notifies users of attacks by sending logs or alarms.

The preceding measures ensure that packets sent from the forwarding plane to the control plane do not overload the CPU, and they improve CPU efficiency.
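The following added example is a simplified Python model of the checks listed above (blacklist, whitelist, a CAR per packet type, and autodefend-style reporting); it is not Huawei's implementation and not code from this guide. The class names, rates, addresses, and the count-based alarm threshold are assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import Counter, defaultdict

class Car:
    """Token bucket: one committed access rate (CAR) for one packet type."""
    def __init__(self, pps, burst):
        self.pps, self.burst, self.tokens, self.last = pps, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.pps)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class CpuDefend:
    def __init__(self, cars, blacklist, whitelist, alarm_at):
        self.cars = {ptype: Car(*limit) for ptype, limit in cars.items()}
        self.blacklist, self.whitelist, self.alarm_at = set(blacklist), set(whitelist), alarm_at
        self.seen, self.alarms = Counter(), []

    def punt(self, now, src, ptype):
        """Verdict for one packet the forwarding plane wants to send to the CPU."""
        if src in self.blacklist:          # blacklist: rejected outright
            return "drop"
        if src in self.whitelist:          # whitelist: exempt from rate limiting
            return "cpu"
        self.seen[src] += 1                # autodefend-style per-source accounting
        if self.seen[src] == self.alarm_at:
            self.alarms.append(src)        # report once; a device would log or alarm
        return "cpu" if self.cars[ptype].allow(now) else "drop"

def run_demo():
    # Constructed traffic: (time in seconds, source, packet type).
    policy = CpuDefend(cars={"arp-request": (5, 5), "arp-reply": (5, 5)},
                       blacklist={"10.0.0.99"}, whitelist={"10.0.0.1"}, alarm_at=10)
    traffic = [(i / 100, "10.0.0.66", "arp-request") for i in range(20)]   # flood
    traffic += [(0.19, "10.0.0.8", "arp-request"),   # innocent host, same packet type
                (0.19, "10.0.0.8", "arp-reply"),     # separate CAR, unaffected
                (0.19, "10.0.0.1", "arp-request"),   # whitelisted
                (0.19, "10.0.0.99", "arp-reply"),    # blacklisted
                (2.00, "10.0.0.8", "arp-request")]   # bucket has refilled
    verdicts = defaultdict(list)
    for now, src, ptype in traffic:
        verdicts[src].append(policy.punt(now, src, ptype))
    return dict(verdicts), policy.alarms

if __name__ == "__main__":
    print(run_demo())
```

In this model the flood also causes the ARP Request from 10.0.0.8 to be dropped, because the CAR is shared by every source of that packet type, while the ARP Reply limit is untouched; this is why separate CARs per message type and a whitelist for trusted sources matter.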

Security Check and Defense of Application Layer Services

The forwarding plane cannot detect or control complex and in-depth attacks because it lacks the capability of perceiving the structure of every protocol.

The security defense on the channels between the forwarding and control planes only protects the CPU against overload, but does not check whether sent packets are secure.

In this case, security check engines need to be embedded into modules at the application layer. Each protocol stack module must be able to dynamically check the validity of packets and sessions and discard invalid packets or sessions in a timely manner to protect the protocol stacks.

Updated: 2019-05-06

Document ID: EDOC1000097300
