AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Control Plane Security

A large number of control protocols, such as the TCP/IP protocol stack, Border Gateway Protocol (BGP), and Interior Gateway Protocols (IGPs), run on the control plane of IP equipment to deliver services. These protocols may become targets of attacks, or be used as vectors for attacking the equipment. The following table lists the security policies available for these protocols.

Table 2-1  Protocol security policies

| Service Name | Function | Security Policy Availability | Security Policy Description |
|---|---|---|---|
| BGP | BGP session | Authentication | The MD5 and keychain authentication methods are added based on TCP sessions. |
| BGP | BGP session | Generalized TTL security mechanism (GTSM) | The TTL of packets is checked. |
| BGP | BGP session | Whitelist, blacklist, and user-defined streams | A dynamic whitelist can be generated based on BGP sessions. A blacklist can be configured to drop matched packets in advance. Multiple user-defined streams can be configured. |
| BGP | BGP session | CP-CAR | The transmission rate of BGP packets sent to the CPU is limited. |
| BGP | Route | Route limit | The number of routes received from a peer is limited to prevent attacks caused by a large number of routes. |
| BGP | Route | AS-path limitation | The number of AS-paths is limited to avoid problems caused by extra-long AS-paths. |
| Open Shortest Path First (OSPF) | OSPF session | Authentication | The MD5, HMAC-MD5, and keychain authentication methods are added based on IP sessions. |
| OSPF | OSPF session | GTSM | The TTL of packets is checked. |
| OSPF | Route | Route limit | The number of routes sent to the resource manager (RM) is limited to prevent attacks caused by a large number of routes. |
| IS-IS | IS-IS session | Authentication | Packets are authenticated using the simple, MD5, and keychain authentication methods. |
| RIP | RIP session | Authentication | MD5 and keychain |
| RIP | Route control | Routing restriction | The number of learned routes is limited. |
| RIPng | Route control | Routing restriction | The number of learned routes is limited. |
| NTP | NTP session | Authentication | MD5 and autokey |
| NTP (IPv6) | NTP (IPv6) session | Authentication | MD5 and autokey |
| Virtual Router Redundancy Protocol (VRRP) | VRRP backup group | CP-CAR | The transmission rate of VRRP packets sent to the CPU is limited. |
| VRRP | VRRP backup group | Authentication | MD5 and simple key |
| VRRP | VRRP backup group | Attack defense | No command is available. If the VRRP module receives more than five VRRP packets within one second, it starts to drop packets. |
| L2MC | Multicast group on-demand policy (VLAN) | Access control list (ACL) | The ACL is used to filter packets. |
| L2MC | Multicast group on-demand policy (interface) | ACL | The ACL is used to filter packets. Entry learning is not performed for denied entries. |
| L2MC | Multicast fast leave policy | ACL | The ACL is used to filter packets. Fast leave is not performed for denied entries. |
| L2MC | Multicast CAC policy | ACL | The ACL is used to filter packets. Statistics are not collected for permitted entries. |
| IPv4 | ACL policy | ACL | The IP apply policy and ACL security policy are configured on the management network port. The software plane filters the received packets based on the ACL policy. |
| IPv4 | Policy-based routing (PBR) using the ACL policy | ACL | The ACL is used to filter packets. |
| WebServer | HTTP connection | Authentication, ACL, port ID modification, and SSL | The ACL controls which clients are allowed to log in to the server. The HTTP port number can be changed. SSL can be used to ensure secure access by authorized clients. |
| RSVP-TE | All RSVP functions | Blacklist and whitelist | Application layer association is performed when the protocol is enabled. |
| RSVP-TE | RSVP peer | Authentication | Raw-IP-based MD5 and keychain authentication methods |
| MSDP | MSDP session | Authentication | The MD5 and keychain authentication methods are added based on TCP sessions. |
| Multicast | Multicast capacity limitation | Limit | PAF/LCS, internal counting, CAC, and limit command line |
| Multicast | Multicast service boundary setting | Boundary | The multicast service boundary is configured. |
| Multicast | Filtering policy | ACL | The ACL is configured to filter packets. |
| Multicast | Inter-board communication, packet sending, and forwarded traffic control | Rate limit | Rate limits are applied to inter-board communication, packet sending, and forwarded traffic. |
| LDP | LDP session | Authentication | The MD5 and keychain authentication methods are added based on TCP sessions. |
| LDP | LDP session | GTSM | The TTL of packets is checked. |
| LDP | LDP session | CP-CAR | The transmission rate of LDP packets sent to the CPU is limited. |
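As an added example (not part of the Huawei guide or its software), the following Python models two of the checks in the table so their behaviour can be reasoned about: the GTSM TTL check for BGP, OSPF and LDP sessions, and the VRRP attack-defense threshold that drops packets once more than five arrive within one second. The peer addresses, hop counts and packet list are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_TTL = 255  # GTSM peers originate protocol packets with TTL 255

@dataclass
class GtsmPolicy:
    """GTSM: accept a packet only if its TTL fits the peer's configured hop distance."""
    valid_hops: dict  # constructed mapping: peer address -> max hops away

    def accept(self, src, ttl):
        hops = self.valid_hops.get(src)
        if hops is None:
            return False  # not a configured peer
        return ttl >= MAX_TTL - hops  # a remote spoofer cannot raise its TTL

@dataclass
class VrrpRateGuard:
    """VRRP attack defense: drop once more than `limit` packets arrive in `window` s."""
    limit: int = 5
    window: float = 1.0
    _arrivals: deque = field(default_factory=deque)

    def accept(self, now):
        while self._arrivals and now - self._arrivals[0] >= self.window:
            self._arrivals.popleft()      # forget arrivals outside the window
        self._arrivals.append(now)        # count received packets, not just accepted
        return len(self._arrivals) <= self.limit

GTSM_PROTOCOLS = {"bgp", "ospf", "ldp"}

def filter_packets(packets, gtsm, vrrp):
    """packets: (protocol, src, ttl, arrival_time). Returns verdicts in order."""
    verdicts = []
    for proto, src, ttl, t in packets:
        if proto in GTSM_PROTOCOLS:
            ok = gtsm.accept(src, ttl)
        elif proto == "vrrp":
            ok = vrrp.accept(t)
        else:
            ok = True  # other protocols are governed by other rows of the table
        verdicts.append("accept" if ok else "drop")
    return verdicts

# Constructed sample: one 1-hop BGP peer; the last VRRP packet is the sixth in 1 s.
SAMPLE = [("bgp", "10.0.0.2", 255, 0.0), ("bgp", "10.0.0.2", 240, 0.0),
          ("bgp", "198.51.100.7", 255, 0.0)] + [("vrrp", "10.0.0.3", 255, 0.1 * i) for i in range(6)]

def run_sample():
    return filter_packets(SAMPLE, GtsmPolicy({"10.0.0.2": 1}), VrrpRateGuard())
```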

Updated: 2019-05-06

Document ID: EDOC1000097300