AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Multicast

Layer 2 Multicast

Security Policy Introduction

In Layer 2 multicast, group policies can be configured in a VLAN or on an interface to restrict which multicast groups (or multicast source-group pairs) hosts are allowed to join.

Attack Method Introduction

Malicious users send membership reports for large numbers of different, invalid multicast group addresses. As a result, the device creates many invalid multicast forwarding entries that consume system resources, and normal users cannot use services. Multicast group policies can be configured to limit the range of multicast groups that users are allowed to join.

Attacks can also be conducted through forged query packets. When the device learns a multicast router port from received query packets, that port receives traffic for all multicast groups. As a result, a large amount of traffic is sent over this port and occupies interface bandwidth. To resolve this problem, configure static router ports and disable dynamic learning of router ports from received packets.

Configuration Guide

Configure the IPTV group range in the ACL 2000 view, for example rule 5 permit source 225.0.0.0 0.0.0.255.

Configure igmp-snooping group-policy in the VLAN view or interface view to apply the ACL as the multicast group policy.
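
The following model is an added example, not code from this guide or from the device software. It parses basic-ACL rules in the wildcard-mask syntax used above (0 bits must match, 1 bits are don't-care), evaluates IGMP membership reports against the group policy, and shows how an unprotected VLAN's forwarding table is exhausted by reports for arbitrary groups while a hardened VLAN drops them and ignores router-port learning from queries. The same `acl_permits` matching also applies to the PIM neighbor-policy and join-policy ACLs in the Layer 3 section; the ACL contents, port names and the 1024-entry table size are constructed values.

```python
import ipaddress

# Constructed ACL in the guide's basic-ACL syntax: the IPTV group range 225.0.0.0/24.
ACL_2000 = ["rule 5 permit source 225.0.0.0 0.0.0.255"]

def parse_rule(line):
    """Parse 'rule <id> permit|deny source <address> <wildcard>' into a tuple."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "rule" or parts[3] != "source":
        raise ValueError("unsupported rule: " + line)
    return (int(parts[1]), parts[2],
            int(ipaddress.IPv4Address(parts[4])), int(ipaddress.IPv4Address(parts[5])))

def acl_permits(acl_lines, address):
    """Wildcard semantics: 0 bits must match, 1 bits are don't-care. Rules are checked
    in ascending rule-ID order; the first match decides; no match means deny.
    acl_lines=None models a VLAN or interface with no policy applied (everything allowed)."""
    if acl_lines is None:
        return True
    addr = int(ipaddress.IPv4Address(address))
    for _, action, net, wildcard in sorted(parse_rule(line) for line in acl_lines):
        if (addr | wildcard) == (net | wildcard):
            return action == "permit"
    return False

class IgmpSnoopingVlan:
    """Model of one VLAN: group-policy ACL, router-port learning switch, bounded entry table."""
    def __init__(self, group_policy, router_learning=True, max_entries=1024):
        self.group_policy = group_policy
        self.router_learning = router_learning
        self.max_entries = max_entries
        self.groups = {}            # group address -> member ports
        self.router_ports = set()

    def report(self, port, group):
        """Process an IGMP membership report; True if a forwarding entry exists afterwards."""
        if not acl_permits(self.group_policy, group):
            return False            # dropped by igmp-snooping group-policy
        if group not in self.groups and len(self.groups) >= self.max_entries:
            return False            # table exhausted: the resource-exhaustion effect described above
        self.groups.setdefault(group, set()).add(port)
        return True

    def query(self, port):
        """Process an IGMP general query; a router port is learned only if learning is enabled."""
        if self.router_learning:
            self.router_ports.add(port)
        return port in self.router_ports
```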

Layer 3 Multicast

Security Policy Introduction
  • PIM neighbor filtering

    ACL rules can be configured on interfaces to filter received Hello packets. Neighbor relationships are established only with routers whose Hello packets pass the filter.

    When there are a large number of malicious Hello packets, configure rules on interfaces so that the interfaces allow only specified Hello packets and discard malicious Hello packets.

  • PIM Join packet filtering

    ACL rules can be configured on interfaces to filter received Join packets. This can prevent attacks that are conducted through malicious Join packets.

    When there are a large number of malicious Join packets, configure rules on interfaces so that the interfaces allow only specified Join packets and discard malicious Join packets.

  • MSDP MD5 Authentication

    Message Digest 5 (MD5) authentication can be configured on MSDP peers to provide security protection. Enable MD5 authentication and configure the same authentication password on both MSDP peers. After this function is enabled, the transmitting peer computes an MD5 digest over each MSDP message and the shared password and sends the message together with the digest over the TCP connection. The receiving peer recomputes the digest using the same MD5 rules and its own configured password and compares it with the received digest. Only when the digests match does the receiving peer pass the message to the MSDP module for processing. MD5 authentication verifies the integrity and origin of messages; it does not encrypt their contents.

    Only MSDP packets passing MD5 authentication are processed. This effectively prevents attacks that are conducted through malicious packets.

  • MSDP keychain authentication

    The keychain mechanism, together with TCP extension options, allows a password to be configured for each TCP connection. Different authentication algorithms and validity periods can be set for the passwords, and passwords can be changed at any time. This significantly improves the security of authenticated packets.

    Only MSDP packets passing keychain authentication are processed. This effectively prevents attacks that are conducted through malicious packets.
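
The following is an added example illustrating both MSDP MD5 authentication and keychain authentication described above; it is not code from this guide or from the device. It models authentication as an MD5 digest over the message bytes followed by the shared secret (a simplification of TCP MD5 authentication, which also covers TCP header fields), and a keychain as a list of keys with receive validity windows, so that a message is accepted only if some key valid at receive time verifies its digest. The SA message text, key names, secrets and time values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Key:
    key_id: int
    secret: bytes
    receive_start: int   # inclusive; constructed clock in seconds
    receive_end: int     # inclusive

def msdp_digest(message, secret):
    """MD5 digest over the MSDP message followed by the shared secret.
    This is a digest for integrity and origin checking; the message itself stays in clear."""
    return hashlib.md5(message + secret).digest()

def send(message, secret):
    """Transmitting peer: the message travels together with its digest."""
    return message, msdp_digest(message, secret)

def receive_md5(message, digest, secret):
    """MD5 authentication with a single shared password: accept only if the digests match."""
    return hmac.compare_digest(digest, msdp_digest(message, secret))

def receive_keychain(message, digest, keychain, now):
    """Keychain authentication: return the ID of the key that verified the message,
    or None if no key whose receive window covers 'now' produces the same digest."""
    for key in keychain:
        if key.receive_start <= now <= key.receive_end and \
                hmac.compare_digest(digest, msdp_digest(message, key.secret)):
            return key.key_id
    return None

# Constructed demo values: one SA message and a keychain with an overlap for key rotation.
SA_MESSAGE = b"MSDP SA: source 10.1.1.10 group 225.0.0.7 rp 1.1.1.1"
KEYCHAIN_HUAWEI = [
    Key(1, b"old-secret", receive_start=0, receive_end=1000),
    Key(2, b"new-secret", receive_start=900, receive_end=2000),
]
```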

Attack Method Introduction

N/A

Configuration Guide
  • Configuring PIM neighbor filtering

    # Under a public network instance, configure a PIM neighbor relationship between VLANIF10 and the router with the IP address 4.4.4.4.

    <Huawei> system-view
    [Huawei] acl number 2001
    [Huawei-acl-basic-2001] rule permit source 4.4.4.4 0.0.0.0
    [Huawei-acl-basic-2001] quit
    [Huawei] interface vlanif 10
    [Huawei-Vlanif10] pim neighbor-policy 2001
  • Configuring PIM Join packet filtering

    # Under a public network instance, configure VLANIF10 to accept Join packets only for multicast groups in the range 225.1.0.0/16.

    <Huawei> system-view
    [Huawei] acl number 2001
    [Huawei-acl-basic-2001] rule permit source 225.1.0.0 0.0.255.255
    [Huawei-acl-basic-2001] quit
    [Huawei] interface vlanif 10
    [Huawei-Vlanif10] pim join-policy asm 2001
  • Configuring MSDP keychain authentication

    # Configure MSDP keychain authentication between the local router and the peer with the IP address 1.1.1.1. Set the keychain name to huawei.

    <Huawei> system-view
    [Huawei] msdp
    [Huawei-msdp] peer 1.1.1.1 keychain huawei
Configuration Suggestion

N/A

Updated: 2019-05-06

Document ID: EDOC1000097300
