Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Comparison Between IPSG and Other Features

IP Source Guard (IPSG), Dynamic ARP Inspection (DAI), static ARP, and port security are all access-layer security features that rely on some form of address binding, but they inspect different packets and stop different attacks. This section describes the differences between IPSG and DAI, IPSG and static ARP, and IPSG and port security.

IPSG and DAI

IPSG and DAI both use binding tables (static binding tables or DHCP snooping binding tables) to filter packets, but they inspect different packet types. Table 12-3 lists their differences.

Table 12-3  Differences between IPSG and DAI

  IPSG
    Description: Filters IP packets by using binding tables. The device matches the IP packets received on an interface against the binding entries, forwards the IP packets that match, and discards the rest.
    Usage scenario: Prevents IP address spoofing attacks, for example, a malicious host stealing an authorized host's IP address to access the network or initiate attacks.

  DAI
    Description: Filters ARP packets by using binding tables. The device matches the ARP packets received on an interface against the binding entries, forwards the ARP packets that match, and discards the rest.
    Usage scenario: Prevents man-in-the-middle attacks. Such attacks are generally initiated through ARP spoofing: the attacker redirects traffic to itself to intercept other hosts' information.

Because IPSG checks only IP packets, it cannot prevent address conflicts. For example, when a malicious host steals an online host's IP address, the ARP request packets broadcast by the malicious host still pass the switch and reach the online host, which then detects a duplicate address. To prevent IP address conflicts, configure DAI together with IPSG so that ARP packets are also checked against the binding table.

For DAI configuration details, see ARP Security Configuration.

IPSG and static ARP

Both IPSG based on a static binding table and static ARP support binding an IP address to a MAC address. Table 12-4 lists their differences.

Table 12-4  Differences between IPSG and static ARP

  IPSG
    Description: Uses a static binding table that binds IP addresses to MAC addresses (and optionally to a VLAN and an interface). The device checks the IP packets received on interfaces and forwards only those matching a binding entry.
    Usage scenario: IPSG is generally configured on the access switch connected to users, or on the aggregation or core switch, to prevent IP address spoofing attacks from within the intranet, for example, a malicious host stealing an authorized host's IP address to access the network.

  Static ARP
    Description: Uses a static ARP table that binds IP addresses to MAC addresses. Static ARP entries are not updated by received ARP packets. The device encapsulates and forwards packets according to the static ARP table.
    Usage scenario: Static ARP is generally configured on the gateway. The static ARP table stores the ARP entries of key servers to prevent ARP spoofing attacks against them and ensure normal communication between hosts and servers.

Figure 12-7 shows an example of IPSG and static ARP usage.
  • IPSG is configured on the switch to prevent malicious hosts from changing their own IP addresses or stealing authorized hosts' IP addresses to access the network.
  • Static ARP entries of servers are configured on the gateway to prevent unauthorized servers from initiating ARP attacks or incorrectly updating ARP entries, so that hosts and authorized servers can communicate with each other normally.
Figure 12-7  IPSG and Static ARP

The differences between IPSG and static ARP are as follows:
  • Static ARP cannot prevent IP address spoofing attacks.

    Assume that IPSG is not configured on the switch, and static ARP entries of hosts are configured on the gateway. When a malicious host steals an authorized host's IP address to access the Internet, the packet forwarding process is as follows:

    1. The packet sent by the malicious host reaches the switch.
    2. The switch forwards the packet to the gateway.
    3. The gateway forwards the packet to the Internet.
    4. The return packet from the Internet reaches the gateway.
    5. The gateway searches for the static ARP entry according to the destination IP address (the IP address of the authorized host). If an entry is found, the gateway considers the MAC address corresponding to this IP address as the authorized host's MAC address. The gateway then encapsulates and forwards the packet to the switch.
    6. The switch forwards the packet to the authorized host according to the destination MAC address.

    If the malicious host changes its IP address to that of an authorized host, static ARP prevents the malicious host from receiving the return traffic, because the gateway always encapsulates it with the authorized host's MAC address. However, the authorized host then receives a large number of reply packets it never requested. If the malicious host keeps sending such packets, the authorized host is effectively under attack.

    The malicious host can successfully initiate an attack and receive return packets if it uses an idle IP address that has not been added to the static ARP table, because the gateway learns the MAC address for that IP address dynamically from the malicious host. To use static ARP to prevent the theft of IP addresses, you would have to add every IP address on the network, including idle IP addresses, to the static ARP table, which is very time-consuming.

    In addition, static ARP is configured on the gateway, so it has no effect on traffic that stays within the network connected to the switch: IP address spoofing attacks between hosts on that network cannot be prevented.

    To prevent IP address spoofing attacks on an intranet, it is recommended that you configure IPSG on the switch.

  • IPSG cannot prevent ARP spoofing attacks.

    Assume that IPSG is configured on the switch, and static ARP entries of hosts are not configured on the gateway.
    1. A malicious host sends a bogus ARP packet to the switch, using an authorized host's IP address as the sender IP address and its own MAC address as the sender MAC address.
    2. IPSG checks only IP packets, so the switch forwards the ARP packet to the gateway. The gateway incorrectly updates the ARP entry of the authorized host: the IP address in the entry belongs to the authorized host, but the MAC address now belongs to the malicious host.
    3. When the authorized host accesses the Internet, the gateway encapsulates the reply packets with the malicious host's MAC address, so they are delivered to the malicious host instead of the authorized host. As a result, the authorized host cannot go online, and the packets sent from the Internet to the authorized host are intercepted by the malicious host.

    There are two methods to solve this problem. One is to configure both IPSG on the switch and static ARP entries of hosts on the gateway. However, configuration and maintenance are complex for a network with a large number of hosts. The other is to configure both IPSG and DAI on the switch. The switch then matches both IP and ARP packets received on interfaces against binding entries and discards the ARP packets that do not match. The bogus ARP packets never reach the gateway, so its ARP entries are not incorrectly modified.
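The two walk-throughs above can be replayed in a small model. The following Python script is an added example, not code from the Huawei guide or from the switch software: it simulates one access switch with a static binding table (IPSG and DAI can be switched on independently) and one gateway with an ARP cache that may hold static entries, then runs the four cases discussed (static ARP with a stolen IP address, static ARP with an idle IP address, IPSG alone against a bogus ARP packet, and IPSG plus DAI). The hosts, IP addresses, MAC addresses, VLAN and interface names are constructed for the illustration.

```python
"""Toy replay of the static ARP and ARP spoofing walk-throughs.

Added example, not code from the Huawei guide. One access switch (IPSG/DAI
against a static binding table) and one gateway (ARP cache with optional
static entries), as in Figure 12-7. All addresses and names are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample topology (assumption, not from the guide).
VICTIM_IP, VICTIM_MAC = "10.1.1.10", "0001-0001-0001"
ATTACKER_MAC = "0002-0002-0002"
IDLE_IP = "10.1.1.99"                 # an address nobody is using
VLAN, VICTIM_PORT, ATTACKER_PORT = 10, "GE1/0/1", "GE1/0/2"
WHO = {VICTIM_MAC: "victim", ATTACKER_MAC: "attacker", None: "nobody"}


@dataclass(frozen=True)
class Binding:
    """One static binding entry: IP + MAC + VLAN + inbound interface."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class Packet:
    kind: str        # "ip" or "arp"
    src_ip: str      # source IP (IP packet) or sender IP (ARP packet)
    src_mac: str
    vlan: int
    in_port: str


@dataclass
class Switch:
    bindings: frozenset
    ipsg: bool = False   # IPSG enabled on the access interfaces
    dai: bool = False    # DAI enabled on the access interfaces

    def forwards(self, pkt: Packet) -> bool:
        """IPSG inspects only IP packets and DAI only ARP packets; each drops
        what does not match a binding entry. Packet kinds nobody checks pass."""
        checked = (pkt.kind == "ip" and self.ipsg) or (pkt.kind == "arp" and self.dai)
        if not checked:
            return True
        return Binding(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.in_port) in self.bindings


@dataclass
class Gateway:
    static_arp: dict = field(default_factory=dict)
    dynamic_arp: dict = field(default_factory=dict)

    def receive(self, pkt: Packet) -> None:
        """An ARP packet refreshes the dynamic cache unless a static entry
        pins that IP address; IP packets are just forwarded upstream."""
        if pkt.kind == "arp" and pkt.src_ip not in self.static_arp:
            self.dynamic_arp[pkt.src_ip] = pkt.src_mac

    def mac_for(self, ip: str) -> Optional[str]:
        """MAC address used to encapsulate the return packet for ip (static wins)."""
        return self.static_arp.get(ip) or self.dynamic_arp.get(ip)


def run(ipsg: bool, dai: bool, static_arp_on_gateway: bool, spoofed_ip: str) -> dict:
    """The attacker on ATTACKER_PORT sends an ARP packet and then an IP packet
    with spoofed_ip as the source; report who receives the return traffic."""
    sw = Switch(frozenset({Binding(VICTIM_IP, VICTIM_MAC, VLAN, VICTIM_PORT)}), ipsg, dai)
    gw = Gateway(static_arp={VICTIM_IP: VICTIM_MAC} if static_arp_on_gateway else {},
                 dynamic_arp={VICTIM_IP: VICTIM_MAC})   # victim is already online
    arp = Packet("arp", spoofed_ip, ATTACKER_MAC, VLAN, ATTACKER_PORT)
    ip = Packet("ip", spoofed_ip, ATTACKER_MAC, VLAN, ATTACKER_PORT)
    arp_ok = sw.forwards(arp)
    if arp_ok:
        gw.receive(arp)
    ip_ok = sw.forwards(ip)
    if ip_ok:
        gw.receive(ip)
    return {
        "arp_reaches_gateway": arp_ok,
        "ip_reaches_gateway": ip_ok,
        # replies to the attacker's own flow, if its IP packet got out at all
        "replies_to_attacker_flow": WHO[gw.mac_for(spoofed_ip)] if ip_ok else "nobody",
        # where the gateway now sends packets that are destined for the victim
        "victim_traffic_goes_to": WHO[gw.mac_for(VICTIM_IP)],
    }


if __name__ == "__main__":
    cases = {
        "static ARP only, attacker steals victim IP": run(False, False, True, VICTIM_IP),
        "static ARP only, attacker uses idle IP": run(False, False, True, IDLE_IP),
        "IPSG only, attacker forges ARP for victim": run(True, False, False, VICTIM_IP),
        "IPSG + DAI, attacker forges ARP for victim": run(True, True, False, VICTIM_IP),
    }
    for name, result in cases.items():
        print(f"{name}: {result}")
```

The first case reproduces step 5 of the static ARP walk-through (the gateway keeps encapsulating to the victim's MAC, so the attacker gets nothing and the victim receives unsolicited replies); the second shows the idle-address gap; the third shows that IPSG drops the attacker's IP packet but lets the ARP packet through, so the gateway cache is poisoned anyway; the fourth shows DAI stopping the ARP packet at the switch.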

For details on static ARP, see ARP Configuration in the S7700 and S9700 V200R011C10 Configuration Guide - IP Service.

IPSG and Port Security

Both IPSG based on a static binding table and port security support binding a MAC address to an interface. Table 12-5 lists their differences.

Table 12-5  Differences between IPSG and port security

  IPSG
    Description: Binds MAC addresses to interfaces in the binding table so that a host can only go online through a fixed interface. Hosts whose MAC addresses are not in the binding table cannot go online through the device. The binding entries are configured manually, so the configuration workload is heavy on a network with a large number of hosts.
    Usage scenario: In addition to binding MAC addresses to interfaces, IPSG can bind IP addresses, MAC addresses, VLANs, and interfaces in any combination. IPSG prevents IP address spoofing attacks, for example, a malicious host stealing an authorized host's IP address to access or attack the network.

  Port security
    Description: Converts the dynamic MAC entries learned on an interface (up to a configured limit) into secure MAC entries, so that a host can only go online through a fixed interface. Hosts whose MAC addresses are not in the MAC address table cannot go online through the device. Secure MAC entries are generated dynamically.
    Usage scenario: Port security prevents access by unauthorized hosts and limits the number of hosts that can access the network through an interface. It is applicable to networks with a large number of hosts.

If you only need to keep hosts with unauthorized MAC addresses off the network and the network has a large number of hosts, port security is recommended.

IPSG does not lock MAC address table entries, so it cannot prevent MAC address flapping caused by incorrect MAC entry updates. In Figure 12-8, when a malicious host sends frames (for example, bogus ARP packets, which IPSG does not inspect) carrying an authorized host's source MAC address, the switch relearns that MAC address on the malicious host's interface. As a result, the malicious host receives the frames destined for the authorized host.

Figure 12-8  Incorrect MAC address table update

To solve the MAC address flapping problem, you can configure the device to generate snooping MAC entries based on binding tables. Such an entry ties the MAC address to the interface in the binding entry and is not overwritten by dynamic MAC learning, so frames carrying that source MAC address from another interface do not move the entry.
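The flapping problem and the two fixes can be shown with a toy MAC address table. The following Python script is an added example, not code from the Huawei guide: it models plain dynamic learning, port security (secure MAC entries with a per-interface limit), and snooping MAC entries derived from a binding table, then has a malicious host send a frame with an authorized host's source MAC address and checks which interface frames for the authorized host now leave through. The MAC addresses, interface names and the binding entry are constructed for the illustration.

```python
"""Toy MAC address table for the flapping scenario in Figure 12-8.

Added example, not code from the Huawei guide. MAC addresses, interfaces
and the binding entry are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

VICTIM_MAC, ATTACKER_MAC = "0001-0001-0001", "0002-0002-0002"
VICTIM_PORT, ATTACKER_PORT = "GE1/0/1", "GE1/0/2"
# Constructed binding table: (MAC, interface) pairs that snooping MAC entries are derived from.
BINDINGS = [(VICTIM_MAC, VICTIM_PORT)]


@dataclass
class MacTable:
    """mode is 'dynamic' (no protection), 'port-security' or 'snooping'."""
    mode: str
    max_secure_per_port: int = 1                 # port security limit per interface
    pinned: dict = field(default_factory=dict)   # mac -> interface; secure or snooping entries
    dynamic: dict = field(default_factory=dict)  # mac -> interface; ordinary learned entries

    def __post_init__(self):
        if self.mode == "snooping":
            # snooping MAC entries are generated from the binding table up front
            self.pinned.update(BINDINGS)

    def ingress(self, src_mac: str, in_port: str) -> str:
        """Process the source MAC of one inbound frame and report what the table did."""
        if src_mac in self.pinned:
            # a pinned MAC never moves: the same MAC from another interface is discarded
            if self.pinned[src_mac] == in_port:
                return "forwarded"
            return "dropped: MAC pinned to another interface"
        if self.mode == "port-security":
            # learned MACs become secure entries until the per-interface limit is reached
            if sum(1 for p in self.pinned.values() if p == in_port) >= self.max_secure_per_port:
                return "dropped: secure MAC limit reached on interface"
            self.pinned[src_mac] = in_port
            return "secured"
        # plain dynamic learning: the most recent frame wins, which is what allows flapping
        self.dynamic[src_mac] = in_port
        return "learned"

    def egress_port(self, dst_mac: str) -> Optional[str]:
        """Interface the switch will use for frames destined to dst_mac."""
        return self.pinned.get(dst_mac, self.dynamic.get(dst_mac))


def flapping_attack(mode: str) -> dict:
    """The victim sends first; then the attacker sends a frame spoofing the victim's source MAC."""
    table = MacTable(mode)
    victim_result = table.ingress(VICTIM_MAC, VICTIM_PORT)
    attacker_result = table.ingress(VICTIM_MAC, ATTACKER_PORT)
    exit_port = table.egress_port(VICTIM_MAC)
    return {
        "victim_frame": victim_result,
        "attacker_frame": attacker_result,
        # ATTACKER_PORT here means the attacker now receives the victim's traffic
        "victim_bound_traffic_exits": exit_port,
        "intercepted": exit_port == ATTACKER_PORT,
    }


def port_security_limit() -> dict:
    """With one secure entry allowed per interface, a second unknown MAC on that interface is refused."""
    table = MacTable("port-security", max_secure_per_port=1)
    return {
        "first_mac": table.ingress(VICTIM_MAC, VICTIM_PORT),
        "second_mac": table.ingress("0003-0003-0003", VICTIM_PORT),
        "attacker_own_mac_other_port": table.ingress(ATTACKER_MAC, ATTACKER_PORT),
    }


if __name__ == "__main__":
    for mode in ("dynamic", "port-security", "snooping"):
        print(mode, flapping_attack(mode))
    print("limit", port_security_limit())
```

In the dynamic case the attacker's frame simply moves the entry and the victim's traffic is intercepted; with either secure MAC entries or snooping MAC entries the entry stays on the victim's interface and the spoofed frame is discarded. The limit check shows the other side of port security: it also caps how many hosts an interface admits, whereas IPSG on its own does not.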

For details about port security, see Port Security Configuration.

IPSG, DAI, static ARP, and port security resolve different issues and meet different requirements. To improve network security, it is recommended that you configure them according to your requirements.

Updated: 2019-04-01

Document ID: EDOC1000178319