ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Evaluation on Security Risks of the ME device on the Network

Based on the security risks present on the network and the vulnerabilities of the ME device, you can evaluate the security risks the ME device faces and decide on measures to suppress them. The following table describes the security risks encountered by the ME device and the corresponding risk suppression measures.

Table 5-1 Security risks of the ME device and the risk suppression measures

Each row of the table is listed below with its four columns: Security Risk, Vulnerabilities of the ME device, Risk Evaluation, and Risk Suppression Measure.

Security Risk: Denial of service (DoS) attack

Vulnerabilities of the ME device:
  1. Insufficient processing capabilities of the control and management planes
  2. Failure to authenticate source addresses due to the openness of IP networks, which allows traffic flooding and address spoofing

Risk Evaluation:
The processing capabilities of the control and management planes are insufficient, so traffic flooding is easily triggered and can severely damage the ME device.
Risk evaluation: high

Risk Suppression Measure:
  1. Strengthen network access control.
  2. Limit the traffic sent to the control and management planes on the forwarding plane.

Security Risk: Information disclosure

Vulnerabilities of the ME device:
  1. Many insecure access channels
  2. Insufficient access control capabilities due to the openness of IP networks

Risk Evaluation:
Insecure access channels can easily be used by attackers to initiate attacks. For example, insufficient rights control for ME device accounts combined with the openness of IP networks makes attacks easy to carry out.
Risk evaluation: high

Risk Suppression Measure:
  1. Deactivate insecure access channels.
  2. Strengthen account and rights management.
  3. Plan access control policies properly.

Security Risk: Damaging information integrity

Vulnerabilities of the ME device:
Lack of the necessary integrity check measures during transmission of IP packets

Risk Evaluation:
Many communication protocols have no integrity check mechanism, and the openness of IP networks allows information to be tampered with in transit.
Risk evaluation: medium

Risk Suppression Measure:
  1. Use the message digest algorithm 5 (MD5) to check message integrity.
  2. Use secure channels to transmit important information.

Security Risk: Unauthorized access

Vulnerabilities of the ME device:
  1. The ME device system is complex and cannot grant permissions for commands and management information bases (MIBs) on a per-user basis.
  2. The diagnosis and debugging system needs to query internal system information, which also introduces potential security risks.
  3. An IP network is open and access paths to it are uncontrollable. As a result, the IP network may suffer unauthorized access from untrusted networks.

Risk Evaluation:
After a user obtains rights at a given level, the user may access information beyond that role, because there is no finer-grained information isolation.
The IP network is open and may therefore encounter unauthorized access from untrusted networks.
Risk evaluation: medium

Risk Suppression Measure:
  1. Adopt the command authorization mechanism of the Terminal Access Controller Access Control System (TACACS) to avoid the misuse of commands.
  2. Select SNMPv3 and configure the MIB view to limit access to MIBs.
  3. Strengthen network access control.

Security Risk: Identity spoofing

Vulnerabilities of the ME device:
The ME device is unable to authenticate all source addresses due to the openness of IP networks.

Risk Evaluation:
Address spoofing attacks may easily occur, causing forwarding interruption or system overload.
Risk evaluation: medium

Risk Suppression Measure:
Enable unicast reverse path forwarding (URPF) and Dynamic Host Configuration Protocol (DHCP) snooping to avoid such attacks.

Security Risk: Replay attack

Vulnerabilities of the ME device:
In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, Layer 3 and the layers below it carry no sequence numbers, which makes replay attacks easy to initiate. In addition, the ME device has insufficient capability to process session requests, so system overload can occur.

Risk Evaluation:
The capability to process session requests is insufficient, which may cause system overload.
Risk evaluation: high

Risk Suppression Measure:
Use the network processor (NP) to respond to request messages, and use the dynamic whitelist to suppress new sessions while retaining existing sessions.

Security Risk: Computer viruses

Vulnerabilities of the ME device:
The ME device has insufficient capability to process the traffic flooding caused by network viruses, so system overload occurs.

Risk Evaluation:
Traffic flooding occurs after a computer is infected with network viruses, which exhausts bandwidth resources and causes CPU overload.
Risk evaluation: high

Risk Suppression Measure:
  1. Enhance carriers' IT management capabilities.
  2. Configure rate limiting to avoid overload.

Security Risk: Carelessness of engineers

Vulnerabilities of the ME device:
  1. The ME device system is extremely complex, and data configuration is prone to errors.
  2. The ME device has insufficient capability to handle the traffic flooding caused by topology flapping or a loop topology.

Risk Evaluation:
Incorrect configurations may damage services.
Topology flapping and a loop topology may overload the ME device.
Risk evaluation: medium

Risk Suppression Measure:
  1. Strengthen training, improve skills, enhance carriers' IT management capabilities, and avoid man-made errors.
  2. Configure loop detection and suppression mechanisms to automatically contain the effects of man-made errors.

Security Risk: Physical intrusion

Vulnerabilities of the ME device:
The ME device grants many permissions to users who access it through the directly connected serial port or panel interface. Attackers can use these permissions to operate and configure the ME device system incorrectly.

Risk Evaluation:
If users who log in through the serial port or panel interface configure the ME device maliciously, major problems may result. Physical access to telecom networks is, however, usually under strict control.
Risk evaluation: low

Risk Suppression Measure:
Enhance physical and environmental security control to avoid security incidents caused by physical access and environmental accidents.
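The identity spoofing row above names unicast reverse path forwarding (URPF) as the suppression measure. The following added example, which is not part of this guide and does not model the ME device's own forwarding logic, shows the check URPF performs: the packet's source address is looked up in the forwarding table, and in strict mode the packet is dropped unless the route to that source points back out the interface the packet arrived on; in loose mode any matching route is enough. The FIB, interface names and packet list are constructed for the example, and the treatment of the default route (dropped unless explicitly allowed) is an assumption about the policy, not a statement about the ME device.

```python
"""Strict and loose unicast RPF checks over a constructed forwarding table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed sample FIB (not taken from any real device).
FIB = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "GE1/0/0"),   # customer side A
    Route(ipaddress.ip_network("10.2.0.0/16"), "GE2/0/0"),   # customer side B
    Route(ipaddress.ip_network("0.0.0.0/0"), "GE3/0/0"),     # default route to upstream
]


def longest_match(fib, addr):
    """Return the most specific route covering addr, or None if nothing matches."""
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_permits(fib, src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `in_iface` passes URPF.

    strict: the best route to the source must leave through the arrival interface.
    loose:  any route to the source is sufficient.
    allow_default: whether a match on the default route counts (policy assumption).
    """
    route = longest_match(fib, ipaddress.ip_address(src))
    if route is None:
        return False                      # no route back to the source at all
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return route.out_iface == in_iface    # strict: reverse path must match


def audit(fib, packets, mode="strict"):
    """Classify each (src, in_iface) pair; returns a list of (src, in_iface, verdict)."""
    return [(src, iface, "permit" if urpf_permits(fib, src, iface, mode) else "drop")
            for src, iface in packets]


# Constructed sample packets: the second one claims a source that lives behind GE1/0/0
# but arrives on GE2/0/0, i.e. the pattern strict URPF is meant to catch.
SAMPLE_PACKETS = [
    ("10.1.5.5", "GE1/0/0"),
    ("10.1.5.5", "GE2/0/0"),
    ("192.0.2.9", "GE1/0/0"),
]

if __name__ == "__main__":
    for entry in audit(FIB, SAMPLE_PACKETS):
        print(entry)
```

Strict mode is appropriate on interfaces facing single-homed customer networks, where the return path is unambiguous; loose mode is the usual choice on interfaces with asymmetric routing, where strict checks would drop legitimate traffic.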

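The DoS and replay attack rows both rely on the same idea: the forwarding plane limits how much new-session traffic reaches the control plane, while a dynamic whitelist keeps sessions that are already established flowing. The following added example, which is not part of this guide and does not reproduce the ME device's NP or whitelist implementation, models that policy with a per-source token bucket for new session requests and a whitelist of established sessions that bypasses the bucket. The timestamps, addresses and traffic pattern are constructed for the example; the rate and burst values are assumptions chosen to make the behaviour visible.

```python
"""Simulated control-plane protection: per-source token bucket for new session
requests, with established sessions bypassing the limiter via a dynamic whitelist.
Timestamps are constructed values, not wall-clock time."""


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        """Consume one token if available; refill according to elapsed time first."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ControlPlanePolicer:
    """Forwarding-plane policy in front of the control plane (simplified model)."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}        # one bucket per source address for *new* sessions
        self.whitelist = set()   # (src, dport) of sessions already established

    def handle(self, pkt, now):
        key = (pkt["src"], pkt["dport"])
        if key in self.whitelist:
            return "accept-established"           # existing sessions are retained
        bucket = self.buckets.setdefault(pkt["src"], TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return "drop-rate-limited"            # new sessions beyond the budget are suppressed
        if pkt.get("established"):
            self.whitelist.add(key)               # handshake completed: promote to whitelist
        return "accept-new"


# Constructed sample traffic: one legitimate session that completes its handshake,
# then a burst of ten new-session requests from a single source, then one more
# request from that source after the bucket has had time to refill.
SAMPLE_TRAFFIC = [
    (0.0, {"src": "10.1.1.1", "dport": 22, "established": True}),
    *[(0.1, {"src": "198.51.100.7", "dport": 22}) for _ in range(10)],
    (0.2, {"src": "10.1.1.1", "dport": 22}),
    (5.0, {"src": "198.51.100.7", "dport": 22}),
]


def run_sample(rate=1.0, burst=3):
    """Run the constructed traffic through the policer; return verdict counts."""
    policer = ControlPlanePolicer(rate, burst)
    counts = {}
    for now, pkt in SAMPLE_TRAFFIC:
        verdict = policer.handle(pkt, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(run_sample())
```

With a burst of 3 and a rate of 1 per second, the flooding source gets three requests through at t=0.1, the remaining seven are dropped, and the legitimate session on the whitelist is never affected; at t=5.0 the bucket has refilled, so a later request from the same source is accepted again rather than being blocked permanently.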
Updated: 2019-01-04

Document ID: EDOC1100059445