
ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Security Defense Capabilities of the Control Plane

To ensure the normal running of control protocols and services, the control plane of the ME60 provides the following security defense capabilities:
  • Application layer association
  • Defense against malformed packet attacks
  • Routing protocol authentication and check (MD5 for OSPF and BGP)
  • Generalized TTL Security Mechanism (GTSM)
  • Attack source tracking and alarm reporting
  • CAR for packets sent to the CPU (CPCAR)
  • Blacklist and whitelist
  • ACL-based user-defined flow
  • Security management center

Application Layer Association

Application layer association refers to the association between a protocol's enabled/disabled state on the control plane and the sending of that protocol's packets to the control plane by the forwarding engines (FEs) at the physical layer. Once the association between the control layer and the physical layer is established, the two stay consistent with the protocol state. For protocols that are disabled on the device, the bottom-layer hardware either sends the corresponding protocol packets to the control plane at a low bandwidth by default or does not send them at all. This narrows the attack surface, raises the cost of an attack, and reduces the security risk to the device.

Defense Against Malformed Packet Attacks

Currently, ME60s can detect and discard the following malformed packets:

  • Null IP payload flooding attack
  • IGMP null payload attack
  • TCP illegal flags attack
  • Duplicated fragment attack
  • Fragment flooding
  • Tear Drop
  • Syndrop
  • Nesta
  • Fawx
  • Bonk
  • NewTear
  • Rose
  • Jolt
  • Big offset
  • Fraggle
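Two of the malformed-packet classes listed above (illegal TCP flag combinations, and duplicated or overlapping IP fragments such as the Tear Drop family and "big offset") can be recognised from header fields alone. The following Python is an added illustration, not ME60 code or the device's actual detection logic: it classifies a TCP flag byte and a set of IP fragments (both constructed inline) and returns the anomaly name a device would log and drop on. The anomaly names and the `Fragment` record are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# TCP flag bits (RFC 793 positions in the low byte of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flag_anomaly(flags: int) -> Optional[str]:
    """Return the name of an illegal flag combination, or None if legal.

    ECE/CWR (bits 6-7) are masked off: they are legitimate in combination
    with any of the classic six and are not part of this check."""
    f = flags & 0x3F
    if f == 0:
        return "null-flags"              # no flags at all is never valid
    if f & SYN and f & FIN:
        return "syn-fin"                 # open and close in one segment
    if f & SYN and f & RST:
        return "syn-rst"                 # open and abort in one segment
    if f & FIN and not f & ACK:
        return "fin-without-ack"         # FIN must carry ACK on an open connection
    return None


@dataclass(frozen=True)
class Fragment:
    """One IP fragment; offset and length are in bytes (8-byte units already
    multiplied out), `more` is the MF bit. Constructed record for this example."""
    ident: int
    offset: int
    length: int
    more: bool


def fragment_anomaly(frags: Iterable[Fragment]) -> Optional[str]:
    """Classify a group of fragments sharing one IP identification value.

    Checks, in order, for a fragment that would extend past the 65535-byte
    IP maximum ("big offset"), an exact duplicate, and an overlap between
    fragments (the Tear Drop / Bonk / NewTear pattern)."""
    ordered = sorted(frags, key=lambda f: f.offset)
    seen = set()
    prev: Optional[Fragment] = None
    for f in ordered:
        if f.offset + f.length > 65535:
            return "big-offset"
        key = (f.ident, f.offset, f.length)
        if key in seen:
            return "duplicate-fragment"
        seen.add(key)
        if prev is not None and prev.offset + prev.length > f.offset:
            return "overlapping-fragment"
        prev = f
    return None


def classify_samples() -> dict:
    """Run both checks over constructed samples; returns {label: anomaly}."""
    return {
        "syn":        tcp_flag_anomaly(SYN),
        "syn+fin":    tcp_flag_anomaly(SYN | FIN),
        "null":       tcp_flag_anomaly(0),
        "normal":     fragment_anomaly([Fragment(1, 0, 24, True), Fragment(1, 24, 8, False)]),
        "teardrop":   fragment_anomaly([Fragment(2, 0, 24, True), Fragment(2, 8, 16, False)]),
        "bigoffset":  fragment_anomaly([Fragment(3, 65528, 16, False)]),
    }


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:10s} -> {verdict}")
```

The fragment check sorts by offset first, so the overlap test only has to compare neighbours; a real reassembly engine would additionally bound the number of outstanding fragment groups to cover the "fragment flooding" entry in the list.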

Routing Protocol Authentication

Some routing protocols support security authentication. When packets are exchanged between devices, a hash algorithm is used to compute a digest of each packet. The receiver recomputes the digest over the received packet and compares it with the digest carried in the packet; any mismatch identifies a packet that was modified in transit.

SHA256 is used for routing protocol authentication, unless the protocol does not support SHA256, to ensure that protocol packets are not modified.

AES256 is used for key storage to greatly enhance key strength and prevent a key leak.
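As an added worked example (not ME60 code and not the wire format of OSPF or BGP authentication), the following Python shows the digest-and-compare step described above with a keyed hash: the sender appends an HMAC digest over the packet, the receiver recomputes it under the shared key, and a single flipped byte or a wrong key is detected. The packet contents, the shared key and the digest placement are constructed assumptions; SHA-256 is the default and MD5 is offered only as the fallback the guide mentions for protocols without SHA-256 support.

```python
import hashlib
import hmac
from typing import Tuple

DIGEST_ALGOS = {"sha256": hashlib.sha256, "md5": hashlib.md5}


def sign_packet(key: bytes, payload: bytes, algo: str = "sha256") -> bytes:
    """Sender side: append HMAC(key, payload) to the payload.

    `algo` is "sha256" unless the protocol only supports MD5."""
    digest = hmac.new(key, payload, DIGEST_ALGOS[algo]).digest()
    return payload + digest


def verify_packet(key: bytes, packet: bytes, algo: str = "sha256") -> Tuple[bool, bytes]:
    """Receiver side: split off the trailing digest, recompute it over the
    received payload and compare in constant time. Returns (ok, payload)."""
    dlen = DIGEST_ALGOS[algo]().digest_size
    if len(packet) < dlen:
        return False, b""
    payload, received = packet[:-dlen], packet[-dlen:]
    expected = hmac.new(key, payload, DIGEST_ALGOS[algo]).digest()
    return hmac.compare_digest(expected, received), payload


def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit at `index` to simulate in-transit modification."""
    buf = bytearray(packet)
    buf[index] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Constructed exchange: a hello-style packet signed with a shared key."""
    key = b"constructed-shared-key-not-a-real-one"
    hello = b"HELLO area=0 router-id=10.0.0.1 hold=40"   # constructed payload
    packet = sign_packet(key, hello)
    return {
        "genuine": verify_packet(key, packet)[0],
        "modified_payload": verify_packet(key, tamper(packet, 6))[0],
        "modified_digest": verify_packet(key, tamper(packet, len(packet) - 1))[0],
        "wrong_key": verify_packet(b"other-key", packet)[0],
        "md5_fallback": verify_packet(key, sign_packet(key, hello, "md5"), "md5")[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} accepted={ok}")
```

The key never appears in the packet, so a receiver without the shared key cannot produce a digest that verifies; `hmac.compare_digest` avoids leaking which byte of the digest differed through timing.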

Security Defense Based on Access Control

ME60s provide complete ACL capabilities. Based on ACLs, the ME devices implement CP-CAR control, blacklist and whitelist policies, and flow customization (ACL-based user-defined flows).

  • CP-CAR (CPCAR) classifies packets destined for the CPU and applies a rate limiting rule to each type of packet. You can set the average rate, committed burst size (CBS), and priority of each packet type using CP-CAR. Because each protocol is limited by its own CAR rule, a flood of one protocol's packets has less impact on the others, which helps protect the CPU. CAR also allows you to set a threshold for the total packet rate: when the total rate exceeds the threshold, further packets to the CPU are discarded to avoid CPU overload.

  • The whitelist refers to groups of authorized users or high-priority users. It helps actively protect existing services and services of high-priority users. Authorized users or high-priority users can be whitelisted so that packets from these users are sent preferentially at a high rate.

    The blacklist refers to groups of unauthorized users. Unauthorized users filtered by using ACLs can be blacklisted so that packets from these users are discarded or sent at a low rate.

  • Flow customization means that you can define your own ACL rules for attack defense. It applies when an unknown attack is detected on the network: you can flexibly specify the data characteristics of the attack flows so that matching packets are not sent to the CPU.

    To prevent the ME device from being controlled by unauthorized users or being attacked by flooded management packets, deploy the control plane management function. Subsequently, only the specified interface can receive management packets, whereas the other interfaces directly discard received management packets. Therefore, resources are saved. You can also specify the management packets that can be received by a specified interface so that the interface discards the other protocol packets. This prevents the ME device from being attacked by unnecessary protocol packets.
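The three access-control mechanisms above (per-protocol CP-CAR with a total threshold, whitelist, blacklist) compose into a single admission decision for every packet bound for the CPU. The Python below is an added illustration of that decision, not ME60 code; the token-bucket model, the verdict strings, the default rate for unlisted protocols and the prefixes used for the lists are assumptions made for this example. It uses a classic single-rate token bucket: `rate` is the average rate in packets per second and `cbs` is the burst depth.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class TokenBucket:
    """Single-rate CAR: refills `rate` tokens/s up to a depth of `cbs`."""
    rate: float
    cbs: int

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs)   # start full: a burst of `cbs` is committed
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.cbs), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CpCar:
    """Admission control for packets destined for the control-plane CPU."""

    def __init__(self, per_protocol: Dict[str, TokenBucket], total: TokenBucket,
                 whitelist: Iterable[str] = (), blacklist: Iterable[str] = ()) -> None:
        self.per_protocol = per_protocol
        self.default = TokenBucket(rate=5, cbs=5)     # assumed low rate for unlisted protocols
        self.total = total                            # global threshold for the whole CPU
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]

    @staticmethod
    def _member(addr, nets) -> bool:
        return any(addr in n for n in nets)

    def admit(self, src: str, proto: str, now: float) -> str:
        """Return 'pass' or a 'drop:<reason>' verdict for one packet."""
        addr = ipaddress.ip_address(src)
        if self._member(addr, self.blacklist):
            return "drop:blacklist"                    # unauthorized source: discard outright
        if not self._member(addr, self.whitelist):
            bucket = self.per_protocol.get(proto, self.default)
            if not bucket.allow(now):
                return f"drop:car-{proto}"             # this protocol's own rate exhausted
        # whitelisted hosts skip the per-protocol limit but not the global threshold
        if not self.total.allow(now):
            return "drop:total"
        return "pass"


def run_trace(car: CpCar, trace: Iterable[Tuple[str, str, float]]) -> List[str]:
    """Apply `car` to constructed (src, protocol, timestamp) packets in order."""
    return [car.admit(src, proto, t) for src, proto, t in trace]


def build_example() -> CpCar:
    """Constructed policy: BGP gets 2 pkt/s with a burst of 3, total cap 100."""
    return CpCar({"bgp": TokenBucket(rate=2, cbs=3)},
                 total=TokenBucket(rate=100, cbs=100),
                 whitelist=["10.0.0.0/24"],       # assumed trusted management prefix
                 blacklist=["192.0.2.0/24"])      # assumed blocked prefix (documentation range)


if __name__ == "__main__":
    trace = [("203.0.113.7", "bgp", 0.0)] * 4 + [("192.0.2.9", "bgp", 0.0),
                                                ("10.0.0.5", "bgp", 0.0),
                                                ("203.0.113.7", "bgp", 1.0)]
    for (src, proto, t), verdict in zip(trace, run_trace(build_example(), trace)):
        print(f"t={t:.1f} {src:12s} {proto:4s} -> {verdict}")
```

In the trace, the fourth BGP packet from 203.0.113.7 at t=0 exceeds the burst of 3 and is dropped, the blacklisted source is dropped before any bucket is consulted, the whitelisted host passes regardless of the BGP bucket, and one second later the bucket has refilled two tokens so the peer passes again. The total bucket is what keeps a whitelisted flood from overloading the CPU.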

GTSM

The Generalized TTL Security Mechanism (GTSM) checks whether the time to live (TTL) values carried in packets sent to the device fall within the valid range, protecting the CPU from CPU-utilization (CPU overload) attacks.

Based on the ME device networking, the number of hops (network nodes) of packets bound for the control plane is limited. You can set the number of hops based on the networking to prevent malicious users from initiating attacks from a remote node.
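As an added example of the hop-count check described above (not ME60 code), the following Python applies the GTSM rule: a peer that sets TTL=255 and is at most `max_hops` away arrives with a TTL no lower than 256 - max_hops, so anything below that was forwarded from further away and is dropped. The peer distances and the packet records are constructed for illustration.

```python
from typing import Dict, List, Tuple


def arrival_ttl(hops: int, initial_ttl: int = 255) -> int:
    """TTL seen by the receiver after `hops` router hops (each decrements by 1)."""
    return initial_ttl - (hops - 1)


def gtsm_accept(ttl: int, max_hops: int) -> bool:
    """GTSM rule: accept only if the packet could have originated within
    `max_hops` of this device. max_hops=1 means directly connected (TTL 255)."""
    if not 1 <= max_hops <= 255:
        raise ValueError("max_hops must be between 1 and 255")
    return ttl >= 256 - max_hops


def filter_peers(peers: Dict[str, int], max_hops: int) -> Dict[str, Tuple[int, bool]]:
    """For constructed peers {name: hop distance}, return {name: (ttl, accepted)}
    assuming every sender sets the initial TTL to 255 as GTSM requires."""
    return {name: (arrival_ttl(d), gtsm_accept(arrival_ttl(d), max_hops))
            for name, d in peers.items()}


def demo(max_hops: int = 2) -> List[str]:
    """Constructed topology: two legitimate neighbours and one distant sender."""
    peers = {"neighbour-A": 1, "neighbour-B": 2, "distant-host": 12}
    return [f"{name}: ttl={ttl} {'accept' if ok else 'drop'}"
            for name, (ttl, ok) in filter_peers(peers, max_hops).items()]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The value of the check is that a sender cannot raise the TTL above 255, so a packet originating outside the configured radius can never present a TTL high enough to be accepted, whatever its source address claims.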

Attack Source Tracking and Alarm Reporting

Attack source tracing is a security hardening method that analyzes attack packets so that attack information, including the attack source, severity, and cause, can be extracted. It also allows the device to record logs and generate alarms for the traced attack sources.

When the ME device is under attacks, attack source tracking records information about attack packets to help locate faults and deploy attack defense.

Security Management Center

To ensure system reliability and protect service systems from the impact of intentional or unintentional security attacks, ME devices use technologies such as CAR, attack detection, and attack isolation. All the technologies require a global management center which provides the following functions:
  • Summarize and analyze information about all security attacks.
  • Intelligently analyze the sources, causes, and impacts of attacks.
  • Provide reasonable attack suppression solutions based on the embedded security knowledge base.

The security management center can summarize and analyze the information reported by all security check units in a unified manner, and display the attack sources, root causes, and recommended solutions in a simple manner.

Updated: 2019-01-04

Document ID: EDOC1100059445