Security Defense Capabilities of the Control Plane
- Application layer association
- Defense against malformed packet attacks
- Routing protocol authentication and check (MD5 for OSPF and BGP)
- Generalized TTL Security Mechanism (GTSM)
- Attack source tracking and alarm reporting
- CAR for packets sent to the CPU (CPCAR)
- Blacklist and whitelist
- ACL-based user-defined flow
- Security management center
Application Layer Association
Application layer association links the enable status of each protocol on the control plane to the protocol packet sending of the FEs on the physical layer. Once the control layer and the physical layer are associated, the protocol enable status is kept consistent between them. For service protocols that are disabled on a device, the bottom-layer hardware by default sends the corresponding protocol packets to the control plane at a low bandwidth, or does not send them at all. As a result, the attack surface is narrowed, the attack cost is increased, and device security risks are reduced.
Defense Against Malformed Packet Attacks
Currently, ME60s can detect and discard the following malformed packets:
- Null IP payload flooding attack
- IGMP null payload attack
- TCP illegal flags attack
- Duplicated fragment attack
- Fragment flooding
- Tear Drop
- Syndrop
- Nesta
- Fawx
- Bonk
- NewTear
- Rose
- Jolt
- Big offset
- Fraggle
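To make the list above concrete, here is an added example (not ME60 code, and not a description of how the ME60 implements these checks) of a small filter that recognises several of the listed classes on a simplified packet model: null IP and IGMP payloads, illegal TCP flag combinations, and the fragment-based classes (duplicated fragments, overlapping Teardrop-style fragments, a "big offset" that would exceed the maximum IP length, and fragment flooding that exhausts reassembly state). The `Packet` model, the `MAX_PENDING_DATAGRAMS` cap and the sample traffic are constructed for the example; a real implementation works on raw headers and keys reassembly state on the full (source, destination, protocol, ID) tuple rather than on the IP ID alone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, simplified packet model carrying only the fields the checks
# below need. ip_payload_len is the IP payload length (transport header plus
# data), so a TCP segment with no data still has a 20-byte IP payload.
@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "igmp", "icmp", ...
    ip_payload_len: int
    ip_id: int = 0                   # IP identification shared by all fragments of one datagram
    frag_offset: int = 0             # fragment offset in bytes (header field * 8)
    more_frags: bool = False         # IP "more fragments" flag
    tcp_flags: frozenset = frozenset()

MAX_IP_LENGTH = 65535                # largest reassembled IPv4 datagram
MAX_PENDING_DATAGRAMS = 4            # assumed cap on datagrams awaiting reassembly (kept small for the demo)

@dataclass
class MalformedPacketFilter:
    # ip_id -> byte ranges (start, end) of the fragments already accepted
    pending: Dict[int, List[Tuple[int, int]]] = field(default_factory=dict)

    def check(self, pkt: Packet) -> Optional[str]:
        """Return the malformed-packet class the packet matches, or None if it passes."""
        if pkt.frag_offset or pkt.more_frags:
            return self._check_fragment(pkt)
        if pkt.ip_payload_len == 0:
            return "IGMP null payload" if pkt.proto == "igmp" else "null IP payload"
        if pkt.proto == "tcp":
            return self._check_tcp_flags(pkt.tcp_flags)
        return None

    def _check_fragment(self, pkt: Packet) -> Optional[str]:
        start, end = pkt.frag_offset, pkt.frag_offset + pkt.ip_payload_len
        if end > MAX_IP_LENGTH:
            return "big offset"          # reassembled datagram would exceed the IP length limit
        if pkt.ip_id not in self.pending and len(self.pending) >= MAX_PENDING_DATAGRAMS:
            return "fragment flooding"   # reassembly state exhausted; allocate no more
        seen = self.pending.setdefault(pkt.ip_id, [])
        for s, e in seen:
            if (s, e) == (start, end):
                return "duplicated fragment"
            if start < e and s < end:    # byte ranges intersect
                return "overlapping fragment (Teardrop-style)"
        seen.append((start, end))
        if not pkt.more_frags:           # last fragment arrived: release reassembly state
            del self.pending[pkt.ip_id]
        return None

    @staticmethod
    def _check_tcp_flags(flags: frozenset) -> Optional[str]:
        if not flags:
            return "TCP illegal flags (no flags set)"
        if {"SYN", "FIN"} <= flags:
            return "TCP illegal flags (SYN+FIN)"
        if {"SYN", "RST"} <= flags:
            return "TCP illegal flags (SYN+RST)"
        if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
            return "TCP illegal flags (FIN+PSH+URG without ACK)"
        return None

if __name__ == "__main__":
    # Constructed sample traffic: one well-formed segment, then a Teardrop-style pair.
    flt = MalformedPacketFilter()
    for p in (Packet("tcp", 20, tcp_flags=frozenset({"SYN"})),
              Packet("udp", 100, ip_id=7, frag_offset=0, more_frags=True),
              Packet("udp", 100, ip_id=7, frag_offset=50)):
        print(p.proto, p.frag_offset, "->", flt.check(p) or "pass")
```

The fragment branch deliberately returns before allocating state when the pending table is full, which is what keeps a fragment flood from consuming the reassembly memory that legitimate datagrams need.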
Routing Protocol Authentication
Some routing protocols support security authentication. When packets are exchanged between devices, a hash algorithm is used to calculate a digest of each packet. The digest carried in a received packet is compared with the digest recalculated by the receiver, so that packets modified in transit can be identified.
SHA256 is used for routing protocol authentication (unless the protocol does not support SHA256) to ensure that protocol packets are not modified.
AES256 is used for key storage, which greatly enhances key strength and prevents key leaks.
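The digest exchange described above, as an added example that is not part of the original page and does not reproduce any vendor's implementation: the sender appends a keyed SHA-256 digest (HMAC) of the whole packet, and the receiver recomputes it and compares in constant time, so any modification in transit or a mismatched key is detected. The packet bytes and shared key are constructed; real OSPF and BGP authentication also carry a key ID and sequence number and hash specific header fields, which this simplified frame omits. The `algo` parameter shows the fallback to another hash (MD5 here) for protocols that do not support SHA256.

```python
import hashlib
import hmac
from typing import Optional

def compute_digest(packet: bytes, key: bytes, algo=hashlib.sha256) -> bytes:
    """Keyed digest (HMAC) over the entire protocol packet; SHA-256 by default."""
    return hmac.new(key, packet, algo).digest()

def sign_packet(packet: bytes, key: bytes, algo=hashlib.sha256) -> bytes:
    """Sender side: append the digest as an authentication trailer."""
    return packet + compute_digest(packet, key, algo)

def verify_packet(frame: bytes, key: bytes, algo=hashlib.sha256) -> Optional[bytes]:
    """Receiver side: split the trailer off, recompute the digest over the packet
    part and compare it in constant time with the received trailer.
    Returns the packet on success, None if the frame was modified in transit,
    signed with a different key, or signed with a different algorithm."""
    dlen = algo().digest_size
    if len(frame) <= dlen:
        return None                      # too short to carry a packet plus trailer
    packet, received = frame[:-dlen], frame[-dlen:]
    if not hmac.compare_digest(received, compute_digest(packet, key, algo)):
        return None
    return packet

def flip_bit(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame, standing in for on-path modification in the demo."""
    data = bytearray(frame)
    data[index] ^= 0x01
    return bytes(data)

if __name__ == "__main__":
    # Constructed sample: a stand-in routing update and a demo-only shared key.
    key = b"constructed-shared-key"
    pkt = b"\x02\x01\x00\x2c" + b"hello-routing-update"
    frame = sign_packet(pkt, key)
    print("intact   :", verify_packet(frame, key) is not None)          # True
    print("modified :", verify_packet(flip_bit(frame, 5), key) is not None)  # False
    print("wrong key:", verify_packet(frame, b"other-key") is not None)   # False
```

`hmac.compare_digest` rather than `==` is the one detail worth copying: a byte-by-byte early-exit comparison leaks how many leading bytes of the trailer matched.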
Security Defense Based on Access Control
ME60s provide complete ACL capabilities. Based on ACLs, ME devices implement CP-CAR control, blacklist and whitelist policies, and user-defined flows (stream customization).
CP-CAR classifies packets destined for the CPU and applies rate limiting rules to each type of packet. You can set the average rate, committed burst size (CBS), and priority for each packet type. Because each protocol is policed by its own CAR rule, packets of different protocols have less impact on each other, which helps protect the CPU. CAR also allows you to set a threshold for the total packet rate; when the total rate exceeds the threshold, excess packets to the CPU are discarded to avoid CPU overload.
The whitelist contains groups of authorized users or high-priority users. It actively protects existing services and the services of high-priority users: packets from whitelisted users are sent to the CPU preferentially and at a high rate.
The blacklist contains groups of unauthorized users. Unauthorized users filtered out by ACLs can be blacklisted so that packets from these users are discarded or sent at a low rate.
Stream customization (user-defined flow) means that you can define your own ACL rules for attack defense. It applies when an unknown attack is detected on the network: you specify the data characteristics of the attack stream, and matching packets are not sent to the CPU.
To prevent the ME device from being controlled by unauthorized users or flooded with management packets, deploy the control plane management function. Then only the specified interface receives management packets, while the other interfaces discard the management packets they receive, which saves resources. You can also specify which management packets a given interface may receive, so that the interface discards all other protocol packets. This prevents the ME device from being attacked through unnecessary protocol packets.
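The following is an added example, not ME60 code, that models the whole decision chain of the four paragraphs above in one policer: blacklist and user-defined flow drop first, whitelisted sources get their own high-rate CAR, every other protocol is policed by its own token bucket (CIR in packets per second, CBS in packets), and a final bucket enforces the total threshold for the CPU. It also models the application layer association from the earlier section: a protocol that is not enabled gets no CPU bandwidth at all. The rates, addresses, protocol names and the `CpuPacket` model are constructed; the order of the checks and the single-rate token bucket are this example's assumptions, not the device's documented behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, Tuple

@dataclass
class TokenBucket:
    """Single-rate policer: cir in packets per second, cbs in packets (burst depth)."""
    cir: float
    cbs: int

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs)   # start with a full burst allowance
        self.last = 0.0                 # timestamp of the last refill

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.cbs), self.tokens + (now - self.last) * self.cir)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

@dataclass(frozen=True)
class CpuPacket:
    src: str          # source IP address
    proto: str        # "ospf", "bgp", "snmp", ...
    dst_port: int = 0

Rate = Tuple[float, int]   # (cir, cbs)

class ControlPlanePolicer:
    """Decision order (an assumption of this example): blacklist, user-defined flow,
    whitelist with its own high-rate CAR, protocol enable status, per-protocol CAR,
    then the total rate threshold for the CPU."""

    def __init__(self, enabled: Iterable[str], per_protocol: Dict[str, Rate],
                 default_car: Rate, total: Rate,
                 whitelist_nets: Iterable[str], whitelist_car: Rate,
                 blacklist_nets: Iterable[str],
                 user_flows: List[Callable[[CpuPacket], bool]]) -> None:
        self.enabled = set(enabled)
        self.per_protocol = {p: TokenBucket(*r) for p, r in per_protocol.items()}
        self.default = TokenBucket(*default_car)        # enabled protocols without their own rule
        self.total = TokenBucket(*total)
        self.whitelist_nets = [ip_network(n) for n in whitelist_nets]
        self.whitelist_bucket = TokenBucket(*whitelist_car)
        self.blacklist_nets = [ip_network(n) for n in blacklist_nets]
        self.user_flows = list(user_flows)

    def admit(self, pkt: CpuPacket, now: float) -> str:
        """Return 'accept:<class>' or 'drop:<reason>' for one packet destined for the CPU."""
        src = ip_address(pkt.src)
        if any(src in net for net in self.blacklist_nets):
            return "drop:blacklist"
        if any(rule(pkt) for rule in self.user_flows):
            return "drop:user-defined-flow"
        if any(src in net for net in self.whitelist_nets):
            bucket, label = self.whitelist_bucket, "whitelist"
        else:
            if pkt.proto not in self.enabled:
                # application layer association: a disabled protocol gets no CPU bandwidth
                return "drop:protocol-disabled"
            bucket, label = self.per_protocol.get(pkt.proto, self.default), f"car:{pkt.proto}"
        if not bucket.allow(now):
            return f"drop:{label}"
        if not self.total.allow(now):
            return "drop:total-threshold"
        return f"accept:{label}"

if __name__ == "__main__":
    # Constructed configuration and a burst of ten OSPF packets at t=0 from one source.
    pol = ControlPlanePolicer(enabled={"ospf", "bgp"},
                              per_protocol={"ospf": (100, 5), "bgp": (100, 10)},
                              default_car=(10, 2), total=(1000, 20),
                              whitelist_nets=["10.0.0.1/32"], whitelist_car=(2000, 100),
                              blacklist_nets=["192.0.2.0/24"],
                              user_flows=[lambda p: p.proto == "udp" and p.dst_port == 9999])
    for _ in range(10):
        print(pol.admit(CpuPacket("10.0.0.5", "ospf"), 0.0))
```

Passing `now` explicitly instead of reading a clock keeps the policer deterministic, which is what makes it testable; a deployment would feed it the packet timestamp.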
GTSM
The Generalized TTL Security Mechanism (GTSM) checks whether the time to live (TTL) values carried in packets arriving at the device are valid, to protect the CPU from CPU-utilization (CPU overload) attacks.
Based on the ME device networking, the number of hops (network nodes) that packets bound for the control plane may traverse is limited. You can set the number of hops based on the networking to prevent malicious users from initiating attacks from a remote node.
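The hop check described above, as an added example that is not part of the original page: a peer that sends with TTL 255 and is at most `valid_hops` away can only ever arrive with a TTL of `255 - valid_hops + 1` or higher, because every router in between decrements the TTL by one; anything lower must have travelled further than the configured networking allows and is dropped before it reaches the CPU. The peer table, addresses and hop counts are constructed for the example, and `ttl_on_arrival` just models the decrement so the check can be exercised offline.

```python
from dataclasses import dataclass
from typing import Dict

MAX_TTL = 255                  # value a GTSM-capable sender puts in every protocol packet

@dataclass(frozen=True)
class GtsmPeer:
    address: str
    valid_hops: int            # configured hop limit; 1 means directly connected

def gtsm_min_ttl(valid_hops: int) -> int:
    """Lowest TTL a packet may carry if its sender started at 255 and is at most
    valid_hops away: a directly connected peer arrives with 255, a peer two hops
    away with 254, and so on."""
    if not 1 <= valid_hops <= MAX_TTL:
        raise ValueError("valid_hops must be between 1 and 255")
    return MAX_TTL - valid_hops + 1

def gtsm_check(peers: Dict[str, GtsmPeer], src: str, ttl: int) -> str:
    """Classify one control-plane packet by source address and observed TTL."""
    peer = peers.get(src)
    if peer is None:
        return "drop:unknown-peer"          # no session configured with this source
    if not gtsm_min_ttl(peer.valid_hops) <= ttl <= MAX_TTL:
        return "drop:ttl"                   # travelled more hops than the networking allows
    return "accept"

def ttl_on_arrival(hops_travelled: int, initial_ttl: int = MAX_TTL) -> int:
    """TTL the receiver sees after a packet crosses hops_travelled links
    (each intermediate router decrements it once)."""
    return initial_ttl - (hops_travelled - 1)

if __name__ == "__main__":
    # Constructed peer table: one directly connected neighbour and one three hops away.
    peers = {"10.0.0.2": GtsmPeer("10.0.0.2", 1), "10.0.1.9": GtsmPeer("10.0.1.9", 3)}
    for src, hops in (("10.0.0.2", 1), ("10.0.0.2", 2), ("10.0.1.9", 3), ("10.0.1.9", 4)):
        print(src, "after", hops, "hop(s):", gtsm_check(peers, src, ttl_on_arrival(hops)))
```

The check only works because the TTL cannot be increased in transit: a packet that has already crossed more routers than the configured limit cannot be given a higher TTL, which is why GTSM is a cheap first filter that runs before any protocol parsing or authentication.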
Attack Source Tracking and Alarm Reporting
Attack source tracing is a security hardening method that analyzes attack packets so that you can extract attack information, including the attack source, severity, and cause. It also allows the device to record logs and generate alarms for traced attack sources.
When the ME device is under attack, attack source tracking records information about the attack packets to help locate faults and deploy attack defense.
Security Management Center
- Summarize and analyze information about all security attacks.
- Intelligently analyze the sources, causes, and impacts of attacks.
- Provide reasonable attack suppression solutions based on the embedded security knowledge base.
The security management center summarizes and analyzes the information reported by all security check units in a unified manner, and presents the attack sources, root causes, and recommended solutions in a simple form.