No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

This is ME60 V800R010C10SPC500 Configuration Guide - Security Hardening
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


The following figure shows the security defense architecture of ME60s.

Figure 6-1 Security defense architecture of ME60s

On ME devices, the security defense architecture comprises the following parts:

Security Defense of Forwarding Engines

The forwarding engines (FEs) of ME devices provide high performance. Therefore, the best network security solution is to implement security check on the forwarding plane to identify and process invalid packets.

Most FEs, however, are implemented based on hardware such as application-specific integrated circuits (ASICs) or network processors (NPs), and are less flexible than software. FEs can detect only invalid packets that have deterministic characteristics and do not require complex computing or processing. They are designed with simple security mechanism using fixed processes.

For example:

In malformed packet check, FEs detect and discard packets that obviously violate protocol rules.

In broadcast storm suppression, FEs track the source of a broadcast storm, and discard broadcast packets or limit the rate of broadcast packets by using dynamic access control lists (ACLs) on the forwarding plane.

URPF directly checks a packet for whether the outbound port matches the source IP address. If the outbound port does not match the source IP address, the packet is discarded.

In fragmented packet flooding, the forwarding plane limits the rate of fragmented packets.

For simple packets, such as ARP, Internet Control Message Protocol (ICMP), and Point-to-Point Protocol (PPP) Keepalive packets, sent from clients, the forwarding plane responds to these packets.

With high performance, FEs can effectively handle traffic flooding attacks. In this way, the CPU does not need to process flooded packets, and the ME device reliability is ensured.

Security Defense for Channels Between the Forwarding Plane and the Control Plane

Compared with the control plane, the forwarding plane provides infinite processing capabilities. Therefore, the forwarding plane can easily send mass packets, which may cause overload of the control plane.

The packet rates on the channels between the forwarding plane and the control plane must be limited to prevent the forwarding plane from sending too many packets to the control plane. In addition, normal service packets that have high priorities and pass the security check must be permitted to ensure normal service provisioning. In consideration of security and availability, the following mechanisms are used to ensure reliable running of ME devices while improving the service processing capabilities of the ME devices:

  • Central processing unit-committed access rate (CP-CAR): A bandwidth for sending packets to the control plane is configured for each protocol. Different CP-CARs may be configured for typical packets of a protocol, such as ARP Request and ARP Reply packets.
  • Dynamic/static blacklist: When attack events are dynamically detected or a static blacklist is configured, all blacklisted packets are rejected to prevent attacks by invalid packets.
  • Dynamic/static whitelist: When sessions on the control plane pass the security check or trusted access objects are statically configured, the packets of these objects are free from rate limitation.

The preceding measures ensure that packets sent from the forwarding plane to the control plane do not cause CPU overload and that the CPU provide services to the maximum.

Security Check and Defense of Application Layer Services

The forwarding plane cannot detect or control complex and in-depth attacks because it lacks the capability of perceiving the structure of every protocol.

The security defense on the channels between the forwarding and control planes only protects the CPU against overload, but does not check whether sent packets are secure.

In this case, security check engines need to be embedded into modules at the application layer. Each protocol stack module must be able to dynamically check the validity of packets and sessions and discard invalid packets or sessions in a timely manner to protect the protocol stacks.

Updated: 2019-01-04

Document ID: EDOC1100059445

Views: 7605

Downloads: 9

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next