ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Layer 3 Multicast

  • PIM neighbor filtering

    ACL rules can be configured on interfaces to filter received Hello packets. A neighbor relationship can be established only after the Hello packet passes filtering.

    When there are a large number of malicious Hello packets, configure rules on interfaces so that the interfaces only allow specified Hello packets and discard malicious Hello packets.

  • PIM Join packet filtering

    ACL rules can be configured on interfaces to filter received Join packets. This can prevent attacks conducted using malicious Join packets.

    When there are a large number of malicious Join packets, configure rules on interfaces so that the interfaces only allow specified Join packets and discard malicious Join packets.

  • IPv4/IPv6 PIM IPsec authentication

    Internet Protocol Security (IPsec) can be configured on interfaces to authenticate IPv4/IPv6 PIM messages. Under IPsec, an interface discards IPv4/IPv6 PIM messages that are not protected or authenticated by IPsec.

  • MSDP whitelist

    MSDP is implemented using a whitelist. After MSDP establishes a stable connection with a peer, it assembles the peer remote address, local interface address, remote port number, local port number, and IP protocol number (TCP), and notifies the lower layer of this information. Messages that meet these conditions are reported to the CPU first for processing (the priority policy depends on the implementation at the lower layer). After the MSDP neighbor relationship is torn down, the relevant component interfaces are called to instruct the lower layer to delete the policy under which these packets are preferentially sent to the CPU.

    Packets that do not match the whitelist are discarded to protect the device from attacks.

  • MSDP MD5 authentication

    Message digest 5 (MD5) authentication can be configured on MSDP peers to provide security protection. Make sure that MD5 authentication is enabled and the same authentication password is configured on both MSDP peers. After this function is enabled, the transmit peer sends an MD5-encrypted MSDP message, which is transferred to the receive peer over a TCP connection. The receive peer decrypts the MSDP message by following the uniform MD5 encryption rules and the key contained in the message. After decrypting the message successfully, the transmit peer reports the message to the MSDP module for processing. Only MSDP packets that pass MD5 authentication are processed. This effectively prevents attacks that are conducted using malicious packets.

  • MSDP keychain authentication

    Keychain and new TCP extension options enable each TCP connection to be configured with a password. You can set different encryption algorithms and validity periods for passwords. In addition, passwords can be changed at any time. This significantly improves security of encrypted packets. Only MSDP packets that are authenticated using a keychain are processed. This effectively prevents attacks conducted using malicious packets.

  • Source IP address-based IGMP/MLD packet filtering

    ACL rules can be configured on interfaces to filter received IGMP/MLD packets.

    The interface accepts only IGMP/MLD packets with a specified IP address and discards those with other IP addresses, which protects the interface from potential attacks.

  • IGMP/MLD IPsec authentication

    IPsec can be configured on interfaces to authenticate IGMP/MLD messages. Under IPsec, an interface discards IGMP/MLD messages that are not protected or authenticated by IPsec.
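
The per-segment check behind the MSDP MD5 authentication item above, as an added example that is not part of the original guide or Huawei's code. It assumes the feature is the TCP MD5 Signature Option of RFC 2385, in which each TCP segment carries a 16-byte digest computed with the shared password; the addresses, ports, password and payload bytes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6  # IP protocol number for TCP


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: MD5(pseudo-header | fixed TCP header | data | key)."""
    fixed = bytearray(tcp_header[:20])   # options are excluded from the digest
    fixed[16:18] = b"\x00\x00"           # checksum field is treated as zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(tcp_header) + len(payload)))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Sender side: 40-byte TCP header carrying the MD5 option (kind 19, len 18)."""
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                        (10 << 12) | 0x018, 65535, 0, 0)  # offset 10 words, PSH+ACK
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + bytes(20), payload, key)
    return fixed + b"\x01\x01" + bytes([19, 18]) + digest  # two NOPs pad to 20 bytes


def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: recompute the digest; False means the segment is dropped."""
    options, i = tcp_header[20:], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP occupies a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                 # malformed option
        if kind == 19 and options[i + 1] == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += options[i + 1]
    return False                         # segments without the option are rejected


if __name__ == "__main__":
    msg = b"\x04\x00\x03"                # constructed bytes standing in for an MSDP message
    hdr = build_segment("192.0.2.1", "192.0.2.2", 49152, 639, 1000, msg, b"Sample-Key-1")
    print("same password :", verify_segment("192.0.2.1", "192.0.2.2", hdr, msg, b"Sample-Key-1"))
    print("wrong password:", verify_segment("192.0.2.1", "192.0.2.2", hdr, msg, b"Other-Key"))
```

A password mismatch, a modified payload, a different source address, or a missing option all make `verify_segment` return `False`, which corresponds to the segment never reaching the MSDP module.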

Updated: 2019-01-04

Document ID: EDOC1100059445
