Security

Let’s look at a typical configuration of HWTACACS server on Huawei device:

#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa 
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin  
  authentication-scheme hwtacacs 
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa

How to protect Huawei switches against ARP flood attack?

DoS attack is an attempt to make a network resources unavailable to its intended users. There are several different types of DoS attacks, but most of them rely on spoofing and flooding techniques. Some of these attacks can be hard to defend against, because DoS packets may look exactly like normal packets.

One common method of attack involves saturating the target device with a flood of request packets, so that this device cannot respond to a legitimate traffic or responds so slowly, as to be unavailable.

Attackers often use ARP protocol to attack network devices, because it is easy to use and has no security mechanisms built in. Flooding a network device with ARP request packets can lead to insufficient CPU resources to process other services, when processing a large number of ARP packets. To protect the device, ARP rate limiting mechanism can be used. On Huawei switches this feature can be implemented in the following ways:

• Limiting the rate of ARP packets globally, in a VLAN or on an interface
• Limiting the rate of ARP packets based on the source MAC address
• Limiting the rate of ARP packets based on the source IP address

The first what a device has to do is to check if the ACL exists. If it does, the device matches packets against rules, according to the rule ID. We can configure rule IDs manually or they are automatically allocated. In case of automatically allocated rules, there is a certain space between two rule IDs. The size of the space depends on ACL step. By default it is 5 but we can change it by command. In this manner, we can add a rule before the first rule or between rules. ACL rules are displayed in ascending order of rule IDs, not in the order of configuration.

ACL rules can be arranged in two modes: configuration and auto.

In the configuration mode (default mode), we decide which rule should be first, which second and so on and so forth. In this mode, the device matches rules in ascending order of rule IDs. Anytime we can configure an additional rule with smaller rule ID. In such case, later configured rule may be matched earlier. We make such a decision, not the system.

In the auto mode, unlike in the configuration mode, the system automatically allocates rule IDs. We don’t have possibility to specify rule ID. The most precise rule is placed at the beginning of ACL.

When can we use it?

If you want to recall how to configure GRE, just look at GRE on Huawei routers.

You can return to IPSec configuration, reading IPSec on Huawei AR router.

Today, I’m going to put them together and try to configure GRE over IPSec.

Based on the topology below, configure IP adresses and OSPF protocol to ensure connectivity between all routers (omitted here).

Configure tunnel interface on labnario_1 and labnario_3:

[labnario_1]interface Tunnel0/0/0
[labnario_1-Tunnel0/0/0] ip address 10.0.0.1 255.255.255.0 
[labnario_1-Tunnel0/0/0] tunnel-protocol gre
[labnario_1-Tunnel0/0/0] source 150.0.0.1
[labnario_1-Tunnel0/0/0] destination 160.0.0.1

Let’s assume that a large number of packets are sent to CPU of a device. What will happen if most of these packets are malicious attack packets? CPU usage will become high, what can bring to services’ deterioration. In extreme cases it can lead the device to reboot. We can minimize an impact of the attack on network services, providing the local attack defense function. When such attack occurs, this function ensures non-stop service transmission.

Attack Defense Policy Supported by AR routers:

CPU attack defense:

• The device uses blacklists to filters invalid packets sent to the CPU
• The device limits the rate of packets sent to the CPU based on the protocol type
• The device schedules packets sent to the CPU based on priorities of protocol packets
• The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU
• ALP is enabled to protect HTTP, FTP and BGP sessions. Packets matching characteristics of the sessions are sent at a high rate, that’s why session-related services are ensured.