Cpu-Defend Policy for Network v1.1

  • 8/10/2019 Cpu-Defend Policy for Network v1.1

    CPU-DEFEND POLICY ON NETWORK

    HUAWEI's NE40E/80E/CX600 have a built-in default cpu-defend policy to prevent the potential threats aimed at our equipment in real networks. In order to meet most scenarios and guarantee that every protocol runs normally, some rules of the policy are a little bit loose. So we need to adjust the appropriate rules to meet the self-defend requirement when a specified scenario or particular attacks occur.

    Gathering examples from other Metro-E and mobile networks built by HUAWEI, combined with the incidents that happened on the network, HUAWEI's R&D recommends updating the following parameters to ensure sufficient protection for the CPU when facing routing loops, general ARP / ICMP attacks and other common attacks.

    Prevent ICMP attack:

    In the common network, ICMP (ping) is used to detect node or link reachability, but the ICMP reply needs to be generated by the CPU (the NP can only forward packets, not generate packets). In reality, this will incur ICMP attack. Our CPU can handle 4pps ICMP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If the ICMP process occupies the CPU for too long, other critical processes cannot be scheduled.

    HUAWEI highly suggests lowering this value depending on the real network requirement.

    Recommended value: 00kbps (convert to :000pps, based on min frame size 64bytes)

    : Prevent

    the ARP entry exists, this packet will be encapsulated with the MAC and then forwarded directly; if this ARP entry does not exist, the equipment will generate one ARP Miss to notify the ARP module to send an ARP request.

    The ARP MISS attack just makes use of this weakness: it generates lots of packets with a DIP that does not exist, so the Router has to generate lots of ARP Miss notifications when it fails to find an ARP entry, hence the high CPU usage.

    HUAWEI highly suggests lowering this value depending on the real network requirement.

    Recommended value: @00kbps (convert to 000pps, based on min frame size 64bytes)

    4 Prevent SNMP attack

    In the common network, SNMP is used to transfer management information between the NM station and the agent. SNMP protocol packets must be processed by the CPU of the LPU board. In reality, this will incur SNMP attack. Our CPU can handle :pps SNMP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If the SNMP process occupies the CPU for too long, other critical processes cannot be scheduled.

    HUAWEI highly suggests lowering this value depending on the real network requirement.

    Recommended value: @00kbps

    @ Prevent BGP/LDP/OSPF attack

    In the common network, route protocols (such as BGP/LDP/OSPF) are used to advise and communicate routes between routers. These protocol packets must be processed by the CPU of the LPU board. In reality, this will incur route protocol attack. Our CPU can handle these packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If some one protocol process occupies the CPU for too long, other critical processes cannot be scheduled.

    HUAWEI highly suggests protecting these important route protocols depending on the real network requirement.

    Recommend: Use advanced ACL to protect important routing protocols (such as BGP/LDP/OSPF)

    6 Prevent DHCP attack

    In the common network, DHCP is used by hosts to obtain IP addresses dynamically. But DHCP packets must be processed by the CPU of the LPU board. In reality, this will incur DHCP attack. Our CPU can handle :pps DHCP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If the DHCP process occupies the CPU for too long, other critical processes cannot be scheduled.

    Recommended value: @00kbps (this value must be evaluated carefully depending on the real network requirement)

    F Prevent HW

    In the common network, HW

    Index ID   Item   Default Value (kbps)   Recommended Value (kbps)
    :          ICMP   4000                   00
    ?G         IPV4

    UDP Source Address : :6:
    UDP Socket ID : F
    Sequence No : 0
    Configuration Hello Hold

    acl number ?00?
    rule @ permit ospf source :6:0

    4 Modify one CPU-Defend policy as following:

    cpu-defend policy
    user-defined-flow acl ?00
    user-defined-flow : acl ?00:
    user-defined-flow ? acl ?00?
    application-apperceive disable
    process-sequence whitelist user-defined-flow blacklist
    car icmp cir 00
    car index ?G cir 00
    car index 4F cir 00
    car index @0 cir @00
    car snmp cir @00
    car bgp cir :00
    car ldp cir :00
    car ospf cir :00
    car dhcp cir @00
    car hwtacacs cir :00
    car lspping cir 00
    car igmp cir :00
    car vrrp cir 000

    @ Apply the policy to every LPU card that needs to be protected:

    slot X
    cpu-defend-policy

    6 Check the policy statistics to verify the attack when a network attack occurs:

    N*5=5ac'ets--------------------------------------------------------------------------------

    6 Application-Apperceive @68@?@: G8G::8? @F8G:@?G

    --------------------------------------------------------------------------------

    OSPF : : 0
    RIP 0
    ISIS 0 0 0
    ICMP :06 :06 0
    MSDP 0 0 0
    PIM :: :: 0
    DHCP @@@F0:8F GF6F8?06 @F8GG8
    LACP :8G? :8G? 0
    N

    Udp-packet 0 0 0

    --------------------------------------------------------------------------------