Tuesday, May 16, 2017

Principle of Security Data Plan on Huawei MA5800

The security plan consists of a system security plan, a user security plan, and a service security plan.
Security policies ensure service security from different aspects.

The device provides complete security measures, but not all security measures need to be deployed. Only the security measures that meet the following requirements need to be deployed:

  • The security measures can be used on the live network.
  • The security measures are easy to deploy.
  • The security measures are effective.

Different ONUs support different security features. Select the security feature recommended in this topic according to the actual capabilities of the Huawei ONU/ONT.

System Security

Security Vulnerability: DoS attack
Solution: Enable the anti-DoS-attack function on the Huawei OLT and MDU.
Description and Usage Suggestion: After the anti-DoS-attack function is enabled, control packets are monitored and those exceeding the number threshold are discarded. Use this solution for new site deployment.

Security Vulnerability: IP attack
Solution: Enable the anti-IP-attack function on the Huawei OLT and MDU.
Description and Usage Suggestion: After the anti-IP-attack function is enabled, the device discards IP packets received from the user side whose destination IP address is the IP address of the device itself, which protects the system. Use this solution for new site deployment.

User Security

Security Vulnerability: MAC spoofing
Solution: Enable the anti-MAC-duplicate function on the Huawei MA5800 and MDU.
Description and Usage Suggestion: After anti-MAC-duplicate is enabled, the system records the first MAC address learnt from the port and binds the MAC address to the port and VLAN. If it receives packets sent from a host that has the same MAC address as the port, the system discards the packets directly. This prevents users from forging MAC addresses to perform malicious attacks. Use this solution for new site deployment.

Security Vulnerability: MAC attack
Solution: Enable the anti-MAC spoofing function on the Huawei OLT and MDU.
Description and Usage Suggestion: After anti-MAC spoofing is enabled, the system can prevent users from forging IP addresses to perform malicious attacks. Use this solution for new site deployment.

Security Vulnerability: IP spoofing
Solution: Enable the anti-IP spoofing function on the MDU.
Description and Usage Suggestion: After anti-IP spoofing is enabled, the system can prevent users from forging IP addresses to perform malicious attacks. Use this solution for new site deployment.
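
A small model of the anti-MAC-duplicate behaviour described under User Security (the first MAC address learnt is bound to its port and VLAN, and the same MAC arriving elsewhere is discarded). This is an added illustration, not Huawei's implementation or code from the original post. The port labels, MAC addresses, per-VLAN binding scope, and the absence of ageing are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    port: str     # ingress user port (constructed label, e.g. "0/1/0")
    vlan: int
    src_mac: str

@dataclass
class AntiMacDuplicate:
    # (vlan, mac) -> port that first presented the MAC. Assumption: the binding
    # is scoped per VLAN and never ages out in this model.
    bindings: dict = field(default_factory=dict)
    drops: Counter = field(default_factory=Counter)

    def receive(self, frame: Frame) -> str:
        key = (frame.vlan, frame.src_mac.lower())
        owner = self.bindings.setdefault(key, frame.port)
        if owner == frame.port:
            return "forward"
        # Same MAC seen on a different port: discard and count per port, so an
        # operator can see which port is presenting a duplicate address.
        self.drops[frame.port] += 1
        return "discard"

# Constructed sample traffic: a subscriber on port 0/1/0 and a second port
# presenting the same source MAC in the same VLAN.
SAMPLE_FRAMES = [
    Frame("0/1/0", 100, "00:11:22:33:44:55"),  # first learnt -> bound
    Frame("0/1/1", 100, "00:11:22:33:44:55"),  # duplicate from another port
    Frame("0/1/0", 100, "00:11:22:33:44:55"),  # bound owner still forwards
    Frame("0/1/1", 100, "00:AA:BB:CC:DD:EE"),  # port 0/1/1's own MAC is fine
    Frame("0/1/1", 100, "00:11:22:33:44:55"),  # repeated duplicate
    Frame("0/1/1", 200, "00:11:22:33:44:55"),  # other VLAN: separate binding
]

def replay(frames):
    """Run frames through a fresh guard; return verdicts and discards per port."""
    guard = AntiMacDuplicate()
    verdicts = [guard.receive(f) for f in frames]
    return verdicts, dict(guard.drops)

if __name__ == "__main__":
    verdicts, drops = replay(SAMPLE_FRAMES)
    for frame, verdict in zip(SAMPLE_FRAMES, verdicts):
        print(f"{frame.port} vlan {frame.vlan} {frame.src_mac}: {verdict}")
    print("discards per port:", drops)
```

The per-port discard count is the useful signal here: a port that keeps presenting an address already bound elsewhere stands out immediately.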

