Campus Network Security Design – Core Layer

Local attack defense

Local attack defense is an important function set of the switch. It protects the CPU, prevents the service interruptions that occur when the CPU has to process a large number of packets (whether legitimately sent to the CPU or malicious attack packets), and ensures that the device's existing services keep running normally while it is under attack. Its main functions are CPU attack defense, attack source tracing and port attack defense.

CPU attack defense

CPU attack defense limits the packets sent to the CPU so that the number of packets reaching the CPU per unit time stays within a certain range, thereby protecting the CPU and ensuring that it can process services normally. The core parts of CPU attack defense are CPCAR (Control Plane Committed Access Rate) and the blacklist and whitelist.

CPCAR protects the control plane by limiting the rate at which protocol packets of different services are sent to it. Each type of protocol packet has an independent CP-CAR value that limits the rate at which that type is sent to the CPU, so that the CPU cannot be overwhelmed by a large volume of attack packets. Tuning the CP-CAR value properly improves the device's ability to process protocol packets, but the value cannot be increased arbitrarily: if it is too large, CP-CAR can no longer protect the CPU effectively.

As the number of access users grows and authentication generates more protocol packet exchanges, the default CP-CAR values are no longer adequate. If CP-CAR is not adjusted reasonably, the usual result is that protocol packets are crowded out, so users cannot go online normally or go offline unexpectedly.

The following takes the modification of the CAR value of ARP Request packets as an example.

Create an attack defense policy.

[Switch] cpu-defend policy policy1

Configure the CP-CAR value of ARP Request packets to 120 kbit/s.

[Switch-cpu-defend-policy-policy1] car packet-type arp-request cir 120
Warning: Improper parameter settings may affect stable operating of the system. Use this command under assistance of Huawei engineers. Continue? [Y/N]: y
[Switch-cpu-defend-policy-policy1] quit

Apply the attack defense policy to the main control board.

[Switch] cpu-defend-policy policy1

Apply the attack defense policy to the interface boards.

[Switch] cpu-defend-policy policy1 global

In the previous project, the CP-CAR value was adjusted in real time according to the general behavior of live-network users.

By creating a blacklist and adding users with specific characteristics to it, the device directly discards packets sent by blacklisted users; by creating a whitelist and adding users with specific characteristics to it, the device gives priority to processing packets that match the whitelist.

Define ACL rules.

[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Switch-acl-basic-2001] quit
[Switch] acl number 2002
[Switch-acl-basic-2002] rule permit source 10.2.2.0 0.0.0.255
[Switch-acl-basic-2002] quit

Create an attack defense policy.

[Switch] cpu-defend policy policy1

Configure the CPU attack defense blacklist.

[Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001

Configure the CPU attack defense whitelist.

[Switch-cpu-defend-policy-policy1] whitelist 1 acl 2002
[Switch-cpu-defend-policy-policy1] quit

Apply the attack defense policy to the main control board.

[Switch] cpu-defend-policy policy1

Apply the attack defense policy to the interface boards.

[Switch] cpu-defend-policy policy1 global

The statistics function shows in real time how many packets sent to the CPU were forwarded and how many were discarded, which is an effective aid in locating problems.

[HUAWEI] display cpu-defend statistics all
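As an added illustration (not Huawei code, and not from this article), the following Python model shows how a cpu-defend policy like policy1 above combines the blacklist, the whitelist and the ARP Request CP-CAR, and why the CIR value decides how much of a flood actually reaches the CPU. The class and function names, the token-bucket burst size and the sample traffic are assumptions.

```python
import ipaddress
from collections import Counter

def in_acl(ip, acl):
    """Basic ACL match; each rule is (network, wildcard) as in 'rule permit source'."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, wild in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1-bits: don't care
        if addr & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False

class TokenBucket:
    def __init__(self, cir_kbps):
        self.rate = self.burst = cir_kbps * 1000  # bits/s; burst assumed = one second of CIR
        self.tokens, self.last = float(self.burst), 0.0

    def allow(self, now, size_bytes):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size_bytes * 8:
            self.tokens -= size_bytes * 8
            return True
        return False

class CpuDefendPolicy:  # checks in order: blacklist drop, whitelist priority pass, per-type CAR
    def __init__(self, blacklist, whitelist, car_kbps):
        self.blacklist, self.whitelist = blacklist, whitelist
        self.car = {ptype: TokenBucket(kbps) for ptype, kbps in car_kbps.items()}
        self.stats = Counter()  # the kind of counters 'display cpu-defend statistics' reports

    def punt(self, ptype, src_ip, size_bytes, now):
        if in_acl(src_ip, self.blacklist):
            self.stats['blacklist-drop'] += 1
            return 'drop'
        if in_acl(src_ip, self.whitelist):  # simplification: whitelisted traffic bypasses the CAR
            self.stats['whitelist-pass'] += 1
            return 'pass'
        ok = self.car[ptype].allow(now, size_bytes)
        self.stats['car-pass' if ok else 'car-drop'] += 1
        return 'pass' if ok else 'drop'

def run_demo(cir_kbps=120):
    """Constructed traffic: instant bursts of 60-byte ARP requests from three sources."""
    policy = CpuDefendPolicy([('10.1.1.0', '0.0.0.255')], [('10.2.2.0', '0.0.0.255')],
                             {'arp-request': cir_kbps})
    for src, count in (('10.1.1.7', 10), ('10.3.3.5', 1000), ('10.2.2.9', 500)):  # blacklisted, unlisted, whitelisted
        for _ in range(count):
            policy.punt('arp-request', src, 60, 0.0)
    return dict(policy.stats)
```

With cir 120 only 250 of the 1000 unlisted ARP requests pass in the burst; raising the CIR tenfold lets the whole flood through, which is the trade-off the text warns about.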

Attack source tracing

With attack source tracing configured, the device analyzes whether the packets sent to the CPU constitute an attack on the CPU and notifies the network administrator, through logs or alarms, of the packets that may be attacks, so that the administrator can take measures to protect the device. Attack source tracing is enabled on the switch by default.

Create a cpu-defend policy, enable attack source tracing, and enable the reporting function of attack source tracing events.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test

View attack source information.

[HUAWEI] display auto-defend attack-source

When attack source tracing is triggered, the switch can take configurable actions such as discarding, but configuring an action is generally not recommended: the network may experience sudden traffic surges, and discarding would affect services. Only the monitoring side of attack source tracing is needed. The command above shows at any time whether the current network is being continuously attacked or is experiencing continuous surges.

Port defense

By configuring port attack defense, the device can trace the source and limit the rate of packets sent to the CPU based on the port dimension to defend against DoS attacks against the CPU. The port attack defense function is enabled by default on the switch.

Create a cpu-defend policy to enable port attack defense. The attack defense policy can be applied to the main control board, all interface boards, or specified interface boards, which can be selected according to the actual situation.

[HUAWEI] cpu-defend policy defend
[HUAWEI-cpu-defend-policy-defend] auto-port-defend enable
[HUAWEI-cpu-defend-policy-defend] quit
[HUAWEI] cpu-defend-policy defend //Apply the attack defense policy on the main control board
[HUAWEI] cpu-defend-policy defend global //Apply the attack defense policy to all interface boards
[HUAWEI] slot 3
[HUAWEI-slot-3] cpu-defend-policy test //Apply the attack defense policy on the specified interface board

View port attack defense records.

[HUAWEI] display auto-port-defend attack-source

The command above shows the records of triggered port attack defense. A trigger does not necessarily mean that a large-scale attack is under way; it is simply the device CPU protecting itself. For an instantaneous ARP surge or a sustained attack, port attack defense effectively limits the impact of these packets on the CPU.

If there are special business requirements, for example a network-side port that normally receives a large number of protocol packets which are generally legitimate, the port can be added to the port attack defense whitelist so that the device neither traces nor rate-limits it. This avoids disrupting normal services because the CPU cannot process the large volume of network-side protocol packets in time.

Configure the network-side interface GE1/0/0 as a port attack defense whitelist entry, so that network-side protocol packets are not left unprocessed by the CPU and normal services are not affected.

[Switch-cpu-defend-policy-policy1] auto-port-defend whitelist 1 interface gigabitethernet 1/0/0

TC attack defense

When the device receives a TC (Topology Change) packet, it notifies the ARP module to age or delete the ARP entries, and then must relearn ARP to obtain the latest entry information. If the network topology changes frequently, or there are many ARP entries on the network, ARP relearning generates too many ARP packets on the network.

After the device receives topology change packets, it deletes MAC address entries and ARP entries. Frequent operations will have a great impact on the CPU, which may cause high CPU usage. It is recommended to enable TC protection on all STP-enabled devices.

<HUAWEI> system-view
[HUAWEI] stp tc-protection

Disable the device from aging or deleting ARP entries in response to TC packets, and enable ARP entry refresh triggered by MAC address entry changes, so that when the device receives TC packets the ARP entries are not aged or deleted.

<HUAWEI> system-view
[HUAWEI] mac-address update arp
[HUAWEI] arp topology-change disable

ARP Security

The ARP security functions currently used in the core mainly include: ARP optimized response and ARP anti-gateway conflict.

ARP optimized response

When the device functions as an access gateway, the device will receive a large number of ARP request packets requesting the MAC address of the local interface. If all these ARP request packets are sent to the main control board for processing, the CPU usage of the main control board will be too high, affecting the processing of normal services by the CPU.

To avoid the above hazards, you can enable the ARP optimized response function. After this function is enabled, for ARP request packets whose destination IP address is the interface IP address of the device, the interface board directly replies with ARP responses, which can improve the device’s ability to defend against ARP flood attacks. This function is especially applicable to the scenario where multiple interface boards are installed on the device. By default, the ARP optimized response function is enabled.

[HUAWEI] undo arp optimized-reply disable

ARP Anti-Gateway Conflict

If an attacker impersonates the gateway and sends an ARP packet whose source IP address is the gateway IP address inside the LAN, the ARP tables of other user hosts in the LAN will record incorrect gateway address mappings. In this way, other user hosts will send all the traffic destined for the gateway to the attacker. The attacker can easily eavesdrop on the content of the data they send, and eventually these user hosts will not be able to access the network.

To prevent attackers from spoofing the gateway when user hosts connect to it directly, you can enable the ARP gateway anti-collision function on the gateway device. The device treats a received ARP packet as conflicting with the gateway address when it meets either of the following conditions:

  • The source IP address of the ARP packet is the same as the IP address of the VLANIF interface corresponding to the incoming interface of the packet.
  • The source IP address of the ARP packet is the virtual IP address of the incoming interface, but the source MAC address of the ARP packet is not the VRRP virtual MAC address.

For such a packet the device generates an ARP attack defense entry and, for a period of time, discards ARP packets received on the interface in the same VLAN with the same source MAC address. In this way, ARP packets that conflict with the gateway address are prevented from being broadcast in the VLAN.

[HUAWEI] arp anti-attack gateway-duplicate enable
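An added example (not Huawei code, not from this article) of the two gateway-conflict conditions above and the resulting per-VLAN, per-source-MAC defense entry, so a defender can see which packets are dropped and which get logged. Field names, the hold time and the sample packets are assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class GatewayIf:
    vlan: int
    ip: str                 # IP address of the VLANIF interface
    vrrp_vip: str = None    # VRRP virtual IP on this interface, if any
    vrrp_vmac: str = None   # VRRP virtual MAC, e.g. 0000-5e00-0101

class GatewayDuplicateDefense:
    def __init__(self, interfaces, hold_time=180.0):  # hold_time is an assumed value
        self.ifs = {i.vlan: i for i in interfaces}
        self.hold_time = hold_time
        self.entries = {}   # (vlan, src_mac) -> expiry time of the defense entry
        self.log = []       # what a defender would see as logs/alarms

    def is_conflict(self, vlan, src_ip, src_mac):
        gw = self.ifs.get(vlan)
        if gw is None:
            return False
        if src_ip == gw.ip:                       # condition 1: claims the VLANIF address
            return True
        return (gw.vrrp_vip is not None and src_ip == gw.vrrp_vip
                and src_mac.lower() != gw.vrrp_vmac.lower())  # condition 2: VIP, wrong MAC

    def handle_arp(self, vlan, src_ip, src_mac, now):
        """Returns 'drop' or 'forward' for one ARP packet received in the given VLAN."""
        key = (vlan, src_mac.lower())
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return 'drop'                         # covered by an active defense entry
        if expiry is not None:
            del self.entries[key]                 # entry has aged out
        if self.is_conflict(vlan, src_ip, src_mac):
            self.entries[key] = now + self.hold_time
            self.log.append((now, vlan, src_ip, src_mac))
            return 'drop'
        return 'forward'

def run_demo():
    """Constructed packet sequence on VLAN 100 (gateway 10.1.1.1, VRRP VIP 10.1.1.254)."""
    d = GatewayDuplicateDefense([GatewayIf(100, '10.1.1.1', '10.1.1.254', '0000-5e00-0101')])
    events = [
        (0.0, 100, '10.1.1.20', 'aaaa-aaaa-0001'),    # ordinary host
        (1.0, 100, '10.1.1.1', 'bbbb-bbbb-0002'),     # claims the gateway IP: entry created
        (2.0, 100, '10.1.1.30', 'bbbb-bbbb-0002'),    # same MAC, innocent IP, still held
        (3.0, 100, '10.1.1.254', '0000-5e00-0101'),   # the VRRP master itself: legitimate
        (4.0, 100, '10.1.1.254', 'cccc-cccc-0003'),   # VIP with a non-VRRP MAC
        (200.0, 100, '10.1.1.30', 'bbbb-bbbb-0002'),  # entry expired after hold_time
    ]
    return [d.handle_arp(vlan, ip, mac, now=t) for t, vlan, ip, mac in events]
```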

ARP proxy

For the centralized forwarding mode, since the downlink Layer 2 devices are configured with port isolation, the corresponding ARP proxy needs to be configured on the core gateway, and the ARP proxy within the VLAN is generally used.

[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-proxy inner-sub-vlan-proxy enable
Note: in this scenario, both the access device and the aggregation device need to be configured with port isolation.

Configure the port isolation function of GE1/0/1 and GE1/0/2 to realize Layer 2 data isolation and Layer 3 data intercommunication between the two interfaces.

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit

IPv6 attack defense

It is recommended to configure IPv6 security attack defense. When the network is normal, the device can correctly receive ICMPv6 packets. However, when the network traffic is heavy, if hosts and ports are frequently unreachable, the device will receive a large number of ICMPv6 packets, which will increase the network traffic burden and significantly reduce the performance of the device. At the same time, network attackers often use ICMPv6 error messages to illegally spy on the internal structure of the network to achieve the purpose of attack.

To improve network performance and enhance network security, you can disable the system from receiving ICMPv6 reply packets, host unreachable packets, and port unreachable packets to prevent security attacks against these ICMPv6 packets.

Disable the function of the system to receive ICMPv6 reply messages, host unreachable messages and port unreachable messages.

<HUAWEI> system-view
[HUAWEI] undo ipv6 icmp echo-reply receive
[HUAWEI] undo ipv6 icmp port-unreachable receive
[HUAWEI] undo ipv6 icmp host-unreachable receive