FAQ-Security Features of NE05E&08E

Created: Sep 24, 2016 18:41:47 | Latest reply: Jan 18, 2017 13:36:37
Security Features

Security Authentication

The NE supports the following security authentication functions:

  • Authentication, accounting, and authorization implemented locally or on the RADIUS or HWTACACS server
  • Plaintext authentication and MD5 encrypted text authentication supported by routing protocols that include RIPv2, OSPF, IS-IS, and BGP
  • MD5 encrypted text authentication supported by LDP and RSVP
  • SNMPv3 encryption and authentication
  • 802.1x authentication

DHCP Snooping

Dynamic Host Configuration Protocol (DHCP) snooping filters out untrusted DHCP messages through the functions of MAC address limit, DHCP snooping binding, IP+MAC binding, and Option 82. In this manner, DHCP denial of service (DoS) attacks, bogus DHCP server attacks, ARP middleman attacks, and IP/MAC spoofing attacks in DHCP applications are prevented. DHCP snooping functions like a firewall between the DHCP client and DHCP server.

URPF

The NE supports unicast reverse path forwarding (URPF) for IPv4 traffic.

MAC Address Limit

The NE supports the following MAC address limit functions:

  • Limit on the number of VLAN-based MAC address forwarding table entries
  • Limit on the number of VSI-based MAC address forwarding table entries

Entries in a MAC address forwarding table are classified into three types:

  • Dynamic entries
    Dynamic entries are learned by interfaces and stored in the hardware of the system control board. Dynamic entries will age. Dynamic entries will be lost when the system is reset.
  • Static entries
    Static entries are configured by users and stored on the system control board. Static entries will not age. Static entries will not be lost when the system is reset.
  • Blackhole entries
    Blackhole entries are used to filter out the data frames that contain specific destination MAC addresses. Blackhole entries are configured by users and stored on the system control board. Blackhole entries will not age. Blackhole entries will not be lost when the system is reset.

MAC Address Deletion

The NE supports the deletion of MAC addresses from the MAC address forwarding table:

  • VSI-based MAC address deletion
  • VLAN-based MAC address deletion
  • Trunk-based MAC address deletion
  • Entire system-based MAC address deletion

Unknown Traffic Limit

With the unknown traffic limit function, the NE can implement the following functions on a VPLS or Layer 2 network:

  • Manages user traffic.
  • Allocates bandwidth to users.
  • Limits the rate of unknown unicast, unknown multicast, and broadcast traffic.

In this manner, the network bandwidth is properly used and network security is guaranteed.

Whitelist- or Blacklist-based MAC Address Filtering

The NE can filter MAC addresses based on a source MAC address whitelist or blacklist at Ethernet interfaces. Then, the NE forwards packets from MAC addresses in the whitelist and discards packets from MAC addresses in the blacklist.

Local Attack Defense

The NE provides a uniform local attack defense module to manage and maintain the attack defense policies of the entire system, thereby offering an all-around, feasible, and maintainable attack defense solution for users.

The NE supports the following attack defense functions:

  • Management and service plane protection
  • Attack source tracing
    When the NE is attacked, it obtains and saves suspicious packets, and then displays the packets in a certain format using command lines or offline tools. This helps locate the attack source easily.
    When attacks occur, the system automatically removes the data encapsulated at upper layers of the transmission layer and then caches the packets. When the number of packets in the cache reaches a certain number (for example, 20000 packets on each LPU), the earliest cached packets are overridden when more packets are cached.

SSHv2

The NE supports the STelnet client and server as well as the SFTP client and server, which support SSHv1.5 and SSHv2.

Interface Loop Detection

If a physical interface detects packets sent by itself, a loop has occurred. In this case, the interface blocks itself. After the specified block time elapses, the interface does not receive packets sent by itself, which means that the loop has been eliminated. Then, the interface unblocks itself.
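
The DHCP snooping checks described in this post, as an added example that is not part of the original post and not Huawei's implementation: a simplified Python model of trusted ports, the MAC address limit and the IP+MAC binding check. Port names, addresses and the limit of 2 are constructed sample values, and Option 82 is not modelled.

```python
# Simplified model of DHCP snooping (illustrative; not vendor code).
# Port names, MAC/IP addresses and the MAC limit are constructed sample values.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server should send

@dataclass
class Snooper:
    trusted: set                                   # ports facing legitimate DHCP servers
    mac_limit: int = 2                             # client MACs allowed per untrusted port
    bindings: dict = field(default_factory=dict)   # (ip, mac) -> client port
    pending: dict = field(default_factory=dict)    # client mac -> port of its REQUEST
    macs: dict = field(default_factory=dict)       # port -> client MACs seen there

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return 'forward' or a drop reason for one DHCP message."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:           # bogus DHCP server
                return "drop: server message on untrusted port"
            if msg == "ACK" and client_mac in self.pending:
                # Lease confirmed by a trusted server: bind IP+MAC to the client port.
                self.bindings[(ip, client_mac)] = self.pending.pop(client_mac)
            return "forward"
        if port not in self.trusted:               # client message: enforce MAC limit
            seen = self.macs.setdefault(port, set())
            if client_mac not in seen and len(seen) >= self.mac_limit:
                return "drop: MAC limit exceeded"  # many fake MACs exhausting the pool
            seen.add(client_mac)
        if msg == "REQUEST":
            self.pending[client_mac] = port
        return "forward"

    def check_source(self, port, src_ip, src_mac):
        """IP+MAC binding check for ARP/IP traffic from an untrusted port."""
        if port in self.trusted or self.bindings.get((src_ip, src_mac)) == port:
            return "forward"
        return "drop: no matching binding"         # spoofed IP/MAC or forged ARP

def demo():
    s = Snooper(trusted={"port1"})
    mac, ip = "00:00:5e:00:53:01", "192.0.2.5"
    return [
        s.dhcp("port2", "REQUEST", mac, ip),               # client asks for a lease
        s.dhcp("port3", "ACK", mac, ip),                   # server reply on untrusted port
        s.dhcp("port1", "ACK", mac, ip),                   # reply from the trusted port
        s.check_source("port2", ip, mac),                  # bound host sends traffic
        s.check_source("port3", ip, "00:00:5e:00:53:99"),  # source with no binding
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```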

Wayne     Created Sep 24, 2016 18:42:15

FAQ-Security Features of NE05E&08E

haesong     Created Jan 18, 2017 13:36:37

Security Features of NE05E&08E