IP Source Guard - Huawei AR500 Product Description

Huawei AR500 Industrial Switch Routers
Product Description
ARP Security
Networks are exposed to many ARP-based attacks: attacks that target hosts and gateways,
ARP spoofing and ARP flood attacks, and attacks launched by viruses and other malicious
software. Address Resolution Protocol (ARP) security uses a set of ARP-based mechanisms,
such as strict ARP learning, ARP entry protection, and ARP packet rate limiting, to protect
the network from attacks on ARP itself and from ARP-based network scanning.

IP Source Guard

Some network attacks forge the source IP address of packets in order to gain access to,
and consume, network resources. Such attacks can deny authorized users access to the
network or cause information leaks.
The AR500 series routers support IP source guard (IPSG) and Unicast Reverse Path Forwarding
(URPF). URPF checks that the source address of an incoming packet is reachable through the
interface on which it arrived (strict mode) or through some route in the routing table
(loose mode), and discards packets that fail the check.
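The ARP binding check, IPSG and URPF described above all answer the same question, "is this source address plausible on this port?", but against different tables. The following is an added example, not Huawei's code and not a model of the AR500 implementation: it applies one binding check to ARP sender and IP source addresses, and a strict/loose URPF lookup against a small routing table. The interface names, the binding table and the routes are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Binding:
    """One (IP, MAC, port) entry, as DHCP snooping or a static binding would record it."""
    ip: str
    mac: str
    port: str


# Constructed binding table: both hosts sit on the LAN port GE0/0/1 (hypothetical names).
BINDINGS = {
    "10.1.1.10": Binding("10.1.1.10", "0001-0002-0003", "GE0/0/1"),
    "10.1.1.11": Binding("10.1.1.11", "0001-0002-0004", "GE0/0/1"),
}

# Constructed unicast routing table: prefix -> egress interface.
ROUTES = {
    ip_network("10.1.1.0/24"): "GE0/0/1",
    ip_network("192.168.0.0/16"): "GE0/0/3",
    ip_network("0.0.0.0/0"): "GE0/0/9",
}


def binding_ok(ip, mac, port):
    """Binding check shared by ARP inspection and IP Source Guard: the IP/MAC pair
    must match the binding recorded on the ingress port. For ARP this stops a host
    claiming the gateway's address; for IP it drops packets with a spoofed source."""
    b = BINDINGS.get(ip)
    return b is not None and b.mac == mac and b.port == port


def lookup_route(addr):
    """Longest-prefix match over ROUTES; returns (prefix, interface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_ok(src_ip, ingress, mode="strict", allow_default_route=False):
    """Unicast RPF. strict: the route back to the source must leave via the ingress
    interface. loose: any route to the source suffices. The default route is ignored
    unless allow_default_route is set, otherwise loose mode on a router with a default
    route would accept every spoofed address."""
    route = lookup_route(src_ip)
    if route is None:
        return False
    prefix, iface = route
    if prefix.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def admit(src_ip, src_mac, ingress, ipsg=True, urpf_mode="strict"):
    """Decision for one IP packet; names the check that rejected it."""
    if ipsg and not binding_ok(src_ip, src_mac, ingress):
        return "drop:ipsg"
    if urpf_mode and not urpf_ok(src_ip, ingress, urpf_mode):
        return "drop:urpf"
    return "forward"


if __name__ == "__main__":
    # A host using its own address, then the same host borrowing its neighbour's IP.
    print(admit("10.1.1.10", "0001-0002-0003", "GE0/0/1"))                 # forward
    print(admit("10.1.1.11", "0001-0002-0003", "GE0/0/1"))                 # drop:ipsg
    # A spoofed Internet source on the LAN port with IPSG off: strict URPF still drops it.
    print(admit("203.0.113.7", "0001-0002-0003", "GE0/0/1", ipsg=False))   # drop:urpf
```

The `allow_default_route` switch is the caveat worth remembering: on an access router that carries a default route, loose URPF accepts any source unless the default route is excluded from the check, so on customer-facing ports strict mode or IPSG is the meaningful control.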
Issue 01 (2013-5-10)
IP protocol numbers. The AR500 compares the packet information with the ACL rules and
determines whether to forward or discard the packets.
In addition, the AR500 can filter fragmented IP packets to defend against non-initial
fragment attacks, in which traffic is split so that the later fragments, which carry no
Layer 4 header, cannot be matched against port-based ACL rules.
ASPF
Application Specific Packet Filter (ASPF) filters application-layer packets based on
connection state. Used in security policies, ASPF tracks session information for
application-layer protocol traffic that passes through the AR500 and discards packets
that do not belong to an established session.
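What "filtering on session state" means in practice is easier to see in code. The following is an added example, not Huawei's code and not a description of the AR500's session table: a minimal stateful filter between an inside and an outside interface (hypothetical names) in which outbound initiations create sessions and inbound packets are permitted only when they match the reverse 5-tuple of a live session. Idle timeout and the flag encoding are simplifications chosen for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str     # interface the packet arrived on
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A"


class Aspf:
    """Stateful filter between an inside and an outside interface.

    An outbound TCP SYN (or any outbound UDP datagram) creates a session keyed by
    its 5-tuple. Packets from outside are permitted only if they match the reverse
    5-tuple of a live session, so unsolicited inbound traffic, including a SYN aimed
    at an inside service, is discarded. Sessions expire after idle_timeout seconds;
    the caller supplies the clock so behaviour is deterministic."""

    def __init__(self, inside, outside, idle_timeout=60.0):
        self.inside = inside
        self.outside = outside
        self.idle_timeout = idle_timeout
        self.sessions = {}  # 5-tuple -> last-seen time

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        dead = [k for k, t in self.sessions.items() if now - t > self.idle_timeout]
        for k in dead:
            del self.sessions[k]

    def filter(self, p, now):
        """Return "permit" or "deny" for packet p seen at time now (seconds)."""
        self._expire(now)
        if p.ingress == self.inside:
            k = self._key(p)
            initiates = p.proto == "udp" or (p.proto == "tcp" and p.flags == "S")
            if k in self.sessions or initiates:
                self.sessions[k] = now
                return "permit"
            return "deny"  # e.g. a stray ACK with no session behind it
        if p.ingress == self.outside:
            rk = self._reverse(p)
            if rk in self.sessions:
                self.sessions[rk] = now
                return "permit"
            return "deny"  # unsolicited inbound
        return "deny"


if __name__ == "__main__":
    # Constructed traffic: an inside client opens a connection, the reply is allowed,
    # an outside probe at an inside service is not.
    fw = Aspf("GE0/0/1", "GE0/0/3", idle_timeout=30)
    syn = Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 80, "GE0/0/1", "S")
    synack = Packet("tcp", "203.0.113.5", 80, "10.1.1.10", 40000, "GE0/0/3", "SA")
    probe = Packet("tcp", "198.51.100.9", 5555, "10.1.1.10", 22, "GE0/0/3", "S")
    print(fw.filter(syn, 1.0), fw.filter(synack, 2.0), fw.filter(probe, 3.0))
```

A stateless ACL that permits "established" traffic would have to accept any inbound packet with the ACK bit set; the session table is what lets the device refuse an inbound packet that merely looks like a reply.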
Attack defense
With the attack defense feature, the AR500 can detect various network attacks and protect
the internal network against them. Network attacks are classified into three types: DoS
attacks, scanning and snooping attacks, and malformed packet attacks.
– DoS attack
A DoS attack floods a system with a large number of packets so that it can no longer
serve requests from authorized users, or so that the host hangs. DoS attacks include
SYN Flood and Fraggle attacks. DoS attacks differ from other attacks in that the
attacker does not look for an entry point into the network but simply prevents
authorized users from accessing resources or routers.
– Scanning and snooping attack
A scanning and snooping attack identifies the live systems on a network, using ping
sweeps (ICMP) and TCP scans, to find potential targets. TCP scanning lets an attacker
identify the operating system and the listening services. Through scanning and
snooping, an attacker learns the service types and security vulnerabilities of a
system in preparation for a further intrusion.
– Malformed packet attack
A malformed packet attack sends malformed packets to the system; a vulnerable system
crashes when it processes the malformed IP packets. Malformed packet attacks include
Ping of Death and Teardrop.
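The fragment-based cases on this page (the non-initial fragment problem under ACL packet filtering, and the Ping of Death and Teardrop malformed-packet attacks) all come down to reading the IPv4 fragment fields. The following is an added example, not Huawei's code and not the AR500's detection logic: it builds raw IPv4 packets as constructed test data, then shows why a port-based ACL cannot classify a non-initial fragment, and checks fragments for the oversize-reassembly and overlapping-offset conditions. Addresses, identifiers and sizes are arbitrary.

```python
import struct
from ipaddress import IPv4Address

TCP = 6
ICMP = 1
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Constructed raw IPv4 packet (checksum left at zero: the checks below never
    validate it). offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fields the filters need; fragment offset is returned in bytes."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": pkt[ihl:total_len],
    }


def acl_port_decision(pkt, permitted_dports):
    """Stateless rule of the form 'permit tcp any any eq <port>'. Only the initial
    fragment carries the TCP header, so for a non-initial fragment the port is not
    visible. Forwarding such fragments blindly lets pieces of a denied flow through;
    dropping them (the page's 'filter fragmented IP packets') closes that hole."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != TCP:
        return "deny"
    if ip["offset"] != 0:
        return "non-initial-fragment"
    dport = struct.unpack("!HH", ip["payload"][:4])[1]
    return "permit" if dport in permitted_dports else "deny"


def is_ping_of_death(pkt):
    """Ping of Death: a fragment whose offset plus length exceeds the 65535-byte
    IPv4 maximum, so reassembly overruns the receiver's buffer."""
    ip = parse_ipv4(pkt)
    return ip["offset"] + len(ip["payload"]) > 65535


def is_teardrop(frags):
    """Teardrop: fragments of one datagram whose data ranges overlap."""
    pieces = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    end = 0
    for p in pieces:
        if p["offset"] < end:
            return True
        end = p["offset"] + len(p["payload"])
    return False


# Constructed samples: a TCP datagram split in two, an overlapping replacement for
# the second piece, and an ICMP fragment placed past the end of the address space.
TCP_HDR = struct.pack("!HH", 40000, 80) + bytes(16)  # sport 40000, dport 80
FIRST = build_ipv4("10.1.1.10", "203.0.113.5", TCP, TCP_HDR + b"A" * 44, ident=7, mf=True)
SECOND = build_ipv4("10.1.1.10", "203.0.113.5", TCP, b"B" * 24, ident=7, offset=8)
OVERLAP = build_ipv4("10.1.1.10", "203.0.113.5", TCP, b"C" * 24, ident=7, offset=3)
POD = build_ipv4("198.51.100.9", "10.1.1.10", ICMP, bytes(1000), ident=9, offset=8100)

if __name__ == "__main__":
    print(acl_port_decision(FIRST, {80}))    # permit
    print(acl_port_decision(SECOND, {80}))   # non-initial-fragment
    print(is_teardrop([FIRST, SECOND]))      # False
    print(is_teardrop([FIRST, OVERLAP]))     # True
    print(is_ping_of_death(POD))             # True
```

The `non-initial-fragment` result is the point of the ACL caveat: a rule that permits port 80 and denies the rest can only be enforced on the first fragment, so a device must either reassemble, track the first fragment's verdict per datagram, or simply refuse non-initial fragments.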
IPSG prevents source address spoofing attacks, so that attackers cannot gain access to
network resources and the rights of authorized users are protected.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 Product Characteristics