Application layer association refers to the association between the protocol flag status on the control plane and the protocol packet sending of the FEs on the physical layer. After the association is established between the control layer and the physical layer, the protocol flag status is kept consistent. For service protocols disabled on a device, the bottom-layer hardware sends corresponding protocol packets at a low bandwidth by default or even does not send these packets. As a result, the attack scope is narrowed, attack cost is increased, and device security risks are reduced.
Currently, NetEngine 8000 Fs can detect and discard the following malformed packets:
Some routing protocols support security authentication. When packets are exchanged between devices, the hash algorithm is used to calculate the summary of packets. Packets that are sent are matched against those that are received to identify the packets that are modified.
SHA256 is used for routing protocol authentication, unless the protocol does not support SHA256, to ensure that protocol packets are not modified.
AES256 is used for key storage to greatly enhance key strength and prevent a key leak.
The blacklist refers to groups of unauthorized users. Unauthorized users filtered by using ACLs can be blacklisted so that packets from these users are discarded or sent at a low rate.
The whitelist refers to groups of authorized users or high-priority users. It helps actively protect existing services and services of high-priority users. Authorized users or high-priority users can be whitelisted so that packets from these users are sent preferentially at a high rate.
The Generalized TTL Security Mechanism (GTSM) checks whether the time to live (TTL) values carried in sent packets are valid to protect the CPU from CPU-utilization (CPU overload) attacks.
Based on the router networking, the number of hops (network nodes) of packets bound for the control plane is limited. You can set the number of hops based on the networking to prevent malicious users from initiating attacks from a remote node.
Attack source tracing is a security hardening method that enables you to analyze attack packets, so that you can extract attack information, including the attack source, severity, and cause. This method also allows a device to record logs and generate alarms for traced attack sources.
When the router is under attacks, attack source tracking records information about attack packets to help locate faults and deploy attack defense.
In protocol-specific multi-session scenarios, a bandwidth limit can be set for each session to send packets to the control plane. If a session is attacked, the other sessions can retain their connections and send their packets to the control plane.
When a protocol establishes sessions through different interfaces, a bandwidth limit can be set for each interface to send packets to the control plane. If an interface is attacked, protocol-specific sessions established on the other interfaces can retain their connections and send their packets to the control plane.