This section describes device security, its purpose, and its advantages.
To ensure its security, the device categorizes packets sent from the interface boards to the CPU on the main control board by protocol granularity and then filters out attack packets using features such as local Unicast Reverse Path Forwarding (URPF), TCP/IP attack defense, application layer association, management and service plane protection, Generalized TTL Security Mechanism (GTSM), and dynamic link protection. This way, the device protects the services for which connections have already been established. In addition, the device drops malformed packets, spoofing packets, and service packets that are not originated at the network processor (NP), which avoids unnecessary packet processing on the CPU and improves device security.
The device supports the following security features:
Application layer association
Management plane protection
TCP/IP attack defense
Attack source tracing
Dynamic link protection
GTSM
TM multi-level scheduling
CP-CAR and Host-CAR
Whitelist, blacklist, and customer-defined flows
Alarm
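The filtering pipeline described above (classify CPU-bound packets by protocol, drop spoofed and blacklisted sources, apply the GTSM TTL check, then rate-limit each protocol toward the CPU) is modelled below in a small added Python example. It is not NetEngine code; the packet fields, interface names, addresses and per-protocol budgets are constructed for illustration, and CP-CAR is reduced to a per-protocol packet budget rather than a real token bucket.

```python
from collections import namedtuple

# Constructed packet model: the fields an interface board would hand to the
# CPU that these checks need (ingress interface, source IP, protocol, TTL).
Packet = namedtuple("Packet", "ingress src_ip proto ttl")

# Constructed tables. URPF: prefix expected on each ingress interface.
# GTSM_PEERS: BGP peers and their hop distance. CP_CAR: packets allowed per
# protocol toward the CPU in one interval. BLACKLIST: sources always dropped.
URPF = {"ge0/0/1": "10.1.1.", "ge0/0/2": "10.2.2."}
GTSM_PEERS = {"10.1.1.2": 1}
CP_CAR = {"bgp": 3, "icmp": 2, "ssh": 1}
BLACKLIST = {"10.2.2.66"}


class ControlPlaneFilter:
    def __init__(self):
        self.budget = dict(CP_CAR)  # remaining credits per protocol

    def check(self, pkt):
        """Return (verdict, reason) for one packet bound for the CPU."""
        if pkt.src_ip in BLACKLIST:
            return "drop", "blacklist"
        # Local URPF: the source must belong to the prefix expected on the
        # ingress interface, otherwise it is treated as a spoofed packet.
        prefix = URPF.get(pkt.ingress)
        if prefix is None or not pkt.src_ip.startswith(prefix):
            return "drop", "urpf-spoof"
        # GTSM: a peer N hops away sends TTL 255, so anything below 255 - N
        # cannot have come from that peer and is dropped before the stack.
        if pkt.proto == "bgp":
            if pkt.src_ip not in GTSM_PEERS:
                return "drop", "not-a-peer"
            if pkt.ttl < 255 - GTSM_PEERS[pkt.src_ip]:
                return "drop", "gtsm-ttl"
        # CP-CAR: per-protocol committed access rate toward the CPU.
        if pkt.proto not in self.budget:
            return "drop", "unknown-protocol"
        if self.budget[pkt.proto] == 0:
            return "drop", "cp-car"
        self.budget[pkt.proto] -= 1
        return "accept", "ok"


def run(packets):
    """Apply the filter to a packet list and return one verdict per packet."""
    cp_filter = ControlPlaneFilter()
    return [cp_filter.check(p) for p in packets]
```

Feeding `run()` a burst of ICMP from one source shows the CP-CAR budget exhausting after two packets while a BGP packet with a short TTL is rejected earlier by the GTSM check.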
Device security defends against the following threats:
Unauthorized users remotely accessing NetEngine 8000 Fs.
Malicious users exploiting TCP/IP vulnerabilities to attack the NetEngine 8000 F protocol stacks.
Large numbers of packets flooding the upstream channel of NetEngine 8000 Fs.
Denial of Service (DoS) attacks consuming CPU and system memory resources.
Forged source IP addresses spoofing NetEngine 8000 Fs, which wastes forwarding entries and CPU resources.
Device security offers the following benefits:
Services are not affected when the device is attacked: the device keeps working stably and quality of service (QoS) is guaranteed.
Service reliability is enhanced.