Security Technology of Huawei devices

Source: Internet
Author: User

Several common security technologies on Huawei devices



Security Technology 1: ACL

Note: ACL (Access Control List)

An ACL implements packet filtering by configuring matching rules and the actions applied to matching packets.

• Basic ACL: rules are based only on the source IP address of the packet.
• Advanced ACL: rules are based on the source IP address, destination IP address, protocol type, port number, and protocol characteristics of the packet.
• L2 ACL: rules are based on the source MAC address, destination MAC address, 802.1p priority, L2 protocol type, and other L2 information of the packet.
• User-defined ACL: taking the packet header as the reference, a specified number of bytes starting at a given offset is ANDed with a mask, and the string extracted from the packet is compared with the user-defined string to find matching packets.

Huawei devices permit by default. The ACL number ranges are:

• 100 ~ 199: WLAN ACL;
• 2000 ~ 2999: IPv4 basic ACL;
• 3000 ~ 3999: IPv4 advanced ACL;
• 4000 ~ 4999: layer-2 ACL;
• 5000 ~ 5999: user-defined ACL.

• Creating a time period: time-range,
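The matching behaviour described above can be modelled in a few lines. This is an added example, not Huawei code or device configuration: the `Rule` fields, function names, first-match rule ordering and all sample addresses are assumptions made for illustration; the number ranges and the default-permit action come from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL number ranges as listed in the text above.
ACL_RANGES = {"wlan": (100, 199), "basic": (2000, 2999), "advanced": (3000, 3999),
              "layer2": (4000, 4999), "user-defined": (5000, 5999)}

def acl_type(number):
    for name, (low, high) in ACL_RANGES.items():
        if low <= number <= high:
            return name
    raise ValueError(f"ACL number {number} is outside every listed range")

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network
    dst: str = "0.0.0.0/0"          # destination network (advanced ACL only)
    proto: str = "ip"               # "ip" matches any protocol (advanced ACL only)
    dport: Optional[int] = None     # destination port (advanced ACL only)

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("ip", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def evaluate(number, rules, pkt, default="permit"):
    """First matching rule wins (assumed); unmatched packets get the default action."""
    basic = acl_type(number) == "basic"
    for rule in rules:
        if basic and (rule.dst, rule.proto, rule.dport) != ("0.0.0.0/0", "ip", None):
            raise ValueError("a basic ACL can match on the source IP address only")
        if matches(rule, pkt):
            return rule.action
    return default

def user_defined_match(packet, offset, mask, pattern):
    """AND len(mask) bytes at `offset` with `mask`, then compare with `pattern`."""
    window = packet[offset:offset + len(mask)]
    return len(window) == len(mask) and bytes(b & m for b, m in zip(window, mask)) == pattern

# Constructed sample data (not from the original page).
ACL_3000 = [Rule("deny", src="192.168.10.0/24", dst="10.0.0.5/32", proto="tcp", dport=23),
            Rule("permit", src="192.168.10.0/24")]
TELNET = {"src": "192.168.10.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
# 20-byte IPv4 header; byte 9 is the protocol field (6 = TCP).
IPV4_HEADER = bytes.fromhex("45000028000040004006" "0000" "c0a80a07" "0a000005")
```

Because unmatched traffic is permitted, an ACL that is meant to restrict access needs an explicit deny rule for everything it should block.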

Security Technology 2: AM (Access Management Configuration)
Note: am (Access Management Configuration)

When only a small number of users connect to an Ethernet switch, the LAN service provider can reduce networking cost by using the Ethernet switch in place of an authentication and billing server and a DHCP server, which is a low-cost and simple alternative. This alternative relies on two features of the switch: binding ports to IP addresses, and layer-2 isolation between ports.

By configuring layer-2 isolation on the ports of the Ethernet switch, you can ensure that frames sent from port 1 are not received by port 2, and frames sent from port 2 are not received by port 1, which isolates port 1 from port 2. This ensures that the PCs of each organization can communicate only with other PCs in the same organization, while the PCs designated in each organization can still communicate with the external network normally.



Security Technology 3: IP-MAC binding
Note: An IP address and a MAC address can be bound on a Huawei layer-3 device to prevent ARP from affecting the network.

MAC address binding uses the security control list of the layer-3 switch to bind a port on the switch to the corresponding MAC address. Because each network adapter has a unique MAC address, binding MAC addresses effectively prevents unauthorized users from accessing the network and stealing network resources. This provides security protection at the network physical layer.

Security Technology 4: ARP binding
Note: ARP (Address Resolution Protocol) is used to resolve IP addresses to Ethernet MAC addresses. Binding the ARP mapping table prevents ordinary ARP spoofing attacks. The most effective way to prevent ARP virus attacks is bidirectional static ARP binding.
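The IP-MAC binding and bidirectional static ARP binding described in the two sections above can be checked offline. This is an added example, not Huawei code: it compares observed ARP replies with a static binding table and audits that both the gateway and each host hold the other side's entry. All function names, addresses and table layouts are constructed for illustration.

```python
def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb-ccdd-eeff; return 12 hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def check_arp_reply(sender_ip, sender_mac, bindings):
    """Compare the sender fields of one ARP reply with the static IP-to-MAC bindings."""
    bound = bindings.get(sender_ip)
    if bound is None:
        return "unbound"       # no static entry, so the mapping would be learned dynamically
    if normalize_mac(bound) != normalize_mac(sender_mac):
        return "mismatch"      # reply contradicts the static entry: ignore it and alert
    return "ok"

def audit_bidirectional(gateway_ip, gateway_mac, gateway_table, hosts):
    """Report hosts where either direction of the static binding is missing or wrong.

    gateway_table: {host_ip: host_mac} static entries configured on the gateway.
    hosts: {host_ip: (host_mac, {ip: mac} static entries configured on that host)}.
    """
    findings = []
    for host_ip, (host_mac, static) in sorted(hosts.items()):
        bound = gateway_table.get(host_ip)
        if bound is None or normalize_mac(bound) != normalize_mac(host_mac):
            findings.append((host_ip, "gateway lacks correct entry for host"))
        seen = static.get(gateway_ip)
        if seen is None or normalize_mac(seen) != normalize_mac(gateway_mac):
            findings.append((host_ip, "host lacks correct entry for gateway"))
    return findings

# Constructed sample data (not from the original page).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00e0-fc00-0001"
GATEWAY_TABLE = {"192.168.1.10": "00e0-fc00-0010", "192.168.1.11": "00e0-fc00-0011"}
HOSTS = {
    "192.168.1.10": ("00:e0:fc:00:00:10", {"192.168.1.1": "00-e0-fc-00-00-01"}),
    "192.168.1.11": ("00:e0:fc:00:00:11", {}),                               # host side unbound
    "192.168.1.12": ("00:e0:fc:00:00:12", {"192.168.1.1": "00e0-fc00-0001"}),  # gateway side unbound
}
```

A binding on one side only still leaves the other side's dynamically learned entry open to being overwritten, which is why the audit reports each direction separately.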

Security Technology 5: AAA

Note: AAA is short for Authentication, Authorization and Accounting (authentication, authorization, and billing). It is a management method for network security that provides a unified configuration framework for authentication, authorization, and billing.

• Authentication: which users can access the network server;
• Authorization: which services users with access permissions can obtain;
• Accounting (billing): how to charge users who are using network resources.

AAA generally adopts a client/server structure: the client runs on the managed resource side, and user information is stored centrally on the server. As a result, the AAA framework scales well and makes centralized management of user information easy.

Security Technology 6: dot1x

Note: The 802.1x protocol is a port-based network access control (Port-Based Network Access Control) protocol. "Port-based network access control" means that connected devices are authenticated and controlled at the port level of the LAN access device. If the user device connected to the port passes authentication, it can access resources in the LAN. If authentication fails, it cannot access resources in the LAN.




