11-Security Configuration Guide

H3C S12500 Switch Series, Configuration Guides, Release 1828P04-6W182
01-Security Overview

Security overview

Many events on a network threaten the security of network resources, in particular data confidentiality, data integrity, and data availability. Network security services provide solutions that remove or reduce these threats.

Network security threats

·     Information disclosure—Information is leaked to an unauthorized person or entity.

·     Data integrity violation—Data is modified or destroyed without authorization.

·     Denial of service—Information or other network resources are made unavailable to their intended users.

·     Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.

Network security services

One security service is implemented by one or more network security technologies, and one technology can implement multiple services. A secure network needs the following services:

·     Identity authentication—Identifies users and determines whether a user is valid. Typical mechanisms include Authentication, Authorization, and Accounting (AAA), username plus password, and PKI digital certificates.

·     Access security—Controls how a user accesses network resources based on the result of identity authentication, and prevents untrusted users and connections from performing privileged actions. The major access security protocols are 802.1X, MAC authentication, and portal authentication, which work together with AAA to authenticate users.

·     Data security—Encrypts and decrypts data in transit and at rest. Typical mechanisms are symmetric and asymmetric encryption; their common applications are IP security (IPsec), Secure Sockets Layer (SSL), and Secure Shell (SSH). IPsec secures IP communications; SSL and SSH protect data transfer over TCP.

·     Attack detection and protection—Determines from packet contents and traffic behavior whether received packets are attack packets and, when an attack is detected, takes countermeasures at the data link, network, and application layers. Features include TCP and ICMP attack protection, ARP attack prevention, and IP Source Guard.

Network security technologies

Identity authentication

AAA

AAA provides a uniform framework for implementing network access management. It provides the following security functions:

·     Authentication—Identifies network users and determines whether the user is valid.

·     Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.

·     Accounting—Records all network service usage information, including service type, start time, and traffic. The accounting function provides information required for charging, and allows for network security surveillance.

AAA can be implemented through multiple protocols, such as RADIUS and HWTACACS; RADIUS is the most widely used.
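The RADIUS exchange between an access device (NAS) and the AAA server is the piece of the above that is easiest to get wrong and worth seeing concretely. The following is an added example written for this page, not H3C code and not a description of the switch's implementation: it builds a minimal Access-Request with the User-Password attribute hidden as RFC 2865 specifies (XOR with an MD5 keystream derived from the shared secret and the Request Authenticator), lets a toy server recover the password and answer, and has the NAS verify the Response Authenticator before trusting the reply. The shared secrets, usernames, passwords, and the fixed Request Authenticator are constructed values; a real NAS must generate the Request Authenticator randomly per request.

```python
import hashlib
import hmac
import struct

# Constructed constants for the example (not values from the H3C documentation).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each 16-octet block with MD5(secret + previous ciphertext block).
    The 'previous block' for the first block is the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password and strip the NUL padding.
    (A password that itself ends in NUL octets is ambiguous under this scheme.)"""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-octet header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its authenticator was computed with the shared
    secret over our Request Authenticator; otherwise a forged Access-Accept would do."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(secret: bytes, request_auth: bytes, username: bytes, password: bytes,
             server_secret: bytes, server_password: bytes) -> tuple:
    """One Access-Request / reply round trip with constructed credentials.
    Returns (server_accepted, nas_trusts_reply)."""
    ident = 0x2A
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    request = packet(ACCESS_REQUEST, ident, request_auth, attrs)

    # RADIUS server: parse the attributes, recover the password, decide.
    req_auth = request[4:20]
    body, pos, user, pw = request[20:], 0, None, None
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        value = body[pos + 2:pos + l]
        if t == ATTR_USER_NAME:
            user = value
        elif t == ATTR_USER_PASSWORD:
            pw = reveal_password(value, server_secret, req_auth)
        pos += l
    accepted = user == username and pw == server_password
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply = packet(code, ident,
                   response_authenticator(code, ident, b"", req_auth, server_secret), b"")

    # NAS: check the Response Authenticator before acting on the reply.
    return accepted, verify_response(reply, request_auth, secret)
```

The third case in the usage below is the one to remember when a RADIUS deployment "mysteriously" rejects everyone: with mismatched shared secrets the server decrypts garbage and the NAS cannot validate the reply either, so both sides see the failure but neither sees the cause.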

PKI

Public Key Infrastructure (PKI) is a general security infrastructure that provides information security through public key technologies. PKI uses digital certificates to manage public keys: a certificate binds a public key to its owner, which allows public keys to be distributed securely in large networks. With digital certificates, PKI provides security services for network communication, e-commerce, and e-government.

H3C's PKI system provides digital certificate management for IPsec and SSL.

Access security

802.1X

802.1X is a port-based network access control protocol defined for IEEE 802 LANs. It is widely used on both Ethernet networks and wireless LANs (WLANs). 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. It requires no client software, and users do not need to enter a username and password. The device starts MAC authentication when it detects an unknown source MAC address on a MAC-authentication-enabled port. If the MAC address passes authentication, the user can access the authorized network resources.

Portal authentication

Portal authentication, also called web authentication, controls access to the Internet. Users enter a username and password on a web page to authenticate. It requires no client software and can be deployed at the access layer or at any other data entrance that needs protection.

With portal authentication, the access device redirects all unauthenticated users to the portal authentication page. Users can access the free services provided on the portal website, but to reach the Internet they must pass portal authentication.

Data security

Managing public keys

Public key configuration lets you manage local asymmetric key pairs (create and destroy a local key pair, display or export the local host public key) and configure peer host public keys on the local device.

IPsec

IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology that provides data confidentiality (encryption), data integrity, and data origin authentication.

SSL

SSL is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTPS, using public key mechanisms and digital certificates. SSL is independent of the application layer protocol: the application protocol runs unchanged on top of the secure connection, and SSL does not need to understand it.

SSH

SSH is a network security protocol that provides secure remote login and file transfer over an insecure network. Through encryption and authentication, SSH protects devices against attacks such as IP spoofing and interception of plaintext passwords.

Connection control

You can configure connection limit policies to collect statistics on, and limit, the number of connections, the connection establishment rate, and the connection bandwidth. This protects internal network resources (hosts or servers) and keeps the device's own system resources correctly allocated.

Attack detection and protection

ARP attack protection

Although ARP is simple to implement, it has no security mechanism and is vulnerable to attack. An attacker can exploit ARP to attack network devices, for example by impersonating a trusted user or the gateway, or by ARP flooding. H3C provides a comprehensive and effective solution against these attacks.

ND attack defense

The IPv6 Neighbor Discovery (ND) protocol is feature-rich but has no security mechanism, so an attacker can attack hosts and gateways simply by sending forged ND packets. The device implements several ND attack detection technologies against such attacks, such as the source MAC consistency check for ND packets and ND Detection.

IP Source Guard

IP Source Guard uses binding entries to improve port security by blocking illegal packets. For example, it prevents an invalid host from using a valid IP address to access the network. It is applied on interfaces that connect to the user side.

IP Source Guard can filter packets according to the packet source IP address, source MAC address, and VLAN ID. A binding entry can be statically configured or dynamically added through DHCP or ND.
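The ARP attack protection and IP Source Guard sections above both come down to the same check: a user-facing port only forwards traffic whose source matches a binding entry for that port. The following added example, written for this page and not H3C's code, models that with a static binding table keyed by (IP, MAC, VLAN, port). IP packets are filtered on their source address, and ARP packets additionally get a source MAC consistency check (the sender hardware address in the ARP body must equal the Ethernet source) before their sender IP/MAC is validated against the table, which is what stops a host on an access port from claiming the gateway's address. The port names, bindings, and frames are constructed; ports not listed as guarded (such as the uplink) pass unchecked, an assumption that mirrors a trusted uplink rather than any specific switch behavior.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One IP Source Guard binding entry. These are static in the example; on a
    real switch DHCP snooping or ND would add them dynamically."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class Frame:
    """Constructed representation of a received frame. For an IP packet src_ip is
    the IP header source; for ARP it is the sender protocol address."""
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    kind: str                              # "ip" or "arp"
    arp_sender_mac: Optional[str] = None   # ARP sender hardware address (ARP only)


class SourceGuard:
    def __init__(self, guarded_ports):
        self.guarded = set(guarded_ports)  # user-facing ports the check applies to
        self._entries = {}                  # port -> set of Binding

    def bind(self, entry: Binding) -> None:
        self._entries.setdefault(entry.port, set()).add(entry)

    def _bound(self, port, ip, mac, vlan) -> bool:
        return any(b.ip == ip and b.mac.lower() == mac.lower() and b.vlan == vlan
                   for b in self._entries.get(port, ()))

    def check(self, f: Frame) -> tuple:
        """Return (allowed, reason) for one received frame."""
        if f.port not in self.guarded:
            return True, "port not guarded (for example, a trusted uplink)"
        if f.kind == "arp":
            # Source MAC consistency: the ARP sender hardware address must match
            # the Ethernet source address of the frame that carried it.
            if (f.arp_sender_mac or "").lower() != f.src_mac.lower():
                return False, "ARP sender MAC differs from Ethernet source MAC"
            # User validity: the claimed sender IP/MAC must be bound on this port,
            # so a host cannot answer ARP for the gateway or a neighbour.
            if not self._bound(f.port, f.src_ip, f.src_mac, f.vlan):
                return False, "ARP sender IP/MAC not bound on this port"
            return True, "ARP sender matches binding"
        if not self._bound(f.port, f.src_ip, f.src_mac, f.vlan):
            return False, "source IP/MAC/VLAN not bound on this port"
        return True, "source matches binding"


def build_demo_guard() -> SourceGuard:
    """Constructed topology: two guarded access ports, uplink GE1/0/24 trusted."""
    g = SourceGuard(guarded_ports=["GE1/0/1", "GE1/0/2"])
    g.bind(Binding("10.0.1.10", "00:11:22:33:44:55", 10, "GE1/0/1"))
    g.bind(Binding("10.0.1.11", "00:11:22:33:44:66", 10, "GE1/0/2"))
    return g
```

Note that the VLAN is part of the match: the same host moved to another VLAN without a new binding is dropped, which is the behavior you want when bindings are learned from DHCP snooping per VLAN.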

URPF

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing, which is commonly used in denial of service (DoS) and distributed denial of service (DDoS) attacks. The device looks up the source address of a received packet in the forwarding table and drops the packet if there is no route back to that source (or, in strict mode, if that route does not point to the interface the packet arrived on).
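The strict/loose distinction and the treatment of the default route are where URPF deployments go wrong, so the following added example (written for this page, not H3C's implementation) works through both modes on a small constructed forwarding table. Routes, interface names, and addresses are all constructed; the longest-prefix-match lookup and the checks are the general algorithm rather than any device-specific behavior.

```python
import ipaddress


class Fib:
    """Forwarding table with longest-prefix-match lookup. Routes are constructed
    (prefix, outgoing interface) pairs for the example."""

    def __init__(self, routes):
        parsed = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
        # Longest prefix first, so the first containing network is the best match.
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr.version == net.version and addr in net:
                return net, iface
        return None, None


def urpf_check(fib, src_ip, ingress, mode="strict", allow_default=False):
    """Return (passed, reason) for a packet with source src_ip received on 'ingress'.
    strict: the best route back to the source must leave via the ingress interface.
    loose:  any route to the source is enough (tolerates asymmetric routing).
    allow_default: whether matching only the default route counts as having a route."""
    net, iface = fib.lookup(src_ip)
    if net is None:
        return False, "no route to source address"
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "loose":
        return True, "route to source exists via %s" % iface
    if mode != "strict":
        raise ValueError("mode must be 'strict' or 'loose'")
    if iface == ingress:
        return True, "reverse path is the ingress interface"
    return False, "reverse path is %s but packet arrived on %s" % (iface, ingress)


# Constructed edge router: two customer prefixes and a default route to the Internet.
DEMO_FIB = Fib([
    ("10.1.0.0/16", "GE1/0/1"),
    ("10.2.0.0/16", "GE1/0/2"),
    ("0.0.0.0/0", "GE1/0/24"),
])
```

Strict mode on the customer-facing ports catches one customer spoofing the other's prefix; loose mode is the realistic choice on the Internet-facing port, where asymmetric paths are normal, and there allow_default must stay off or the check passes everything.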

TCP and ICMP attack protection

Attackers can attack the device during TCP connection establishment (for example, by flooding SYN packets so that half-open connections exhaust its resources) or by sending large numbers of ICMP fragments. To prevent such attacks, the device provides the following features:

·     SYN Cookie

·     Protection against Naptha attacks

·     Disabling ICMP fragment forwarding
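SYN Cookie is the one feature in the list above whose mechanism is worth seeing in code: instead of allocating state for every SYN, the server encodes what it needs into the initial sequence number of its SYN-ACK and reconstructs the connection when the final ACK returns. The following is an added example written for this page, not H3C's implementation; it follows the well-known Linux layout (an 8-bit minute counter in the top byte, a keyed hash and a small MSS index in the low 24 bits) but with HMAC-SHA256 in place of the kernel's hash, and the secrets, addresses, MSS table, and validity window are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values encodable in the cookie (assumption)
COUNTER_WINDOW = 2                   # reject cookies older than this many minutes
MASK32, MASK24 = 0xFFFFFFFF, 0xFFFFFF


class SynCookies:
    """Stateless SYN handling: everything needed to rebuild the connection is
    encoded in the server ISN, so a SYN flood allocates nothing per SYN."""

    def __init__(self, secret1: bytes, secret2: bytes, clock=time.time):
        self.secret1, self.secret2, self.clock = secret1, secret2, clock

    def _count(self) -> int:
        return int(self.clock() // 60) & 0xFF   # minute counter, wraps modulo 256

    def _h(self, secret, saddr, daddr, sport, dport, count) -> int:
        msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, count)
        return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

    def make(self, saddr, daddr, sport, dport, client_isn, mss) -> int:
        """Server ISN to send in the SYN-ACK for an incoming SYN."""
        idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                idx = i                        # largest table MSS not above the client's
        count = self._count()
        h1 = self._h(self.secret1, saddr, daddr, sport, dport, 0)
        h2 = self._h(self.secret2, saddr, daddr, sport, dport, count)
        return (h1 + client_isn + (count << 24) + ((h2 + idx) & MASK24)) & MASK32

    def check(self, saddr, daddr, sport, dport, client_isn, cookie):
        """Return the MSS encoded in a valid cookie, or None if it is forged or stale."""
        h1 = self._h(self.secret1, saddr, daddr, sport, dport, 0)
        diff = (cookie - h1 - client_isn) & MASK32
        count = diff >> 24                      # recover the minute counter first
        if (self._count() - count) & 0xFF >= COUNTER_WINDOW:
            return None
        h2 = self._h(self.secret2, saddr, daddr, sport, dport, count)
        idx = (diff - (count << 24) - h2) & MASK24
        return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None

    def validate_ack(self, saddr, daddr, sport, dport, seq, ack):
        """Final ACK of the handshake: seq is client_isn + 1, ack is our cookie + 1."""
        return self.check(saddr, daddr, sport, dport,
                          (seq - 1) & MASK32, (ack - 1) & MASK32)


def demo(clock_minutes: float = 12345.0) -> tuple:
    """Constructed handshake: a fresh ACK, the same ACK replayed three minutes later,
    and the ACK checked by a server with different secrets. Returns the three results."""
    now = [clock_minutes * 60]
    srv = SynCookies(b"secret-one", b"secret-two", clock=lambda: now[0])
    saddr, daddr = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])
    sport, dport, client_isn = 40001, 443, 0x12345678
    cookie = srv.make(saddr, daddr, sport, dport, client_isn, 1460)
    fresh = srv.validate_ack(saddr, daddr, sport, dport, client_isn + 1, cookie + 1)
    now[0] += 3 * 60
    stale = srv.validate_ack(saddr, daddr, sport, dport, client_isn + 1, cookie + 1)
    now[0] -= 3 * 60
    other = SynCookies(b"x", b"y", clock=lambda: now[0])
    forged = other.validate_ack(saddr, daddr, sport, dport, client_isn + 1, cookie + 1)
    return fresh, stale, forged
```

The price of statelessness is visible in the MSS table: only a handful of option values survive the round trip, and anything not encoded (window scaling, SACK) is lost unless the implementation uses TCP timestamps to carry it, which is why SYN cookies are normally engaged only once the SYN backlog is under pressure rather than all the time.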

Other security technologies

The device also provides other network security technologies that together give users a full range of security protection. For example, password control is a set of functions that enhance local password security by controlling user login passwords, super passwords, and user login status according to predefined policies, such as minimum password length, minimum password update interval, password aging, and advance notice of pending password expiration.
