l SSL VPN
l L2TP VPN
l DSVPN
l GRE over IPSec VPN
l L2TP VPN over IPSec VPN
For details about VPN features, see VPN Configuration Guide.
3.2.3 Security
ACL
An access control list (ACL) is a series of filtering rules defined according to a policy. Each packet is compared against the rules, and the action of the matching rule determines whether the packet is permitted or denied.
The AR500&AR510&AR530&AR550&AR2500 can use ACL rules to filter packets.
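The ACL matching described here, together with the handling of non-initial IP fragments mentioned under Firewall below, modelled as an added example in Python. This is not Huawei code: the Rule and Packet fields, the strict_fragments switch, the sample policy and the sample addresses are all assumptions constructed for this illustration. A non-initial fragment carries no transport-layer header, so a rule that conditions on a port cannot be evaluated against it; the example shows the permissive behaviour that lets such a fragment through on any address-matching permit, and the strict behaviour that only lets it pass on a rule whose conditions can all be checked.

```python
"""Stateless ACL packet filter with non-initial-fragment handling.

Added example, not Huawei code. Field names, rule semantics and sample
data are assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0        # > 0: non-initial fragment, no L4 header present


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # L4 condition; not checkable on a non-initial fragment

    def needs_l4(self) -> bool:
        return self.dport is not None

    def matches_l3(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def matches_l4(self, pkt: Packet) -> bool:
        return self.dport is None or pkt.dport == self.dport


def acl_decide(rules: List[Rule], pkt: Packet, strict_fragments: bool = True) -> str:
    """First matching rule wins; no match falls through to an implicit deny.

    strict_fragments=False reproduces the classic weakness: a non-initial
    fragment has no ports, so an unverifiable L4 condition is treated as
    satisfied and the fragment passes on any address-matching permit.
    strict_fragments=True skips rules whose L4 condition cannot be checked,
    so such a fragment only passes on a rule with address/protocol terms.
    """
    non_initial = pkt.frag_offset > 0
    for rule in rules:
        if not rule.matches_l3(pkt):
            continue
        if non_initial and rule.needs_l4():
            if strict_fragments:
                continue          # cannot verify the port: this rule must not decide
            return rule.action    # legacy behaviour: assume the L4 condition holds
        if rule.matches_l4(pkt):
            return rule.action
    return "deny"


# Constructed sample policy: one web server, one DNS server, deny the rest.
POLICY = [
    Rule("permit", "tcp", dst="10.0.0.5/32", dport=80),
    Rule("permit", "udp", dst="10.0.0.9/32", dport=53),
    Rule("deny"),
]

# Constructed sample packets.
WEB = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 80)
SSH = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 22)
FRAG = Packet("198.51.100.7", "10.0.0.5", "tcp", frag_offset=185)  # ports not visible


def run_demo() -> dict:
    return {
        "web": acl_decide(POLICY, WEB),
        "ssh": acl_decide(POLICY, SSH),
        "fragment_legacy": acl_decide(POLICY, FRAG, strict_fragments=False),
        "fragment_strict": acl_decide(POLICY, FRAG),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} -> {verdict}")
```

With the legacy setting the fragment addressed to the web server is permitted even though its destination port is unknown, which is exactly what a non-initial fragment attack relies on; with the strict setting the same fragment falls through to the final deny rule.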
Firewall
l ACL-based packet filtering
ACL-based packet filtering inspects the header fields of packets to be
forwarded, including source/destination IP addresses, source/destination port numbers,
and IP protocol numbers. The AR500&AR510&AR530&AR550&AR2500 compares
these fields with the ACL rules and determines whether to forward or discard
each packet.
In addition, the AR500&AR510&AR530&AR550&AR2500 can filter fragmented IP
packets to prevent the non-initial fragment attack, in which fragments that carry no
transport-layer header are used to get past port-based rules.
l ASPF
Application Specific Packet Filter (ASPF) performs stateful filtering of application-layer
traffic. Used in security policies, ASPF tracks session information for
application-layer protocol packets that attempt to pass through the
AR500&AR510&AR530&AR550&AR2500 and discards packets that do not belong to a valid session.
l Attack defense
With the attack defense feature, the AR500&AR510&AR530&AR550&AR2500 can
detect various network attacks and protect the internal network against them. Network
attacks fall into three types: DoS attacks, scanning and snooping attacks, and
malformed packet attacks.
– DoS attack
A DoS attack floods a system with a large number of packets so that it can no
longer serve requests from authorized users, or is brought down entirely. DoS attacks
include SYN Flood and Fraggle attacks. They differ from other attacks in that the
attacker does not look for a way into the network but aims to prevent authorized
users from accessing resources or routers.
– Scanning and snooping attack
A scanning and snooping attack identifies the live systems on a network
by ping scanning (including ICMP and TCP scanning) and then picks out
potential targets. TCP scanning can reveal the operating
system and the services that may be running. By scanning and snooping, an attacker can learn
Huawei AR500&AR510&AR530&AR550&AR2500
Series Industrial Switch Routers
Product Description
3 Product Characteristics
Issue 02 (2016-11-25) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
35
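The ASPF behaviour and two of the attack-defense cases described above (SYN Flood, and scanning for live ports), modelled as an added example in Python. This is not Huawei code and does not describe how the device implements these features: the session table, the trust/untrust zone names, the PUBLISHED service list, the thresholds and the sample packets are all constructed for this illustration. The point it shows is that a reply packet is admitted only when a matching session was created by permitted traffic, that an unsolicited non-SYN packet is dropped, and that the same session table gives the counters needed to notice many half-open sessions toward one host (SYN Flood) or one source probing many ports (scanning).

```python
"""ASPF-style stateful inspection with two attack-defense detectors.

Added example, not Huawei code. The session table, zone names, published
service list, thresholds and sample packets are constructed for this
example; a real device uses rate windows and SYN proxying rather than the
bare counters used here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""        # TCP flags as letters, e.g. "S", "SA", "A"
    zone: str = "untrust"  # "trust" = inside network, "untrust" = outside


Key = Tuple[str, str, str, int, int]

# Services the outside may initiate sessions to (assumption for this example).
PUBLISHED = {("10.0.0.5", "tcp", 80)}


def key_of(p: Pkt) -> Key:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse(k: Key) -> Key:
    src, dst, proto, sport, dport = k
    return (dst, src, proto, dport, sport)


class Inspector:
    def __init__(self, syn_threshold: int = 3, scan_threshold: int = 4) -> None:
        self.sessions: Dict[Key, str] = {}                 # 5-tuple -> "half-open" | "established"
        self.half_open: Dict[str, int] = defaultdict(int)  # half-open sessions per destination IP
        self.probed: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)  # (dst, port) per source
        self.alerts: List[str] = []
        self.syn_threshold = syn_threshold
        self.scan_threshold = scan_threshold

    def _alert(self, msg: str) -> None:
        if msg not in self.alerts:
            self.alerts.append(msg)

    def handle(self, p: Pkt) -> str:
        k, rk = key_of(p), reverse(key_of(p))
        # Reply direction of a known session: admitted; a SYN-ACK completes the handshake.
        if rk in self.sessions:
            if self.sessions[rk] == "half-open" and p.flags == "SA":
                self.sessions[rk] = "established"
                self.half_open[p.src] -= 1        # p.src is the original destination
            return "forward"
        # Initiator direction of a known session.
        if k in self.sessions:
            return "forward"
        # No session: only a TCP SYN may create one, and only if policy allows the initiator.
        if p.proto == "tcp" and p.flags == "S":
            self.probed[p.src].add((p.dst, p.dport))
            if len(self.probed[p.src]) >= self.scan_threshold:
                self._alert(f"port-scan from {p.src}")
                return "drop"
            allowed = p.zone == "trust" or (p.dst, p.proto, p.dport) in PUBLISHED
            if not allowed:
                return "drop"
            if self.half_open[p.dst] >= self.syn_threshold:
                self._alert(f"syn-flood toward {p.dst}")
                return "drop"
            self.sessions[k] = "half-open"
            self.half_open[p.dst] += 1
            return "forward"
        # Anything else without a session (forged replies, ACK probes) is unsolicited.
        return "drop"


def run_demo() -> Dict[str, object]:
    """Constructed traffic mix; returns the verdicts and alerts for inspection."""
    insp = Inspector(syn_threshold=3, scan_threshold=4)
    out: Dict[str, object] = {}
    out["outbound_syn"] = insp.handle(Pkt("192.168.1.10", "93.184.216.34", "tcp", 51000, 443, "S", "trust"))
    out["reply"] = insp.handle(Pkt("93.184.216.34", "192.168.1.10", "tcp", 443, 51000, "SA"))
    out["forged_reply"] = insp.handle(Pkt("93.184.216.34", "192.168.1.11", "tcp", 443, 51000, "SA"))
    out["inbound_to_published"] = insp.handle(Pkt("198.51.100.7", "10.0.0.5", "tcp", 40000, 80, "S"))
    # SYN flood: spoofed sources that never complete the handshake.
    out["flood"] = [insp.handle(Pkt(f"203.0.113.{i}", "10.0.0.5", "tcp", 40000 + i, 80, "S"))
                    for i in range(1, 5)]
    # One source probing several ports on the server.
    out["scan"] = [insp.handle(Pkt("198.51.100.9", "10.0.0.5", "tcp", 50000 + pt, pt, "S"))
                   for pt in (21, 22, 23, 25, 110)]
    out["alerts"] = list(insp.alerts)
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22} {verdict}")
```

The forged SYN-ACK is dropped because no inside host opened that session, while the genuine reply is forwarded; the third spoofed SYN toward the published server is dropped once three sessions are half-open, and the fourth distinct port probed by one source raises the scan alert. The thresholds are deliberately tiny so the behaviour is visible in a dozen packets.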