Huawei Technologies Co. Ltd EM820W User Manual

encrypt data and authenticate the data source at the IP layer to ensure the confidentiality and
integrity of the data and prevent replay on the network.
IPSec implements these functions by using two security protocols: Authentication Header (AH)
protocol and Encapsulating Security Payload (ESP). Internet Key Exchange (IKE) provides the
automatic key negotiation, SA establishment, and SA maintenance functions to simplify IPSec
use and management.
The AR supports IPSec VPN and provides high reliability transmission tunnels for users. In
addition, the AR uses Generic Routing Encapsulation (GRE) and Layer 2 Tunneling Protocol
(L2TP) to support the following VPN services:
- GRE VPN
- IPSec VPN
- BGP/MPLS IP VPN
- SSL VPN
- L2TP VPN
- DSVPN
- GRE over IPSec VPN
- L2TP VPN over IPSec VPN
For details about VPN features, see Feature Description - VPN.
3.2.4 Security
ACL
An access control list (ACL) defines a series of filtering rules. Based on a certain policy, the ACL
permits or forbids the passage of data packets.
The ARs can use ACL rules to filter packets.
Firewall
- ACL-based packet filtering
  ACL-based packet filtering analyzes the information in the packets to be
  forwarded, including source/destination IP addresses, source/destination port numbers, and
  IP protocol numbers. The ARs compare the packet information with the ACL rules and
  determine whether to forward or discard the packets.
  In addition, the ARs can filter fragmented IP packets to prevent non-initial fragment
  attacks.
- ASPF
  Application Specific Packet Filter (ASPF) filters application-layer packets based on
  packet status. ASPF, used for security policies, checks the session information of
  application-layer protocol packets that attempt to pass through the AR and blocks packets
  that do not satisfy the policy.
- Attack defense
  With the attack defense feature, the ARs can detect various network attacks and protect the
  internal network against attacks.
  Network attacks are classified into three types: DoS attacks, scanning and snooping attacks,
  and malformed packet attacks.
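The following added example (not taken from the Huawei documentation or AR software) shows why ACL-based packet filtering needs a separate rule for fragments: only the initial fragment carries the port numbers, so a filter that matches later fragments on layer-3 fields alone forwards packets whose ports it never checked. The rule set, addresses, and function names are constructed for illustration, and the layer-3-only mode models a generic naive filter, not AR behaviour.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed rule set (hypothetical): (action, protocol, source, destination, dst port or None)
ACL = [
    ("permit", 6, "0.0.0.0/0", "192.0.2.10/32", 443),
    ("deny", 17, "0.0.0.0/0", "192.0.2.0/24", None),
]

def parse_ipv4(pkt):
    """Extract the fields an ACL matches on from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                              # header length in bytes
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF     # fragment offset, 8-byte units
    fields = {"proto": pkt[9], "src": ip_address(pkt[12:16]),
              "dst": ip_address(pkt[16:20]), "offset": offset, "dport": None}
    # Only the initial fragment (offset 0) carries the TCP/UDP header with the ports.
    if offset == 0 and fields["proto"] in (6, 17) and len(pkt) >= ihl + 4:
        fields["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields

def filter_packet(pkt, acl=ACL, drop_noninitial=True):
    """Return 'permit' or 'deny'; first matching rule wins, default is deny."""
    f = parse_ipv4(pkt)
    noninitial = f["offset"] != 0
    if noninitial and drop_noninitial:
        return "deny"          # ports cannot be verified, so do not forward
    for action, proto, src, dst, dport in acl:
        if proto != f["proto"]:
            continue
        if f["src"] not in ip_network(src) or f["dst"] not in ip_network(dst):
            continue
        # With drop_noninitial=False the port test is skipped for later fragments
        # (layer-3-only matching), which is the gap fragment filtering closes.
        if dport is not None and not noninitial and f["dport"] != dport:
            continue
        return action
    return "deny"

def build_ipv4(proto, src, dst, dport, offset=0):
    """Build a constructed sample packet (header checksum left at zero)."""
    l4 = struct.pack("!HH", 40000, dport) + bytes(16) if offset == 0 else bytes(20)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, offset, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + l4
```
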
Huawei AR G3 Series Enterprise Routers
Product Description
3 Product Characteristics
Issue 02 (2012-04-20)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
25