X.805-Complaint Three-Layer and Three-Plane Security Framework and Defense Mechanism

To address the threats faced by networks and enhance security protection during network design, construction, and operation, the International Telecommunication Union (ITU) defines a layer- and plane-based security framework in the X.805 standard. Figure 1 shows the X.805 security framework, in which each layer and each plane has the security capability and functionality specified by the ITU. The framework is divided into three security layers: infrastructure layer, service layer, and application layer. It also consists of three security planes: management plane, control plane, and user plane.

Figure 1 ITU X.805 security framework

Different data flows have different levels of importance, security threats, and impacts on users. To prevent data flows from affecting each other, Huawei proposes an X.805-complaint three-layer and three-plane security framework shown in Figure 2. As shown in the figure, each plane and each layer faces different threats. Isolating the three planes can minimize the attack surface of each layer and prevent other planes from being affected by attacks on one plane.

Figure 2 ITU X.805-compliant three-layer and three-plane security framework

The following two examples illustrate the reasons for implementing three-plane isolation. Assume that the forwarding plane is not isolated from the management and control planes. When the device is under attack (for example, heavy traffic or viruses), the hardware resources are consumed, leading to insufficiency. In addition, processing tasks on the forwarding plane continue to consume CPU and memory resources until they are exhausted. Consequently, the device cannot be managed, becoming isolated because no resources are available on the control plane. Assume that the control plane is not isolated from the management plane. If an ARP flood attack causes the device to break down, an administrator may be unable to check the protocol and status of the device on the management plane because it has no reserved resources.

The preceding examples highlight the importance of using three-plane isolation, because it prevents the three planes from affecting each other while also maintaining reliance among them. The following describes the defense capabilities of the three layers and three planes.

Management plane: is used to access, configure, and manage devices, and typically delivers network management functions. To prevent unauthorized access to and unauthorized operations on the device, the management plane provides security defense capabilities such as system permission management, account permission management, and log recording.
- Role-based user permission control ensures that users at different levels have different permissions.
- AAA controls system permissions in different application scenarios.
- A log system records all the system configurations and the exceptions that occur during the running of the system, facilitating subsequent auditing.
To harden the management plane more effectively, it is necessary to know which protocols and functions are typically used on the management plane.
- Simple Network Management Protocol Version 3 (SNMPv3)
- Secure Shell (SSH)
- File/Hypertext transfer protocols (SFTP, and HTTPS)
- Huawei Terminal Access Controller Access Control System (HWTACACS)
- RADIUS
Control plane: also known as the signaling plane, is used to control and manage the operating of all network protocols, such as OSPF, BGP, IS-IS, ARP, and IPv6. In addition, it provides various network information and forwarding entries required by the forwarding plane. To ensure the security of these network protocols, the control plane provides the following defense capabilities:
- Anti-DDoS
- Single-packet attack defense
- Blacklist
- IP-MAC binding
Forwarding plane: also called the data plane or user plane, is used to process and forward various types of data on different interfaces of the device. A device uses the destination MAC and IP addresses of packets to search for routes, over which it forwards the packets. To prevent forwarding route-based attacks and stop attack traffic from flooding the IP network, the forwarding plane provides the following defense capabilities:
- Security policies
- Unicast reverse path forwarding (URPF)

Device layer: provides defense capabilities such as operating system hardening, patch management, file integrity protection, and physical security.
Network layer: provides defense capabilities similar to those of the forwarding plane, because it faces similar threats.
Application layer: provides defense capabilities such as user access authentication and defense against malformed packet attacks.