Evaluation of Security Risks on Devices

Based on the analysis of security threats and device vulnerabilities discussed in the preceding sections, users can evaluate the security risks facing the devices and implement appropriate mitigation measures. Table 1 provides the mitigation measures for each type of threat.

Table 1 Security risk evaluation table

| Security Threats | Device Vulnerability | Risk Assessment | Mitigation Measures |
| --- | --- | --- | --- |
| DoS | 1. The control and management planes have limited processing capabilities.<br>2. IP networks are open and do not provide source address authentication, resulting in traffic flooding and address spoofing. | The control and management planes have insufficient processing capabilities, and it is easy to trigger traffic flooding attacks, causing significant damage to devices.<br>Risk level: high | 1. Strengthen network access control.<br>2. Limit the traffic sent from the forwarding plane to the control and management planes. |
| Information leakage | 1. There are insecure access channels.<br>2. IP networks are open and provide insufficient access control capabilities. | Insecure access channels can be easily exploited by attackers to initiate attacks. For example, attacks easily occur due to insufficient rights control measures for accounts and the openness of IP networks.<br>Risk level: high | 1. Deactivate insecure access channels.<br>2. Strengthen accounts and rights management.<br>3. Design appropriate access control policies. |
| Compromised information integrity | No integrity check measures are available during IP packet transmission. | Many communication protocols lack an integrity check mechanism, and information tampering cannot be avoided on open IP networks.<br>Risk level: medium | 1. Use digest algorithms, such as SHA2-256, to check message integrity.<br>2. Use secure channels to transmit key information. |
| Unauthorized access | 1. The CLI or MIB cannot be authorized to individual users because of system complexity.<br>2. Diagnosing or debugging the system involves checking internal system information, bringing security risks.<br>3. IP networks are open and access paths to IP networks are uncontrollable, which may be exploited for unauthorized access from untrusted networks. | 1. After a user obtains a certain level of permissions, the user may be able to access information beyond the designated role due to a lack of finer-grained measures for information isolation.<br>2. IP networks are open and may therefore be exploited for unauthorized access from untrusted networks.<br>Risk level: medium | 1. Use the TACACS-based CLI authorization mechanism to prevent CLI abuse. (TACACS stands for Terminal Access Controller Access Control System, which is a client/server authentication protocol.)<br>2. Use SNMPv3 and configure the MIB view to restrict the MIB access scope.<br>3. Strengthen network access control. |
| Identity spoofing | The device is unable to authenticate all source addresses due to the openness of IP networks. | Address spoofing attacks may be launched, interrupting services or overloading the system.<br>Risk level: medium | Enable features such as unicast reverse path forwarding (URPF) and DHCP Snooping to protect the device against becoming an attack target. |
| Replay attack | Among TCP/IP protocols, Layer 3 and lower-layer protocols cannot process sequence numbers, exposing networks to replay attacks. If the system lacks sufficient capabilities to process session requests, the system will be overloaded. | The device does not have sufficient capabilities to process session requests, resulting in system overload.<br>Risk level: high | Use the hardware network processor (NP) to respond to request messages, and the dynamic whitelist to suppress new sessions and retain ongoing sessions. |
| Computer virus | The device lacks sufficient capabilities to process traffic flooding caused by network viruses, resulting in system overload. | Virus-infected computers trigger traffic flooding, exhausting bandwidth resources and overloading the system CPU.<br>Risk level: high | 1. Enhance carriers' IT management capabilities.<br>2. Configure rate limiting to prevent traffic floods. |
| Misoperations | 1. Because the device system is extremely complex, configurations are prone to errors. Incorrect data configuration may cause topology flapping and routing loops.<br>2. The device lacks sufficient capabilities to handle traffic flooding caused by topology flapping and loops. | 1. Incorrect configurations may compromise services.<br>2. Network topology changes and loops may cause system overload.<br>Risk level: medium | 1. Provide technical training for engineers and improve carriers' IT management capabilities to reduce human errors.<br>2. Configure loop detection and suppression mechanisms to protect against human errors. |
| Physical intrusion | The device grants relatively high levels of permissions to physically connected users, such as those accessing the device through serial interfaces or panel-based interfaces. Once attackers exploit these permissions, they can maliciously configure the device. | Malicious configurations on the device cause major problems. Physical access to telecom networks is usually under strict control.<br>Risk level: low | Enhance physical and environmental security control to avoid security incidents caused by unauthorized physical access and environmental accidents. |
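
The DoS and replay attack mitigations in Table 1 (limiting traffic sent from the forwarding plane to the control and management planes, and using a dynamic whitelist to retain ongoing sessions while suppressing new ones) can be modelled as follows. This is an added example, not the device's implementation; the class names, rates, and peer addresses are constructed for illustration.

```python
class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000 of a packet."""

    def __init__(self, rate_pps, burst):
        self.rate, self.cap = rate_pps, burst * 1000
        self.tokens, self.last_ms = self.cap, 0

    def allow(self, now_ms):
        # rate_pps packets/s equals rate_pps milli-tokens per millisecond
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class PuntPolicer:
    """Decides which packets may leave the forwarding plane for the CPU."""

    def __init__(self, new_rate_pps, new_burst):
        self.whitelist = set()  # peers with an established session
        self.new_sessions = TokenBucket(new_rate_pps, new_burst)

    def session_established(self, peer):
        self.whitelist.add(peer)

    def session_closed(self, peer):
        self.whitelist.discard(peer)

    def admit(self, peer, now_ms):
        if peer in self.whitelist:
            return "whitelist"  # ongoing session: never competes with the flood
        return "new" if self.new_sessions.allow(now_ms) else "drop"


def simulate_flood():
    """Constructed input: 1 s of a 1000 pps flood plus one peer's keepalives."""
    policer = PuntPolicer(new_rate_pps=10, new_burst=5)
    policer.session_established("10.0.0.1")
    counts = {"whitelist": 0, "new": 0, "drop": 0}
    for ms in range(1000):
        counts[policer.admit(f"192.0.2.{ms % 250 + 1}", ms)] += 1
        if ms % 100 == 0:  # keepalive from the established peer
            counts[policer.admit("10.0.0.1", ms)] += 1
    return counts
```

In this simplified model whitelisted traffic is not policed at all; a real device would normally give it its own, separate rate limit.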

Copyright © Huawei Technologies Co., Ltd.