optix rtn 900 v100r006c00 security configuration_ maintenance_ and hardening manual 03


OptiX RTN 900 V100R006C00

Security Configuration, Maintenance, and Hardening Manual

Issue 03

Date 2013-12-26


HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Contents

1 Introduction
1.1 Purposes for Security Configuration Maintenance & Hardening
1.2 About Layered Security Configuration Maintenance and Hardening
2 Security Configuration at the Device Management Layer
2.1 NE User Management
2.1.1 Querying the NE User Information
2.1.2 Creating an NE User
2.1.3 Deleting an NE User
2.1.4 Modifying NE User Attributes
2.1.5 Changing an NE User Password
2.1.6 Changing the Password for an Online NE User
2.1.7 Modifying User Additional Parameters
2.1.8 Querying NE User Groups
2.1.9 Querying NE Security Parameters
2.2 Managing NE User Logins
2.2.1 Managing Online NE Users
2.2.2 Switching a Logged-In NE User
2.2.3 Setting the NE Login Message
2.3 Setting the Security Access Control of an NE
2.3.1 Ethernet Access Control
2.3.2 Serial Port Access Control
2.3.3 USB Access Control
2.4 Checking Device Logs
2.4.1 Browsing Device Logs
2.4.2 Forwarding the Device Logs to the Syslog Server
3 Security Configuration at the Network Layer
3.1 Network Security Management
3.1.1 Access Control List
3.1.2 Access Management
3.2 Protocols and Controls
3.2.1 SSL/TLS Protocol
3.2.2 SFTP Protocol
3.2.3 NTP Protocol
3.3 Network Access Authentication
3.3.1 Enabling a RADIUS Client or a RADIUS Proxy Server
3.3.2 Creating a RADIUS Server
3.3.3 Configuring RADIUS Server Parameters
3.4 Data Service Security
3.4.1 Flow Control
3.4.2 Loop Avoidance
3.4.3 Access Control of Layer 2 Services
3.4.4 Service Isolation
3.5 Layer 3 Protocols
3.5.1 IS-IS
3.5.2 RSVP
3.5.3 BGP
4 Security Maintenance
4.1 Suggestions on Port Maintenance
4.2 NE Account Maintenance
4.3 Log Audit
4.4 Security Patch Upgrade
4.5 Software Package Integrity Check
5 Security Hardening
5.1 Device Layer Security Hardening
5.1.1 Account Management Hardening
5.1.2 Security Log Hardening
5.1.3 USB Application Hardening
5.2 Network Layer Security Hardening
5.2.1 Configuring an ACL to Prevent Unauthorized Access
5.2.2 Using SSL to Prevent Unauthorized Access to Sensitive Data
5.2.3 Using SSH to Prevent Sensitive Data from Theft
5.2.4 Using SFTP to Load Software
5.2.5 Data Service Security Hardening
5.2.6 Defense Against Flood Attacks
6 Appendixes
6.1 References
6.2 Acronyms and Abbreviations
6.3 Maintenance Tools
6.3.1 EMS and NMS Tool
6.3.2 Software Upgrade Tool
6.3.3 Fault Collection Tool
6.3.4 Network Health Check Tool
6.3.5 Handheld Terminal
6.4 Other Maintenance Means

1 Introduction

1.1 Purposes for Security Configuration Maintenance & Hardening

Application systems face ever greater security threats. When these threats materialize, risks such as service interruption, loss of revenue, and even system breakdown can arise. Operators therefore need to build and maintain a multi-layer security wall around the whole application system, so that all kinds of potential security problems can be found and solved in advance.

In addition, new security threats emerge constantly. Operators therefore need to harden system security in response to the problems that emerge in daily system maintenance, to ensure the safe and normal operation of application systems.

1.2 About Layered Security Configuration Maintenance and Hardening

At the Device Management Layer

Purposes for security maintenance at the device management layer are to guarantee the normal operation of hardware/software systems, normal operation of the devices and their normal external service provision.

Security maintenance at the device layer is conducted according to the maintenance terminals and tools for the maintenance objectives.

At the Network Layer

Purposes for security maintenance at the network layer are to ensure the NE's normal operation and that the security strategy of this layer is implemented.

Security maintenance at the network layer is conducted according to the maintenance terminals and tools for the maintenance objectives.

About Security Hardening

Based on the security features of the device management and network layers and characteristics of client networks, configure corresponding security functions for device management and data platforms, and provide attack defense for devices to eliminate potential threats.

2 Security Configuration at the Device Management Layer

2.1 NE User Management

2.1.1 Querying the NE User Information

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management from the Function Tree.

Step 2 Click Query to check the current NE user information in the NE user management table.

----End

Table 2-1 Default user list for deliverable devices

User name | Password | User Group
szhw | nesoft | Super administrator user group
root | password | Administrator user group
lct | password | Administrator user group
LCD | LCD | Administrator user group

Moreover, when the NE is in the BIOS state, the user needs to enter the correct password for authentication before logging in to the NE (without authentication, the account name can be any character string). This is similar to the BIOS of a personal computer. The default password in the BIOS state is "nesoft".

User passwords that are stored on the devices are encrypted using MD5 and SHA256 by default. Users can set the encryption mode to SHA256. Then, newly added or changed passwords are encrypted using only SHA256 for storage.

2.1.2 Creating an NE User

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management.

Step 2 In the NE User Management Table pane, click Add and the Add NE User dialog box is displayed. After setting the user attributes, click OK in the dialog box to save the modifications.

----End

Table 2-2 Parameters for NE user attributes

Parameter: NE User
Value Range: -
Default Value: -
Description: This parameter specifies the name of a registered NE user.
NOTE: The name of an NE user cannot contain any Chinese characters.

Parameter: User Level
Value Range: Monitor Level, Operation Level, Maintenance Level, System Level, Debug Level
Default Value: Monitor Level
Description:
Monitor Level: represents the lowest authority. Monitor level NE users are authorized to issue query commands and modify their own attributes.
Operation Level: Operation level NE users are authorized to query device information and perform certain configuration operations.
Maintenance Level: Maintenance level NE users are authorized to maintain the system and perform all maintenance operations.
System Level: System level NE users are authorized to manage security and perform all query and configuration operations.
Debug Level: Debug level NE users are authorized to perform all operations including security management.

Parameter: NE User Flag
Value Range: LCT NE User, EMS NE User, CMD NE User, General NE User
Default Value: LCT NE User
Description: This parameter specifies the flag of a registered NE user.
An LCT NE User can manage an NE on the LCT, U2000-Local Craft Terminal.
An EMS NE User can manage an NE on the U2000.
A CMD NE User can manage an NE on the CMD, the management system using command lines.
A General NE User does not differentiate the NMS types.

Parameter: Description
Value Range: -
Default Value: -
Description: Describes the NE user information that has been set.

Parameter: New Password
Value Range: -
Default Value: -
Description: Specifies the password for a new NE user.

Parameter: Confirm Password
Value Range: -
Default Value: -
Description: Enter the same value as New Password.

Parameter: Immediate Password Change
Value Range: Yes, No
Default Value: Yes
Description: This parameter specifies whether the password of a registered NE user can be changed.

2.1.3 Deleting an NE User

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

The NE user to be deleted exists.

Procedure

Step 1 In NE User Management Table, select the user to be deleted, and click Delete.

Step 2 A dialog box is displayed asking you whether to delete the NE user. After you confirm that the user is to be deleted, click OK.

----End

2.1.4 Modifying NE User Attributes

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

The NE user has been created.

Common users with rights lower than Administrator User Group can modify only their own attributes.

Procedure

Step 1 In the NE User Management Table pane, select the NE user for attribute modification. Click Modify.

The Modify NE User dialog box is displayed.

Step 2 After modifying the user attributes, click OK to save the modifications.

----End

Table 2-3 User attributes

Parameter: NE User
Value Range: -
Default Value: -
Description: This parameter specifies the name of a registered NE user.
NOTE: The name of an NE user cannot contain any Chinese characters.

Parameter: User Level
Value Range: Monitor Level, Operation Level, Maintenance Level, System Level, Debug Level
Default Value: Monitor Level
Description:
A Debug Level NE user has the right to use all query commands, to log in, to log out, and to change its own password.
A System Level NE user has all fault performance authorities, security authorities, and configuration authorities.
A Maintenance Level NE user has some security rights, some configuration rights, the communication setting rights, and the log management rights.
An Operation Level NE user has all fault performance authorities, some security authorities, and some configuration authorities.
A Monitor Level NE user has all security and configuration authorities, and has the right to run debugging commands.

Parameter: NE User Flag
Value Range: LCT NE User, EMS NE User, CMD NE User, General NE User
Default Value: LCT NE User
Description: This parameter specifies the flag of a registered NE user.
An LCT NE User can manage an NE on the LCT, U2000-Local Craft Terminal.
An EMS NE User can manage an NE on the U2000.
A CMD NE User can manage an NE on the CMD, the management system using command lines.
A General NE User does not differentiate the NE types.

Parameter: Description
Value Range: -
Default Value: -
Description: This parameter describes the NE user information that has been set.

Parameter: Login Allowed
Value Range: Yes, No
Default Value: Yes
Description: This parameter describes whether the NE user is enabled.

Parameter: Permanently Valid or not
Value Range: Yes, No
Default Value: -
Description: This parameter displays whether a registered NE user is permanently valid.

Parameter: Valid From
Value Range: YYYYMMDDHHMMSS, indicating the creation time.
Default Value: YYYYMMDDHHMMSS, indicating the creation time.
Description: This parameter specifies that the default time for creating a user cannot be modified.

Parameter: Valid Till
Value Range: This parameter displays the time when a registered NE user logged in to the NE for the last time.
Default Value: The value of this parameter is specified by the user.
Description: If the value of the Permanently Valid or not parameter is Yes, the field cannot be modified. If the value of the Permanently Valid or not parameter is No, the field can be set manually.

2.1.5 Changing an NE User Password

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

The NE user has been created.

Procedure

Step 1 In the NE User Management Table pane, select the NE user for password modification. Click Set Password. The Set Password of NE User dialog box is displayed.

Step 2 After modifying the user password, click OK to save the modifications.

----End

2.1.6 Changing the Password for an Online NE User

Prerequisites

You are an NMS user with Monitor User Group rights or higher.

The NE user is online.

Procedure

Step 1 In the NE Explorer, select the desired NE user. Choose Security > NE Login Management from the Function Tree. Click Set Current User Password. A dialog box is displayed asking you whether to change the current password.

Step 2 In the displayed Set Password for NE User dialog box, enter New Password and Confirm Password and click OK.

----End

2.1.7 Modifying User Additional Parameters

Prerequisites

You are an NMS user with Maintainer User Group rights or higher and belong to the Security Manager Group.

The NE user has been created.

The level of the NE user to be modified is lower than that of the user that is logged in.

Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User Management from the Function Tree.

Step 2 Click Query. Then select the desired user. Click View Additional User Info. The Additional User Info List dialog box is displayed.

Step 3 Modify the required user additional information. Click OK or Apply to save the modifications.

----End

Table 2-4 User additional parameters

Parameter | Description
NE | This parameter displays the current NE name.
User | This parameter displays the registered NE name.
Records of All Logins | This parameter specifies whether a registered NE can be logged in at any time.
Allowable Login Start Date | This parameter specifies the date when a registered NE user logs in to the NE for the first time.
Allowable Login Start Time | This parameter specifies the time when a registered NE user logs in to the NE for the last time.
Allowable Login End Date | This parameter specifies the date when a registered NE user logs in to the NE for the last time.
Valid Till (time) | This parameter specifies the time when a registered NE user logs in to the NE for the last time.
Time to Lock User for No Activities (Day) | This parameter specifies the number of days of inactivity after which a user is locked.
Maximum Password Validity (Day) | This parameter specifies the number of days a password remains valid.
Password Change Time | This parameter displays the last password change time.
Last Login Time | This parameter displays the last login time.

2.1.8 Querying NE User Groups

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

Procedure

Step 1 In the NE Explorer, select an NE and choose Security > NE User Group Management from the Function Tree.

Step 2 Click Query to query NE users included by various NE user groups of the NE.

----End

2.1.9 Querying NE Security Parameters

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Security Parameters from the Function Tree.

Step 2 Click Query to query the settings of NE security parameters.

----End

Table 2-5 NE security parameters

Parameter: NE
Value Range: Example: NE1
Description: This parameter displays the current NE name.

Parameter: Warning Screen Switch
Value Range: Enabled, Disabled
Description: This parameter specifies whether to enable the Warning Screen.

Parameter: Warning Screen Information
Value Range: This parameter can be random characters, numerals, or a combination of characters and numerals. The maximum length of the parameter is 1500 characters.
Description: This parameter specifies that you can enter the information after you set the Warning Screen to Enabled.

Parameter: Allowable Used Times for Outdated Password
Value Range: For example: 3
Description: This parameter specifies the allowable access times of an outdated password. This parameter cannot be modified. Its fixed value is 3.

Parameter: Maximum Password Validity (Day)
Value Range: For example: 90
Description: This parameter specifies the longest period for which you can use a password. This parameter ranges from 25 to 999. Its default value is 0, indicating that the password is valid permanently.

Parameter: Minimum Password Validity (Day)
Value Range: For example: 1
Description: This parameter specifies the shortest period for which you must use a password. This parameter cannot be modified. Its fixed value is 1.

Parameter: Password Uniqueness
Value Range: For example: 5
Description: This parameter specifies password uniqueness. If the value is n, the modified password must be different from the passwords used in the latest n changes. "0" indicates that password uniqueness is not required. This parameter cannot be modified. Its fixed value is 5.

Parameter: Lock Testing Time (Minute)
Value Range: For example: 180
Description: This parameter monitors the total time of NE lockout. This parameter cannot be modified. Its fixed value is 180.

Parameter: Allowable Illegal Access Times
Value Range: For example: 5
Description: This parameter specifies the allowable number of illegal access attempts. This parameter cannot be modified. Its fixed value is 5.

Parameter: Lockout Time (Second)
Value Range: For example: 900
Description: This parameter specifies the total time of NE lockout.

Parameter: Encryption Type for Password Storage
Value Range: MD5 and SHA256
Description: This parameter specifies the encryption type of users' passwords that are stored on the devices.
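To show how the parameters in Table 2-5 combine at login and password-change time, the checker below is an added example (not code from the OptiX RTN 900 or the U2000): it enforces password uniqueness over the last n passwords, the minimum and maximum validity periods with 0 meaning permanently valid, and a lockout of Lockout Time seconds once Allowable Illegal Access Times failures occur. Treating Lock Testing Time as the window over which failed attempts are counted is an assumption, and the outdated-password counter is not modelled.

```python
"""Policy checker modelled on the NE security parameters in Table 2-5.
Added example, not OptiX RTN 900 / U2000 code. Assumption: Lock Testing Time
is the window over which failed logins are counted before a lockout."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


def ts(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSS time format used by the NE user attributes."""
    return datetime.strptime(value, "%Y%m%d%H%M%S")


@dataclass
class NESecurityParameters:
    # Defaults are the fixed/default values listed in Table 2-5.
    max_password_validity_days: int = 0    # 0 = never expires; settable 25-999
    min_password_validity_days: int = 1    # fixed
    password_uniqueness: int = 5           # must differ from the last n; 0 = off
    lock_testing_minutes: int = 180        # assumption: counting window for failures
    allowable_illegal_access_times: int = 5
    lockout_seconds: int = 900


@dataclass
class NEUserState:
    password_history: List[str]            # SHA256 hex digests, oldest first
    password_change_time: datetime
    failed_logins: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


def password_digest(password: str) -> str:
    # Only a digest is kept, matching the SHA256 storage mode described above.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_change(params: NESecurityParameters, user: NEUserState,
                          new_password: str, now: datetime) -> Optional[str]:
    """Return None when the change is allowed, otherwise the rule it violates."""
    if now - user.password_change_time < timedelta(days=params.min_password_validity_days):
        return "minimum password validity not reached"
    if params.password_uniqueness:
        recent = user.password_history[-params.password_uniqueness:]
        if password_digest(new_password) in recent:
            return "password reused within the last %d changes" % params.password_uniqueness
    return None


def apply_password_change(params: NESecurityParameters, user: NEUserState,
                          new_password: str, now: datetime) -> bool:
    """Record the new password only if the policy allows the change."""
    if check_password_change(params, user, new_password, now) is not None:
        return False
    user.password_history.append(password_digest(new_password))
    user.password_change_time = now
    return True


def password_expired(params: NESecurityParameters, user: NEUserState, now: datetime) -> bool:
    """Maximum Password Validity of 0 means the password is permanently valid."""
    if params.max_password_validity_days == 0:
        return False
    return now - user.password_change_time > timedelta(days=params.max_password_validity_days)


def record_login_attempt(params: NESecurityParameters, user: NEUserState,
                         success: bool, now: datetime) -> str:
    """Update lockout state for one login attempt: 'ok', 'rejected' or 'locked'."""
    if user.locked_until is not None and now < user.locked_until:
        return "locked"
    if success:
        user.failed_logins.clear()
        return "ok"
    window = timedelta(minutes=params.lock_testing_minutes)
    user.failed_logins = [t for t in user.failed_logins if now - t <= window]
    user.failed_logins.append(now)
    if len(user.failed_logins) >= params.allowable_illegal_access_times:
        user.locked_until = now + timedelta(seconds=params.lockout_seconds)
        user.failed_logins.clear()
        return "locked"
    return "rejected"


if __name__ == "__main__":
    # Constructed walk-through: five failures in a row lock the account for 900 s.
    params = NESecurityParameters(max_password_validity_days=90)
    user = NEUserState([password_digest("Old1")], ts("20131201000000"))
    for minute in range(5):
        print(record_login_attempt(params, user, False, ts("2013122609%02d00" % minute)))
    print("locked until", user.locked_until)
```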

2.2 Managing NE User Logins

2.2.1 Managing Online NE Users

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

Procedure

Step 1 To ensure the security of NE operations, the NMS maintainers or administrators can use the U2000 server to view all the online NE users within the management rights and the way in which the users log in to the NEs.

Step 2 When you want to log in to an NE as a user who has a higher level of rights, you can force a lower-level NE user to log out of the NE. In this way, you can avoid an NE being configured by multiple NE users at the same time, or prevent unauthorized logins by other NE users.

Step 3 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > Online User Management.

A List of Online User is displayed.

Step 4 Click Query to query the latest information about NE logins.

Select the NE entry. Click Forced Logout to force the desired NE user to log out of the NE.

----End

2.2.2 Switching a Logged-In NE User

During a new deployment, after the NE user root creates an NE, this user can create another NE user. By switching a logged-in NE user, you can log in to the NE with a new user.

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

The NE user has been created.

Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Login Management.

An NE Login Management Table is displayed.

Step 2 Click Query to query the current NE user.

Step 3 In the NE Login Management Table, select the NE and click Switch NE User. In the Switch Current NE User dialog box, enter values in User and Password.

Step 4 Click OK.

----End

2.2.3 Setting the NE Login Message

You can customize the message that pops up when a user logs in to an NE. For example, you can customize a message displaying the user rights required for operating the NE, to prompt an unauthorized user not to log in to the NE.

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

Procedure

Step 1 Select the desired NE in the NE Explorer. Choose Security > NE Security Parameters from the Function Tree.

The NE Security Parameter List is displayed.

Step 2 Click Query to query the settings of NE security parameters.

Step 3 Select an NE, double-click Warning Screen Switching and choose Enabled or Disabled.

Step 4 Double-click Warning Screen Information and enter the message.

Step 5 Click Apply. A message is displayed indicating that the operation is successful. Click Close.

You can enter a message in the Warning Screen Information field only when Warning Screen Switching is set to Enabled.

----End

2.3 Setting the Security Access Control of an NE

To ensure the NE security, you can disable the unused interfaces on the NE.

2.3.1 Ethernet Access Control

Prerequisites

You are an NMS user with Operator User Group rights or higher.

Procedure

Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the Function Tree.

Step 2 In the Ethernet Access Control area, select or deselect Enable Ethernet Access and click Apply.

If you select Enable Ethernet Access, the external network port of an NE can be used for Ethernet communication.

If you deselect Enable Ethernet Access, the external network port of an NE cannot be used for Ethernet communication.

If Ethernet communication exists on the external network port of an NE and Enable Ethernet Access is not selected, the NE may be unreachable to the NMS.

----End

2.3.2 Serial Port Access Control

Prerequisites

You are an NMS user with Operator User Group rights or higher.

Procedure

Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the Function Tree.

Step 2 In the Serial Port Access Control area, set serial port access parameters and click Apply.

Set the parameters as follows:

The Enable Serial Port Access parameter allows equipment to be managed through the serial port. If Enable Serial Port Access is selected, the management through the serial port is allowed.

The Access Command Line parameter allows equipment to be managed in command-line mode.

The Access NM parameter allows equipment to be managed using the NMS.

The Baud Rate parameter indicates the rate for serial port access.

----End

2.3.3 USB Access Control

Prerequisites

You are an NMS user with Operator User Group rights or higher.

Procedure

Step 1 In the NE Explorer, select an NE, choose Communication > Access Control from the Function Tree, and click the USB Access Control tab on the right pane.

Step 2 On the USB Access Control tab, set Enabled/Disabled and click Apply.

----End

2.4 Checking Device Logs

2.4.1 Browsing Device Logs

By browsing security and operation logs periodically, you can check and track the operation security information of devices.

Security Logs

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

II. Context

Security logs are saved in the U2000 database, where you can check the information about security operations.

When the security logs are forwarded to the syslog server, they are not saved in the U2000 database, so they can be checked only on the syslog server.

III. Procedure

Step 1 In the NE Explorer, select an NE and choose Security > NE Security Log from the Function Tree, as shown in the following figure.

Step 2 Query logs using one of the following methods:

Query logs using the U2000: Click Query and set filter criteria to obtain required logs.

Query logs from the NE: Choose Query from the NE and click Query. Querying from the NE takes a relatively long period of time. After the query results are returned, click Query and set filter criteria to obtain required logs.

Step 3 Click Save as to save NE security logs.

----End

Operation Logs

I. Procedure

Step 1 In the NE Explorer, select an NE and choose Security > NE Operation Log from the Function Tree, as shown in the following figure.

Step 2 Click Save as to save NE operation logs to files.

----End

2.4.2 Forwarding the Device Logs to the Syslog Server

Prerequisites

You are an NMS user with Operator User Group rights or higher.

Procedure

Step 1 In the NE Explorer, select an NE and choose Security > NE Log Forwarding from the Function Tree.

Step 2 Configure the syslog server. Click the Syslog Server tab. The list of syslog servers is displayed. Click New. The Add Syslog Server dialog box is displayed. Set the IP Address, Send Mode, and Port based on the network settings.

Step 3 Configure the Syslog GNE. Click the Syslog GNE tab. The list of syslog GNEs is displayed. Click New. From the displayed Object Select dialog box, select a proper NE as a syslog GNE.

----End

3 Security Configuration at the Network Layer

3.1 Network Security Management

3.1.1 Access Control List

An access control list (ACL) can be used for basic traffic filtering. ACLs can be configured on all NEs to filter the IP packets that pass through them. Devices support basic and advanced ACL rules.

Setting Basic ACL Rules

For ordinary NEs that do not have high security requirements, you can set the basic ACL rules. The basic ACL rules examine the source IP addresses of packets. The basic ACL rules do not use many system resources.

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.

Step 2 Click the Basic ACL tab. The basic ACL rule list is displayed.

Step 3 Click Query to query the basic ACL rules from the NE.

Step 4 Click New.

An undefined basic ACL rule is added to the basic ACL rule list. Set the parameters according to the network requirements.

Step 5 Click Apply to apply the new configuration data to the NE.

A dialog box is displayed, indicating that the operation is successful.

Step 6 You can repeat the preceding steps to set more basic ACL rules for this NE.

----End

Setting Advanced ACL Rules

For NEs that have very high security requirements, you can set advanced ACL rules. The advanced ACL rules examine the source and sink IP addresses, the source and sink port IDs, and the protocol types of IP packets. The implementation of advanced ACL rules uses many system resources. The advanced ACL rules have higher priority than the basic ACL rules.

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.

Step 2 Click the Advanced ACL tab. The advanced ACL rule list is displayed.

Step 3 Click Query to query the advanced ACL rules from the NE.

Step 4 Click New.

An undefined advanced ACL rule is added to the advanced ACL rule list. Set the parameters according to the network requirements.

Step 5 Click Apply to apply the new configuration data to the NE. A message appears indicating the operation is successful.

Step 6 You can repeat the preceding steps to set more advanced ACL rules to this NE.

The parameters for ACL rules are listed in Table 3-6 below.

----End

Table 3-6 ACL parameters

Parameter: Operation Type
Value Range: Enable, Disable
Description: This parameter specifies the type of the ACL. The values are as follows. Disable: If the message received does not comply with the ACL rules, it is discarded. Enable: If the message received does not comply with the ACL rules, its access can be allowed.

Parameter: Source IP Address
Value Range: Source IP address
Description: The Source IP Address parameter and the Source Wildcard parameter together determine the addresses that comply with an ACL rule.

Parameter: Source Wildcard
Value Range: 0 to 0xFFFFFFFF
Description: Set the source wildcard of the match value. Use 0 for strictly matched bits and 1 for unconcerned bits.

Parameter: Sink IP Address
Value Range: Sink IP address
Description: The Sink IP Address parameter and the Sink Wildcard parameter together determine the addresses that comply with an ACL rule.

Parameter: Sink Wildcard
Value Range: 0 to 0xFFFFFFFF
Description: Set the sink wildcard of the match value. Use 0 for strictly matched bits and 1 for unconcerned bits.

Parameter: Protocol Type
Value Range: TCP/UDP/ICMP/IP
Description: The Protocol Type parameter specifies the type of protocol. When filtering packets by UDP/TCP port, set the protocol type to UDP or TCP; when filtering packets by ICMP protocol type and code type, set the protocol type to ICMP. When the protocol type is meaningless for the rule, set the parameter to IP.

Parameter: Source Port
Value Range: 0 to 65535, or 0xFFFFFFFF
Description: 0xFFFFFFFF indicates that this item is not concerned. This parameter is valid only when the protocol type is TCP/UDP.

Parameter: Sink Port
Value Range: 0 to 65535, or 0xFFFFFFFF
Description: 0xFFFFFFFF indicates that this item is not concerned. This parameter is valid only when the protocol type is TCP/UDP.

Parameter: ICMP Protocol Type
Value Range: ICMP protocol type
Description: This parameter specifies that this item is valid only when the protocol type is TCP/UDP. If the parameter value is 255, this parameter is meaningless to this item. (If this parameter is set to 255, then ICMP Code Type should also be 255.)

Parameter: ICMP Code Type
Value Range: ICMP code type
Description: This parameter is valid only when the protocol type is ICMP. If the parameter value is 255, this parameter is meaningless to this item. (If the ICMP protocol type is 255, then the code should also be 255.)
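The matcher below is an added example (not code from the OptiX RTN 900 or the U2000) that applies the Table 3-6 semantics to sample packets: wildcard bits set to 1 are ignored and bits set to 0 must match, 0xFFFFFFFF means a port is not concerned, 255 means an ICMP type or code is not concerned, basic rules look only at the source address, and advanced rules are consulted before basic ones because the text gives them higher priority. Treating Operation Type Enable as permit and Disable as discard for the packets a rule matches is an assumption, as are the NMS subnet and port numbers in the sample policy.

```python
"""Packet matcher for the basic/advanced ACL parameters in Table 3-6.
Added example, not OptiX RTN 900 / U2000 code. Assumption: Operation Type
Enable permits a packet the rule matches, Disable discards it."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

ANY_PORT = 0xFFFFFFFF   # Table 3-6: port value meaning "not concerned"
ANY_ICMP = 255          # Table 3-6: ICMP type/code value meaning "not concerned"


@dataclass(frozen=True)
class AclRule:
    operation: str                      # "Enable" or "Disable"
    source_ip: str = "0.0.0.0"
    source_wildcard: int = 0xFFFFFFFF   # 0 bits must match, 1 bits are ignored
    sink_ip: str = "0.0.0.0"
    sink_wildcard: int = 0xFFFFFFFF
    protocol: str = "IP"                # TCP, UDP, ICMP, or IP (protocol not checked)
    source_port: int = ANY_PORT
    sink_port: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP
    advanced: bool = True               # basic rules examine only the source address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def wildcard_match(addr: str, rule_addr: str, wildcard: int) -> bool:
    """Compare only the bits whose wildcard bit is 0 (0 = strict match, 1 = unconcerned)."""
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(rule_addr)) & mask)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, rule.source_ip, rule.source_wildcard):
        return False
    if not rule.advanced:
        return True     # a basic rule is decided by the source address alone
    if not wildcard_match(pkt.dst, rule.sink_ip, rule.sink_wildcard):
        return False
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):
        if rule.source_port != ANY_PORT and rule.source_port != pkt.sport:
            return False
        if rule.sink_port != ANY_PORT and rule.sink_port != pkt.dport:
            return False
    if rule.protocol == "ICMP":
        if rule.icmp_type != ANY_ICMP and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code != ANY_ICMP and rule.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(basic_rules: Iterable[AclRule], advanced_rules: Iterable[AclRule],
             pkt: Packet, default: str = "permit") -> str:
    """Advanced rules are consulted first (higher priority); the first match decides."""
    for rule in list(advanced_rules) + list(basic_rules):
        if rule_matches(rule, pkt):
            return "permit" if rule.operation == "Enable" else "deny"
    return default


# Constructed sample policy: only the NMS subnet 192.168.10.0/24 may reach the NE,
# and ICMP echo requests (type 8, code 0) are discarded even from that subnet.
ADVANCED_RULES: List[AclRule] = [
    AclRule("Disable", protocol="ICMP", icmp_type=8, icmp_code=0),
    AclRule("Enable", source_ip="192.168.10.0", source_wildcard=0x000000FF),
]
BASIC_RULES: List[AclRule] = [
    AclRule("Disable", advanced=False),   # wildcard 0xFFFFFFFF matches every source
]


def classify(pkt: Packet) -> str:
    return evaluate(BASIC_RULES, ADVANCED_RULES, pkt)


if __name__ == "__main__":
    print(classify(Packet("192.168.10.7", "192.168.10.1", "TCP", 40000, 22)))
    print(classify(Packet("10.1.1.1", "192.168.10.1", "TCP", 40000, 22)))
```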

3.1.2 Access Management

NMS Access

The NMS connects to devices through Ethernet NM interfaces and OAM serial ports to log in remotely and to manage and maintain the devices. The NMS communicates with the devices through TCP/IP protocols. The NMS and gateway devices can be connected through the DCN or a network cable, and users can select the appropriate connection method as required. For non-GNEs, users can disable device access through Ethernet NM interfaces and OAM serial ports. For the operation method, see 2.3.1 Ethernet Access Control and 2.3.2 Serial Port Access Control.

Configuring LCT Access to NEs

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

II. Procedure

Step 1 In the NE Explorer, select the NE from the Object Tree and then choose Security > LCT Access Control from the Function Tree.

Step 2 Click Access Allowed to enable the LCT access function. To disable the LCT access function, click Disable Access.

Step 3 Click Query to query the status of the LCT access.

----End

SNMP Access

I. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

II. Procedure

Step 1 In the NE Explorer, select an NE and choose Communication > SNMP Communication Parameters.

Step 2 Click Create. The Create SNMP Communication Parameters dialog box is displayed. Set parameters, such as NMS IP Address, Read/Write Permissions, Port, Read/Write Community Name, and Trap Version.

Step 3 After the parameter configuration is complete, click OK.

----End

SNMP V1/V2/V3 is supported. When SNMP V3 is used, the default user names are szhwSHA and szhwMD5, and the default password is Nesoft@!. Read Community Name and Write Community Name must meet the following complexity requirements:

1. The name must be a character string with a minimum length of six bytes. The valid length ranges from 6 to 16 bytes.

2. The name must combine at least two of the following character types:

Lowercase letters

Uppercase letters

Digits

Special characters, including space and `~!@#$%^&*()-_=+\|[{}];:'",/?
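To make the community-name rule above checkable outside the U2000, the validator below is an added example (not code from the OptiX RTN 900 or the U2000) that applies the 6 to 16 byte length limit and the two-of-four character-class rule, and flags names such as the conventional SNMP defaults that fail it. Rejecting characters outside the four listed classes and measuring length in UTF-8 bytes are assumptions.

```python
"""Validator for the SNMP community-name complexity rule stated on this page.
Added example, not OptiX RTN 900 / U2000 code. Assumptions: characters outside
the four listed classes are rejected, and length is counted in UTF-8 bytes."""
from typing import Iterable, List, Tuple

# The special-character set exactly as listed on this page (space included).
SPECIAL_CHARACTERS = set(" `~!@#$%^&*()-_=+\\|[{}];:'\",/?")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
MIN_LEN, MAX_LEN = 6, 16


def community_name_complexity_ok(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason): 6-16 bytes and at least two of the four classes."""
    length = len(name.encode("utf-8"))
    if not MIN_LEN <= length <= MAX_LEN:
        return False, "length %d bytes is outside %d-%d" % (length, MIN_LEN, MAX_LEN)
    allowed = LOWER | UPPER | DIGITS | SPECIAL_CHARACTERS
    for c in name:
        if c not in allowed:
            return False, "character %r is not in any allowed class" % c
    classes = {
        "lowercase": any(c in LOWER for c in name),
        "uppercase": any(c in UPPER for c in name),
        "digit": any(c in DIGITS for c in name),
        "special": any(c in SPECIAL_CHARACTERS for c in name),
    }
    present = [k for k, v in classes.items() if v]
    if len(present) < 2:
        return False, "only one character class present (%s)" % ", ".join(present)
    return True, "ok: " + ", ".join(present)


def audit_community_names(names: Iterable[str]) -> List[str]:
    """Return the names that fail the check, e.g. well-known defaults left in place."""
    return [n for n in names if not community_name_complexity_ok(n)[0]]


if __name__ == "__main__":
    # Constructed sample: the conventional defaults and one compliant name.
    for candidate in ["public", "private", "Rtn900"]:
        print(candidate, community_name_complexity_ok(candidate))
```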

If such complex community names are unnecessary for you, you can choose Communication > SNMP Communication Parameters to disable the community name complexity verification function.

SSH Access

I. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

II. Procedure

1. Set the NE communication service type.

2. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.

3. Click the Communication Service Management tab.

4. Select the target NE from the NE list and click . In the dialog box that is displayed, click Query. The query result will be displayed in the right pane.

5. Set Control Switch to Enabled for both service types (FTP client and SFTP client).

6. Click Apply.

Query the SSH server.

7. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.

8. Click the SSH Server tab.

9. Select the target NE from the NE list and click . In the dialog box that is displayed, click Query. The query result will be displayed in the right pane.

Set the key for the SSH server.

10. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.

11. Click the NE Key Management tab.

12. Select the target NE from the NE list and click . In the dialog box that is displayed, click Query. The query result will be displayed in the right pane.

13. Click New Key Pair.

14. In the New Key Pair dialog box, set Key Type to S-RSA(NE As the Server) and Overwrite Mode to Yes.

15. Click OK. In the Result dialog box, click Close.

16. Click Export Public Keys.

17. In the displayed dialog box, select S-RSA and set File Name. Click OK.

18. In the Result dialog box, click Close.

Import public key information to the NE.

19. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.

20. Click the Client Key Management tab.

21. Select the target NE from the NE list and click . In the dialog box that is displayed, click Query. The query result will be displayed in the right pane.

22. Click Create.

23. In the displayed Add Client Key dialog box, set Key Name, Key Remarks, and Key Information.

Users can copy the public key information in the file exported in step 8 to the text box, or click Import to import public key information to the NMS.

24. Click OK. In the Result dialog box, click Close.

The public key information is uploaded to the specified directory.

Associate an SSH user and the SSH client key.

25. Choose Administration > NE Security Management > NE Communication Service Management from the main menu.

26. Click the SSH User Management tab.

27. Select the target NE from the NE list and click . In the dialog box that is displayed, click Query. The query result will be displayed in the right pane.

28. Set the authentication mode and client public key name.

29. Click Apply. In the Result dialog box, click Close.

----End

3.2 Protocols and Controls

3.2.1 SSL/TLS Protocol

The SSL/TLS protocol encrypts and decrypts data in transit and provides all transport security features except availability. The RTN 900 implementation is based on RFC 2246 and supports all cryptographic algorithms specified in SSL 3.0/TLS 1.0, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5. Users can connect to an NE in SSL mode.

Modifying Connection Modes Between the NMS and GNE

I. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

The IP GNE has been created.

II. Procedure

Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Communication > Communication Parameters from the Function Tree. Set Connection Mode to Security SSL or Common + Security SSL.

Step 2 Choose Administration > DCN Management from the Main Menu. Click the GNE tab. Right-click the GNE to be modified and choose Modify GNE from the shortcut menu.

Step 3 In the Modify GNE dialog box that is displayed, set Connection Mode to Security SSL.

----End

Modifying Connection Modes Supported by Common NEs

I. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

II. Procedure

Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Communication > Communication Parameters from the Function Tree.

Step 2 Set Connection Mode to Security SSL or Common + Security.

A common NE must use the connection mode that its GNE uses to communicate with the NMS, so that the common NE can communicate normally with the NMS. For example, if an NE's GNE uses Security SSL mode to communicate with the NMS, the NE's connection mode should be set to Security SSL or Common + Security.

Devices are delivered with default SSL certificates. The default SSL certificates are not encrypted. It is recommended that users replace the default SSL certificates with their own certificates and public-private key pairs.

----End

Downloading SSL Certificates to an NE by Using the NMS

Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

The SSL certificates have been imported to U2000.

Procedure

Step 1 Log in to the U2000 client.

Step 2 Choose Administration > NE Software Management > Board Software Upgrade.

By default, the DC accounts of NEs are blank. If you open Board Software Upgrade while they are blank, the navigation tree cannot automatically filter the NE list of the subnet. Configure the DC account of the NE in DC Login User Management first (choose Administration > NE Security Management > NE Login Management), and then open Board Software Upgrade again; the navigation tree will then filter the specific NEs.

Step 3 Right-click a desired NE in the navigation tree and choose Login NE from the shortcut menu.

You can also choose Set Login Account from the shortcut menu and set Login User and Password in the dialog box that is displayed.

Step 4 Right-click the NE and choose Query Board from the shortcut menu. The board information about the NE is displayed.

It may take a period of time for the board information to be displayed, which is normal.

Step 5 Expand the board list.

Step 6 Select the check box before the desired main control board and add the board to the operation list.

Step 7 Click the button in the Upgrade Version field. The Board software setting window is displayed.

Step 8 Set the software load type to Certificate and click Add Software. The Choose File window is displayed.

You can click Add Software to add multiple files at the same time.

Step 9 In the Choose File dialog box, select the CA.CRT, CERTNE.CRT, and CERTNE.KEY certificate files. If the file path contains non-alphanumeric characters, you may fail to access the file.

Enter the correct IP address of the SFTP/FTP server, the user name, password, and port, and then click the connect button. After the connection succeeds, you can access the files on the FTP server. To use the FTP protocol, enter port 21. To use the SFTP protocol, enter port 22.

Step 10 In the Board software setting dialog box, click OK. The upgrade software selection is complete.

Step 11 Select a board in the Operation List, and click Start.

Step 12 When the loading is complete, click Activate. The Warning dialog box is displayed. Confirm whether to activate the software.

Step 13 Click Yes to start activating the software.

Step 14 After the activation, the Operation Result dialog box is displayed, indicating that the activation succeeded. Click Close.

----End

3.2.2 SFTP Protocol

II. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

III. Procedure

Step 1 Choose Administration > NE Security > Service Management > NE Communication Services Management from the Main Menu.

Figure 3-2 Configuring the SFTP control switch

Step 2 Double-click the Control Switch of SFTP client, and choose Enabled.

Step 3 In NE SFTP Key Management, click New Key Pair and enter values in Passphrase, Key length, Key Type, and Overwrite Mode. Click OK.

Step 4 In the displayed dialog box, click Close. In the following displayed dialog box, click Yes.

Step 5 The newly created public key information is uploaded from the NE to the NMS. In addition, Key Creation Time and Public Key Fingerprint values are displayed. Public Key Uploaded is Yes.

Step 6 Click Export Public Keys. In the displayed Export Public Keys dialog box, set Start Row, End Row, and File Name, and click OK.

Step 7 Copy the public key file to the SFTP server.

Step 8 After deploying the public key file for the GNE, you can back up and upload NE software by means of SFTP.

----End
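Both the SSH Access procedure (export of the S-RSA server public key, import of a client public key) and the SFTP procedure above end with a public key file leaving the NMS and a Public Key Fingerprint shown in the dialog. The following is an added example, not Huawei code and not part of this manual, that recomputes the MD5 and SHA256 fingerprints from an exported key so an operator can compare them with the value the NMS displays before placing the key on the SFTP server or registering it as a client key. It assumes the exported file is in the OpenSSH one-line public key format ("ssh-rsa <base64> <comment>"); the manual does not state the export format, so that is an assumption, and the key in the block is constructed rather than exported from a real NE.

```python
"""Recompute the fingerprint of an exported OpenSSH-format RSA public key.

Added example (not Huawei code). Assumption: the NMS export file is an
OpenSSH public key line. The sample key is constructed for this example.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Non-negative integer as an SSH mpint (leading zero keeps it positive)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "ne-server") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Return (key_type, e, n, blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos < len(blob):                       # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        parts.append(blob[pos:pos + length])
        pos += length
    key_type = parts[0].decode()
    if key_type != "ssh-rsa" or len(parts) != 3:
        raise ValueError(f"unsupported key type: {key_type}")
    return key_type, int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big"), blob


def md5_fingerprint(line: str) -> str:
    """Legacy colon-separated MD5 fingerprint (what 'ssh-keygen -E md5' prints)."""
    digest = hashlib.md5(parse_public_key_line(line)[3]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(line: str) -> str:
    """'SHA256:<unpadded base64>' fingerprint, the OpenSSH default."""
    digest = hashlib.sha256(parse_public_key_line(line)[3]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare a displayed fingerprint, in either format, with the exported key."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(line) == expected
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return md5_fingerprint(line) == expected.lower()


# Constructed sample key (small, fixed modulus): not a real NE key.
SAMPLE_E = 65537
SAMPLE_N = int("C0FFEE" * 20, 16)
SAMPLE_KEY = build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "rtn900-ne-server")

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_KEY))
    print(sha256_fingerprint(SAMPLE_KEY))
```

Compare the computed value with the Public Key Fingerprint column in NE SFTP Key Management; a mismatch means the file on disk is not the key the NE generated and should not be deployed.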

3.2.3 NTP Protocol

IV. Prerequisites

You are an NMS user with Maintainer User Group rights or higher.

V. Procedure

Step 1 In the NE Explorer, choose Configuration > NE Time Synchronization from the Function Tree.

Step 2 Enable NE Time Synchronization and configure the NTP server address, and click Apply.

----End

3.3 Network Access Authentication

The OptiX RTN900 supports local authentication and RADIUS authentication. In local authentication mode, user accounts and passwords are stored in local equipment, and local equipment performs authentication. In RADIUS authentication mode, user accounts and passwords are stored on a RADIUS server and the RADIUS server performs authentication. The user accounts and passwords used in RADIUS authentication mode are secure and easy to maintain.

Remote Authentication Dial In User Service (RADIUS) is a server/client protocol that provides centralized management of authentication and configuration information between network access equipment and a RADIUS server. This section describes how to configure RADIUS authentication.
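To make concrete what the NE, acting as RADIUS client, and the RADIUS server exchange, the following added example (not Huawei code and not part of this manual) models one Access-Request/Access-Accept round trip per RFC 2865: the client hides the user password with the shared secret and the Request Authenticator, the server reveals it, decides, and signs its reply with a Response Authenticator, and the client refuses any reply whose authenticator does not verify. The user name, password, shared secrets, NAS address and user database are all constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) in miniature.

Added example, not Huawei code. It shows what passes between a RADIUS
client (the NE) and the server, why the shared secret matters, and how
the client verifies that a reply really came from the server.
All names, secrets and addresses below are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SAMPLE_USER_DB = {b"rtnoper": b"Op3r-Secr3t!"}   # constructed server-side account


def _attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = struct.unpack(">BB", data[pos:pos + 2])
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as done by the server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Client side: Code, Identifier, Length, Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request, secret, user_db):
    """Server side: reveal the password, decide, sign the reply with the Response Authenticator."""
    _code, ident, length = struct.unpack(">BBH", request[:4])
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack(">BBH", reply_code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify_reply(reply, request, secret):
    """Client side: accept the verdict only if the Response Authenticator verifies."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return code if expected == reply[4:20] else None   # None: forged or secret mismatch


def run_exchange(user, password, client_secret, server_secret, user_db):
    """Full round trip; returns the reply code the client accepts, or None."""
    request = build_access_request(7, user, password, client_secret, "192.0.2.10")
    reply = server_handle(request, server_secret, user_db)
    return client_verify_reply(reply, request, client_secret)
```

Two points follow directly from the code: the password never appears on the wire in the clear, but its protection is only as strong as the shared secret, and a secret that differs between NE and server does not merely produce a reject, it produces a reply the client cannot verify at all.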

3.3.1 Enabling a RADIUS Client or a RADIUS Proxy Server

After the RADIUS function of an NE is enabled, the NE can function as a RADIUS client or proxy server. If this function is not enabled on an NE that is to serve as a RADIUS client or proxy server, the RADIUS functions of that NE will not work.

VI. Prerequisites

You are an NMS user with Operator User Group rights or higher.

Communication between the NE and the NMS is normal.

VII. Procedure

Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Function Configuration from the Function Tree.

Step 2 Click Query to query the information about RADIUS function configuration from the NE.

Step 3 Set RADIUS Client and Proxy Server to Open.

Figure 3-3 Configuring RADIUS switch

Step 4 Click Apply to deliver the configuration data to the NE.

----End

3.3.2 Creating a RADIUS Server

Before enabling RADIUS authentication, you need to create the RADIUS server.

VIII. Prerequisites

You are an NMS user with Operator User Group rights or higher.

The RADIUS client function of the NE is enabled.

IX. Procedure

Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Configuration from the Function Tree.

Step 2 Click the RADIUS Server Configuration tab. The RADIUS Server Information dialog box is displayed.

Step 3 Click Query to query the information about RADIUS server configuration from the NE.

Step 4 Click New.

The New RADIUS Server Information dialog box is displayed.

Step 5 Configure information about the RADIUS server. Click OK to save the configuration.

If a new RADIUS server is added, then set an IP address for the server to uniquely identify it.

If a new RADIUS proxy server is added, then set an IP address or NE Name for the RADIUS proxy server to uniquely identify it.

Before adding a new RADIUS proxy server, you need to configure the NE as a RADIUS proxy server.

----End

3.3.3 Configuring RADIUS Server Parameters

The RADIUS server can be used for authentication only when the RADIUS server parameters are configured.

X. Prerequisites

You are an NMS user with Operator User Group rights or higher.

The RADIUS server has been created.

XI. Procedure

Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE RADIUS Configuration from the Function Tree.

Step 2 Click Query to query the information about RADIUS parameter configuration from the NE.

Step 3 Click New.

The New NE RADIUS Server Configuration dialog box is displayed.

Step 4 Configure information about RADIUS parameters. Click OK to save the configuration.

----End

3.4 Data Service Security

3.4.1 Flow Control

The objective of flow control configuration is to avoid the following problems:

Unexpected traffic surge caused by broadcast, unknown unicast, or multicast packets

Abnormal network device load caused by an excessively large number of users accessing the system

Network congestion caused by burst traffic

The following functions must be configured based on network operation and maintenance (O&M) requirements.

Broadcast Traffic Suppression

The broadcast traffic suppression function is used to limit the broadcast traffic that can pass a port. The broadcast packets of excessive broadcast traffic are discarded. You can enable or disable the broadcast packet suppression function, and configure a broadcast packet suppression threshold.

For EOT boards

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer, and choose Configuration > Ethernet Interface Management > Ethernet Interface from the Function Tree.

Step 2 Select External Port. Click the Advanced Attributes tab, select the port to be modified, and then set Broadcast Packet Suppression or Broadcast Packet Suppression Threshold.

Step 3 Click Apply to save the settings.

----End

For packet service boards

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Interface Management > Ethernet Interface from the Function Tree.

Step 2 Click the Advanced Attributes tab, and then set Broadcast Packet Suppression or Broadcast Packet Suppression Threshold(%).

Step 3 Click Apply to save the settings.

----End

Unknown Multicast Traffic Discard (for Packet Service Boards)

You can specify whether to transparently transmit or discard unknown multicast packets that arrive at the device.

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, click the Unknown Frame Processing tab, and then set the processing mode of unicast or multicast frames to Flood or Discard.

Figure 3-4 Configuring the unknown frame processing mechanism on a packet service board

Step 3 Click Apply to save the settings.

----End

Unknown Unicast Traffic Discard (for Packet Service Boards)

You can specify whether to transparently transmit or discard unknown unicast packets that arrive at the device.

For details, see "Unknown Multicast Traffic Discard (for Packet Service Boards)."

3.4.2 Loop Avoidance

The loop avoidance function is used to avoid loops on a Layer 2 (L2) network, as loops may cause broadcast storms. You can configure port self-loop detection and service loopback detection to implement loop avoidance.

Port Self-Loop Detection

You can enable or disable the port self-loop detection function, and specify whether to automatically block service loops. If automatic service loop blocking is enabled, the system will automatically block a service loop after detecting the loop.

For EOT boards

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Interface Management > Ethernet Interface from the Function Tree.

Step 2 Click the Advanced Attributes tab, select the port to be modified, and then set Loop Detection or Loop Port Shutdown to Enabled or Disabled.

Step 3 Click Apply to save the settings.

----End

For packet service boards:

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Interface Management > Ethernet Interface from the Function Tree.

Step 2 Click the Advanced Attributes tab, and then set Loop Detection or Loopback Port Block to Enabled or Disabled.

Figure 3-5 Configuring loop detection for ports on a packet service board

Step 3 Click Apply to save the settings.

----End

Service Loop Detection (for Packet Service Boards)

The device can detect E-LAN service loops. You can enable or disable automatic disconnection for service loops. If a service loop is detected and automatic disconnection is enabled, the E-LAN service is automatically disconnected. Users will receive alarms about service disconnection.

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

E-LAN services have been configured.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Loopback tab.

Step 3 Select the desired Ethernet service, and click Start. The Start Loopback dialog box is displayed. Click Start. The detection result is displayed after the detection is complete.

Step 4 Click Service Status List. The Service Status List dialog box is displayed, indicating whether the related ports are disabled. To enable a disabled port, click Enable.

----End

3.4.3 Access Control of Layer 2 Services

The device supports access control of L2 services. For example, you can configure static MAC addresses, add a MAC blacklist, or configure rules for classifying and filtering complex traffic to filter service packets or control service access.

Static MAC Address

You can add, delete, and query static MAC address entries.

For EOT boards

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

You have configured and mounted E-LAN services.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service, and then click the VLAN Unicast tab.

If the MAC address learning mode of the selected E-LAN service is IVL, click the VLAN Filtering tab to create a VLAN filtering table.

Step 3 Click New. The Create VLAN Unicast dialog box is displayed. Set related static MAC address parameters.

If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.

Step 4 Click OK to save the settings.

----End

For packet service boards

I. Prerequisites

You are an NMS user with Operator User Group rights or higher.

E-LAN services have been configured.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Static MAC Address tab.

Step 3 Click New. The NEW Static MAC Address dialog box is displayed. Set the parameters of the static MAC address.

If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.

Step 4 Click OK to save the settings.

----End

MAC Address Blacklist

A MAC address blacklist can be configured to prevent the unauthorized users specified in the blacklist from accessing the network. You can add, delete, and query blacklisted MAC addresses.

For EOT boards

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

E-LAN services have been configured.

II. Procedure

Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service, and then click the Disable MAC Address tab.

Step 3 Click New. The Disable MAC Address Creation dialog box is displayed. Set the parameters of the MAC address to be blacklisted.

Figure 3-6 Setting the parameters of the MAC address to be blacklisted on the EOT board

If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.

Step 4 Click OK to save the settings.

----End

For packet service boards

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

You have configured E-LAN services.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the Disable MAC Address tab.

Figure 3-7 Configuring the MAC address blacklist on the packet service board

Step 3 Click New. The Disabled MAC Address dialog box is displayed. Set the parameters of the MAC address to be blacklisted.

Step 4 Click OK to save the settings.

If the MAC address learning mode of the selected E-LAN service is SVL, the VLAN ID cannot be specified.

----End

Maximum Number of MAC Addresses

The MAC address table capacity can be specified in the system, so that MAC addresses are no longer learned when the number of existing MAC addresses reaches the maximum number of MAC addresses allowed in the system. This provides an effective means to control the number of users accessing the system.

You can configure a MAC address table capacity based on an Ethernet service ID, VLAN, or logical port for an EOT board.

For a packet service board, you can also specify an upper threshold and a lower threshold for MAC address alarms, in addition to configuring a MAC address table capacity based on an Ethernet service ID. If the number of MAC addresses reaches the upper threshold (95% by default), an alarm is generated, indicating that the MAC address table is full. This alarm is cleared when the number of MAC addresses drops below the lower threshold (90% by default).

For EOT boards

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

E-LAN services have been configured.

II. Procedure

Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service.

To configure the MAC address table capacity based on a VLAN, click the VLAN MAC Address Table Capacity tab and select the desired VLAN ID.

To configure the MAC address table capacity based on a VB port, click the VB Port MAC Address Table Capacity tab and select the desired VB port. A dialog box is displayed.

Step 3 Enter the maximum number of MAC addresses in the MAC Address Table Capacity text box.

Step 4 Click OK to save the settings.

To configure the MAC address table capacity based on a VLAN, you must first create a VLAN filtering table on the VLAN Filtering page.

To configure the MAC address table capacity based on a VB port, you must first configure the VB port on the Service Mount page.

----End

For packet service boards:

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

You have configured E-LAN services.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, and click the MAC Address Learning Parameters tab.

Step 3 Set the MAC address table capacity, the upper threshold for MAC address alarms, and the lower threshold for MAC address alarms.

Step 4 Click Apply to save the settings.

----End

Disabling the MAC Address Learning Function (for Packet Service Boards)

You can disable the MAC address learning function of E-LAN services, so that new users cannot access the network. If the MAC address learning function of E-LAN services is disabled, the existing users are not affected and can still access the network.

You can disable the MAC address learning function based on a specified VLAN to guarantee the stability and security of network users in this VLAN and prevent unauthorized users from accessing the network.

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

II. Procedure

Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service from the list of available E-LAN services, and then set Self-Learning MAC Address to Enabled or Disabled.

Step 3 Click New. The New E-LAN Service dialog box is displayed. Set Self-Learning MAC Address to Enabled or Disabled.

Step 4 Click Apply or OK to save the settings.

----End

Complex Traffic Classification and Filtering (for Packet Service Boards)

Complex traffic is classified based on complex rules. For example, packets can be classified based on link layer, network layer, and transport layer information, such as the source MAC address, destination MAC address, source IP address, destination IP address, user group ID, protocol type, or TCP/UDP port number of an application. You can configure ACL rules to filter matching packets in complex traffic. The ACL action in a traffic classification rule is to either permit or deny the traffic.

You can set the ACL action for a traffic classification rule based on a port or V-UNI ingress policy for packet service boards. The following configuration procedures use the port policy as an example. The configuration procedures are similar under the V-UNI ingress policy.

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

II. Procedure (based on an existing QoS policy)

1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > QoS Management > Policy Management > Port Policy from the Function Tree.

2. Select an existing policy and click the Traffic Classification Configuration tab.

To modify an existing rule, select a traffic classification rule, change the value of ACL Action to Permit or Deny, and click Apply to save the settings.

To create a traffic classification rule, click New. The Create Traffic Classification dialog box is displayed. Set the matching rule and ACL action. Click OK to save the settings.

III. Procedure (based on a new QoS policy)

1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > QoS Management > Policy Management > Port Policy from the Function Tree.

2. Click New. A dialog box is displayed, where you can create a port policy. Click the Traffic Classification Configuration tab.

3. Click New. The Create Traffic Classification dialog box is displayed. The remaining operations are the same as those in Procedure 1.

4. Click OK to save the settings.

----End

3.4.4 Service Isolation

The device provides multiple service isolation means to prevent mutual communication between user services and reduce the impact of broadcast traffic.

Setting the Hub/Spoke Attribute (for EOT Boards)

Users who create Ethernet private services can separate services by configuring "Hub/Spoke".

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

You have configured and mounted E-LAN services.

II. Procedure

Step 1 Select the NE from the Object Tree in the NE Explorer. Choose Configuration > Ethernet Service > Ethernet LAN Service from the Function Tree.

Step 2 Select the desired E-LAN service, click the Service Mount tab, and set Hub/Spoke to Hub or Spoke.

Step 3 Click OK to save the settings.

----End

Configuring Split Horizon Groups (for Packet Service Boards)

You can configure a group of physical or logical ports that cannot interwork on the local device to avoid service loops and isolate services between different customers.

You can create a split horizon group for E-LAN services, the members of which can be added or deleted based on actual requirements.

I. Prerequisites

You are an NMS user with Administrator User Group rights or higher.

II. Procedure (based on existing E-LAN services)

1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

2. Select the desired E-LAN service from the list of available E-LAN services, and click the Split Horizon Group tab.

3. Click New. The New Split Horizon Group dialog box is displayed. Set the members of the split horizon group.

4. Click OK to save the settings.

III. Procedure (based on a new E-LAN service)

1. Select the desired NE from the Object Tree in the NE Explorer. Choose Configuration > Packet Configuration > Ethernet Service Management > E-LAN Service from the Function Tree.

2. Click New. The New E-LAN Service dialog box is displayed. Click the Split Horizon Group tab.

3. Click New. The New Split Horizon Group dialog box is displayed. Set the members of the split horizon group. The remaining steps are the same as those in Procedure 1.

4. Click OK to save the settings.

----End

3.5 Layer 3 Protocols

3.5.1 IS-IS

Intermediate System to Intermediate System (IS-IS) is a link-state routing protocol and an internal gateway protocol, designed for use within an autonomous system. OptiX RTN 900 uses IS-IS in cooperation with Resource Reservation Protocol-Traffic Engineering (RSVP-TE) to dynamically create Multiprotocol Label Switching (MPLS) label switched paths (LSPs).

IS-IS provides null authentication, simple password authentication, and key authentication for security, in compliance with ISO 10589, RFC 1195, and RFC 5304.

Null authentication: Packets are not authenticated.

Simple password authentication: A simple password is used for authentication for both parties in a communication. The authentication fails if there is no password or the password is incorrect. When employing simple password authentication, each OptiX RTN 900 within an IS-IS area uses the same password.

Key authentication: HMAC-MD5 is used to calculate the digest. The password for calculating the digest is never sent over the network to defend against passive attacks. When employing key authentication, each OptiX RTN 900 within an IS-IS area uses the same key.
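The difference between the simple password and key authentication types above is visible in the bytes that leave the router. The following is an added example (not Huawei code and not part of this manual) that builds the IS-IS Authentication TLV (type 10) both ways: with authentication type 1 (cleartext, RFC 1195) the password itself is in the PDU, while with type 54 (HMAC-MD5, RFC 5304) only a keyed digest over the PDU appears and any tampering or key mismatch fails verification. It simplifies RFC 5304 in one respect, which is an assumption of this example: the digest is computed over the PDU bytes as given, without first zeroing the LSP Checksum and Remaining Lifetime fields. The header bytes and the area address are constructed.

```python
"""IS-IS Authentication TLV: cleartext password (RFC 1195) vs HMAC-MD5 (RFC 5304).

Added example, not Huawei code. Simplification: the digest covers the PDU
bytes as given; RFC 5304 also zeroes the LSP Checksum and Remaining Lifetime
before hashing, which is not modelled here. Header and area are constructed.
"""
import hashlib
import hmac

TLV_AUTHENTICATION = 10
AUTH_CLEARTEXT = 1      # RFC 1195 simple password
AUTH_HMAC_MD5 = 54      # RFC 5304


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return bytes([tlv_type, len(value)]) + value


def add_cleartext_auth(pdu: bytes, password: bytes) -> bytes:
    """Simple password authentication: the password itself travels in the TLV."""
    return pdu + _tlv(TLV_AUTHENTICATION, bytes([AUTH_CLEARTEXT]) + password)


def add_hmac_md5_auth(pdu: bytes, key: bytes) -> bytes:
    """Append an HMAC-MD5 Authentication TLV computed over the whole PDU."""
    # The digest is computed with its own 16 bytes set to zero (RFC 5304 s3.2).
    zeroed = pdu + _tlv(TLV_AUTHENTICATION, bytes([AUTH_HMAC_MD5]) + b"\x00" * 16)
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return pdu + _tlv(TLV_AUTHENTICATION, bytes([AUTH_HMAC_MD5]) + digest)


def _find_auth_tlv(pdu: bytes, tlv_start: int):
    """Return (offset, value) of the Authentication TLV, scanning TLVs from tlv_start."""
    pos = tlv_start
    while pos + 2 <= len(pdu):
        tlv_type, length = pdu[pos], pdu[pos + 1]
        if tlv_type == TLV_AUTHENTICATION:
            return pos, pdu[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None, None


def verify_hmac_md5_auth(pdu: bytes, key: bytes, tlv_start: int) -> bool:
    """Receiver side: zero the digest, recompute it, compare in constant time."""
    offset, value = _find_auth_tlv(pdu, tlv_start)
    if offset is None or len(value) != 17 or value[0] != AUTH_HMAC_MD5:
        return False
    digest_at = offset + 3                       # type, length, auth-type bytes
    zeroed = pdu[:digest_at] + b"\x00" * 16 + pdu[digest_at + 16:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value[1:])


def password_on_wire(pdu: bytes, secret: bytes) -> bool:
    """Whether the secret appears literally in the PDU bytes."""
    return secret in pdu


def flip_byte(pdu: bytes, offset: int) -> bytes:
    """Simulate in-flight corruption or tampering of one byte."""
    return pdu[:offset] + bytes([pdu[offset] ^ 0xFF]) + pdu[offset + 1:]


# Constructed stand-in for the IS-IS headers, followed by an Area Addresses TLV (49.0001).
SAMPLE_HEADER = b"\x83" + b"\x00" * 7
SAMPLE_PDU = SAMPLE_HEADER + _tlv(1, b"\x03\x49\x00\x01")
TLV_START = len(SAMPLE_HEADER)

if __name__ == "__main__":
    key = b"rtn-key"   # constructed
    print("cleartext exposes key:", password_on_wire(add_cleartext_auth(SAMPLE_PDU, key), key))
    print("hmac exposes key:", password_on_wire(add_hmac_md5_auth(SAMPLE_PDU, key), key))
```

The same keyed-digest idea underlies the MD5 key authentication described for RSVP and BGP in the following sections: the shared key configured on every OptiX RTN 900 in the area is what a receiver needs to recompute the digest, and a PDU from a node with a different key simply fails the check.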

The following describes how to configure IS-IS authentication on OptiX RTN 900.

IV. Prerequisites

You must be an NM user with Administrator User Group rights or higher.

IS-IS is enabled on ports.

V. Procedure

Step 1 Choose Configuration > Route Management > ISIS > ISIS Instance from the main menu.

Step 2 Click the Create or Modify tab.

Step 3 Set Authentication Type. If null authentication is selected, no authentication password is required. If simple password authentication or MD5 authentication is selected, you must set a password for the authentication.

Step 4 Click Apply. The Result dialog box is displayed.

Step 5 Click Close.

----End

3.5.2 RSVP

Resource Reservation Protocol (RSVP) is designed for the Integrated Service model and reserves resources on every node along an LSP. RSVP is a control protocol at the transport layer but does not transmit application data. RSVP-TE, as an extension to RSVP, creates or deletes constraint-based routed LSPs (CR-LSPs) by using traffic engineering (TE) attributes carried in extended objects. RSVP-TE complies with RFC 2205 and RFC 3209.

RSVP messages are protected from modification and spoofing by added objects and checks on these objects, elevating the reliability and security level of the network. RSVP supports interface-based authentication. That is, you are allowed to configure authentication on interfaces so that RSVP handles the authentication based on the egress interface of messages. The following three authentication types are available:

Null authentication

Packets are not authenticated.

Simple password authentication

A character string of 1 byte to 24 bytes is used for simple password authentication.

Key authentication

A character string of 1 byte to 24 bytes is used for MD5 authentication.

OptiX RTN 900 uses null authentication by default. You can configure authentication types based on application scenarios.

The following describes how to configure RSVP authentication on OptiX RTN 900.

VI. Prerequisites

You must be an NM user with Administrator User Group rights or higher.

VII. Procedure

Step 1 Choose Configuration > Control Plane Configuration > MPLS-RSVP Configuration from the main menu.

Step 2 Click the Port Configuration tab.

Step 3 Set Authentication Type. If null authentication is selected, no authentication password is required. If MD5 authentication is selected, you must set a password for the authentication.

Step 4 Click Apply. The Result dialog box is displayed.

Step 5 Click Close.

----End

3.5.3 BGP

Border Gateway Protocol (BGP) is used for transmitting routing information. OptiX RTN 900 supports BGP-4 and MP-BGP in compliance with RFC 4271, RFC 4760, and RFC 4724. Besides transmitting IPv4 and Layer 3 virtual private network (L3VPN) routing information, it provides key authentication for security.

Plain-text password authentication: The plain-text password is required for the authentication between peers. The authentication fails if the password is incorrect.

Key authentication uses MD5 to calculate the digest. The password for calculating the digest is never sent over the network to defend against passive attacks. In key authentication, the two BGP peers that transmit routing information must have the same key.
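The key-authentication principle described for RSVP (section 3.5.2) and for BGP above, shown as an added illustration that is not the device's implementation: the shared key is folded into an MD5 digest that travels with the message, while the key itself stays local to both peers, so a peer with a different key, or a message altered in transit, is rejected. The digest layout (message bytes followed by the key, the same idea RFC 2385 applies over a TCP segment), the peer names and the key values are constructed for this example.

```python
import hashlib
import hmac

# Constructed shared keys for the example: peers A and B agree on KEY_AB out of band;
# a third party holds a different key (KEY_C) and must not be able to pass as A.
KEY_AB = b"constructed-shared-key"
KEY_C = b"constructed-other-key"


def sign_message(payload: bytes, key: bytes) -> bytes:
    """Sender side: MD5 over the message bytes followed by the secret key.

    RFC 2385 applies the same idea to a whole TCP segment (pseudo-header, TCP
    header, data, then key); here the 'segment' is just the payload bytes.
    """
    return hashlib.md5(payload + key).digest()


def build_on_wire(payload: bytes, key: bytes) -> bytes:
    """What actually leaves the sender: payload plus a 16-byte digest, never the key."""
    return payload + sign_message(payload, key)


def verify_on_wire(wire: bytes, key: bytes):
    """Receiver side: split off the digest, recompute it with the local key,
    and compare in constant time. Returns (accepted, payload)."""
    payload, digest = wire[:-16], wire[-16:]
    accepted = hmac.compare_digest(sign_message(payload, key), digest)
    return accepted, payload


def demo() -> dict:
    update = b"BGP UPDATE: 100.100.1.0/24 via 10.0.0.2"  # constructed routing message
    wire = build_on_wire(update, KEY_AB)
    accepted_matching, _ = verify_on_wire(wire, KEY_AB)   # same key on both peers: accepted
    accepted_wrong, _ = verify_on_wire(wire, KEY_C)       # different key: rejected
    # Alter the next hop in transit without touching the digest: rejected.
    tampered = wire[:-16].replace(b"10.0.0.2", b"10.0.0.9") + wire[-16:]
    accepted_tampered, _ = verify_on_wire(tampered, KEY_AB)
    return {
        "key_on_wire": KEY_AB in wire,
        "accepted_matching_key": accepted_matching,
        "accepted_wrong_key": accepted_wrong,
        "accepted_tampered": accepted_tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The digest protects against spoofing and modification only as long as the key stays secret and identical on both peers, which is why the procedure below asks for the same key on each side.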

The following describes how to configure BGP authentication on OptiX RTN 900.

VIII. Prerequisites

You must be an NM user with Administrator User Group rights or higher.

BGP peers have been configured.

IX. Procedure

Step 1 Choose Configuration > Route Management > BGP > BGP Peer Information from the main menu.

Step 2 Click the Create or Modify tab.

Step 3 Set the plain-text password or MD5 authentication key.

Step 4 Click Apply. The Result dialog box is displayed.

Step 5 Click Close.

----End

4 Security Maintenance

Security maintenance audits the device for security risks so that they are discovered in time and security hardening can be implemented effectively, ensuring that the device works properly and securely.

4.1 Suggestions on Port Maintenance

Ports are classified into logical ports and physical ports. Logical ports are standard communication protocol ports, such as STELNET port 22. Physical ports are management access ports and service ports provided by the device.

It is recommended that unused ports be disabled during routine O&M to avoid unauthorized access traffic. The following ports can be disabled:

TCP Port    Function

1600        ECC extension
23          Telnet
2008        Raw Telnet
22          STELNET

UDP Port    Function

161         SNMP
123         NTP
520         RIP
1812        RADIUS
1813        RADIUS
1405        Automatic NE report

4.2 NE Account Maintenance

NE accounts are user names and passwords used for NE management. NE accounts must be updated in time to prevent unauthorized access and guarantee device security. The following issues must be considered during account maintenance:

Periodically updating passwords

Changing the default account and password of the NE in time

Deleting abandoned and unused accounts in time

4.3 Log Audit

Log audit is a means to discover security risks during network O&M and identify hidden security troubles. The device provides two types of logs, security logs and operation logs, for this purpose. Security logs record operations related to NE accounts, such as account deletion, to reveal unauthorized user access. Operation logs record all user configuration operations to help effectively discover unauthorized configuration operations.

Security logs must be periodically audited to strengthen the protection against unauthorized account access or login attempts. You can add an access control list (ACL) or deploy a firewall to shield unauthorized login attempts, and can clear abandoned or unused accounts to prevent unauthorized account access.
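The security-log audit described above, as an added example that is not part of the manual or the device software: it scans security-log lines for the events the text calls out (account deletions, login attempts, and logins from outside the management network that an ACL or firewall should have blocked). The key=value log layout, the management segment 100.100.1.0/24, the failure threshold and the log lines themselves are constructed for the example; the NE's real log format is not reproduced here.

```python
import ipaddress
import re
from collections import Counter

# Constructed security-log lines in a simple key=value layout assumed for this example.
SAMPLE_SECURITY_LOG = """\
2013-12-26 08:00:01 user=admin src=100.100.1.5 event=LOGIN result=SUCCESS
2013-12-26 08:05:12 user=admin src=100.100.1.5 event=ACCOUNT_CREATE target=ops1 result=SUCCESS
2013-12-26 09:10:44 user=root src=203.0.113.9 event=LOGIN result=FAILURE
2013-12-26 09:10:47 user=root src=203.0.113.9 event=LOGIN result=FAILURE
2013-12-26 09:10:51 user=root src=203.0.113.9 event=LOGIN result=FAILURE
2013-12-26 10:20:03 user=ops1 src=100.100.1.20 event=LOGIN result=SUCCESS
2013-12-26 10:22:30 user=ops1 src=100.100.1.20 event=ACCOUNT_DELETE target=admin result=SUCCESS
"""

# Management network allowed to reach the NE (constructed; /24 assumed).
PERMITTED_SOURCES = [ipaddress.ip_network("100.100.1.0/24")]
FAILURE_THRESHOLD = 3  # consecutive failures from one (user, source) worth reporting

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    fields["ts"] = m.group("ts")
    return fields


def audit_security_log(text):
    """Return findings as (kind, timestamp, user, detail) tuples, in log order."""
    findings = []
    failures = Counter()
    flagged_sources = set()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or "src" not in rec or "event" not in rec:
            continue
        src = ipaddress.ip_address(rec["src"])
        if rec["event"] == "LOGIN":
            # A login attempt from outside the management segment: the ACL/firewall did not stop it.
            if not any(src in net for net in PERMITTED_SOURCES) and rec["src"] not in flagged_sources:
                flagged_sources.add(rec["src"])
                findings.append(("login_from_unauthorized_source", rec["ts"], rec["user"], rec["src"]))
            if rec.get("result") == "FAILURE":
                key = (rec["user"], rec["src"])
                failures[key] += 1
                if failures[key] == FAILURE_THRESHOLD:
                    findings.append(("repeated_login_failures", rec["ts"], rec["user"], rec["src"]))
        elif rec["event"] == "ACCOUNT_DELETE":
            # Account deletions are the security-log entries the text singles out for review.
            findings.append(("account_deleted", rec["ts"], rec["user"], rec.get("target", "?")))
    return findings


if __name__ == "__main__":
    for finding in audit_security_log(SAMPLE_SECURITY_LOG):
        print(*finding)
```

Each finding maps back to an action from the text: an unauthorized source or a failure burst is a candidate for a new ACL or firewall rule, and a deletion performed by an unexpected account is a reason to review that account.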

Operation logs must also be periodically audited to discover, in time, unauthorized configuration operations performed on NEs by unauthorized users. You can delete such accounts to reduce security risks in time.

4.4 Security Patch Upgrade

Security vulnerabilities on devices can be rectified online through hot patches.

4.5 Software Package Integrity Check

When a device software package is released at http://support.huawei.com, the digest value of the software package is calculated with a standard hash algorithm and written in an MD5 authentication document that is released at the website at the same time.

Each document contains the following information:

Users can select a suitable tool and the matching algorithm (MD5 or SHA-256) to calculate the digest value, and then compare the calculated digest value with the digest value in the MD5 document to check the integrity of the software package. If the two digest values differ, the integrity of the software package is corrupted. In this case, do not use the software package; contact Huawei's engineers to obtain a new one.
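The integrity check described above, as an added example that is not Huawei's tool: the script streams the package through MD5 or SHA-256 (chosen from the length of the published digest), parses a digest document, and compares the two values in constant time. The `<hexdigest>  <filename>` document layout, the package name and the package contents are constructed for the example; the layout of Huawei's actual MD5 document is not reproduced.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length identifies the algorithm used in the published document.
_ALGORITHM_BY_HEX_LENGTH = {32: "md5", 64: "sha256"}


def algorithm_for(published_digest):
    """Pick MD5 or SHA-256 from the length of the published hex digest."""
    try:
        return _ALGORITHM_BY_HEX_LENGTH[len(published_digest.strip())]
    except KeyError:
        raise ValueError("digest is neither 32 (MD5) nor 64 (SHA-256) hex characters")


def compute_digest(path, algorithm, chunk_size=1 << 20):
    """Stream the file through the chosen hash so a large package need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_document(text):
    """Parse '<hexdigest>  <filename>' lines (layout assumed for this example) into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_package(path, published_digest):
    """True only when the file's digest equals the published one (constant-time comparison)."""
    actual = compute_digest(path, algorithm_for(published_digest))
    return hmac.compare_digest(actual, published_digest.strip().lower())


def demo():
    """Constructed package and digest document; returns (intact_ok, corrupted_ok)."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "RTN900_package.bin")  # constructed file name
        with open(pkg, "wb") as f:
            f.write(b"constructed package contents")
        # Stands in for the digest the vendor publishes alongside the package.
        published = hashlib.sha256(b"constructed package contents").hexdigest()
        entries = parse_digest_document(f"{published}  RTN900_package.bin\n")
        intact_ok = verify_package(pkg, entries["RTN900_package.bin"])
        with open(pkg, "ab") as f:
            f.write(b"!")  # simulate a corrupted or altered download
        corrupted_ok = verify_package(pkg, entries["RTN900_package.bin"])
    return intact_ok, corrupted_ok


if __name__ == "__main__":
    print(demo())
```

Prefer the SHA-256 value when the document offers both; MD5 still detects accidental corruption, but only the SHA-256 comparison gives meaningful assurance against a deliberately substituted package.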

5 Security Hardening

5.1 Device Layer Security Hardening

5.1.1 Account Management Hardening

Account management hardening involves account maintenance hardening and management mode hardening.

Account Maintenance Hardening

After an NE is handed over to the customer's O&M department, the administrator must delete the ex-factory default accounts or modify the passwords of the ex-factory default accounts in time. For details about a list of the default accounts, see Table 2-1.

Delete outdated or useless accounts in time.

Allocate the monitor rights to each new account based on the "Minimum Rights" principle.

Ensure that only one administrator is defined for each NE to avoid conflicts during account maintenance.

Change the user password periodically (preferably once every two months), ensuring that the user password contains three or more characters.

Set a validity period for the password of each new account. It is recommended that the validity period be three months. It is recommended that the storage mode for the password of each account be set to SHA256.

Centralized Account Management on a RADIUS Server

The device provides local authentication and RADIUS authentication. If the device is deployed in local authentication mode, accounts and passwords must be periodically updated. This, however, brings a huge maintenance workload. Therefore, the RADIUS authentication mode is recommended for higher maintenance efficiency.

A RADIUS server can be deployed on the live network, with all devices on the network using the same accounts and passwords. These accounts are configured on the RADIUS server only. This effectively lowers the maintenance workload, because during O&M you only need to periodically examine the accounts and passwords on the RADIUS server.

5.1.2 Security Log Hardening

The device can store only a limited number of security logs. If security logs are not audited, useful logs may be overwritten, causing security risks to go undiscovered and leaving hidden troubles during network O&M.

The device provides the syslog function. The logs of the device can be dumped to an external syslog server. This helps solve the issue of insufficient security log storage space.

You can configure the syslog server on each device. For details about how to configure the syslog server and the gateway server, see section 2.4. After the configuration succeeds, the devices upload security logs to the syslog server.

The following example describes how to configure the syslog server on NE 1.

Figure 5-8 Network topology

You can set the syslog server on NE 1 to the NE ID (0x00092012) of the GNE, and then configure the IP address (128.100.1.1) of the syslog server on the gateway NE (GNE). A forwarding server must be configured here because the Huawei proprietary Embedded Control Channel (ECC) protocol, rather than IP, is used on the management plane of the network where NE 1 is located.

If IP is used on the network, the IP address of the syslog server can be directly configured on each NE and then the forwarding server is not necessary.

5.1.3 USB Application Hardening

After site deployment, disable USB access ports if USB flash drive maintenance is not required. If USB flash drive maintenance is required, enable USB access ports.

MD5 remains available to support the previous version. However, it is recommended that you use SHA256 when saving new files.

5.2 Network Layer Security Hardening

5.2.1 Configuring an ACL to Prevent Unauthorized Access

Configuring a Basic ACL to Control Unauthorized IP Access

The basic ACL lists only the IP addresses that are allowed to access the device; IP addresses outside the basic ACL cannot access the device. The ACL rules that define the permitted IP addresses can be configured on all gateway NEs.

The following figure shows an example of how to configure the basic ACL so that only IP addresses in the network segment 100.100.1.0 can access the NE.

Configuring an Advanced ACL to Control Unauthorized Port Access

The advanced ACL can filter out all application layer protocols that are forbidden to access the device. Because the ports of application protocols are discrete, you configure blacklist entries one by one on the Advanced ACL page. The blacklist can be configured on the gateway NE.

The following figure shows an example of how to prohibit Telnet access to the device.
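The two ACL layers described in this section, modelled as an added example that is not the device's ACL implementation: the basic ACL admits only sources in the management segment from the text (100.100.1.0, assumed here to be a /24), and the advanced ACL then blacklists individual application ports, here TCP 23 for Telnet. The rule sets and the sample connection attempts are constructed for the example.

```python
import ipaddress

# Constructed rule set: basic ACL permits only the management segment from the text
# (the /24 mask is an assumption); advanced ACL blacklists Telnet (TCP 23).
BASIC_ACL_PERMIT = [ipaddress.ip_network("100.100.1.0/24")]
ADVANCED_ACL_DENY = {("tcp", 23)}


def basic_acl_permits(src_ip, permit_networks=BASIC_ACL_PERMIT):
    """Basic ACL: the source address must fall inside one of the permitted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in permit_networks)


def advanced_acl_denies(protocol, dst_port, deny_rules=ADVANCED_ACL_DENY):
    """Advanced ACL: application protocols are blacklisted one by one as (protocol, port)."""
    return (protocol.lower(), dst_port) in deny_rules


def evaluate(src_ip, protocol, dst_port):
    """Return ('permit', '') or ('deny', reason).

    The basic ACL is checked first, so an address outside the management
    segment never reaches the per-port check at all.
    """
    if not basic_acl_permits(src_ip):
        return "deny", "basic ACL: source address not in permitted segment"
    if advanced_acl_denies(protocol, dst_port):
        return "deny", f"advanced ACL: {protocol}/{dst_port} is blacklisted"
    return "permit", ""


# Constructed management-plane connection attempts: (source IP, protocol, destination port).
SAMPLE_ATTEMPTS = [
    ("100.100.1.7", "tcp", 22),     # STELNET from the management segment
    ("100.100.1.7", "tcp", 23),     # Telnet from the management segment
    ("203.0.113.9", "tcp", 22),     # STELNET from outside the segment
    ("100.100.1.200", "udp", 161),  # SNMP from the management segment
]


def filter_attempts(attempts=SAMPLE_ATTEMPTS):
    """Evaluate each attempt; returns (src, protocol, port, decision, reason) tuples."""
    return [(src, proto, port, *evaluate(src, proto, port)) for src, proto, port in attempts]


if __name__ == "__main__":
    for row in filter_attempts():
        print(*row)
```

The ordering matters for audit as well as for filtering: a denial logged with a "basic ACL" reason points at an address that should never have reached the gateway NE, while an "advanced ACL" denial points at a permitted operator using a protocol the hardening policy has retired.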

5.2.2 Using SSL to Prevent Unauthorized Access to Sensitive Data

When creating a gateway NE on the NMS, you must select a Secure Sockets Layer (SSL) connection. For details, see section 3.2.1. This triggers the establishment of an encrypted channel between the NMS and the gateway NE using the SSL 3.0 or TLS 1.0 protocol.

Devices are delivered with default SSL certificates. Private key encryption in the PKCS#1 format is supported. Users can replace the default SSL certificates with their own SSL certificates in the same format.

5.2.3 Using SSH to Prevent Sensitive Data from Theft

Users can access an NE using Telnet or SSH. Telnet transmits plaintext, so it carries risks. To improve remote access security, users can disable Telnet and enable SSH.

5.2.4 Using SFTP to Load Software

The device supports two modes for downloading software packages on an all-IP network: using the File Transfer Protocol (FTP) client, or using the SSH FTP (SFTP) client. The device serves as the client, and the NMS serves as the server. FTP transmits plaintext, so it carries risks. To guarantee security during software package download, you can disable the FTP client service and use only the SFTP client to download software packages.

The following figure shows how to enable or disable the FTP/SFTP client.

To use SFTP, log in to the web page on the U2000 to configure a third-party server.

Configuring a Third-Party Server

Prerequisites

You are an NMS user with Administrator User Group rights or higher.

Procedure

Step 1 Enter https://U2000ServerIP/ftpconf/login.jsp in the web browser. U2000ServerIP refers to the IP address of the U2000 server.

Step 2 Log in to the U2000.

Step 3 Click Third Party FTP Settings.

Step 4 Configure the third-party server.

Step 5 Log in to the U2000. In the NE Explorer, select the target NE. Choose Administration > NE Software Management > FTP Settings from the main menu.

Step 6 Click the Third-party FTP server settings tab. The server information configured earlier is displayed, which confirms that the configuration is successful.

----End

5.2.5 Data Service Security Hardening

Configuring Broadcast Traffic Suppression

You can enable the broadcast traffic suppression function and configure the related thresholds to control inbound broadcast traffic on the equipment, so that broadcast traffic does not grow excessively and unicast services are forwarded properly.

Configuring Service Loop Detection (for Packet Service Boards)

After creating E-LAN services, you can perform a service loop detection test to disconnect the related services and avoid service loops. For details, see section 3.6.2.

Configuring the Maximum Number of Users

You can configure the MAC address table capacity and the unknown unicast packet discard function to control E-LAN services. When the number of learned MAC addresses reaches the MAC address table capacity, packets from new MAC addresses are discarded as unknown unicast packets, so that only a limited number of users can access the system.

For EOT boards, you can configure the MAC address table capacity based on a VLAN or VB port. For packet service boards, you can configure the MAC address table capacity based on an Ethernet service instance.
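The MAC-table-capacity limit described above, simulated as an added example that is not the board's forwarding code: an E-LAN instance with a constructed capacity of two learns the first two source addresses; a third station's frames are still forwarded to destinations the table already knows, but its own source is never learned, so replies to it are unknown unicast and, with the discard function enabled, are dropped. The capacity, station MAC addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    in_port: int  # port the frame arrived on


@dataclass
class ELanInstance:
    """Per-instance MAC table with a capacity cap and optional unknown-unicast discard."""
    capacity: int
    discard_unknown_unicast: bool = True
    table: dict = field(default_factory=dict)  # MAC -> port

    def learn(self, mac, port):
        """Refresh a known entry, or add a new one only while the table is below capacity."""
        if mac in self.table:
            self.table[mac] = port
            return True
        if len(self.table) >= self.capacity:
            return False  # table full: this station is never learned
        self.table[mac] = port
        return True

    def handle(self, frame):
        """Return (source learned?, forwarding action) for one frame."""
        learned = self.learn(frame.src, frame.in_port)
        if frame.dst in self.table:
            return learned, f"forward to port {self.table[frame.dst]}"
        if self.discard_unknown_unicast:
            return learned, "discard (unknown unicast)"
        return learned, "flood"


def simulate(capacity=2, discard_unknown_unicast=True):
    """Run a constructed conversation between three stations through one instance."""
    instance = ELanInstance(capacity, discard_unknown_unicast)
    # Constructed traffic: stations A and B fill a two-entry table; C is the third user.
    frames = [
        Frame("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", 1),  # A -> B, B not yet known
        Frame("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", 2),  # B -> A
        Frame("cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa", 3),  # C -> A, C cannot be learned
        Frame("aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", 1),  # A -> C, C unknown so discarded
    ]
    return [instance.handle(f) for f in frames]


if __name__ == "__main__":
    for learned, action in simulate():
        print(learned, action)
```

With the discard function disabled the last frame would be flooded instead, which is why the text pairs the capacity limit with unknown-unicast discard: the limit alone only stops learning, the discard is what actually denies the extra user a working path.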

Configuring the ACL Action in a Traffic Classification Rule to Filter Services (for Packet Service Boards)

You can configure the ACL action in a traffic classification rule to filter service packets based on the following criteria:

Source IP address

Destination IP address

Source MAC address

Destination MAC address

Protocol type

Source port

Destination port

Internet Control Message Protocol (ICMP) packet type

Differentiated services code point (DSCP)

IP Pre

CVLAN ID

CVLAN Pri

SVLAN ID

SVLAN Pri

DEI

A combination of multiple or all of the preceding criteria

Configuring Service Isolation

After E-LAN services are created on an NE, different users may share the same V-LAN service. To prevent service interworking between users, you can take the following service isolation measures:

EOT boards: You can configure the hub/spoke attribute of each VB port, ensuring that services cannot interwork between spoke ports.

Packet service boards: You can create a split horizon group and add members to the group. Services cannot interwork between the members of this split horizon group.

5.2.6 Defense Against Flood Attacks

The firewall needs to be used for defense against flood attacks such as ARP flood, ICMP flood, reflected ICMP flood, no-IP-load flood, LAND attack, UDP flood, SYN flood, TCP stress attack, Fraggle attack, DHCP exhaustion, reverse-ARP-triggered flood, and MAC forwarding table flood.

6 Appendixes

6.1 References

1. Product Security Technical White Paper

2. Product Communication Matrix

6.2 Acronyms and Abbreviations

Abbreviation    Full Name

OSN             Optical Switch Node
TDM             Time Division Multiplexing
MAC             Medium Access Control
IGMP            Internet Group Management Protocol
BPDU            Bridge Protocol Data Unit
LACP            Link Aggregation Control Protocol
APS             Automatic Protection Switching
QOS             Quality of Service
VLAN            Virtual Local Area Network
VPN             Virtual Private Network
DCN             Data Communication Network
ECC             Embedded Control Channel
HTTPS           Hypertext Transfer Protocol Secure
OSPF            Open Shortest Path First
TCP/IP          Transmission Control Protocol/Internet Protocol
UDP             User Datagram Protocol
ICMP            Internet Control Message Protocol
ACL             Access Control List
QX              Private management protocol of Huawei
NMS             Network Management System
MD5             Message Digest Algorithm 5
RSVP            Resource Reservation Protocol
FTP             File Transfer Protocol
SSL             Secure Sockets Layer
SNMP            Simple Network Management Protocol
LCT             Local maintenance terminal of a transport network, based on the HTTP protocol
IS-IS           Intermediate System to Intermediate System
RADIUS          Remote Authentication Dial In User Service
LDP             Label Distribution Protocol
MPLS            Multi-Protocol Label Switching
FEC             Forwarding Equivalence Class
LSP             Label Switched Path
BGP             Border Gateway Protocol
VRRP            Virtual Router Redundancy Protocol

6.3 Maintenance Tools

6.3.1 EMS and NMS Tool

Table 6-7 EMS and NMS tool

Tool name: U2000
Communication port: 1400/5432
Communication protocol: Communication channels are established using TCP. The QX protocol is used for communication at the NE application layer.
Remarks: The U2000 is a new-generation graphical network management tool. It provides multiple functions, such as service provisioning, monitoring, O&M, and security management.

Tool name: WEB_LCT
Communication port: 1400
Communication protocol: Communication channels are established using TCP. The QX protocol is used for communication at the application layer.
Remarks: The WEB_LCT is used for local NE access during the network operation and maintenance phases. It supports simple maintenance operations, such as alarm and performance monitoring and service monitoring.

6.3.2 Software Upgrade Tool

Table 6-8 Software upgrade tool

Tool name: DC
Communication port: 1400
Communication protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication at the NE application layer.
Remarks: The DC is a tool used during software upgrade. You can use it to load software packages and patches, or upload the database. This tool automatically loads software packages to an NE and activates the software packages after you create a software loading task, so that the NE software is automatically upgraded.

This tool can also be used to load, activate, and validate patches, and to back up or recover the NE database.

This tool can be used independently or integrated in the U2000. In most cases, it is integrated in the U2000.

6.3.3 Fault Collection Tool

Table 6-9 Fault collection tool

Tool name: Smartkit NSE2700 OptiX DataCollector
Communication port: 1400
Communication protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication at the application layer.
Remarks: The Smartkit NSE2700 OptiX DataCollector is a fault collection tool. When a software or hardware fault occurs on an NE, you can use this tool to collect data about the fault from the NE, excluding the customer's service data.

6.3.4 Network Health Check Tool

Table 6-10 Network health check tool

Tool name: Smartkit NSE2700 OptiX Inspector
Communication port: 1400/
Communication protocol: Communication channels are established using TCP. A Huawei proprietary protocol is used for communication at the application layer.
Remarks: The Smartkit NSE2700 OptiX Inspector is a network health check tool. You can use this tool to periodically check the health of an NE and identify improper configuration data or potential software faults on the NE. The health check items vary with the NE version and do not involve the customer's service data.

6.3.5 Handheld Terminal

Table 6-11 Handheld terminal

Tool name: Handheld terminal
Communication port: Not applicable (serial connection)
Communication protocol: Not applicable (serial connection)
Remarks: The handheld terminal is connected to an NE through a serial port. It is useful during deployment and site commissioning.

6.4 Other Maintenance Means

All the commands in these documents are intended for customers that deploy and maintain Huawei devices on the live network.

The commands, including but not limited to the commands that are used during production, assembly, and return for repair, are confidential and will not be provided in this document. If you do need to use these commands, please apply to Huawei for them.

Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd. Issue 01 (2009-04-10)
