rtn 310 security white paper 01
TRANSCRIPT
7/30/2019 RTN 310 Security White Paper 01
http://slidepdf.com/reader/full/rtn-310-security-white-paper-01 1/37
OptiX RTN 310 Radio Transmission System
Security White Paper
Issue 01
Date 2012-07-20
HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 (2012-07-20) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd
Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: [email protected]
Contents
1 Product Introduction and Network Applications ... 1
1.1 Product Introduction ... 1
1.2 Network Applications ... 2
2 Security Architecture ... 4
2.1 Overview of Hardware Security ... 4
2.2 Overview of Software Security ... 5
3 System Security ... 9
3.1 Management Plane ... 9
3.1.1 Threats ... 9
3.1.2 Preventive Measures ... 9
3.2 Data Plane ... 16
4 Network Security ... 17
4.1 Network Security Management ... 17
4.1.1 Threats ... 17
4.1.2 Preventive Measures ... 18
4.2 Protocols and Control ... 23
4.2.1 Threats ... 23
4.2.2 SFTP Clients ... 23
4.2.3 OSPF Protocol ... 25
4.2.4 NTP Protocol ... 25
4.2.5 Layer 2 Protocols ... 27
4.3 Network Services ... 28
4.3.1 Threats ... 28
4.3.2 Ethernet Services ... 29
A Appendix ... 32
1 Product Introduction and NetworkApplications
1.1 Product Introduction

The OptiX RTN 310 is a new-generation full-outdoor radio transmission system developed by Huawei. It provides a seamless radio transmission solution for a mobile communication network or a private network. Table 1-1 lists the basic features of the OptiX RTN 310.
Table 1-1 Basic features of the OptiX RTN 310

Item | Performance
Chassis dimensions (H x W x D) | 290 mm x 265 mm x 98 mm
Number of microwave directions | 1
Service port | 2 GE service ports
RF configuration mode | 1+0 non-protection configuration; 2+0 non-protection configuration; cross polarization interference cancellation (XPIC) configuration; multi-direction configuration
NOTE: XPIC and 2+0 non-protection configurations require two OptiX RTN 310s in concatenation. In the multi-direction configuration, the OptiX RTN 310 can be concatenated with other OptiX RTN 310s or OptiX RTN 900s to increase the number of microwave directions.
Power supply | Power over Ethernet (PoE); DC power supply
NOTE: The PoE supports a maximum distance of 100 meters. The DC power supply supports a maximum distance of 300 meters.
Figure 1-1 OptiX RTN 310
1.2 Network Applications

The OptiX RTN 310 is a highly integrated full-outdoor microwave product. In contrast to split microwave equipment, the OptiX RTN 310 integrates all its functions into an outdoor chassis and supports zero-footprint installation. Therefore, it provides carriers with a low-cost solution for building and operating a network.

The OptiX RTN 310 can work with other OptiX RTN 310s or OptiX RTN 900s. The latter option provides more functions and makes full use of existing microwave equipment. For example, Figure 1-2 and Figure 1-3 describe the radio transmission solutions provided by the OptiX RTN 310.

Figure 1-2 Radio transmission solution provided by only the OptiX RTN 310
Figure 1-3 Radio transmission solution provided by the OptiX RTN 310 and the OptiX RTN 900
2 Security Architecture
2.1 Overview of Hardware Security

Figure 2-1 shows the system block diagram of the OptiX RTN 310. The system adopts a high-reliability hardware design to ensure that the system runs properly under security threats.
Figure 2-1 System block diagram
The following hardware preventive measures are provided:
- Microwave interfaces: The FEC encoding mode is adopted and an adaptive time-domain equalizer for baseband signals is used. This enables the microwave interfaces to tolerate strong interference. Therefore, an interceptor cannot restore the contents of a data frame without obtaining the coding details and service configurations.
- Modular design: Control units are separated from service units, and service units are separated from each other. In this manner, a fault on any unit can be properly isolated, minimizing the impact of the fault on other units in the system.
- CPU flow control: Data flow sent to the CPU for processing is classified and controlled to prevent the CPU from being attacked by a large number of packets. This ensures that the CPU operates properly under attack.
- USB port control: The USB port is disabled when it is not in use, to prevent invalid access.
2.2 Overview of Software Security

Being positioned at the transport layer of a communications network, the OptiX RTN 310 provides high-capacity and high-reliability transparent transmission tunnels, and is almost invisible to end users. Therefore, the transmission tunnels are not easily exposed to external attacks. To better address security requirements, the following part describes the services provided by the OptiX RTN 310, on which the security design is based.

The OptiX RTN 310 processes two categories of data: O&M data and service data. The two categories are transmitted over independent paths and do not affect each other. Therefore, services on the OptiX RTN 310 are processed on two planes:

- Management plane
- Data plane

The management plane provides access to the required equipment and management functions, such as managing accounts and passwords, communication protocols, and alarm reporting.

The management plane adopts the security architecture shown in Figure 2-2.
Figure 2-2 Security architecture on the management plane (figure not reproduced; layers from bottom to top: Hardware Platform; VxWorks OS; TCP/IP Protocol Stack; Security Management, comprising Account and Password Management, Security Log, Operation Log, SSL 3.0/TLS 1.0, OSPFv2, ACL, NTPv3, TCP/IP Attack Prevention, RADIUS, SNMPv3, SYSLOG and FTP/SFTP)
Security features on the management plane implement secure access, integrated security management, and all-round security audits. The Secure Sockets Layer (SSL) feature provides secure access to the required equipment. The Remote Authentication Dial-In User Service (RADIUS) feature implements centralized security authentication for the equipment on the entire network. The Syslog feature implements offline storage of more security-related logs for audits.
The data plane processes the service data flow entering the equipment and forwards service packets according to the forwarding table. Security features on the data plane ensure the confidentiality and integrity of user data by preventing malicious theft, modification, and removal of user service packets. They ensure stable and reliable operation of the forwarding plane by protecting forwarding entries against malicious attacks and falsification. The data plane provides:

- User service separation methods
- Access control methods
- Methods for controlling and managing the ingress and egress bandwidth of the equipment to ensure reliable operation, such as flow control and QoS

The data plane adopts the security architecture shown in Figure 2-3.
Figure 2-3 Security architecture on the data plane (figure not reproduced; layers from bottom to top: Hardware platform; Product adapter/driver; VxWorks OS; Service platform with Access control, Quality of service, Flow control, Protocol security and Availability; above it the Service components, Security components, Protocol components and Other components)
Figure 2-4 shows principles of data separation on the management plane and data plane.
Figure 2-4 Principles of data separation (figure not reproduced; it contrasts a fiber or radio link carrying D bytes plus payload with a fiber or radio link carrying VLAN-tagged payload)
The equipment supports two modes:

- In overhead+payload mode, data on the management plane is transmitted in the D1-D3 D-byte overheads and data on the data plane is transmitted as payload. Data on the two planes is physically separated.
- In VLAN+payload mode, data on the two planes is transmitted as service data, shares physical bandwidth, and is separated by VLAN technology. Data on the two planes uses different VLAN IDs.
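In VLAN+payload mode the VLAN ID is the only thing keeping management traffic apart from service traffic, so the ingress classifier has to be strict about tags. The following classifier is an added example, not part of the white paper or of Huawei's software: it parses the 802.1Q tag of a frame and assigns the frame to a plane. The management VLAN ID 4094, the service VLAN IDs 100 and 200, the constructed sample frames, and the rule of dropping untagged or unknown-VLAN frames are my own assumptions; the discard of frames shorter than 64 bytes follows Table 2-1.

```python
"""802.1Q-based plane separation: classify frames into management plane,
data plane, or drop.  Added illustration, not Huawei code; VLAN IDs and the
drop rules for untagged/unknown frames are assumptions."""
import struct

ETHERTYPE_8021Q = 0x8100
MIN_FRAME = 64              # Table 2-1: Ethernet packets shorter than 64 bytes are discarded
MGMT_VLAN = 4094            # assumption: VLAN ID reserved for the management plane
SERVICE_VLANS = {100, 200}  # assumption: VLAN IDs carrying customer services


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int, payload: bytes) -> bytes:
    """Construct an Ethernet frame; vlan=None gives an untagged frame, otherwise an
    802.1Q tag with the given VLAN ID (priority/DEI bits left at zero)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vlan(frame: bytes):
    """Return (vlan_id or None, ethertype, payload) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]   # low 12 bits of the TCI are the VID
    return None, tpid, frame[14:]


def classify(frame: bytes) -> str:
    """Decide which plane a frame belongs to, or why it is dropped."""
    if len(frame) < MIN_FRAME:
        return "drop: runt"
    vid, _, _ = parse_vlan(frame)
    if vid == MGMT_VLAN:
        return "management plane"
    if vid in SERVICE_VLANS:
        return f"data plane (VLAN {vid})"
    if vid is None:
        return "drop: untagged"           # assumption: no default VLAN is assigned
    return f"drop: unknown VLAN {vid}"


if __name__ == "__main__":
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa"   # constructed MACs
    for vid in (4094, 100, 300, None):
        print(vid, "->", classify(build_frame(dst, src, vid, 0x0800, b"\x00" * 60)))
```

The point of the example is the failure modes: a frame with no tag or with a VLAN ID that belongs to neither plane must not be guessed into one of them, because a default assignment is what would let service traffic reach the management plane.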
Table 2-1 lists the security functions provided by the OptiX RTN 310.
Table 2-1 Security functions
Plane | Function | Description
Management plane | Account and password management | Manages and stores maintenance accounts.
Management plane | Local authentication and authorization | Authenticates and authorizes accounts.
Management plane | RADIUS authentication and authorization | Authenticates and authorizes remote accounts in a centralized manner to reduce maintenance costs.
Management plane | Security log | Records events related to account management.
Management plane | Operation log | Records non-query operations.
Management plane | Syslog management | Provides a standard solution for offline storage of logs.
Management plane | TCP/IP attack defense | Provides defense against TCP/IP attacks, such as IP error packets, Internet Control Message Protocol (ICMP) ping attacks, Jolt attacks, and DoS attacks.
Management plane | Access control list | Provides access control lists based on IP addresses and port IDs.
Management plane | SSL/TLS encrypted communication | Uses the SSL 3.0 and TLS 1.0 protocols to establish an encrypted channel based on a security certificate.
Management plane | Secure File Transfer Protocol (SFTP) | Provides SFTP services.
Management plane | Open Shortest Path First (OSPF) | Uses the OSPFv2 protocol for standard MD5 authentication.
Management plane | Network Time Protocol (NTP) | Uses the NTPv3 protocol for MD5 authentication and permission control.
Management plane | Simple Network Management Protocol (SNMP) | Uses the SNMPv3 protocol for authentication and data encryption.
Data plane | Flow control | Controls traffic at ports. Broadcast packets are suppressed. Unknown unicast packets and multicast packets are discarded. QoS is used to limit the service traffic.
Data plane | Discarding of incorrect packets | Discards incorrect packets, such as an Ethernet packet shorter than 64 bytes.
Data plane | Loop prevention | Detects self-loops at service ports and blocks self-looped ports.
Data plane | Access control of Layer 2 services | Filters static MAC addresses in the static MAC address table, provides a blacklist, enables and disables the MAC address learning function, and filters packets based on traffic classification.
Data plane | Service separation | Includes Layer 2 logical separation, split horizon, and physical path separation.
3 System Security
3.1 Management Plane
3.1.1 Threats

The management plane of the OptiX RTN 310 supports O&M functionality. This functionality allows you to activate and maintain services, monitor network problems, and identify security risks. The threats to the management plane are leakage of accounts and passwords and invalid access. An unauthorized user who obtains accounts and passwords and logs in can configure the system or modify services. In serious cases, service interruption or termination may occur.
The OptiX RTN 310 adopts the following measures to protect the management plane against the preceding threats:

- Strict account management and permission control
- Effective log management
- Private communication channels (described in chapter 4 "Network Security")

Account management and authorization prevent invalid accounts from accessing the equipment. Security logs and operation logs record security and configuration events of the system, so users can check the logs at any time to detect security risks. Private communication channels prevent accounts and passwords from leaking out. The following sections describe these security measures in detail.
3.1.2 Preventive Measures

Figure 3-1 shows the security management system provided by the OptiX RTN 310.
Figure 3-1 Security management system provided by the OptiX RTN 310 (figure not reproduced; it shows Security Management divided into Account Management and Log Management with the following items)

Account Management:
- Account & Password Management: account complexity, password complexity, valid period of password, password encryption policy, RADIUS account management, user group management
- Authorization: RADIUS authorization
- Authentication: state of account, valid period of account, period of login, disable unused account, lock policy and security alarm, RADIUS authentication

Log Management:
- Security Log: log integrity, log record, log overflow event
- Operation Log: log integrity, log record, log overflow event, log upload
- SYSLOG: submit SYSLOG to SYSLOG server, SYSLOG record
Accounts and Passwords
Accounts of the OptiX RTN 310 are divided into five levels: system monitoring, system operation, system maintenance, system administrator, and super administrator. Accounts at the system monitoring level have the lowest rights and are authorized to issue query commands from the smallest function collection. Accounts at the super administrator level have the highest rights and are authorized to perform all operations of the system. Accounts at the system administrator level are authorized to manage accounts, that is, to create, delete, modify, and query accounts. To create an account, an administrator must set a user name, a password, a user level, and an active period. When a user first logs in with a new account, the system prompts the user to change the initial password.

The system supports default accounts. After the system starts up for the first time, a user needs to log in to the system using a default account. When a user logs in with a default account and its default password, the system prompts the user to change the password. Table 3-1 and Table 3-2 list the default accounts and passwords of the system.
Table 3-1 Default accounts and passwords in BIOS state

Account | Password
szhw | nesoft

Table 3-2 Default accounts and passwords in host state

Account | Password | Group
szhw | nesoft | Super administrator
root | password | Administrator
lct | password | Administrator
LCD | LCD | Administrator
Table 3-3 Rules for accounts and passwords

Rule | Description
Uniqueness of accounts | All accounts held in the same system are unique.
Complexity of accounts | An account consists of 4 to 16 characters, including letters in lower case and upper case.
Length of passwords | A password consists of 8 to 16 characters. To change a password, a user needs to enter the original password once and the new password twice.
Complexity of passwords | A new password consists of at least three of the following character types: lower case letters, upper case letters, numbers, and special characters. A new password must be different from the previous five passwords. A new password must be different from the account name, both in its normal written form and in its reversed form. A new password must contain two or more characters different from those of the old password.
Active periods of passwords | After the active period expires, the password can be used for only three logins. The default value is 0, which indicates that the password is valid permanently. A common user has a shortest active period of one day, after which the password can be changed.
Storage of passwords | Passwords are held in the system as MD5 digests and cannot be queried.
Management of accounts | Accounts can be created, modified, deleted, and queried.
Query of online users | Users of the administrator group can query other online users.
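The rules of Table 3-3 are the kind of policy that an NMS or a provisioning script can check before it submits a password change, so that a change is not rejected by the NE after the fact. The checker below is an added example, not the white paper's or Huawei's code: it returns the list of rules a proposed password violates. The function names and messages are mine, "two or more characters different from the old password" is interpreted as a position-by-position comparison, and the comparison with the account name is made case-insensitively; both are assumptions the table does not settle.

```python
"""Password and account-name rule checker modelled on Table 3-3.

Added illustration, not Huawei code.  Assumptions: "two or more characters
different" is measured position by position, and the account-name comparison
ignores case.
"""
import string

SPECIAL_CHARS = set(string.punctuation)


def check_account_name(name: str) -> list:
    """Table 3-3: an account name has 4 to 16 characters."""
    problems = []
    if not 4 <= len(name) <= 16:
        problems.append("account name must be 4 to 16 characters")
    return problems


def _char_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, special) the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),
    ])


def _changed_chars(new: str, old: str) -> int:
    """Characters that differ when the two passwords are compared position by
    position; a length difference counts as that many changed characters."""
    return sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))


def check_new_password(account: str, new_pw: str, history: list) -> list:
    """Return the Table 3-3 rules that new_pw violates (empty list = acceptable).

    history holds earlier passwords, oldest first; history[-1] is the current one.
    """
    problems = []
    if not 8 <= len(new_pw) <= 16:
        problems.append("password must be 8 to 16 characters")
    if _char_classes(new_pw) < 3:
        problems.append("password must use at least three of: lower, upper, digit, special")
    if new_pw in history[-5:]:
        problems.append("password must differ from the previous five passwords")
    # Assumption: the comparison with the account name is case-insensitive.
    if new_pw.lower() in (account.lower(), account.lower()[::-1]):
        problems.append("password must not equal the account name or its reverse")
    if history and _changed_chars(new_pw, history[-1]) < 2:
        problems.append("password must differ from the old password in at least two characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: an account whose proposed password is its own name reversed.
    print(check_new_password("admin123", "321nimdA", ["oldPass1!"]))
```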
Authentication
Authentication is the process wherein the system checks whether accounts and passwords are valid. Terminals accessing the equipment through physical ports and protocol ports need to pass authentication before they are authorized to operate the equipment.

The equipment supports two authentication modes: local authentication and RADIUS authentication. In local authentication mode, accounts and passwords are saved on the equipment. The equipment uses locally stored accounts to authenticate users in login attempts.

In RADIUS authentication mode, accounts and passwords are saved on the RADIUS server.
The equipment uses the RADIUS protocol to forward accounts and passwords to the RADIUS server. The RADIUS server checks whether the accounts and passwords are valid. In RADIUS authentication mode, the accounts and passwords of equipment on the entire network are saved on the RADIUS server. These accounts and passwords can be easily maintained and have high security.
Local authentication
Table 3-4 lists the check items involved in local authentication.
Table 3-4 Check items involved in local authentication

Item | Description | Handling
Activation status of accounts | If an account is activated, the login request is accepted; if an account is deactivated, the login request is refused. | A user logged in to the system with an administrator account can change the activation status of other accounts.
Active periods of accounts | An account can be used for logins within a specific period, namely the active period. If the active period of an account expires, the login request is refused. | A user logged in to the system with an administrator account can change the active periods of other accounts.
Active periods of passwords | The password of an account can be used for logins within a specific period, namely the active period. After the active period of the password expires, the first three login requests are accepted but later ones are refused. | A user logged in to the system with an administrator account can change the active periods of the passwords of other accounts.
Login time of accounts | An account can be used for logins within a specific section of a day, namely the login time. If an account is used beyond its login time, the login request is refused. | A user logged in to the system with an administrator account can change the login time of other accounts.
Inactive time of accounts | An account is deactivated if a specific period elapses from the last login. This period is called the inactive time of the account. If an account is deactivated, the login request is refused. | A user logged in to the system with an administrator account can change the inactive time and enabled/disabled status of other accounts.
Locked accounts | If an account is locked, the login request is refused until the locking time expires. | After five login attempts using one account fail and the interval between two attempts is shorter than three minutes, the account is locked and cannot be unlocked manually. An alarm is reported at every login attempt from the sixth one onward.
Automatic logout of accounts | If an account does not exchange data with the equipment for a specified time, the account is automatically logged out. The account must then be authorized again before logging in to the equipment. | The specified time for triggering automatic logouts is one hour, which cannot be changed by users.
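To make the Table 3-4 checks concrete, the following added example (my own code, not Huawei's) applies them in order for a single login attempt: locked state, activation status, account active period, login time window, inactivity, and finally the password, with the five-failures-within-three-minutes lock and the three grace logins allowed after a password's active period expires. The class and field names, the in-memory plaintext password, and the 30-minute lock duration (the table gives no duration) are assumptions.

```python
"""Local-authentication decision logic modelled on Table 3-4.

Added illustration, not Huawei code.  Assumptions: the lock lasts
LOCK_DURATION (the paper gives no value), the login time window is a
[start, end) hour range, and passwords are compared in plaintext for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

LOCK_FAILURES = 5                       # five failed attempts ...
LOCK_WINDOW = timedelta(minutes=3)      # ... each within three minutes of the previous one
LOCK_DURATION = timedelta(minutes=30)   # assumption: not given by the paper
PASSWORD_GRACE_LOGINS = 3               # logins still accepted after the password expires


@dataclass
class Account:
    name: str
    password: str
    active: bool = True
    account_valid_until: Optional[datetime] = None
    password_valid_until: Optional[datetime] = None
    login_hours: Tuple[int, int] = (0, 24)      # allowed [start, end) hour of day
    inactive_limit: Optional[timedelta] = None
    last_login: Optional[datetime] = None
    grace_used: int = 0
    fail_count: int = 0
    last_fail: Optional[datetime] = None
    locked_until: Optional[datetime] = None


@dataclass
class Decision:
    accepted: bool
    reason: str
    alarm: bool = False


def attempt_login(acct: Account, password: str, now: datetime) -> Decision:
    """Apply the Table 3-4 checks in order and return the decision."""
    # A locked account is refused until the lock expires; every attempt in that
    # state is the sixth or later, so it raises a security alarm.
    if acct.locked_until and now < acct.locked_until:
        return Decision(False, "account locked", alarm=True)
    if not acct.active:
        return Decision(False, "account deactivated")
    if acct.account_valid_until and now > acct.account_valid_until:
        return Decision(False, "account active period expired")
    start, end = acct.login_hours
    if not start <= now.hour < end:
        return Decision(False, "outside login time")
    if acct.inactive_limit and acct.last_login and now - acct.last_login > acct.inactive_limit:
        acct.active = False
        return Decision(False, "account deactivated after inactivity")

    if password != acct.password:
        # Count consecutive failures that arrive within LOCK_WINDOW of each other;
        # a longer gap starts the count again.
        if acct.last_fail and now - acct.last_fail < LOCK_WINDOW:
            acct.fail_count += 1
        else:
            acct.fail_count = 1
        acct.last_fail = now
        if acct.fail_count >= LOCK_FAILURES:
            acct.locked_until = now + LOCK_DURATION
            return Decision(False, "account locked")
        return Decision(False, "wrong password")

    # Correct password: an expired password still allows three more logins.
    if acct.password_valid_until and now > acct.password_valid_until:
        if acct.grace_used >= PASSWORD_GRACE_LOGINS:
            return Decision(False, "password active period expired")
        acct.grace_used += 1
    acct.fail_count = 0
    acct.last_fail = None
    acct.last_login = now
    return Decision(True, "ok")


if __name__ == "__main__":
    t0 = datetime(2012, 7, 20, 10, 0)   # constructed timestamps
    a = Account("root", "password")
    for i in range(6):
        print(attempt_login(a, "guess", t0 + timedelta(seconds=30 * i)))
```

Worth noticing in the lock rule: the count is of failures spaced less than three minutes apart, so five slow failures never lock the account, and the alarm is tied to attempts against an already-locked account rather than to the lock itself.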
RADIUS authentication
In RADIUS authentication mode, accounts and passwords are managed by the RADIUS server and only the accounts that pass authentication can be used to log in to the equipment. The RADIUS authentication mode takes precedence over the local authentication mode. If the RADIUS server is unreachable, the local authentication mode is used automatically. Successful local authentication also requires valid accounts and passwords. When the number of consecutive authentication failures reaches a specified value, a security alarm is reported. In addition, the RADIUS protocol supported by the system complies with RFC 2856 and RFC 2866. Figure 3-2 and Figure 3-3 show the principle and process of RADIUS authentication.
Figure 3-2 Networking of RADIUS authentication (figure not reproduced; U2000 clients connect to a U2000 server, and the U2000 server and the devices, acting as NASs, reach a RADIUS master server and a RADIUS slave server)

Figure 3-3 Process of RADIUS authentication (figure not reproduced; the sequence between the U2000 server, the NAS and the RADIUS server is: 1 Login (username + password); 2 RADIUS request; 3 RADIUS response; 4 Login success/failure)
Reliability is critical to a RADIUS server because the accounts of equipment on the entire network are managed and authenticated by the RADIUS server. The OptiX RTN 310 supports master and slave RADIUS servers to ensure the reliability of the external server.
Table 3-5 RADIUS functions

Function | Description
RADIUS authentication, authorization, and accounting | After the RADIUS function is enabled, accounts attempting to log in to an NE are forwarded to the RADIUS server. The RADIUS server determines whether these accounts can log in to the NE.
RADIUS authentication policy | The system prefers RADIUS authentication to local authentication.
Authorization
Authorization is the process wherein the system assigns operation rights to valid accounts that have logged in.

Accounts are managed in groups. Table 3-6 lists the groups of accounts. Accounts of the administrator and higher-level groups are authorized to perform all security management and maintenance operations. Super administrator users have the highest rights and are only available for fault location. The operations that an account can perform depend on the rights granted to the user when the account is created. If an account is used to attempt any unauthorized operation, an error message is displayed and the attempt is logged.
Table 3-6 Groups of accounts

Group | Rights
System monitoring | This group has the lowest rights. The accounts of this group are authorized to issue query commands and modify their own attributes.
System operation | The accounts of this group are authorized to query the system information and perform some configuration operations.
System maintenance | The accounts of this group are authorized to perform all maintenance operations.
System administration | The accounts of this group are authorized to perform all query and configuration operations.
Super administrator | The accounts of this group are authorized to perform all operations.
Log Management
Logs record the routine maintenance events of the equipment. Users can find security loopholes and risks by checking logs. By security category, the system provides security logs and operation logs. Security logs record operation events related to account management. Operation logs record all events related to system configuration. The OptiX RTN 310 provides a Syslog solution to solve the problem of limited storage space on the equipment: logs are transmitted to and stored on external Syslog servers. Currently, only security logs are saved on the Syslog server.
Operation log
The operation log tracks the non-query operations performed by each account, including the account name, address of the client, time, operation, and result.

Table 3-7 Operation log

Operation | Description
Querying the operation log | Only authorized accounts of the administrator and higher-level groups can upload and query the operation log.
Checking the integrity of the operation log | The system checks the integrity of the operation log and allows no manual changes.
Recovering the operation log | The operation log can be recovered even after a power cycle of the system.
Overwriting the operation log | The operation log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.
Security log
The security log tracks security-related configuration operations (including user management and security settings) and the attempts of unauthorized operations. The security log provides the information about the account name, address of the client, time, and operation.
Table 3-8 Security log
Operation | Description
Querying the security log | Only authorized accounts of administrator and higher-level groups can upload and query the security log.
Checking the integrity of the security log | The system checks the integrity of the security log and allows no manual changes.
Recovering the security log | The security log can be recovered even after a power-cycle of the system.
Overwriting the security log | The security log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.
SYSLOG
The Syslog function of the equipment allows all security logs to be uploaded to the Syslog server. Security logs of non-query operations, unauthorized operations, and Syslog configuration operations are saved on the Syslog server. The Syslog function uses the UDP and TCP protocols that are compliant with the RFC 3164 and RFC 3195 standards. Figure 3-4 shows the working principle of the Syslog protocol.
Figure 3-4 Application of the Syslog function (a U2000 server with its U2000 clients manages NE1 to NE4, and the NEs send their logs to Syslog server1 and Syslog server2)
The Syslog function of the equipment needs to be configured by the NMS. When the address information is set on the equipment, the Syslog service is available.
3.2 Data Plane
The data plane of the OptiX RTN 310 transparently transmits services based on Layer 2 information, such as VLAN tags and MAC addresses. The boards of the equipment do not listen to user services.
The OptiX RTN 310 handles the threats of flow bursts, malicious packets, and data theft through access control, flow control, loop detection and avoidance, protocol security guarantee, and service separation. Section 4.3 "Network Services" describes details of these mechanisms.
4 Network Security
4.1 Network Security Management
Figure 4-1 shows the implementation mechanism of security management for a network.
Figure 4-1 Implementation of security management (the NMS reaches the transport network (internal DCN) through the external DCN, with a firewall, SSL, and an ACL in the path)
4.1.1 Threats
According to the network topology, a data communication network (DCN) consists of an external DCN and an internal DCN. The external DCN refers to a network from the NMS to the gateway equipment. The external DCN is generally an IP network that is built or leased by a customer, or the Internet. The internal DCN refers to a self-organization network of equipment. The IP protocol has been widely developed and applied because it is simple and open. However, an IP network has poor security and can be easily attacked. The security threats brought by the external DCN on internal equipment are as follows: invalid access, network attacks, and theft and modification of private data. To counter such threats, the OptiX RTN 310 provides the following preventive measures:
- Access control
- TCP/IP attack prevention
- Encryption channel for access
- Secure communication protocols
4.1.2 Preventive Measures
Access Control
The OptiX RTN 310 provides Access Control Lists (ACLs). Users set IP addresses and communication ports in whitelists and blacklists to limit data from specific IP addresses and to filter data from specific communication ports. The ACL function protects the equipment from network attacks by controlling data of access requests from unauthorized IP addresses and communication ports.
Table 4-1 Classification of ACLs
Item | Value Range | Feature
Basic ACL | 0 – 0xffffffff | Rules are defined based on the source IP address.
Advanced ACL | 0 – 0xffffffff | Rules are defined based on the source IP address of a data packet, destination IP address of a data packet, protocol type of the IP bearer network, and protocol features. The protocol features include source port of the TCP protocol, destination port of the TCP protocol, and ICMP protocol type.
Table 4-2 ACL parameters
Parameter | Value Range | Description
ACL operation type | Permit and deny | Indicates the ACL operation type. The values are as follows: Deny: If a received message does not comply with a rule in an ACL, the message is discarded. Permit: If a received message complies with a rule in an ACL, the message is discarded.
Source IP address | Source IP address | The source IP address and the source wildcard determine the addresses to which an access control rule is applicable.
Source wildcard | 0 – 0xFFFFFFFF | The value 0 represents a bit that must be exactly matched and the value 1 represents a bit that is ignored.
Sink IP address | Sink IP address | The destination IP address and the sink wildcard determine the addresses to which an access control rule is applicable.
Sink wildcard | 0 – 0xFFFFFFFF | The value 0 represents a bit that must be exactly matched and the value 1 represents a bit that is ignored.
Protocol type | TCP, UDP, ICMP, and IP | Set this parameter to UDP or TCP when filtering packets at a UDP or a TCP port. Set this parameter to ICMP when filtering packets of the ICMP protocol and code type. The value IP indicates that the protocol type is not concerned.
Source port | 0 – 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.
Sink port | 0 – 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.
ICMP protocol type | ICMP protocol type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.
ICMP code type | ICMP code type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.
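A worked evaluation of rules built from these parameters, added here as an example that is not Huawei's code: it applies the wildcard, port and ICMP "not concerned" conventions of Table 4-2 to constructed packets. The sample policy, first-match order, the default action when no rule matches, and reading permit as forward and deny as discard are assumptions of the example.

```python
"""ACL rule matching modelled on the Table 4-2 parameters (added example).

Wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored.
0xFFFFFFFF in a port field and 255 in an ICMP type/code field mean
"not concerned". Permit is treated as forward, deny as discard.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PORT = 0xFFFFFFFF   # "not concerned" marker for ports (Table 4-2)
ANY_ICMP = 255          # "not concerned" marker for ICMP type/code


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wildcard: int = 0xFFFFFFFF   # every bit ignored: matches any source
    sink: str = "0.0.0.0"
    sink_wildcard: int = 0xFFFFFFFF
    protocol: str = "IP"             # "TCP", "UDP", "ICMP", or "IP" (= any)
    src_port: int = ANY_PORT
    sink_port: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def addr_matches(addr: str, rule_addr: str, wildcard: int) -> bool:
    """Compare only the bits whose wildcard bit is 0."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(addr)) ^ int(IPv4Address(rule_addr))) & care == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_matches(pkt.src, rule.src, rule.src_wildcard):
        return False
    if not addr_matches(pkt.dst, rule.sink, rule.sink_wildcard):
        return False
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):      # ports only apply to TCP/UDP rules
        if rule.src_port != ANY_PORT and rule.src_port != pkt.src_port:
            return False
        if rule.sink_port != ANY_PORT and rule.sink_port != pkt.dst_port:
            return False
    if rule.protocol == "ICMP":             # type/code only apply to ICMP rules
        if rule.icmp_type != ANY_ICMP and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code != ANY_ICMP and rule.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(acl, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. The default applies when no rule matches;
    the paper does not state the device's implicit action (assumption)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed sample policy: let the NMS subnet 10.1.0.0/16 (wildcard
# 0.0.255.255 = 0x0000FFFF) reach TCP port 443, let one host send ICMP echo
# requests (type 8, code 0), and deny everything else.
SAMPLE_ACL = [
    Rule("permit", src="10.1.0.0", src_wildcard=0x0000FFFF,
         protocol="TCP", sink_port=443),
    Rule("permit", src="10.1.5.9", src_wildcard=0,
         protocol="ICMP", icmp_type=8, icmp_code=0),
    Rule("deny"),
]

if __name__ == "__main__":
    for p in (Packet("10.1.7.20", "10.2.0.1", "TCP", 40000, 443),
              Packet("10.1.7.20", "10.2.0.1", "TCP", 40000, 22),
              Packet("10.1.5.9", "10.2.0.1", "ICMP", icmp_type=8),
              Packet("192.168.1.1", "10.2.0.1", "TCP", 1234, 443)):
        print(p.src, p.protocol, p.dst_port, "->", evaluate(SAMPLE_ACL, p))
```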
TCP/IP Attack Prevention
Gateway equipment may be under external attacks because it is directly connected to an external DCN. The TCP/IP protocol stack needs to protect the equipment from attacks, so services are transmitted normally by the equipment under attacks. Therefore, the equipment is more secure and reliable.
Table 4-3 lists the attacks that the equipment can prevent currently.
Table 4-3 TCP/IP attacks
Attack | Protocol | Attack Mode | Preventive Measure
Address spoofing attack | ARP | IP address conflict | If the IP address of an external device conflicts with that of the equipment, the equipment sends a gratuitous ARP packet to broadcast the correct MAC address.
Address spoofing attack | IP | IP address configuration conflict | Before making an IP address take effect, the equipment checks whether the IP address has been used. If the IP address has been used, the equipment does not make the IP address take effect.
Message spoofing attack | IP | IP option attack | Prevents attacks by using ICMP, TCP, or UDP messages that carry incorrect IP options.
Message spoofing attack | IP | Defective IP header attack | Prevents attacks by using extremely short IP headers, defective IP headers, special source IP addresses, and IP headers with unknown protocols.
Message spoofing attack | IP | IP fragment attack | Prevents IP fragment attacks such as massive segments, huge offsets, repeated segments, TearDrop, Bonk, SynDrop, NewTear, Nesta, Rose, and Fawx.
Message spoofing attack | TCP | TCP flag bit traversal | Prevents TCP flag bit traversal such as packets without Flag, FIN bit without ACK bit, packet with URG/OOB flag, and SYN and FIN bits set.
Message spoofing attack | ICMP | Defective ICMP packet | Prevents ping attacks and Jolt attacks.
Flood attack | IP | IP non-payload flood attack | Prevents IP packet attacks and generates an alarm indicating an IP address attack without affecting the normal operation of the equipment.
Flood attack | UDP | UDP flood attack | Prevents fraggle attacks and diagnoses port flooding, port 0 flooding, and loop flooding.
Flood attack | ICMP | ICMP flood attack | Prevents ICMP flood attacks, Smurf attacks, ping flood attacks, loop ping flood attacks, time stamp request flood attacks, mask request flood attacks, and router request flood attacks.
DoS attack | TCP | Syn flood attack | Prevents Syn flood attacks without affecting the normal operation of the equipment.
DoS attack | TCP | Land attack | Prevents land attacks without affecting the normal operation of the equipment.
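As an added example, not the equipment's implementation, the following detector parses a raw IPv4/TCP header and reports the TCP flag bit traversal patterns and the Land pattern from Table 4-3, plus the short or defective IP header case; the packets are constructed inline.

```python
"""Packet-level checks for the TCP rows of Table 4-3 (added example).

Reports: no flags set, FIN without ACK, URG/OOB flag, SYN and FIN together,
and the Land pattern (identical source/destination address and port).
A too-short or malformed IP header raises ValueError.
"""
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags); reject defective IP headers."""
    if len(packet) < 20:
        raise ValueError("IP header shorter than 20 bytes")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("defective IP header")
    if proto != PROTO_TCP:
        raise ValueError("not a TCP packet")
    if len(packet) < ihl + 20:
        raise ValueError("TCP header truncated")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x3F          # URG ACK PSH RST SYN FIN
    return str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, flags


def tcp_findings(packet: bytes) -> list:
    """List the Table 4-3 patterns present in the packet (empty list = clean)."""
    src, dst, sport, dport, flags = parse_ipv4_tcp(packet)
    findings = []
    if flags == 0:
        findings.append("no flags set")
    if flags & FIN and not flags & ACK:
        findings.append("FIN without ACK")
    if flags & URG:
        findings.append("URG/OOB flag")
    if flags & SYN and flags & FIN:
        findings.append("SYN and FIN both set")
    if src == dst and sport == dport:
        findings.append("Land pattern (src == dst address and port)")
    return findings


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: minimal IPv4 header plus a 20-byte TCP header
    (checksums left at zero; the checks above do not depend on them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "normal SYN": build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 443, SYN),
        "null scan": build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 443, 0),
        "SYN+FIN": build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 443, SYN | FIN),
        "land": build_tcp_packet("10.0.0.5", "10.0.0.5", 139, 139, SYN),
    }
    for name, pkt in samples.items():
        print(f"{name}: {tcp_findings(pkt) or 'clean'}")
```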
Security Access
Security access is the process wherein the OptiX RTN 310 uses secure communication channels or secure communication protocols for access to prevent security risks. The NMS can use SSL channels and SNMP to access the equipment. The following part respectively describes the two access methods.
The NMS accesses the equipment by using SSL channels.
The NMS uses Ethernet ports or Operation, Administration, and Maintenance (OAM) ports to access the equipment. OAM ports provide local access. Ethernet ports provide remote access by using the external DCN for access. Communication between the NMS and GNE uses standard TCP/IP protocols. When the NMS uses the external DCN to access the equipment, configuration data and account information of the NMS transmit over the external DCN. The communication channels for access use the SSL3.0 and TLS1.0 protocols to encrypt data to ensure secure transmission.
NMS access (figure: the NMS reaches the GNE over SSL through the external DCN and a firewall; the GNE fronts the transport network (internal DCN))
Certificates are needed for establishing SSL and TLS encryption channels. The certificates are managed and issued by carriers. The OptiX RTN 310 loads and activates SSL certificates. The delivered equipment has a default SSL certificate. It is recommended that the customer replace the default SSL certificate with its own SSL certificate. The equipment complies with RFC 2246 standards and supports encryption algorithms specified in the standards, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5.
The following part describes working principles of SSL.
The SSL protocol provides enhanced encryption and decryption algorithms to ensure all security features except serviceability for communication. In addition, the algorithms cannot be cracked in a short time. The SSL layer establishes an encryption channel based on TCP to encrypt data that passes the SSL layer. The SSL protocol consists of the Handshake protocol and the Record protocol. The Handshake protocol is used for cipher key negotiation. Most of the contents in the protocol describe how to securely negotiate a cipher key between two communication parties. The Record protocol defines the data transmission format.
Transport Layer Security (TLS) is a security protocol similar to the SSL protocol. TLS1.0 is based on SSL3.0 and supports SSL3.0. Figure 4-3 shows the negotiation of the SSL protocol key.
Figure 4-3 Negotiation of the SSL/TLS key (the NMS, as client, and the GNE, as server, exchange the following handshake messages across the external DCN)
1. ClientHello (NMS to GNE)
2. ServerHello (GNE to NMS)
3. Certificate (GNE to NMS)
4. CertificateRequest (GNE to NMS)
5. ServerHelloDone (GNE to NMS)
6. Certificate (NMS to GNE)
7. ClientKeyExchange (NMS to GNE)
8. CertificateVerify (NMS to GNE)
9. ChangeCipherSpec (NMS to GNE)
10. Finished (NMS to GNE)
11. ChangeCipherSpec (GNE to NMS)
12. Finished (GNE to NMS)
SNMPv3 access
SNMP is a standard protocol for network management. The OptiX RTN 310 uses SNMP to provide query of alarms and performance and the TRAP function. The equipment supports the SNMPv3 protocol. MD5 and SHA algorithms are used in the authentication and the DES algorithm is used in data transmission. SNMP default accounts of the system are szhwSHA and szhwMD5. Their passwords are Nesoft@!. SNMPv3 complies with the RFC 2572, RFC 2574, and RFC 2575 standards. Figure 4-4 shows the application of the SNMP protocol.
Figure 4-4 Application of the SNMP protocol (SNMPv3 access: SNMP managers on a LAN reach the GNE through the external DCN and a firewall; the GNE and the NEs on the transport network (internal DCN) each run an SNMP agent)
4.2 Protocols and Control
4.2.1 Threats
On an internal DCN, standard protocols on the IP layer are used for communication between equipment. These protocols may be used for interconnection with third-party equipment. In this case, the result calculated by the OptiX RTN 310 may be incorrect when the third-party equipment transmits incorrect information. When interconnected with third-party equipment, the OptiX RTN 310 takes the following preventive measures to ensure communication security:
- Adding protocol authentication and access control
- Adopting secure standard protocols
4.2.2 SFTP Clients
The OptiX RTN 310 provides an SFTP client based on SSH for software upgrades. In this application, the equipment serves as a client and the SFTP server is deployed outside the equipment network and is provided by the carrier. Figure 4-5 shows the application of SFTP clients.
The SFTP authentication policy is determined by the SFTP server. The OptiX RTN 310 supports password authentication and key authentication. Password authentication is the process wherein an SFTP client uses a user name and password to log in to the SFTP server. Key authentication is the process wherein an SFTP client and SFTP server adopt the Rivest-Shamir-Adleman algorithm (RSA) for cryptographic authentication. A user needs to generate an RSA key on the equipment and to upload the public key to the SFTP server before cryptographic authentication. The user can set the length of the RSA key from 2048 bits to 4096 bits.
The equipment uses passphrases to protect private keys on an SFTP client for cryptographic authentication. When users generate key pairs, they need to set the passphrases.
The SFTP client of the OptiX RTN 310 is enabled before delivery. Users can disable or enable it using the NMS.
Figure 4-5 Application of SFTP clients (the SFTP server sits on a LAN behind a firewall on the external DCN; the GNE and the NEs on the transport network (internal DCN) each run an sftp client over SSH; the NMS is attached to the external DCN)
Figure 4-6 shows principles of SSH.
Figure 4-6 Protocol layers of SSH (the SSH client and SSH server each stack an application layer, a transmission layer, and an SSH protocol layer over a TCP connection; the SSH protocol layer comprises the transmission protocol, the authentication protocol, and the session protocol)
SSH protocols adopt Client/Server architecture and consist of three layers: transmission layer, authentication layer, and connection layer.
Transmission protocols
Transmission protocols are used to establish a secure encryption channel between the SSH client and SSH server. In this manner, confidentiality of data that requires high security in transmission, such as authentication and data exchange, is protected.
The transmission layer provides origin authentication and integrity check, and enables a client to authenticate a server.
The transmission protocols run on top of the TCP/IP connection. The well-known port number used by the SSH server is 22.
Authentication protocols
Authentication protocols run on top of transmission protocols and process authentication requests.
Connection protocols
Connection protocols divide an encryption channel into multiple logical channels for different applications. Connection protocols run on top of authentication protocols and provide services such as sessions and execution of remote commands.
Negotiation of SSH is described as follows:
1. Connection establishment
Port number 22 is listened on to establish TCP connections to SSH clients.
2. Version negotiation
The version of the SSH protocol is negotiated on TCP connections. The OptiX RTN 310 supports SSHv2.
3. Algorithm negotiation
An SSH client and an SSH server support different encryption algorithm collections, so they need to negotiate encryption algorithms when the SSH protocol is running. The algorithms that need to be negotiated are as follows:
- Key exchange algorithms: are used for generating session keys.
- Encryption algorithms: are used for encrypting data.
- Host public key algorithms: are used for signing and authentication.
- MAC algorithms: are used for integrity protection.
The SSH client and SSH server send to each other the algorithm collection that they respectively support, and the result is the intersection of algorithms supported by both parties.
4. Key exchange
The key exchange and encryption algorithms resulting from step 3 are used to negotiate the keys required for data communication.
5. User authentication
Password authentication and public key authentication are provided.
6. Service requests
The OptiX RTN 310 supports SFTP clients.
4.2.3 OSPF Protocol
The management plane uses the OSPF protocol to dynamically calculate routes on the entire network for network management. The OptiX RTN 310 supports OSPFv2 in compliance with RFC 2328 standards. Besides the routing function, the equipment supports authentication types as follows:
Null authentication
The OSPF packets are not authenticated. That is, the OSPF protocol does not process authentication on packet reception.
Simple password authentication
A "clear" 64-bit password is used for authentication. Simple password authentication guards against the equipment inadvertently joining the routing domain. The OptiX RTN 310s in the same OSPF domain must be configured with the same password for authentication.
Cryptographic authentication
Cryptographic authentication uses MD5 to calculate the digest. Because the password used to calculate the digest is never sent over the network, protection is provided against passive attacks. When employing cryptographic authentication, the OptiX RTN 310s in the same OSPF domain must be configured with the same key for authentication.
The equipment uses null authentication as the default authentication. Users can configure authentication types as required.
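The MD5 scheme the paper refers to is the one RFC 2328 Appendix D.3 specifies; the following is an added example (not Huawei's code) of the sender and receiver sides, including the cryptographic sequence number check that is the scheme's defence against replay of captured packets. Router ID, area ID, key ID, packet body and the key are constructed values.

```python
"""OSPFv2 cryptographic authentication per RFC 2328 Appendix D.3 (added example).

The sender appends the 16-byte key to the OSPF packet, takes MD5, and sends
packet + digest; the key itself never crosses the wire. The receiver
recomputes the digest with its own copy of the key and requires the
cryptographic sequence number to be non-decreasing per neighbour.
"""
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2
# version, type, length, router ID, area ID, checksum, autype,
# then the 8-byte authentication field: 0, key ID, auth data length, sequence
OSPF_HEADER = "!BBH4s4sHHHBBI"


def _key16(key: bytes) -> bytes:
    """D.3 uses the key as exactly 16 bytes, zero padded."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_authenticated_packet(body: bytes, router_id: bytes, area_id: bytes,
                               key_id: int, seq: int, key: bytes) -> bytes:
    """Header + body followed by the 16-byte digest. With cryptographic
    authentication the checksum field is 0 and the length excludes the digest."""
    length = 24 + len(body)
    header = struct.pack(OSPF_HEADER, 2, 1, length, router_id, area_id,
                         0, AUTYPE_CRYPTO, 0, key_id, 16, seq)
    packet = header + body
    digest = hashlib.md5(packet + _key16(key)).digest()
    return packet + digest


def verify_authenticated_packet(data: bytes, keys: dict, last_seq: dict,
                                neighbor: bytes) -> bool:
    """Receiver side. keys maps key ID -> secret; last_seq records the highest
    sequence number accepted from each neighbour router ID (anti-replay)."""
    if len(data) < 24 + 16:
        return False
    (_ver, _typ, length, router_id, _area, _csum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(OSPF_HEADER, data[:24])
    if autype != AUTYPE_CRYPTO or auth_len != 16 or router_id != neighbor:
        return False
    if key_id not in keys or len(data) != length + 16:
        return False
    if seq < last_seq.get(neighbor, 0):       # older than the last accepted: replay/stale
        return False
    expected = hashlib.md5(data[:length] + _key16(keys[key_id])).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False
    last_seq[neighbor] = seq
    return True


if __name__ == "__main__":
    key = b"s3cret"                                   # constructed shared key
    rid, area = b"\x0a\x00\x00\x01", b"\x00\x00\x00\x00"
    seen = {}
    fresh = build_authenticated_packet(b"\x01\x02\x03", rid, area, 1, 100, key)
    stale = build_authenticated_packet(b"\x01\x02\x03", rid, area, 1, 99, key)
    print("genuine:", verify_authenticated_packet(fresh, {1: key}, seen, rid))
    print("older sequence number:", verify_authenticated_packet(stale, {1: key}, seen, rid))
    print("wrong key:", verify_authenticated_packet(fresh, {1: b"other"}, {}, rid))
```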
4.2.4 NTP Protocol
Network Time Protocol (NTP) is used to synchronize time between NEs. Possible security loopholes in NTP result in time disturbance on the network. To enhance security of NTP, the NTP protocol provides the authentication function and access control of local services.
The NTP authentication function verifies validity and integrity of NTP packets. This function protects the equipment from incorrect packets and ensures packet exchanges with valid servers.
Access control of local services enables the system administrator to better control the NTP protocol. This function prevents NTP information on the equipment from malicious query and modification. Users have different rights as follows:
- Query: Users are authorized to query local NTP services.
- Synchronize: Users are authorized to use the local clock as the synchronization source for other hosts.
- Server: is a combination of the rights above.
- Peer: Users have full control rights to query, being synchronized, and synchronize other hosts.
NTP uses MD5 to check whether clients and servers are valid. If a client and server adopt authentication, keys configured on both parties must be the same and be reliable. Table 4-4 shows the authentication relationship.
Table 4-4 Authentication relationship
Server | Client | Authentication
Enabled | Enabled | Pass
Enabled | Disabled | Pass
Disabled | Disabled | Pass
Disabled | Enabled | Not pass
NTP complies with RFC 1305 standards. Figure 4-7 shows working principles of NTP time synchronization.
Figure 4-7 Principles of NTP time synchronization (an NTP message travels from the NTP client to the NTP server and back, collecting the send packet time 10:00:00am, the server's receive packet time 10:00:01am, the server's send packet time 10:00:02am, and the client's receive packet time 10:00:03am)
1. An NTP client sends an NTP message to an NTP server. The NTP message carries a timestamp recording the current time of its leaving the client. The timestamp is recorded as T1 = 10:00:00am.
2. The current time of the NTP message arriving at the NTP server is recorded as a timestamp. This timestamp is added to the NTP message as T2 = 10:00:01am.
3. The current time of the NTP message leaving the NTP server is recorded as another timestamp. This timestamp is also added to the NTP message as T3 = 10:00:02am.
4. The current time of the NTP client receiving the response is recorded as a new timestamp. The timestamp is recorded as T4 = 10:00:03am.
So far, the NTP client is able to calculate the time difference between NTP equipment.
Δ T = ((T2 + T3) - (T1 + T4))/2
The NTP client sets its clock based on the time difference to achieve clock synchronization to the NTP server.
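The formula for ΔT follows from the four timestamps once the request and the response are assumed to take the same one-way delay. The derivation below is added here and is not part of the paper; θ is the server clock offset relative to the client, d1 and d2 the one-way delays of request and response, and δ the round-trip network delay, evaluated with the Figure 4-7 values expressed in seconds after 10:00:00.

```latex
\begin{align*}
T_2 &= T_1 + d_1 + \theta, & T_4 &= T_3 - \theta + d_2 \\
(T_2 - T_1) - (T_4 - T_3) &= d_1 - d_2 + 2\theta \\
d_1 = d_2 \;\Rightarrow\; \theta &= \frac{(T_2 - T_1) - (T_4 - T_3)}{2} = \frac{(T_2 + T_3) - (T_1 + T_4)}{2} = \Delta T \\
\delta &= d_1 + d_2 = (T_4 - T_1) - (T_3 - T_2) \\
\Delta T &= \frac{(1 + 2) - (0 + 3)}{2} = 0\ \text{s}, & \delta &= 3 - 1 = 2\ \text{s}
\end{align*}
```

With the figure's values the client clock already agrees with the server's; of the 3 s round trip, 1 s is the server's residence time and 2 s is network delay.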
4.2.5 Layer 2 Protocols
Threats
Layer 2 protocols are generally attacked by flood, deformed, or malicious packets. Under an attack, the equipment may fail to process the protocols and therefore services on the entire network are affected. The following preventive measures are provided for Layer 2 protocols.
Flow Control
The rate for reporting protocol packets to the CPU is limited to prevent the equipment from being attacked by a large number of protocol packets. The following methods are available:
- Protocol software rate limiting: The maximum number of packets that can be processed in each second for each protocol is defined. When the number of received packets exceeds this number, the excess packets are discarded. The maximum number is specified by each data board.
- CPU queue rate limiting: The packets to be reported to the CPU are listed in the CPU queue of the chip. When the number of packets exceeds the queue length, the chip automatically discards the excess packets.
Discarding of Invalid Packets
All packets are verified and various invalid protocol packets are filtered out. Table 4-5 lists the verification rules.
Table 4-5 Packet verification rules for Layer 2 protocols
Protocol | Verification Rule
BPDU | DMAC = 01-80-c2-00-00-00 or 01-80-c2-00-00-08. Each protocol packet is verified according to the corresponding protocol.
LACP | DMAC = 01-80-c2-00-00-02; EthType = 0x8809; EthSubType = 0x01 and 0x02. Each TLV is verified according to the corresponding protocol.
Eth-OAM (802.1ag) | EthType = 0x8902 (IEEE 802.1ag standard). Each protocol packet is verified according to the corresponding protocol.
Eth-OAM (802.3ah) | DMAC = 01-80-c2-00-00-02; EthType = 0x8809; EthSubType = 0x03. Each TLV is verified according to the corresponding protocol.
ERPS | DMAC = 01-19-A7-00-00-01. Each protocol packet is verified according to the corresponding protocol.
Robust Measures
Countermeasures under abnormal conditions are as follows:
- According to ITU-T G.8032, R-APS packets are transmitted within an Ethernet ring and the R-APS packets at ports not on the ring are not extracted or processed, so the robustness of ring network protocols is improved.
4.3 Network Services
4.3.1 Threats
As described previously, data services are under the following threats:
- Attack of service flow bursts with network bandwidth being preempted and processing capability and forwarding efficiency of the equipment being lowered. A typical case of such a threat is a broadcast storm.
- Access of unauthorized users.
- Theft of user data.
Table 4-6 lists the preventive measures.
Table 4-6 Threats and preventive measures
Threat | Preventive Measure | Measure Description
Flow bursts | Flow control | Limiting the service flow within a range using various methods
Flow bursts | Loop detection and prevention | Detecting physical loops on a network to prevent a broadcast storm
Flow bursts | Discarding of incorrect packets | Detecting the packets received by the equipment and discarding abnormal packets
Access of unauthorized users | Configuring rules for access to Layer 2 services | Defining rules for access to Layer 2 according to features of the Layer 2 service flow
Theft of user data | Service separation | Logically or physically separating services of different users
4.3.2 Ethernet Services
Ethernet services are classified into Ethernet private line (E-Line) services and Ethernet LAN (E-LAN) services.
- E-Line services: Such services are forwarded based on VLAN tags and logically separated at Layer 2. E-Line services are highly confidential. Therefore, flow control can be applied to E-Line services using QoS and invalid packets can be filtered out using ACL.
- E-LAN services: Such services include MAC-based and MAC+VLAN-based services for Layer 2 switching. E-LAN services are flexible, the MAC addresses cannot be controlled, and the MAC address learning and forwarding mechanism is affected by the data packets. Therefore, E-LAN services are easily attacked. All the preceding described preventive measures are applicable to E-LAN services.
NOTE
Ethernet aggregation (E-AGGR) services are also forwarded based on VLAN tags. Preventive measures for E-AGGR services are the same as those for E-Line services.
Flow Control
The bandwidth of the equipment may bear load abnormally when there are a large number of broadcast packets, multicast packets, or unicast packets with unknown destination addresses, and a network may be congested when flow bursts occur. Flow control can prevent such scenarios and ensure secure and stable operation of the network.
- Suppressing broadcast flow
  − Broadcast storm suppression: The broadcast flow is limited and the flow that exceeds the limit is discarded.
  − Broadcast storm suppression enabled based on port: After broadcast storm suppression is enabled at a port, the broadcast flow at the port is discarded when the broadcast flow exceeds the broadcast flow suppression threshold. The default threshold is 30%.
  − Setting of broadcast flow suppression threshold: The threshold specifies the broadcast flow that a port allows. When the actual broadcast flow exceeds the threshold, the excess broadcast flow is discarded to ensure that the proportion of the broadcast flow is within a proper range. This prevents a broadcast storm and network congestion so the network services can run normally.
- Discarding unknown unicast packets
  Unknown unicast packets can be discarded or forwarded.
- Discarding unknown multicast packets
  Unknown multicast packets can be discarded or forwarded.
- Monitoring port flow
  The flow at a port is monitored. When packets are received at a rate faster than the specified threshold, a flow threshold-crossing alarm is reported, prompting a user to take preventive measures.
- Limiting service flow using QoS
Figure 4-8 QoS network model
The QoS function of the equipment can be implemented in the DiffServ mode. A network is divided into several DiffServ domains (DS domains for short). A DS edge node classifies the flow entering a DS domain and identifies the flow of different service types with different PHBs. The PHB information is forwarded to all nodes in the DS domain. Then the nodes in the DS domain perform flow control on the services based on the PHBs. The flow control measures include flow shaping and queue scheduling.
Loop Prevention
If a loop is generated on a Layer 2 switching network, packets will be duplicated and cycled in the loop, and therefore a broadcast storm occurs. In this case, all available bandwidth resources will be occupied by the broadcast storm and the network will be unavailable.
- Detection of self-loops at service ports
  The equipment can detect whether a service port is self-looped by transmitting and receiving protocol packets.
- Blocking of self-looped ports
  After self-loop detection and blocking of self-looped ports are enabled, a port is blocked to prevent a broadcast storm when the port is self-looped.
Discarding of Incorrect Packets
Incorrect packets include packets with missing fields, disordered packets, duplicated packets, and excessively large or small packets. Incorrect packets may be forged by malicious users, or caused by bit errors on the transmission line, or caused by abnormal processing of the equipment hardware. Processing incorrect packets brings extra load to the equipment and reduces the bandwidth for normal services. Therefore, incorrect packets must be identified and discarded.
The following incorrect packets are discarded:
- A packet whose source MAC address and destination MAC address are the same
- A packet whose size is smaller than 64 bytes
- A packet whose size is greater than the maximum transmission unit (MTU)
- A packet whose FCS (CRC) is incorrect
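An added example, not Huawei's code, that applies the four discard rules above and then the DMAC/EthType/subtype rules of Table 4-5 (section 4.2.5) to constructed Ethernet frames. The 1518-byte maximum frame and the FCS as IEEE CRC-32 are standard Ethernet assumptions, not device settings, and the classification order (ERPS DMAC before the 0x8902 EthType) is this example's choice.

```python
"""Layer 2 frame verification: the discard rules above plus Table 4-5 (added example)."""
import struct
import zlib
from typing import Optional

MAX_FRAME = 1518          # assumption: classic maximum Ethernet frame including FCS
MIN_FRAME = 64

BPDU_DMACS = {bytes.fromhex("0180c2000000"), bytes.fromhex("0180c2000008")}
SLOW_PROTO_DMAC = bytes.fromhex("0180c2000002")   # LACP and 802.3ah OAM
ERPS_DMAC = bytes.fromhex("0119a7000001")
ETHTYPE_SLOW = 0x8809
ETHTYPE_CFM = 0x8902      # IEEE 802.1ag Eth-OAM


def check_incorrect(frame: bytes) -> Optional[str]:
    """Return the discard reason, or None when the frame passes all four rules."""
    if len(frame) < MIN_FRAME:
        return "smaller than 64 bytes"
    if len(frame) > MAX_FRAME:
        return "greater than MTU"
    if frame[:6] == frame[6:12]:
        return "source MAC equals destination MAC"
    fcs = struct.unpack("<I", frame[-4:])[0]          # FCS is sent least-significant byte first
    if zlib.crc32(frame[:-4]) & 0xFFFFFFFF != fcs:
        return "FCS (CRC) incorrect"
    return None


def classify(frame: bytes) -> str:
    """Apply the Table 4-5 rules; anything else is treated as user data."""
    dmac = frame[:6]
    ethtype = struct.unpack("!H", frame[12:14])[0]
    if dmac in BPDU_DMACS:
        return "BPDU"
    if dmac == SLOW_PROTO_DMAC and ethtype == ETHTYPE_SLOW:
        subtype = frame[14]                            # slow-protocol subtype byte
        if subtype in (0x01, 0x02):
            return "LACP"
        if subtype == 0x03:
            return "Eth-OAM (802.3ah)"
        return "unknown slow protocol"
    if dmac == ERPS_DMAC:
        return "ERPS"
    if ethtype == ETHTYPE_CFM:
        return "Eth-OAM (802.1ag)"
    return "user data"


def verify(frame: bytes) -> str:
    """Discard incorrect frames first, then classify the rest."""
    reason = check_incorrect(frame)
    if reason:
        return "discard: " + reason
    return "accept: " + classify(frame)


def build_frame(dmac: bytes, smac: bytes, ethtype: int, payload: bytes) -> bytes:
    """Constructed frame: header + payload padded to 60 bytes, then a correct FCS."""
    body = (dmac + smac + struct.pack("!H", ethtype) + payload).ljust(60, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    host = bytes.fromhex("001122334455")
    lacp = build_frame(SLOW_PROTO_DMAC, host, ETHTYPE_SLOW, b"\x01\x01")
    corrupted = bytearray(lacp)
    corrupted[20] ^= 0xFF                              # simulate a line bit error
    for name, f in (("LACP", lacp), ("bit error", bytes(corrupted)),
                    ("runt", lacp[:40]), ("self-addressed", build_frame(host, host, 0x0800, b""))):
        print(f"{name}: {verify(f)}")
```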
Access Control of Layer 2 Services
Access control of Layer 2 services is provided to filter out unauthorized user data.
Static MAC address table
For E-LAN services, static MAC addresses can be added to, deleted from, and queried in the static MAC address table. When the MAC address learning function is disabled, MAC addresses must be added to the static MAC address table to ensure that services are forwarded properly. If the MAC address of a service does not match the static MAC address table, the service is considered invalid and is discarded.
Black list
For E-LAN services, MAC addresses can be added to, deleted from, and queried in the black list. Services whose MAC addresses are in the black list are considered invalid and filtered out.
Disable of MAC address learning
E-LAN services can filter out invalid packets after MAC address learning is disabled.
When MAC address learning is enabled, the equipment can learn the MAC addresses.
When MAC address learning is disabled, the equipment forwards E-LAN services and filters out invalid MAC addresses after static MAC addresses are configured.
Service Separation
The following logical and physical separation methods are provided to prevent malicious data theft and reduce the impact of broadcast traffic.
Layer 2 logical separation
A virtual local area network (VLAN) is the basic unit for managing network data equipment. A VLAN is a logical subnet or a logical broadcast domain. Users are allocated to different VLANs so that they cannot communicate with each other at Layer 2. In this manner, logical separation is achieved for Layer 2 services. In addition, after VLANs are divided, broadcast traffic is confined to its own broadcast domain, which limits the broadcast range.
The OptiX RTN 310 supports identification and forwarding of VLAN tags, and switching of VLAN tags.
A group of physical or logical ports that cannot communicate with each other on the local equipment is configured to prevent service loops and to separate services for different users. In this manner, service security is ensured.
Split horizon
The OptiX RTN 310 supports the creation of split horizon groups for L2VPN services, and supports adding and deleting group members.
Physical path separation
Services for different users are carried on different physical paths. In this manner, services do not share physical paths or communicate with each other at the physical layer, and therefore service security is ensured.
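An E-LAN forwarding decision that combines the Layer 2 access controls from the previous section (static MAC table, black list, MAC learning on or off) with the logical separation described here (VLAN membership per port and split horizon groups). This is an added example, not the white paper's code and not the RTN 310's forwarding plane; the port layout, the MAC labels and the drop reasons are constructed for the illustration.

```python
from typing import Optional
from dataclasses import dataclass


@dataclass
class Port:
    vlans: set                                   # VLANs the port belongs to (Layer 2 logical separation)
    split_horizon_group: Optional[int] = None    # members of one group never forward to each other


class ELanBridge:
    """Minimal E-LAN bridge: access control first, then separation rules, then egress."""

    def __init__(self, ports, learning_enabled):
        self.ports = ports
        self.learning_enabled = learning_enabled
        self.static = {}        # (vlan, mac) -> port, configured by the operator
        self.dynamic = {}       # (vlan, mac) -> port, filled only when learning is enabled
        self.blacklist = set()

    def add_static(self, vlan, mac, port):
        self.static[(vlan, mac)] = port

    def blacklist_mac(self, mac):
        self.blacklist.add(mac)

    def forward(self, in_port, vlan, src, dst):
        """Return ("forward", [ports]) or ("drop", reason) for one frame."""
        if vlan not in self.ports[in_port].vlans:
            return ("drop", "vlan not configured on ingress port")
        if src in self.blacklist or dst in self.blacklist:
            return ("drop", "MAC on black list")
        if self.learning_enabled:
            self.dynamic[(vlan, src)] = in_port
        elif (vlan, src) not in self.static:
            return ("drop", "source MAC not in static table")   # learning disabled: static only
        target = self.static.get((vlan, dst))
        if target is None:
            target = self.dynamic.get((vlan, dst))
        if target is not None:
            candidates = [target]
        else:                                                    # unknown destination: flood the VLAN
            candidates = [p for p in self.ports if vlan in self.ports[p].vlans]
        group = self.ports[in_port].split_horizon_group
        outs = [p for p in candidates
                if p != in_port
                and (group is None or self.ports[p].split_horizon_group != group)]
        if not outs:
            return ("drop", "no egress after separation rules")
        return ("forward", outs)


def demo():
    # Constructed layout: ports 1 and 2 face two users in VLAN 10 and share a split
    # horizon group; port 3 is the VLAN 10 network side; port 4 carries VLAN 20 only.
    ports = {1: Port({10}, 1), 2: Port({10}, 1), 3: Port({10}), 4: Port({20})}
    br = ELanBridge(ports, learning_enabled=False)
    A1, A2, N1, X, BAD = "a1", "a2", "n1", "xx", "bad"          # constructed MAC labels
    br.add_static(10, A1, 1)
    br.add_static(10, A2, 2)
    br.add_static(10, N1, 3)
    br.blacklist_mac(BAD)
    return [
        br.forward(1, 10, A1, X),          # unknown dst: flooded, but port 2 suppressed by split horizon
        br.forward(3, 10, N1, A1),         # static table hit from the network side
        br.forward(1, 10, A1, A2),         # user to user in the same group: separated
        br.forward(1, 20, A1, N1),         # VLAN 20 is not on port 1
        br.forward(3, 10, BAD, A1),        # black-listed source
        br.forward(3, 10, "unknown", A1),  # learning disabled and source not static
    ]
```

With learning disabled the static table is the whole forwarding policy, so an unknown source address is dropped rather than learned; with learning enabled the same bridge would populate `dynamic` and forward that frame, which is the trade-off the text describes.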
A Appendix
A.1 Standards Compliance
Table A-1 shows the security standards that the OptiX RTN 310 complies with.
Table A-1 Standards compliance
Related Standard       Description
ITU-T G.8011.1         Ethernet private line service
ITU-T G.8011.2         Ethernet virtual private line service
ITU-T G.8261/Y.1361    Timing and synchronization aspects in packet networks
ITU-T G.8262/Y.1362    Timing characteristics of synchronous Ethernet equipment slave clock
ITU-T G.8032/Y.1344    Ethernet ring protection switching
RFC 2474               Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2819               Remote Network Monitoring Management Information Base
RFC 0793               Transmission Control Protocol
RFC 0768               User Datagram Protocol
RFC 0791               Internet Protocol, Version 4 (IPv4)
RFC 0792               Internet Control Message Protocol
RFC 0826               An Ethernet Address Resolution Protocol
RFC 0894               A Standard for the Transmission of IP Datagrams over Ethernet Networks
RFC 2516               A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 1661               The Point-to-Point Protocol (PPP)
RFC 1662               PPP in HDLC-like Framing
RFC 1332               The PPP Internet Protocol Control Protocol (IPCP)
RFC 1990               The PPP Multilink Protocol (MP)
RFC 2131               Dynamic Host Configuration Protocol
RFC 2328               OSPF Version 2
RFC 2246               Secure Sockets Layer 3.0 / TLS 1.0
RFC 1305               Network Time Protocol (Version 3)
IEEE 802.3ah           Media Access Control Parameters, Physical Layers, and Management Parameters for Subscriber Access Networks
IEEE 802.1ad           Virtual Bridged Local Area Networks, Amendment 4: Provider Bridges
IEEE 802.1ag           Virtual Bridged Local Area Networks, Amendment 5: Connectivity Fault Management
A.2 Acronyms and Abbreviations
Table A-2 Acronyms and abbreviations
Acronym and Abbreviation   Full Name
ACL                        Access Control List
CAR                        Committed Access Rate
DCN                        Data Communication Network
DNS                        Domain Name System
ECC                        Embedded Control Channel
FTP                        File Transfer Protocol
GNE                        Gateway Network Element
HTTP                       Hypertext Transfer Protocol
ID                         Identification
IEEE                       Institute of Electrical and Electronics Engineers
IF                         Intermediate Frequency
IP                         Internet Protocol
ISO                        International Organization for Standardization
ISP                        Internet Service Provider
ITU-T                      International Telecommunication Union - Telecommunication Standardization Sector
LAN                        Local Area Network
LCT                        Local Craft Terminal
NMS                        Network Management System
OAM                        Operation, Administration and Maintenance
ODU                        Outdoor Unit
OSI                        Open Systems Interconnection
OSS                        Operation Support System
OSPF                       Open Shortest Path First
PDH                        Plesiochronous Digital Hierarchy
QoS                        Quality of Service
RMON                       Remote Monitoring
RTN                        Radio Transmission Node
SDH                        Synchronous Digital Hierarchy
SNMP                       Simple Network Management Protocol
TCP/IP                     Transmission Control Protocol / Internet Protocol
VLAN                       Virtual Local Area Network