
OptiX RTN 950 Radio Transmission System

V100R003C01SPC300
Security White Paper

Issue 01

Date 2013-06-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: support@huawei.com

Issue 01 (2013-06-30) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd
OptiX RTN 950 Radio Transmission System
Security White Paper Contents

Contents

1 Product Introduction and Network Applications ... 1
1.1 Product Introduction ... 1
1.2 Network Applications ... 2

2 Security Architecture ... 3
2.1 Overview of Hardware Security ... 3
2.2 Overview of Software Security ... 4

3 System Security ... 8
3.1 Management Plane ... 8
3.1.1 Threats ... 8
3.1.2 Preventive Measures ... 8
3.2 Data Plane ... 13

4 Network Security ... 15
4.1 Network Security Management ... 15
4.1.1 Threats ... 15
4.1.2 Preventive Measures ... 16
4.2 Protocols and Control ... 21
4.2.1 Threats ... 21
4.2.2 SFTP Clients ... 21
4.2.3 OSPF Protocol ... 23
4.2.4 NTP Protocol ... 23
4.2.5 Layer 2 Protocols ... 25
4.3 Network Services ... 26
4.3.1 Threats ... 26
4.3.2 Ethernet Services ... 27

A Appendix ... 32
A-1 Standards Compliance ... 32
A-2 Acronyms and Abbreviations ... 33


1 Product Introduction and Network Applications

1.1 Product Introduction


The OptiX RTN 950 is a split radio transmission system developed by Huawei. It provides a
seamless radio transmission solution for a mobile communication network or private network.
The ODU is an outdoor unit covering 11/18/23 GHz frequency bands. The IDU 950 is an
indoor unit. Table 1-1 lists the basic features of the IDU 950.

Table 1-1 Basic features of the IDU 950

Item | Performance
Chassis height | 2U
Board pluggable | Supported
Number of microwave directions | 1 to 6
RF configuration modes | 1+0 configuration; 2+0 configuration; 1+1 configuration; XPIC configuration

Figure 1-1 IDU 950


1.2 Network Applications


The OptiX RTN 950 provides several types of service interfaces and facilitates installation
and flexible configuration. It can provide a Packet microwave solution based on the network
requirements. The solution can be evolved based on service changes due to radio mobile
network evolution. Therefore, this solution can satisfy the transmission requirements of not
only 2G and 3G networks, but also future LTE and 4G networks.
Figure 1-2 shows the microwave transmission solution that is provided by the OptiX RTN 950
for the mobile communication network.

Figure 1-2 Microwave transmission solution provided by the OptiX RTN 950


2 Security Architecture

2.1 Overview of Hardware Security


Figure 2-1 shows the system block diagram of the OptiX RTN 950. The system adopts
high-reliability hardware design to ensure that the system runs properly under security threats.

Figure 2-1 System block diagram

The following hardware preventive measures are provided:


 Microwave interfaces: The FEC encoding mode is adopted and the adaptive time-domain
equalizer for baseband signals is used. This enables the microwave interfaces to tolerate
strong interference. Therefore, an interceptor cannot restore the contents in a data frame
if coding details and service configurations are not obtained.
 Modular design: Control units are separated from service units and service units are
separated from each other. In this manner, a fault on any unit can be properly isolated,
minimizing the impact of the fault on other units in the system.
 CPU flow control: Data flow sent to the CPU for processing is classified and controlled
to prevent the CPU from being attacked by a large number of packets. This ensures that
the CPU operates properly under attacks.


2.2 Overview of Software Security


Being positioned at the transport layer of a communications network, the OptiX RTN 950
provides high-capacity and high-reliability transparent transmission tunnels, and is almost
invisible to end users. Therefore, the transmission tunnels are not easily exposed to external
attacks. To better address security requirements, the following part describes services
provided by the OptiX RTN 950, based on which security design is implemented.
The OptiX RTN 950 processes two categories of data: O&M data and service data. These two
categories are transmitted over independent paths and do not affect each other. Therefore,
services on the OptiX RTN 950 are processed on two planes:
 Management plane
 Data plane
The management plane provides access to the required equipment and management functions,
such as managing accounts and passwords, communication protocols, and alarm reporting.
The management plane adopts a security architecture shown in Figure 2-2.

Figure 2-2 Security architecture on the management plane

Layers shown in the figure, from top to bottom:
 SNMPv3, NTPv3, OSPFv2
 Account and password management, security log, operation log, security management
 SSL 3.0/TLS 1.0, FTP/SFTP
 ACL, TCP/IP protocol stack, TCP/IP attack prevention
 VxWorks OS
 Hardware platform

Security features on the management plane implement security access, integrated security
management, and all-round security audits.
The data plane processes the service data flow entering the equipment and forwards service
packets according to the forwarding table. Security features on the data plane ensure the
confidentiality and integrity of user data by preventing malicious theft, modification, and
removal of user service packets. They ensure stable and reliable operation of the forwarding
plane by protecting forwarding entries against malicious attacks and falsification. The data
plane provides:
 User service separation methods
 Access control methods


 Methods for controlling and managing ingress and egress bandwidth of the equipment to
ensure reliable operation, such as flow control and QoS. The data plane adopts a security
architecture shown in Figure 2-3.

Figure 2-3 Security architecture on the data plane

Layers shown in the figure, from top to bottom:
 Service platform
 Protocol components (protocol security), security components (access control), service components (flow control), other components (availability, quality of service)
 Product adapter/driver
 VxWorks OS
 Hardware platform

Figure 2-4 shows the principles of data separation on the management plane and data plane.

Figure 2-4 Principles of data separation

 Overhead+payload mode: D bytes and payload at one end, fiber or radio, D bytes and payload at the other end
 VLAN+payload mode: VLAN and payload at one end, fiber or radio, VLAN and payload at the other end

The equipment supports two modes:


 In overhead+payload mode, data on the management plane is transmitted as D-byte
overheads and data on the data plane is transmitted as payloads. Data is physically
separated on the two planes.
 In VLAN+payload mode, data on the two planes is transmitted as service data, shares
physical bandwidth and is separated by the VLAN technology. Data on the two planes
uses different VLAN IDs.
Table 2-1 lists the security functions provided by the OptiX RTN 950.

Table 2-1 Security functions

Plane | Function | Description
Management plane | Account and password management | Manages and stores maintenance accounts.
Management plane | Local authentication and authorization | Authenticates and authorizes accounts.
Management plane | Security log | Records events related to account management.
Management plane | Operation log | Records non-query operations.
Management plane | TCP/IP attack defense | Provides defense against TCP/IP attacks, such as IP error packets, Internet Control Message Protocol (ICMP) ping attacks, Jolt attacks, and DoS attacks.
Management plane | Access control list | Provides access control lists based on IP addresses and port IDs.
Management plane | SSL/TLS encrypted communication | Uses the SSL 3.0 and TLS 1.0 protocols to establish an encrypted channel based on a security certificate.
Management plane | SSH communication | Supports Secure File Transfer Protocol (SFTP) clients.
Management plane | Open Shortest Path First (OSPF) | Uses the OSPFv2 protocol for standard MD5 authentication.
Management plane | Network Time Protocol (NTP) | Uses the NTPv3 protocol for MD5 authentication and permission control.
Management plane | Simple Network Management Protocol (SNMP) | Uses the SNMPv3 protocol for authentication and data encryption.
Data plane | Flow control | Controls traffic at ports. Broadcast packets are suppressed. Unknown unicast packets and multicast packets are discarded. QoS is used to limit the service traffic.
Data plane | Discarding of incorrect packets | Discards incorrect packets, such as an Ethernet packet shorter than 46 bytes.
Data plane | Loop prevention | Detects self-loops at service ports, blocks self-looped ports, and detects Ethernet loops.
Data plane | Access control of Layer 2 services | Filters static MAC addresses in the static MAC address table, provides a blacklist, enables and disables the MAC address learning function, and filters packets based on complex traffic classification.
Data plane | Service separation | Includes Layer 2 logical separation, split horizon, and physical path separation.
Data plane | Strict service separation | Strictly separates MPLS services on the ISP network from user services.


3 System Security

3.1 Management Plane


3.1.1 Threats
The management plane of the OptiX RTN 950 supports O&M functionality. This functionality
allows you to activate and maintain services, monitor network problems, and identify security
risks. The main threats to the management plane are leakage of accounts and passwords and
invalid access. An unauthorized user who obtains an account and password can log in and
configure the system or modify services. In serious cases, service interruption or termination
may occur.
The OptiX RTN 950 adopts the following measures to protect the management plane against
these threats:
 Strict account management and permission control
 Effective log management
 Private communication channels (described in chapter 4 "Network Security")
Account management and authorization prevent invalid accounts from accessing the
equipment. Security logs and operation logs record security and configuration events of the
system, so users can check the logs at any time to identify security risks. Private
communication channels prevent accounts and passwords from leaking. The following sections
describe these security measures in detail.

3.1.2 Preventive Measures


Figure 3-1 shows the security management system provided by the OptiX RTN 950.


Figure 3-1 Security management system provided by the OptiX RTN 950

Security management
 Account management
   Account and password management: account complexity, password complexity, valid period of password, password encryption policy, user group management
   Authorization
   Authentication: state of account, valid period of account, period of login, disable unused account, lock policy and security alarm
 Log management
   Security log: log integrity, log record, log overflow event
   Operation log: log integrity, log record, log overflow event, log upload

Accounts and Passwords


Accounts of the OptiX RTN 950 are divided into five levels: system monitoring, system
operation, system maintenance, system administration, and system super administrator.
Accounts at the system monitoring level represent the lowest rights and are authorized to
issue query commands of the smallest function collection. Accounts at the system super
administrator level represent the highest rights and are authorized to perform all operations of
the system. Accounts at the system administration level are authorized to manage accounts,
that is, to create, delete, modify, and query accounts. To create an account, an administrator
must set a user name, a password, a user level, and an active period. When a user first uses a
new account to log in, the system prompts the user to change the initial password.

The system supports default accounts. After the system starts up for the first time, a user
needs to log in to the system by using a default account. Passwords of default accounts can be
queried, deleted, or modified through the Network Management System (NMS). When a user
uses a default account and a default password to log in, the system prompts the user to change
the password. Table 3-1 and Table 3-2 list the default accounts and passwords of the system.
The PASSWORD_NEED_CHANGE alarm is reported if a default password is not changed.


Table 3-1 Default accounts and passwords

Account | Password | Group
szhw | nesoft | Super administrator
root | password | Administrator
lct | password | Administrator
LCD | LCD | Administrator

Moreover, when an NE is in BIOS state, the user needs to enter the correct password for
authentication before logging in to the NE (without authentication, the account name can be
any character string). This is similar to the BIOS of a personal computer. The default
password in BIOS state is "nesoft".

Table 3-2 Rules for accounts and passwords

Rule | Description
Uniqueness of accounts | All accounts held in the same system are unique.
Complexity of accounts | An account consists of 4 to 16 characters, including letters in lower case and upper case.
Length of passwords | A password consists of 8 to 16 characters.
Complexity of passwords | A new password consists of at least three of the following character types: lower case letters, upper case letters, numbers, and special characters. A new password must be different from the previous five passwords. A new password must be different from the account name, either in the normal written format or in the reversely written format. A new password must contain two or more characters different from those of the old password.
Active periods of passwords | The maximum active period is 90 days. After the active period expires, the password can be used for only three logins. The default value is 0, which indicates that the password is valid permanently. A common user has a shortest active period of one day, after which the password can be changed.
Storage of passwords | Passwords encrypted by using MD5 SHA256 are held in the system and cannot be queried.
Management of accounts | Accounts can be created, modified, deleted, and queried.
Query of online users | Users of the administrator group can query other online users.
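As an added illustration (not code from the white paper or from Huawei), the following Python checks a proposed new password against the Table 3-2 rules above. The rule names it returns, the case-insensitive comparison with the account name, and the position-by-position measure of "two or more characters different" are this example's assumptions, since the paper does not define them.

```python
from typing import List

# Limits taken from Table 3-2 of the white paper.
MIN_PASSWORD_LEN, MAX_PASSWORD_LEN = 8, 16
MIN_CHAR_CLASSES = 3      # at least three of: lower, upper, digits, special
PASSWORD_HISTORY = 5      # must differ from the previous five passwords
MIN_CHANGED_CHARS = 2     # at least two characters different from the old one


def char_classes(password: str) -> int:
    """Count how many of the four Table 3-2 character types are present.

    Assumption: "special character" means any non-alphanumeric character.
    """
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def changed_chars(old: str, new: str) -> int:
    """Number of characters of `new` that differ from `old`.

    Assumption: compared position by position, with any extra length counted
    as changed; the paper does not define how the difference is measured.
    """
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_new_password(new: str, account: str, history: List[str]) -> List[str]:
    """Return the Table 3-2 rules that `new` violates (empty list means accepted).

    `history[0]` is the password currently in use, `history[1:]` the earlier
    ones, most recent first.
    """
    violations = []
    if not MIN_PASSWORD_LEN <= len(new) <= MAX_PASSWORD_LEN:
        violations.append("length")            # 8 to 16 characters
    if char_classes(new) < MIN_CHAR_CLASSES:
        violations.append("complexity")        # at least three character types
    if new in history[:PASSWORD_HISTORY]:
        violations.append("history")           # differs from the previous five
    # Assumption: the account-name comparison ignores letter case.
    if new.lower() in (account.lower(), account.lower()[::-1]):
        violations.append("account-name")      # not the account name, forward or reversed
    if history and changed_chars(history[0], new) < MIN_CHANGED_CHARS:
        violations.append("too-similar")       # at least two characters changed
    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the account name is a placeholder.
    print(check_new_password("Rtn950!Secure", "admin01", ["OldPass#2013"]))   # []
    print(check_new_password("password", "root", []))                          # ['complexity']
    print(check_new_password("Rtn950!SecurE", "admin01", ["Rtn950!Secure"]))  # ['too-similar']
```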


Authentication
Authentication is the process wherein the system checks whether accounts and passwords are
valid. Terminals accessing the equipment through physical ports and protocol ports need to
pass authentication before they are authorized to operate the equipment.
 Local authentication
Table 3-3 lists the check items involved in local authentication.

Table 3-3 Check items involved in local authentication

Item | Description | Handling
Activation status of accounts | If an account is activated, the login request is accepted; if an account is deactivated, the login request is refused. | The user who is logged in to the system by using an administrator account can change the activation status of other accounts.
Active periods of accounts | An account can be used for logins within a specific period, namely, the active period. If the active period of an account expires, the login request is refused. | The user who is logged in to the system by using an administrator account can change the active periods of other accounts.
Active periods of passwords | The password of an account can be used for logins within a specific period, namely, the active period. After the active period of the password expires, the first three login requests are accepted but the later ones are refused. | The user who is logged in to the system by using an administrator account can change the active periods of the passwords of other accounts.
Login time of accounts | An account can be used for logins within a specific section of a day, namely, the login time. If an account is used beyond its login time, the login request is refused. | The user who is logged in to the system by using an administrator account can change the login time of other accounts.
Inactive time of accounts | An account is deactivated if a specific period elapses from the last login. This period is called the inactive time of accounts. If an account is deactivated, the login request is refused. | The user who is logged in to the system by using an administrator account can change the inactive time and enabled/disabled status of other accounts.
Locked accounts | If an account is locked, the login request is refused until the locking time expires. | After five login attempts using one account fail and the interval between two attempts is shorter than three minutes, the account is locked and cannot be unlocked manually. An alarm is reported at every login attempt from the sixth one onward.
Automatic logout of accounts | If an account does not exchange data with the equipment for a specified time, the account is automatically logged out. The account must then be authorized again before logging in to the equipment. | The specified time for automatic logout is one hour, which cannot be changed by users.

Authorization
Authorization is the process wherein the system assigns operation rights to valid accounts that
have logged in.
Accounts are managed in groups. Table 3-4 lists the division and definition of groups. Accounts
of the administrator group and higher-level groups are authorized to perform all security
management and maintenance operations. The system super administrator-level account has the
highest rights and is available only for fault location. The operations that an account can
perform depend on the rights granted to the user when the account is created. If an account is
used to attempt any unauthorized operation, an error message is displayed and the attempt is
logged.

Table 3-4 Groups of accounts

Group | Rights
System monitoring | This group represents the lowest rights. The accounts of this group are authorized to issue query commands and modify their own attributes.
System operation | The accounts of this group are authorized to query the system information and perform some configuration operations.
System maintenance | The accounts of this group are authorized to perform all maintenance operations.
System administration | The accounts of this group are authorized to perform all query and configuration operations.
Super administration | The accounts of this group are authorized to perform all operations.

Log Management
Logs record routine maintenance events of the equipment. Users can find security loopholes
and risks by checking logs. Considering security categories, the system provides security logs
and operation logs. Security logs record operation events related to account management.
Operation logs record all events related to system configurations.
 Operation log
The operation log tracks the non-query operations performed by each account, including the
account name, address of the client, time, operation, and results.


Table 3-5 Operation log

Operation | Description
Querying the operation log | Only authorized accounts of administrator and higher-level groups can upload and query the operation log.
Checking the integrity of the operation log | The system checks the integrity of the operation log and allows no manual changes.
Recovering the operation log | The operation log can be recovered even after a power-cycle of the system.
Overwriting the operation log | The operation log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.

 Security log
The security log tracks security-related configuration operations (including user management
and security settings) and the attempts of unauthorized operations. The security log provides
the information about the account name, address of the client, time, and operation.

Table 3-6 Security log

Operation | Description
Querying the security log | Only authorized accounts of administrator and higher-level groups can upload and query the security log.
Checking the integrity of the security log | The system checks the integrity of the security log and allows no manual changes.
Recovering the security log | The security log can be recovered even after a power-cycle of the system.
Overwriting the security log | The security log keeps records in time sequence. After the memory is exhausted, the earliest records of the security log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.

3.2 Data Plane


The data plane of the OptiX RTN 950 transparently transmits services based on Layer 2
information, such as VLAN tags and MAC addresses. The boards of the equipment do not
listen to user services.
The OptiX RTN 950 handles the threats of flow bursts, malicious packets, and data theft
through access control, flow control, loop detection and avoidance, protocol security
guarantee, and service separation. Section 4.3 "Network Services" describes these
mechanisms.


4 Network Security

4.1 Network Security Management


Figure 4-1 shows the implementation mechanism of security management for a network.

Figure 4-1 Implementation of security management

NMS -> external DCN (protected by SSL) -> firewall -> ACL -> transport network (internal DCN)

4.1.1 Threats
According to the network topology, a data communication network (DCN) consists of an
external DCN and an internal DCN. The external DCN is the network from the NMS to the
gateway equipment; it is generally an IP network built or leased by the customer, or the
Internet. The internal DCN is the network formed by the gateway and non-gateway transmission
equipment. The IP protocol has been widely developed and applied because it is simple and
open. However, an IP network has poor security and can be easily attacked. The security
threats that the external DCN brings to internal equipment are invalid access, network attacks,
and theft and modification of private data. To counter these threats, the OptiX RTN 950
provides the following preventive measures:


 Access control
 TCP/IP attack prevention
 Encryption channel for access
 Secure communication protocols

4.1.2 Preventive Measures


Access Control
The OptiX RTN 950 provides Access Control Lists (ACLs). Users set IP addresses and
communication ports in whitelists and blacklists. In this manner, data from unauthorized IP
addresses and communication ports is filtered out to avoid network attacks.

Table 4-1 Classification of ACLs

Item | Value Range | Feature
Basic ACL | 0–0xffffffff | Rules are defined based on the source IP address.
Advanced ACL | 0–0xffffffff | Rules are defined based on the source IP address of a data packet, destination IP address of a data packet, protocol type of the IP bearer network, and protocol features. The protocol features include source port of the TCP protocol, destination port of the TCP protocol, and ICMP protocol type.

Table 4-2 ACL parameters

Parameter | Value Range | Description
ACL operation type | Permit and deny | Indicates the ACL operation type. Deny: if a received message does not comply with a rule in an ACL, the message is discarded. Permit: if a received message complies with a rule in an ACL, the message is forwarded.
Source IP address | Source IP address | The source IP address and the source wildcard together determine the addresses to which an access control rule applies.
Source wildcard | 0–0xFFFFFFFF | The value 0 represents a bit that must be matched exactly and the value 1 represents a bit that is ignored.
Sink IP address | Sink IP address | The destination IP address and the sink wildcard together determine the addresses to which an access control rule applies.
Sink wildcard | 0–0xFFFFFFFF | The value 0 represents a bit that must be matched exactly and the value 1 represents a bit that is ignored.
Protocol type | TCP, UDP, ICMP, and IP | Set this parameter to UDP or TCP when filtering packets at a UDP or TCP port. Set this parameter to ICMP when filtering packets by ICMP protocol type and code type. The value IP indicates that the protocol type is not concerned.
Source port | 0–65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.
Sink port | 0–65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.
ICMP protocol type | ICMP protocol type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.
ICMP code type | ICMP code type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.
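The wildcard and "not concerned" semantics of Table 4-2, as an added worked example in Python. This is not Huawei code: the rule ordering (first matching rule decides) and the default action for packets that match no rule (deny) are assumptions, because the page does not state how rules in an ACL are ordered. The sample rules and packets are constructed.

```python
"""Advanced ACL matching with wildcard masks and "not concerned" sentinels.

Constructed example (not the OptiX RTN 950 implementation): it models the
parameters of Table 4-2 so the wildcard semantics (0 bit = must match,
1 bit = ignored) and the 0xFFFFFFFF / 255 sentinels can be checked on
sample packets. First-match-wins ordering and default deny are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PORT = 0xFFFFFFFF   # Table 4-2: port value meaning "not concerned"
ANY_ICMP = 255          # Table 4-2: ICMP type/code value meaning "not concerned"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class AclRule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wildcard: int = 0xFFFFFFFF   # every bit ignored: any source address
    dst: str = "0.0.0.0"
    dst_wildcard: int = 0xFFFFFFFF
    proto: str = "IP"           # "IP" means the protocol type is not concerned
    sport: int = ANY_PORT
    dport: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP


def addr_matches(addr: str, rule_addr: str, wildcard: int) -> bool:
    """Wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    care = (~wildcard) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if not addr_matches(pkt.src, rule.src, rule.src_wildcard):
        return False
    if not addr_matches(pkt.dst, rule.dst, rule.dst_wildcard):
        return False
    if rule.proto == "IP":
        return True                     # protocol type not concerned
    if rule.proto != pkt.proto:
        return False
    if rule.proto in ("TCP", "UDP"):
        return ((rule.sport == ANY_PORT or rule.sport == pkt.sport) and
                (rule.dport == ANY_PORT or rule.dport == pkt.dport))
    # ICMP: type and code are only compared when they are not the 255 sentinel
    return ((rule.icmp_type == ANY_ICMP or rule.icmp_type == pkt.icmp_type) and
            (rule.icmp_code == ANY_ICMP or rule.icmp_code == pkt.icmp_code))


def evaluate(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides (assumption); no match falls back to the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed sample policy: management hosts in 10.1.0.0/16 may reach the GNE
# address 10.1.255.1 on TCP port 22, anyone may send ICMP echo requests (type 8),
# everything else is denied.
SAMPLE_RULES = [
    AclRule("permit", src="10.1.0.0", src_wildcard=0x0000FFFF,
            dst="10.1.255.1", dst_wildcard=0, proto="TCP", dport=22),
    AclRule("permit", proto="ICMP", icmp_type=8),
    AclRule("deny"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Packet("10.1.3.4", "10.1.255.1", "TCP", 40000, 22)))
    print(evaluate(SAMPLE_RULES, Packet("192.168.1.1", "10.1.255.1", "TCP", 40000, 22)))
```

Note that a wildcard of 0x0000FFFF matches a /16 because the ignored bits are the low 16, the inverse of a subnet mask; mixing up the two conventions is a common cause of ACLs that are far more permissive than intended.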

TCP/IP Attack Prevention

Gateway equipment is exposed to external attacks because it is directly connected to the
external DCN. The TCP/IP protocol stack therefore needs to protect the equipment so that
services continue to be transmitted normally while the equipment is under attack, which
makes the equipment more secure and reliable.
Table 4-3 lists the attacks that the equipment can currently prevent.

Table 4-3 TCP/IP attacks

Attack | Protocol | Attack Mode | Preventive Measure
Address spoofing attack | ARP | IP address conflict | If the IP address of an external device conflicts with that of the equipment, the equipment sends a gratuitous ARP packet to broadcast the correct MAC address.
Address spoofing attack | IP | IP address configuration conflict | Before making an IP address take effect, the equipment checks whether the IP address is already in use. If it is, the equipment does not make the IP address take effect.
Message spoofing attack | IP | IP option attack | Prevents attacks using ICMP, TCP, or UDP messages that carry incorrect IP options.
Message spoofing attack | IP | Defective IP header attack | Prevents attacks using extremely short IP headers, defective IP headers, special source IP addresses, and IP headers with unknown protocols.
Message spoofing attack | IP | IP fragment attack | Prevents IP fragment attacks such as massive segments, huge offsets, repeated segments, TearDrop, Bonk, SynDrop, NewTear, Nesta, Rose, and Fawx.
Message spoofing attack | TCP | TCP flag bit traversal | Prevents TCP flag bit traversal such as packets without any flag, FIN bit without ACK bit, packets with the URG/OOB flag, and SYN and FIN bits set together.
Message spoofing attack | ICMP | Defective ICMP packet | Prevents ping attacks and Jolt attacks.
Flood attack | IP | IP non-payload flood attack | Prevents IP packet attacks and generates an alarm indicating an IP address attack without affecting the normal operation of the equipment.
Flood attack | UDP | UDP flood attack | Prevents fraggle attacks and diagnoses port flooding, port 0 flooding, and loop flooding.
Flood attack | ICMP | ICMP flood attack | Prevents ICMP flood attacks, Smurf attacks, ping flood attacks, loop ping flood attacks, timestamp request flood attacks, mask request flood attacks, and router request flood attacks.
DoS attack | TCP | SYN flood attack | Prevents SYN flood attacks without affecting the normal operation of the equipment.
DoS attack | TCP | Land attack | Prevents land attacks without affecting the normal operation of the equipment.
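The following added Python example, which is not taken from the equipment software, shows the kind of header sanity checks behind several Table 4-3 entries: a defective (too short) IP header, an unknown IP protocol, a special source address, the Land attack (source equal to destination), and the four TCP flag-bit traversal cases. It parses constructed raw packets; checksum validation and fragment reassembly are out of scope here.

```python
"""Header sanity checks for several attack modes listed in Table 4-3.

Constructed example (not the OptiX RTN 950 implementation): it parses a raw
IPv4 packet with a TCP segment and reports the defects a protocol stack
would discard the packet for. build_packet() constructs sample packets with
zero checksums; checksums are deliberately not validated here.
"""
import struct
from ipaddress import IPv4Address

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def tcp_flag_defects(flags: int) -> list:
    """The TCP flag-bit traversal cases named in Table 4-3."""
    defects = []
    if flags & 0x3F == 0:
        defects.append("no flags set")
    if flags & TCP_FIN and not flags & TCP_ACK:
        defects.append("FIN without ACK")
    if flags & TCP_URG:
        defects.append("URG/OOB flag set")
    if flags & TCP_SYN and flags & TCP_FIN:
        defects.append("SYN and FIN both set")
    return defects


def inspect_packet(raw: bytes) -> list:
    """Return a list of defects; an empty list means the packet passed."""
    defects = []
    if len(raw) < 20:
        return ["IP header shorter than 20 bytes"]
    ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        defects.append("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:                      # "extremely short IP header"
        defects.append("defective IP header: IHL below minimum")
        return defects
    if len(raw) < ihl:
        defects.append("truncated IP header")
        return defects
    if proto not in KNOWN_PROTOCOLS:  # "IP headers with unknown protocols"
        defects.append(f"unknown IP protocol {proto}")
        return defects
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    if src_ip.is_multicast or src_ip == IPv4Address("255.255.255.255"):
        defects.append("special source address")
    if KNOWN_PROTOCOLS[proto] == "TCP":
        if len(raw) < ihl + 20:
            return defects + ["truncated TCP header"]
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        flags = off_flags & 0x3F
        if src_ip == dst_ip and sport == dport:   # Land attack signature
            defects.append("Land attack: source equals destination")
        defects.extend(tcp_flag_defects(flags))
    return defects


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 + TCP packet (40 bytes, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    print(inspect_packet(build_packet("10.0.0.1", "10.0.0.2", 1234, 22, TCP_SYN)))
    print(inspect_packet(build_packet("10.0.0.2", "10.0.0.2", 22, 22, TCP_SYN)))
```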

Security Access
Security access is the process wherein the OptiX RTN 950 uses secure communication
channels or secure communication protocols for access, to prevent security risks. The NMS
can access the equipment over SSL channels or through SNMP. The two access methods are
described in turn below.
 The NMS accesses the equipment through SSL channels.
The NMS uses Ethernet ports or Operation, Administration, and Maintenance (OAM) ports to
access the equipment. OAM ports provide local access. Ethernet ports provide remote access
over the external DCN. Communication between the NMS and the GNE uses standard TCP/IP
protocols. When the NMS accesses the equipment over the external DCN, configuration data
and account information of the NMS are transmitted over the external DCN. The
communication channels for access use the SSL3.0 and TLS1.0 protocols to encrypt data and
ensure secure transmission.

Figure: SSL access of the NMS
[Figure: the NMS reaches the GNE over the external DCN through a firewall, with the
NMS-to-GNE connection protected by SSL; the GNE fronts the transport network (internal DCN).]

Certificates are needed for establishing SSL and TLS encryption channels. The certificates are
managed and issued by carriers. The OptiX RTN 950 loads and activates SSL certificates. The
delivered equipment carries a default SSL certificate. It is recommended that the customer
replace the default SSL certificate with its own SSL certificate. The equipment complies with
RFC 2246 and supports the encryption algorithms specified in the standard, such as AES,
DES, RC4, RC5, IDEA, SHA-1, and MD5.
The SSL certificates stored on NEs are encrypted using AES-128. If SSL certificates are not
encrypted, the SSL_CERT_NOENC alarm is reported.
The working principles of SSL are as follows.
The SSL protocol provides encryption and decryption algorithms that ensure all security
features except serviceability for communication; in addition, the algorithms cannot be
cracked in a short time. The SSL layer establishes an encryption channel on top of TCP and
encrypts all data that passes through the SSL layer. The SSL protocol consists of the
Handshake protocol and the Record protocol. The Handshake protocol is used for cipher key
negotiation; most of its contents describe how to securely negotiate a cipher key between the
two communicating parties. The Record protocol defines the data transmission format.
Transport Layer Security (TLS) is a security protocol similar to the SSL protocol. TLS1.0 is
based on SSL3.0 and supports SSL3.0. Figure 4-3 shows the negotiation of the SSL protocol
key.

Figure 4-3 Negotiation of the SSL/TLS key (EMS and GNE across the external DCN)

1. ClientHello (EMS to GNE)
2. ServerHello (GNE to EMS)
3. Certificate (GNE to EMS)
4. CertificateRequest (GNE to EMS)
5. ServerHelloDone (GNE to EMS)
6. Certificate (EMS to GNE)
7. ClientKeyExchange (EMS to GNE)
8. CertificateVerify (EMS to GNE)
9. ChangeCipherSpec (EMS to GNE)
10. Finished (EMS to GNE)
11. ChangeCipherSpec (GNE to EMS)
12. Finished (GNE to EMS)

 SNMPv3 access
SNMP is a standard protocol for network management. The OptiX RTN 950 uses SNMP to
provide querying of alarms and performance and the TRAP function, but does not provide
the configuration function. The equipment supports the SNMPv3 protocol. The MD5 and SHA
algorithms are used for authentication and the DES algorithm is used for data transmission.
The SNMP default accounts of the system are szhwSHA and szhwMD5. Their passwords are
Nesoft@!. SNMPv3 complies with RFC 2572, RFC 2574, and RFC 2575. Figure 4-4 shows the
application of the SNMP protocol.

Figure 4-4 Application of SNMP
[Figure: SNMP managers on a LAN reach the GNE over the external DCN through a firewall;
the GNE and each NE in the transport network (internal DCN) run an SNMP agent.]
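How the SNMPv3 authentication key behind an account such as szhwSHA or szhwMD5 is actually formed, as an added Python example of the RFC 3414 user-based security model (not Huawei code). The localized key is derived only from the user password and the agent's engine ID, and the engine ID is discoverable by any SNMP manager, so the secrecy of the password is all that stands behind SNMPv3 authentication; that is why the factory default accounts listed above need their passwords replaced. The test vector is the one published in RFC 3414 appendix A.3, not a value from this white paper.

```python
"""SNMPv3 USM key localization (RFC 3414, section A.2), as a worked example.

Added example, not Huawei code. Step 1 stretches the password to 1 MiB and
hashes it (Ku); step 2 binds Ku to one agent by hashing it together with
that agent's engine ID (Kul). MD5 and SHA-1 are the two algorithms named
on the page; the same routine serves both.
"""
import hashlib

ONE_MEBIBYTE = 1048576  # RFC 3414: the password is stretched to 2^20 bytes


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: hash the password repeated cyclically until 1 MiB has been consumed."""
    if not password:
        raise ValueError("empty password")
    repeats = ONE_MEBIBYTE // len(password) + 1
    stretched = (password * repeats)[:ONE_MEBIBYTE]
    return hashlib.new(algo, stretched).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku). Different agents get different keys."""
    ku = password_to_ku(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


# Engine ID from the RFC 3414 appendix A.3 test vector (a constructed value,
# not taken from the equipment).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    print("MD5 :", localize_key(b"maplesyrup", RFC_ENGINE_ID, "md5").hex())
    print("SHA1:", localize_key(b"maplesyrup", RFC_ENGINE_ID, "sha1").hex())
```

Because step 1 depends only on the password, a compromised Ku for one password is reusable against every agent that user is configured on; only step 2 differs per engine.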

4.2 Protocols and Control


4.2.1 Threats
On an internal DCN, standard protocols on the IP layer are used for communication between
equipment. These protocols may be used for interconnection with third-party equipment. In
this case, the result calculated by the OptiX RTN 950 may be incorrect when the third-party
equipment transmits incorrect information. When interconnected with third-party equipment,
the OptiX RTN 950 takes the following preventive measures to ensure communication
security:
 Adding protocol authentication and access control
 Adopting secure standard protocols

4.2.2 SFTP Clients


The OptiX RTN 950 provides an SFTP client based on SSH for software upgrades. In this
application, the equipment serves as a client and the SFTP server, which is provided by the
carrier, is deployed outside the equipment network. Figure 4-5 shows the application of SFTP
clients.
The SFTP authentication policy is determined by the SFTP server. The OptiX RTN 950
supports password authentication and key authentication. Password authentication is the
process wherein an SFTP client uses a user name and password to log in to the SFTP server.
Key authentication is the process wherein an SFTP client and SFTP server use the
Rivest-Shamir-Adleman algorithm (RSA) for cryptographic authentication. Before cryptographic
authentication, a user needs to generate an RSA key on the equipment and upload the public
key to the SFTP server. The user can set the length of the RSA key from 2048 bits to
4096 bits.
The equipment uses passphrases to protect private keys on an SFTP client for cryptographic
authentication. When users generate key pairs, they need to set the passphrases.
The SFTP client of the OptiX RTN 950 is enabled before delivery. Users can disable or
enable it using the NMS.

Figure 4-5 Application of SFTP clients
[Figure: the SFTP server and the NMS sit on a LAN and reach the GNE over the external DCN
through a firewall, with SSH protecting the connection; the GNE and each NE in the transport
network (internal DCN) run an SFTP client.]

Figure 4-6 shows the principles of SSH.

Figure 4-6 Protocol layers
[Figure: on both the SSH client and the SSH server, the application layer sits on the SSH
protocol layer (session protocol, authentication protocol, transmission protocol), which sits on
the transmission layer; the two sides are joined by a TCP connection.]

SSH protocols adopt a client/server architecture and consist of three layers: the transmission
layer, the authentication layer, and the connection layer.
Transmission protocols
Transmission protocols are used to establish a secure encryption channel between the SSH
client and the SSH server. In this manner, the confidentiality of data that requires high security
in transmission, such as authentication and data exchange, is protected.
The transmission layer provides origin authentication and integrity checking, and enables a
client to authenticate a server.
The transmission protocols run on top of the TCP/IP connection. The well-known port
number used by the SSH server is 22.
Authentication protocols
Authentication protocols run on top of transmission protocols and process authentication
requests.
Connection protocols
Connection protocols divide an encryption channel into multiple logical channels for different
applications. Connection protocols run on top of authentication protocols and provide services
such as sessions and execution of remote commands.
Negotiation of SSH proceeds as follows:
1. Connection establishment
The SSH server listens on port 22 to establish TCP connections with SSH clients.
2. Version negotiation
The version of the SSH protocol is negotiated over the TCP connection. The OptiX RTN 950
supports SSHv2.
3. Algorithm negotiation
An SSH client and an SSH server support different collections of encryption algorithms, so they
need to negotiate the algorithms to use when the SSH protocol is running. The algorithms
that need to be negotiated are as follows:
 Key exchange algorithms: are used for generating session keys.
 Encryption algorithms: are used for encrypting data.
 Host public key algorithms: are used for signing and authentication.

 MAC algorithms: are used for integrity protection.


The SSH client and SSH server send each other the collection of algorithms that they
respectively support, and the result is the intersection of the algorithms supported by both
parties.
4. Key exchange
The key exchange and encryption algorithms selected in step 3 are used to negotiate the
keys required for data communication.
5. User authentication
Password authentication and public key authentication are provided.
6. Service requests
The OptiX RTN 950 supports SFTP clients.
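Step 3 says the result is the intersection of the two algorithm collections. RFC 4253 section 7.1 makes that intersection ordered: for each category, the chosen algorithm is the first entry on the client's list that also appears on the server's list, and if no entry is common the connection must be torn down. The following added Python example (not the OptiX RTN 950 code; the KEXINIT name-lists are constructed) implements that rule, which is why the order in which an SFTP client such as this one lists its algorithms, not the server's order, decides what gets used.

```python
"""SSH algorithm negotiation as specified in RFC 4253, section 7.1.

Added example, not the OptiX RTN 950 code. Both sides send name-lists in
their order of preference; for each category the chosen algorithm is the
first one on the client's list that the server also lists (an ordered
intersection, not a set intersection). If no common algorithm exists the
connection must be disconnected.
"""
from typing import Dict, List

CATEGORIES = ("kex", "host_key", "encryption", "mac")


class NegotiationFailure(Exception):
    """Raised when a category has no algorithm supported by both parties."""


def choose(client_list: List[str], server_list: List[str]) -> str:
    """Client preference order wins; the server list only acts as a filter."""
    server_set = set(server_list)
    for alg in client_list:
        if alg in server_set:
            return alg
    raise NegotiationFailure(f"no common algorithm: client={client_list} server={server_list}")


def negotiate(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> Dict[str, str]:
    return {cat: choose(client[cat], server[cat]) for cat in CATEGORIES}


def is_negotiable(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> bool:
    try:
        negotiate(client, server)
        return True
    except NegotiationFailure:
        return False


# Constructed KEXINIT contents (assumed for illustration, not read from any equipment).
CLIENT_KEXINIT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "host_key": ["rsa-sha2-256", "ssh-rsa"],
    "encryption": ["aes256-ctr", "aes128-ctr", "aes128-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
SERVER_KEXINIT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-rsa"],
    "encryption": ["aes128-cbc", "aes128-ctr"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
}

if __name__ == "__main__":
    print(negotiate(CLIENT_KEXINIT, SERVER_KEXINIT))
```

In the constructed exchange the server prefers diffie-hellman-group14-sha1 and aes128-cbc, but the client's ordering selects the SHA-256 group and the CTR cipher: a client that lists its strongest algorithms first is protected from a server's weaker preferences, while a client that lists a weak algorithm anywhere can still be steered to it by a server that offers nothing else.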

4.2.3 OSPF Protocol


The management plane uses the OSPF protocol to dynamically calculate routes on the entire
network for network management. The OptiX RTN 950 supports OSPFv2 in compliance with
RFC 2328. Besides the routing function, the equipment supports the following
authentication types:
Null authentication
The OSPF packets are not authenticated. That is, the OSPF protocol does not perform
authentication on packet reception.
Simple password authentication
A "clear" 64-bit password is used for authentication. Simple password authentication guards
against the equipment inadvertently joining the routing domain. The OptiX RTN 950s in the
same OSPF domain must be configured with the same password for authentication.
Cryptographic authentication
Cryptographic authentication uses MD5 to calculate the digest. Because the password used to
calculate the digest is never sent over the network, protection against passive attacks is
provided. When employing cryptographic authentication, the OptiX RTN 950s in the same
OSPF domain must be configured with the same key for authentication.
The equipment uses null authentication as the default. Users can configure other
authentication types as required.
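What "the password is never sent over the network" buys in the cryptographic mode, as an added Python example modelled on RFC 2328 Appendix D (not Huawei code, and simplified: a real OSPF packet also carries version, type, router ID, area ID and checksum fields, and the authentication fields live inside the 24-byte OSPF header rather than after the body as here). The security-relevant parts are kept: the digest is MD5 over the packet plus the shared key, a receiver needs the same key to verify it, and the cryptographic sequence number lets a receiver reject a replayed copy of a sniffed packet. The sample key and payload are constructed.

```python
"""OSPFv2 cryptographic (MD5) authentication, after RFC 2328 Appendix D.

Added example, not Huawei code, and simplified in layout (see the lead-in).
build_packet() appends the authentication fields and the digest to a packet
body; Neighbor.verify() reproduces what a receiving router does: look the
key up by ID, recompute the digest, and enforce the sequence number.
"""
import hashlib
import hmac
import struct
from typing import Dict

AUTH_TYPE_CRYPTO = 2     # OSPF AuType value for cryptographic authentication
AUTH_DATA_LEN = 16       # length of the MD5 digest appended to the packet
KEY_LEN = 16             # RFC 2328 D.3: the authentication key is 16 octets


def pad_key(key: bytes) -> bytes:
    """Keys shorter than 16 bytes are padded with zeros before being appended."""
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_packet(body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Return body || auth fields || MD5(body || auth fields || padded key).

    The auth fields (type, key ID, digest length, cryptographic sequence
    number) travel in clear and are covered by the digest; the key is not sent.
    """
    auth = struct.pack("!HBBI", AUTH_TYPE_CRYPTO, key_id, AUTH_DATA_LEN, seq)
    covered = body + auth
    return covered + hashlib.md5(covered + pad_key(key)).digest()


class Neighbor:
    """Receiver state: configured keys by ID and the last accepted sequence number."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys
        self.last_seq = -1

    def verify(self, packet: bytes) -> bool:
        if len(packet) < 8 + AUTH_DATA_LEN:
            return False
        covered, digest = packet[:-AUTH_DATA_LEN], packet[-AUTH_DATA_LEN:]
        auth_type, key_id, data_len, seq = struct.unpack("!HBBI", covered[-8:])
        if auth_type != AUTH_TYPE_CRYPTO or data_len != AUTH_DATA_LEN:
            return False
        key = self.keys.get(key_id)
        if key is None:
            return False
        expected = hashlib.md5(covered + pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False          # wrong key or modified packet
        if seq < self.last_seq:
            return False          # replayed or reordered packet (RFC 2328 D.4.3)
        self.last_seq = seq
        return True


if __name__ == "__main__":
    router = Neighbor({1: b"s3cret"})          # constructed key
    hello = build_packet(b"HELLO", 1, 10, b"s3cret")
    print(router.verify(hello), router.verify(hello))   # True, then False (replay)
```

Note that the sequence check only rejects packets older than the last one accepted; RFC 2328 leaves a window in which a packet can be replayed until a newer one has been seen, which is why the sequence number is usually derived from a clock.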

4.2.4 NTP Protocol


Network Time Protocol (NTP) is used to synchronize time between NEs. Possible security
loopholes in NTP result in time disturbance on the network. To enhance the security of NTP,
the NTP protocol provides an authentication function and access control of local services.
The NTP authentication function verifies the validity and integrity of NTP packets. This
function protects the equipment from incorrect packets and ensures that packets are exchanged
only with valid servers.
Access control of local services enables the system administrator to better control the NTP
protocol. This function protects NTP information on the equipment from malicious query and
modification. Users have different rights as follows:
 Query: Users are authorized to query local NTP services.

 Synchronize: Users are authorized to use the local clock as the synchronization source
for other hosts.
 Server: A combination of the rights above.
 Peer: Users have full control rights: to query, to be synchronized, and to synchronize
other hosts.
NTP uses MD5 to check whether clients and servers are valid. If a client and a server adopt
authentication, the keys configured on both parties must be the same and must be reliable.
Table 4-4 shows the authentication relationship.

Table 4-4 Authentication relationship

Server | Client | Authentication
Enabled | Enabled | Pass
Enabled | Disabled | Pass
Disabled | Disabled | Pass
Disabled | Enabled | Not pass

NTP complies with RFC 1305. Figure 4-7 shows the working principles of NTP time
synchronization.

Figure 4-7 Principles of NTP time synchronization
[Figure: the NTP client sends an NTP message at 10:00:00am; the NTP server receives it at
10:00:01am and sends its reply at 10:00:02am; the client receives the reply at 10:00:03am.]

1. An NTP client sends an NTP message to an NTP server. The NTP message carries a
timestamp recording the current time of its leaving the client. The timestamp is recorded
as T1 = 10:00:00am.
2. The current time of the NTP message arriving at the NTP server is recorded as a
timestamp. This timestamp is added to the NTP message as T2 = 10:00:01am.
3. The current time of the NTP message leaving the NTP server is recorded as another
timestamp. This timestamp is also added to the NTP message as T3 = 10:00:02am.
4. The current time of the NTP client receiving the response is recorded as a new
timestamp. The timestamp is recorded as T4 = 10:00:03am.
So far, the NTP client is able to calculate the time difference between NTP equipment.
ΔT = ((T2 + T3) - (T1 + T4))/2
The NTP client sets its clock based on the time difference to achieve clock synchronization to
the NTP server.
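A derivation of this formula, added here and not part of the white paper, in the same notation: assume the one-way network delay d is the same in both directions and the client clock lags the server clock by ΔT. The two timestamps taken by the other party then satisfy
T2 = T1 + d + ΔT
T4 = T3 + d - ΔT
Subtracting the second equation from the first eliminates d:
(T2 - T1) - (T4 - T3) = 2ΔT, so ΔT = ((T2 - T1) + (T3 - T4))/2 = ((T2 + T3) - (T1 + T4))/2,
which is the formula above. Adding the two equations instead eliminates ΔT and gives the round-trip delay:
2d = (T4 - T1) - (T3 - T2)
With the timestamps of Figure 4-7, counted in seconds from 10:00:00am (T1 = 0, T2 = 1, T3 = 2, T4 = 3):
ΔT = ((1 + 2) - (0 + 3))/2 s = 0 s and 2d = (3 - 0) - (2 - 1) s = 2 s,
so the client clock is already aligned with the server and each direction takes 1 s. The formula relies on the two one-way delays being equal: if an attacker or an asymmetric path makes one direction slower than the other, half of that asymmetry appears directly as a synchronization error, which authentication of the packets does not detect.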

4.2.5 Layer 2 Protocols


Threats
Layer 2 protocols are generally attacked by flood, deformed, or malicious packets. Under an
attack, the equipment may fail to process the protocols and therefore services on the entire
network are affected. The following preventive measures are provided for Layer 2 protocols.

Flow Control
The rate for reporting protocol packets to the CPU is limited to prevent the equipment from
being attacked by a large number of protocol packets. The following methods are available:
 Protocol software rate limiting: The maximum number of packets that can be processed
in each second for each protocol is defined. When the number of received packets
exceeds this number, the excess packets are discarded. The maximum number is
specified by each data board.
 CPU queue rate limiting: The packets to be reported to the CPU are listed in the CPU
queue of the chip. When the number of packets exceeds the queue length, the chip
automatically discards the excess packets.

Discarding of Invalid Packets


All packets are verified and various invalid protocol packets are filtered out. Table 4-5 lists
the verification rules.

Table 4-5 Packet verification rules for Layer 2 protocols

Protocol | Verification Rule
IGMP | An IGMP packet is discarded when any of the following conditions is met:
 The checksum of the IP header and the checksum of the IGMP packet are incorrect.
 The TTL value of the IP header is not 1.
 The source IP address is an invalid unicast address.
 The multicast IP address is invalid, that is, it is not in the multicast IP address range 224.0.1.0 to 239.255.255.255.
 The destination IP address does not match the destination MAC address.
BPDU | DMAC = 01-80-c2-00-00-00 or 01-80-c2-00-00-08. Each protocol packet is verified according to the corresponding protocol.
Eth-OAM (802.1ag) | DMAC = 01-80-c2-00-00-02; EthType = 0x8809; EthSubType = 0x01. Each TLV is verified according to the corresponding protocol.
Eth-OAM (802.3ah) | EthType = 0x8809 (private) or 0x8902 (IEEE 802.1ag standard). Each protocol packet is verified according to the corresponding protocol.
ERPS | DMAC = 01-19-A7-00-00-01. Each protocol packet is verified according to the corresponding protocol.
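The IGMP row of Table 4-5 as executable checks, in an added Python example that is not Huawei code. It parses a raw IPv4 packet carrying IGMP and tests each rule separately: the IP header checksum, the IGMP checksum, TTL equal to 1, a valid unicast source, a group address inside 224.0.1.0 to 239.255.255.255 (the range as the page states it), and the destination MAC that the group address maps to (01-00-5e followed by the low 23 bits of the address, per RFC 1112). The packets are constructed by the example's own builder.

```python
"""IGMP packet verification after the rules of Table 4-5.

Added example, not Huawei code. verify_igmp() returns the list of rules a
packet violates (empty list = accepted); build_igmp() constructs sample
IGMPv2 membership reports with correct checksums so that each rule can be
exercised by breaking one field at a time.
"""
import struct
from ipaddress import IPv4Address

GROUP_RANGE_START = int(IPv4Address("224.0.1.0"))       # range as stated on the page
GROUP_RANGE_END = int(IPv4Address("239.255.255.255"))
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4 and IGMP; 0 over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def multicast_mac(group: str) -> bytes:
    """RFC 1112 mapping: 01-00-5e plus the low 23 bits of the group address."""
    low23 = int(IPv4Address(group)) & 0x7FFFFF
    return b"\x01\x00\x5e" + low23.to_bytes(3, "big")


def verify_igmp(dst_mac: bytes, ip_packet: bytes) -> list:
    reasons = []
    if len(ip_packet) < 28:
        return ["packet too short for IPv4 + IGMP"]
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip_packet[:20])
    if proto != 2:
        return ["not an IGMP packet"]
    ihl = (ver_ihl & 0x0F) * 4
    if inet_checksum(ip_packet[:ihl]) != 0:
        reasons.append("IP header checksum incorrect")
    if inet_checksum(ip_packet[ihl:]) != 0:
        reasons.append("IGMP checksum incorrect")
    if ttl != 1:
        reasons.append("TTL is not 1")
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    if (src_ip.is_multicast or src_ip.is_unspecified or src_ip.is_loopback
            or src_ip == LIMITED_BROADCAST):
        reasons.append("source address is not a valid unicast address")
    if not GROUP_RANGE_START <= int(dst_ip) <= GROUP_RANGE_END:
        reasons.append("multicast address outside 224.0.1.0-239.255.255.255")
    if dst_mac != multicast_mac(str(dst_ip)):
        reasons.append("destination IP does not map to destination MAC")
    return reasons


def build_igmp(src: str, group: str, ttl: int = 1, igmp_type: int = 0x16) -> bytes:
    """Construct an IPv4 packet carrying an IGMPv2 membership report (type 0x16)."""
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, ttl, 2, 0,
                      IPv4Address(src).packed, IPv4Address(group).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


if __name__ == "__main__":
    report = build_igmp("10.0.0.5", "239.1.2.3")
    print(verify_igmp(multicast_mac("239.1.2.3"), report))
    print(verify_igmp(multicast_mac("239.1.2.3"), build_igmp("10.0.0.5", "239.1.2.3", ttl=64)))
```

The IP-to-MAC rule is the one that catches a frame whose Ethernet destination was rewritten independently of the IP group: because only 23 bits of the group address survive in the MAC, 32 different group addresses share one MAC, so the check can only go from IP address to expected MAC, never the other way.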

Robust Measures
Countermeasures under abnormal conditions are as follows:
 According to ITU-T G.8032, R-APS packets are transmitted within an Ethernet ring, and
R-APS packets arriving at ports that are not on the ring are neither extracted nor processed, so
the robustness of ring network protocols is improved.

4.3 Network Services


4.3.1 Threats
As described previously, data services are under the following threats:
 Service flow burst attacks, which preempt network bandwidth and lower the processing
capability and forwarding efficiency of the equipment. A typical case of such a threat is a
broadcast storm.
 Access of unauthorized users.
 Theft of user data.
Table 4-6 lists the preventive measures.

Table 4-6 Threats and preventive measures

Threat | Preventive Measure | Measure Description
Flow bursts | Flow control | Limiting the service flow within a range using various methods
Flow bursts | Loop detection and prevention | Detecting physical loops on a network to prevent a broadcast storm
Flow bursts | Discarding of incorrect packets | Detecting the packets received by the equipment and discarding abnormal packets
Access of unauthorized users | Defining rules for access to Layer 2 according to features of the Layer 2 service flow | Configuring rules for access to Layer 2 services
Theft of user data | Service separation | Logically or physically separating services of different users

4.3.2 Ethernet Services


Ethernet services are classified into Ethernet private line (E-Line) services and Ethernet LAN
(E-LAN) services.
 E-Line services: Such services are forwarded based on VLAN tags and logically
separated at Layer 2. E-Line services are highly confidential. Therefore, flow control can
be applied to E-Line services using QoS and invalid packets can be filtered out using
ACL.
 E-LAN services: Such services include MAC-based and MAC+VLAN-based services
for Layer 2 switching. E-LAN services are flexible, the MAC addresses cannot be
controlled, and the MAC address learning and forwarding mechanism is affected by the
data packets. Therefore, E-LAN services are easily attacked. All the preceding described
preventive measures are applicable to E-LAN services.
NOTE
Ethernet aggregation (E-AGGR) services are also forwarded based on VLAN tags. Preventive measures
for E-AGGR services are the same as those for E-Line services.

Flow Control
The bandwidth of the equipment may bear load abnormally when there are a large number of
broadcast packets, multicast packets, or unicast packets with unknown destination addresses,
and a network may be congested when flow bursts occur. Flow control can prevent such
scenarios and ensure secure and stable operation of the network.
 Suppressing broadcast flow
− Broadcast storm suppression: The broadcast flow is limited and the flow that exceeds
the limit is discarded.
− Broadcast storm suppression enabled based on port: After broadcast storm
suppression is enabled at a port, the broadcast flow at the port is discarded when the
broadcast flow exceeds the broadcast flow suppression threshold. The default
threshold is 30%.
− Setting of broadcast flow suppression threshold: The threshold specifies the broadcast
flow that a port allows. When the actual broadcast flow exceeds the threshold, the
excess broadcast flow is discarded to ensure that the proportion of the broadcast flow
is within a proper range. This prevents a broadcast storm and network congestion so
the network services can run normally.
 Discarding unknown unicast packets
Unknown unicast packets can be discarded or forwarded.
 Discarding unknown multicast packets
Unknown multicast packets can be discarded or forwarded.
 Monitoring port flow
The flow at a port is monitored. When packets are received at a rate faster than the specified
threshold, a flow threshold-crossing alarm is reported, prompting the user to take preventive
measures.
 Limiting service flow using QoS

Figure 4-8 QoS network model

The QoS function of the equipment can be implemented in the DiffServ mode. A network is
divided into several DiffServ domains (DS domains for short). A DS edge node classifies the
flow entering a DS domain and identifies the flow of different service types with different
PHBs. The PHB information is forwarded to all nodes in the DS domain. Then the nodes in
the DS domain perform flow control on the services based on the PHBs. The flow control
measures include CAR, flow shaping, and queue scheduling.

Loop Prevention
If a loop is generated on a Layer 2 switching network, packets will be duplicated and cycled
in the loop, and therefore a broadcast storm occurs. In this case, all available bandwidth
resources will be occupied by the broadcast storm and the network will be unavailable. The
OptiX RTN 950 provides the following methods to prevent loops from being formed on
networks.
 Detection of self-loops at service ports
The equipment can detect whether a service port is self-looped by transmitting and receiving
protocol packets.
 Blocking of self-looped ports
After self-loop detection and blocking of self-looped ports are enabled, a port is blocked to
prevent a broadcast storm when the port is self-looped.
 Detection of Ethernet loopbacks
By indicating Ethernet service IDs and logical ports, users can detect service loops and set
whether to automatically disconnect loops. If a service loop is detected and automatic
disconnection is enabled, the Ethernet VLAN service is automatically disconnected. Users
receive alarms of service disconnection.

Figure: Scenario of a service loop

NOTE
This function is only supported by packet service boards.

Discarding of Incorrect Packets


Incorrect packets include packets with missing fields, disordered packets, duplicated packets,
and excessively large or small packets. Incorrect packets may be forged by malicious users, or
caused by bit errors on the transmission line, or caused by abnormal processing of the
equipment hardware. Processing incorrect packets brings extra load to the equipment and
reduces the bandwidth for normal services. Therefore, incorrect packets must be identified
and discarded.
The following incorrect packets are discarded:
 A packet whose source MAC address and destination MAC address are the same
 A packet whose size is smaller than 46 bytes
 A packet whose size is greater than the maximum transmission unit (MTU)
 An excessively large packet whose DATA is greater than 65535 bytes
 A packet whose FCS (CRC) is incorrect
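The frame-level discard rules above as executable checks, in an added Python example that is not Huawei code. It flags a source MAC equal to the destination MAC, a data field shorter than 46 bytes (the page's "smaller than 46 bytes" is read here as the IEEE 802.3 minimum payload, an assumption), a frame exceeding the configured MTU or the 65535-byte data limit, and a bad FCS. The FCS is the IEEE 802.3 CRC-32, transmitted least-significant byte first, which is the same polynomial and bit convention as zlib.crc32. The frames are constructed by the example's own builder.

```python
"""Ethernet frame sanity checks matching the incorrect-packet list above.

Added example, not Huawei code. check_frame() returns the list of rules a
frame violates (empty list = accepted). build_frame() constructs frames with
a correct FCS, optionally corrupting it to exercise the CRC check.
"""
import struct
import zlib

HEADER_LEN = 14          # destination MAC + source MAC + EtherType
FCS_LEN = 4
MIN_PAYLOAD = 46         # IEEE 802.3 minimum data field (assumption, see lead-in)
MAX_DATA = 65535         # "excessively large packet" limit from the page

# Constructed sample addresses
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                corrupt_fcs: bool = False) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt_fcs:
        fcs ^= 1                          # flip one bit to simulate a line error
    return body + struct.pack("<I", fcs)  # FCS is sent little-endian


def check_frame(frame: bytes, mtu: int = 1500) -> list:
    problems = []
    if len(frame) < HEADER_LEN + FCS_LEN:
        return ["frame shorter than header plus FCS"]
    dst, src = frame[:6], frame[6:12]
    payload = frame[HEADER_LEN:-FCS_LEN]
    if dst == src:
        problems.append("source MAC equals destination MAC")
    if len(payload) < MIN_PAYLOAD:
        problems.append("payload shorter than 46 bytes")
    if len(payload) > mtu:
        problems.append("payload larger than MTU")
    if len(payload) > MAX_DATA:
        problems.append("data larger than 65535 bytes")
    expected = zlib.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF
    (fcs,) = struct.unpack("<I", frame[-FCS_LEN:])
    if fcs != expected:
        problems.append("FCS (CRC) incorrect")
    return problems


if __name__ == "__main__":
    good = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"\x00" * 46)
    print(check_frame(good))
    print(check_frame(build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"\x00" * 46, corrupt_fcs=True)))
```

The order of the checks matters for a cheap implementation: length and address comparisons cost nothing, so running them before the CRC lets a flood of runt or self-addressed frames be dropped without spending a CRC computation on each one.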

Access Control of Layer 2 Services


Access control of Layer 2 services is provided to filter out unauthorized user data.
 Static MAC address table
For E-LAN services, static MAC addresses can be added to, deleted from, and queried in the
static MAC address table. When the MAC address learning function is disabled, MAC
addresses must be added to the static MAC address table to ensure that services are forwarded
properly. If the MAC address of a service does not match the static MAC address table, the
service is considered as invalid and is discarded.
 Black list
For E-LAN services, MAC addresses can be added to, deleted from, and queried in the black
list. Services whose MAC addresses are in the black list are considered as invalid and filtered
out.
 Disabling of MAC address learning
E-LAN services can filter out invalid packets after MAC address learning is disabled.
When MAC address learning is enabled, the equipment can learn the MAC addresses.
When MAC address learning is disabled, the equipment can forward E-LAN services and
filter out invalid MAC addresses after static MAC addresses are configured.
NOTE
This function is only supported by packet service boards.
 Packet filter based on complex flow classification
Data flow is managed according to complex flow classification, preventing attacks of a large
number of packets and invalid packets.
Complex rules are used for flow classification. For example, packets can be classified
according to integrated link layer information, network layer information, and transport layer
information (including the source MAC address, destination MAC address, source IP address,
destination IP address, user group number, protocol type, and TCP/UDP port number of an
application). After being filtered based on the complex flow classification, packets are
forwarded or discarded.

− Discarding: A data flow is discarded if the data flow does not comply with rules in an
ACL.
− Forwarding: A data flow is forwarded if the data flow complies with rules in an ACL.
NOTE
This function is only supported by packet service boards.

Service Separation
The following logical and physical separation methods are provided to prevent malicious data
theft and reduce the impact of the broadcast flow.
 Layer 2 logical separation
Virtual local area network (VLAN) is the basic unit for managing network data equipment. A
VLAN is a logical subnet or a logical broadcast domain. Users are allocated to different
VLANs so that they cannot communicate with each other at Layer 2. In this manner, logical
separation is achieved for Layer 2 services. In addition, after VLANs are divided, the
broadcast flow is limited in each broadcast domain, which limits the broadcast range.
The OptiX RTN 950 supports identification and forwarding of VLAN tags, and switching of
VLAN tags. Figure 4-10 shows an example of VLAN services.

Figure 4-10 Scenario of the QinQ service

Users who create an Ethernet private network can separate services by configuring the
"Hub/Spoke" attribute of logical ports. Services between Spoke ports are separated, so Spoke
ports cannot communicate with each other.
NOTE
The "Hub/Spoke" feature is only supported by EOS boards.
 Split horizon
A group of physical or logical ports that cannot communicate with each other on the local
equipment are configured to prevent service loops and separate services for different users. In
this manner, service security is ensured.
The OptiX RTN 950 supports creation of split horizon groups for L2VPN services, and
supports adding and deleting of group members.

NOTE
This function is only supported by packet service boards.
 Physical path separation
Services for different users are carried on different physical paths. In this manner, services do
not share physical paths or communicate with each other at the physical layer, and therefore
service security is ensured.

A Appendix

A-1 Standards Compliance


Table A-1 shows the security standards that the OptiX RTN 950 complies with.

Table A-1 Standards compliance

Related Standard | Description
ITU-T G.8011.1 | Ethernet private line service
ITU-T G.8011.2 | Ethernet virtual private line service
ITU-T G.8261/Y.1361 | Timing and synchronization aspects in Packet Networks
ITU-T G.8262/Y.1362 | Timing characterist
ics of synchronous Ethernet equipment slave clock
ITU-T G.8032/Y.1344 | Ethernet Ring Protection Switching
RFC 2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2819 | Remote Network Monitoring Management Information Base
RFC 0793 | Transmission Control Protocol
RFC 0768 | User Datagram Protocol
RFC 0791 | Internet Protocol, Version 4 (IPv4)
RFC 0792 | Internet Control Message Protocol
RFC 0826 | An Ethernet Address Resolution Protocol
RFC 0894 | A Standard for the Transmission of IP Datagrams over Ethernet Networks
RFC 2516 | A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 1661 | The Point-to-Point Protocol (PPP)
RFC 1662 | PPP in HDLC-like Framing
RFC 1332 | The PPP Internet Protocol Control Protocol (IPCP)
RFC 1990 | The PPP Multilink Protocol (MP)
RFC 2131 | Dynamic Host Configuration Protocol
RFC 2328 | OSPF Version 2
RFC 2246 | Secure Socket Layer 3.0/TLS 1.0
RFC 1305 | Network Time Protocol 3.0
IEEE 802.3ah | Media Access Control Parameters, Physical Layers, and Management Parameters for Subscriber Access Networks
IEEE 802.1ad | Virtual Bridged Local Area Networks Amendment 4: Provider Bridges
IEEE 802.1ag | Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management

A-2 Acronyms and Abbreviations


Table A-2 Acronyms and abbreviations

Acronym and Abbreviation | Full Name
ACL | Access Control List
CAR | Committed Access Rate
DCN | Data Communication Network
DNS | Domain Name System
ECC | Embedded Control Channel
FEC | Forward Error Correction
FTP | File Transfer Protocol
GNE | Gateway Network Element
HTTP | Hypertext Transfer Protocol
ID | Identification
IEEE | Institute of Electrical and Electronics Engineers
IF | Intermediate Frequency
IP | Internet Protocol
ISO | International Organization for Standardization
ISP | Internet Service Provider
ITU-T | International Telecommunication Union - Telecommunication Standardization Sector
LAN | Local Area Network
LCT | Local Craft Terminal
NMS | Network Management System
OAM | Operation, Administration and Maintenance
ODU | Outdoor Unit
OSI | Open Systems Interconnection
OSS | Operation Support System
OSPF | Open Shortest Path First
PDH | Plesiochronous Digital Hierarchy
QoS | Quality of Service
RMON | Remote Monitoring
RTN | Radio Transmission Node
SDH | Synchronous Digital Hierarchy
SNMP | Simple Network Management Protocol
TCP/IP | Transmission Control Protocol/Internet Protocol
VLAN | Virtual Local Area Network
