V100R003C01SPC300
Security White Paper
Issue 01
Date 2013-06-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
A Appendix 32
A-1 Standards Compliance 32
A-2 Acronyms and Abbreviations 33
Figure 1-2 Microwave transmission solution provided by the OptiX RTN 950
2 Security Architecture
[Figure: management-plane security architecture: SNMPv3, NTPv3 and OSPFv2; account and password management; security log management; operation log; ACL, TCP/IP protocol stack and TCP/IP attack prevention; VxWorks OS; hardware platform]
Security features on the management plane implement security access, integrated security
management, and all-round security audits.
The data plane processes the service data flow entering the equipment and forwards service packets according to the forwarding table. Security features on the data plane ensure the confidentiality and integrity of user data by preventing malicious theft, modification, and removal of user service packets. They ensure stable and reliable operation of the forwarding plane by protecting forwarding entries against malicious attacks and falsification. The data plane provides:
User service separation methods
Access control methods
Methods for controlling and managing the ingress and egress bandwidth of the equipment to ensure reliable operation, such as flow control and QoS.
The data plane adopts the security architecture shown in Figure 2-3.
[Figure 2-3: data-plane security architecture: service platform, product adapter/driver, VxWorks OS, hardware platform]
Figure 2-4 shows the principles of data separation on the management plane and the data plane.
[Figure 2-4: principles of data separation]
3 System Security
Figure 3-1 Security management system provided by the OptiX RTN 950
[Figure 3-1: security management system: Account & Password Management (account complexity, password complexity, valid period of password, password encryption policy, state of account, valid period of account); Authentication (period of login, disable unused account, lock policy and security alarm); Log Management with Security Log (log integrity, log record, log overflow event) and Operation Log (log integrity, log record, log overflow event, log upload)]
The system supports default accounts. After the system starts up for the first time, a user needs to log in to the system by using a default account. Passwords of default accounts can be queried, deleted, or modified through the Network Management System (NMS). When a user uses a default account and a default password to log in, the system prompts the user to change the password. Table 3-1 and Table 3-2 list the default accounts and passwords of the system. The PASSWORD_NEED_CHANGE alarm is reported if a default password is not changed.
Moreover, when an NE is in the BIOS state, the user needs to enter the correct password for authentication before logging in to the NE (without authentication, the account name can be any character string). This is similar to the BIOS of personal computers. The default password in the BIOS state is "nesoft".
Authentication
Authentication is the process wherein the system checks whether accounts and passwords are
valid. Terminals accessing the equipment through physical ports and protocol ports need to
pass authentication before they are authorized to operate the equipment.
Local authentication
Table 3-3 lists the check items involved in local authentication.
Check Item | Description | Remarks
Activation status of accounts | If an account is activated, the login request is accepted; if an account is deactivated, the login request is refused. | The user who is logged in to the system by using an administrator account can change the activation status of other accounts.
Active periods of accounts | An account can be used for logins within a specific period, namely, the active period. If the active period of an account expires, the login request is refused. | The user who is logged in to the system by using an administrator account can change the active periods of other accounts.
Active periods of passwords | The password of an account can be used for logins within a specific period, namely, the active period. After the active period of the password expires, the first three login requests are accepted but the later ones are refused. | The user who is logged in to the system by using an administrator account can change the active periods of the passwords of other accounts.
Login time of accounts | An account can be used for logins within a specific section of a day, namely, the login time. If an account is used beyond its login time, the login request is refused. | The user who is logged in to the system by using an administrator account can change the login time of other accounts.
Inactive time of accounts | An account is deactivated if a specific period elapses from the last login. This period is called the inactive time of accounts. If an account is deactivated, the login request is refused. | The user who is logged in to the system by using an administrator account can change the inactive time and enabled/disabled status of other accounts.
Locked accounts | If an account is locked, the login request is refused until the locking time expires. | After five login attempts using one account fail and the interval between two attempts is shorter than three minutes, the account is locked and cannot be unlocked manually. An alarm is reported at every login attempt from the sixth one onwards.
Automatic logout of accounts | If an account does not exchange data with the equipment for a specified time, the account is automatically logged out. The account must then be authorized again before logging in to the equipment. | The specified time for automatic logout is one hour, which cannot be changed by users.
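The check items of Table 3-3 written out as a Python login-policy evaluator, added here as an illustration (it is example code, not the equipment's implementation). The five-attempt lock, the three-minute attempt interval, the three post-expiry password logins and the one-hour automatic logout are the values the table states; the locking time, the login-hour window and the account names are assumptions, since the page gives no values for them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values stated in Table 3-3
LOCK_THRESHOLD = 5                   # failed attempts on one account before it is locked
LOCK_WINDOW = timedelta(minutes=3)   # failures closer together than this count towards the lock
PASSWORD_GRACE_LOGINS = 3            # logins still accepted after the password's active period
AUTO_LOGOUT = timedelta(hours=1)     # idle time before automatic logout (fixed by the equipment)
LOCK_TIME = timedelta(minutes=30)    # assumption: the page gives no value for the locking time


@dataclass
class Account:
    name: str
    activated: bool = True
    active_until: Optional[datetime] = None           # active period of the account
    password_active_until: Optional[datetime] = None  # active period of the password
    login_hours: tuple = (0, 24)                      # [start, end) hours of the day logins are allowed
    inactive_limit: Optional[timedelta] = None        # deactivate after this long without a login
    last_login: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    last_failure: Optional[datetime] = None
    failures: int = 0
    grace_logins_used: int = 0


def check_login(acct: Account, now: datetime, password_ok: bool) -> str:
    """Apply the Table 3-3 check items; return "accepted" or the reason for refusal."""
    # Locked accounts: refused until the locking time expires; the sixth and later attempts raise an alarm
    if acct.locked_until is not None and now < acct.locked_until:
        return "refused: account locked (alarm reported)"
    # Inactive time: deactivate the account if the configured period elapsed since the last login
    if acct.inactive_limit and acct.last_login and now - acct.last_login > acct.inactive_limit:
        acct.activated = False
    if not acct.activated:
        return "refused: account deactivated"
    # Active period of the account
    if acct.active_until and now > acct.active_until:
        return "refused: active period of account expired"
    # Login time: the section of the day in which the account may be used
    start, end = acct.login_hours
    if not start <= now.hour < end:
        return "refused: outside login time"
    if not password_ok:
        # Failures less than LOCK_WINDOW apart accumulate; a longer gap restarts the count
        close = acct.last_failure is not None and now - acct.last_failure < LOCK_WINDOW
        acct.failures = acct.failures + 1 if close else 1
        acct.last_failure = now
        if acct.failures >= LOCK_THRESHOLD:
            acct.locked_until = now + LOCK_TIME   # cannot be unlocked manually
            return "refused: account locked"
        return "refused: wrong password"
    # Active period of the password: three more logins are accepted after it expires
    if acct.password_active_until and now > acct.password_active_until:
        if acct.grace_logins_used >= PASSWORD_GRACE_LOGINS:
            return "refused: password expired"
        acct.grace_logins_used += 1
    acct.failures = 0
    acct.last_login = now
    return "accepted"


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """Automatic logout: a session that exchanged no data for one hour is logged out."""
    return now - last_activity >= AUTO_LOGOUT
```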
Authorization
Authorization is the process wherein the system assigns operation rights to valid accounts that have logged in.
Accounts are managed in groups. Table 3-4 lists the division and definition of the groups. Accounts of the administrator group and higher-level groups are authorized to perform all security management and maintenance operations. The system super administrator-level account has the highest rights and is available only for fault location. The operations that an account can perform depend on the rights granted to the user when the account is created. If an account is used to attempt any unauthorized operation, an error message is displayed and the attempt is logged.
Group | Rights
System monitoring | This group represents the lowest rights. The accounts of this group are authorized to issue query commands and modify their own attributes.
System operation | The accounts of this group are authorized to query the system information and perform some configuration operations.
System maintenance | The accounts of this group are authorized to perform all maintenance operations.
System administration | The accounts of this group are authorized to perform all query and configuration operations.
Super administration | The accounts of this group are authorized to perform all operations.
Log Management
Logs record routine maintenance events of the equipment. Users can find security loopholes
and risks by checking logs. Considering security categories, the system provides security logs
and operation logs. Security logs record operation events related to account management.
Operation logs record all events related to system configurations.
Operation log
The operation log tracks the non-query operations performed by each account, including the account name, address of the client, time, operation, and results.
Operation | Description
Querying the operation log | Only authorized accounts of administrator and higher-level groups can upload and query the operation log.
Checking the integrity of the operation log | The system checks the integrity of the operation log and allows no manual changes.
Recovering the operation log | The operation log can be recovered even after a power-cycle of the system.
Overwriting the operation log | The operation log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.
Security log
The security log tracks security-related configuration operations (including user management
and security settings) and the attempts of unauthorized operations. The security log provides
the information about the account name, address of the client, time, and operation.
Operation | Description
Querying the security log | Only authorized accounts of administrator and higher-level groups can upload and query the security log.
Checking the integrity of the security log | The system checks the integrity of the security log and allows no manual changes.
Recovering the security log | The security log can be recovered even after a power-cycle of the system.
Overwriting the security log | The security log keeps records in time sequence. After the memory is exhausted, the earliest records of the security log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.
guarantee, and service separation. Section 4.3 "Network Services" describes these
mechanisms.
4 Network Security
[Figure: network security protection: NMS, external DCN, SSL, firewall, ACL, transport network (internal DCN)]
4.1.1 Threats
According to the network topology, a data communication network (DCN) consists of an external DCN and an internal DCN. The external DCN is the network from the NMS to the gateway equipment; it is generally an IP network built or leased by the customer, or the Internet. The internal DCN is the network consisting of the gateway and non-gateway transmission equipment. The IP protocol has been widely developed and applied because it is simple and open, but an IP network has poor security and can be easily attacked. The security threats that the external DCN brings to internal equipment are invalid access, network attacks, and theft and modification of private data. To counter such threats, the OptiX RTN 950 provides the following preventive measures:
Access control
TCP/IP attack prevention
Encryption channel for access
Secure communication protocols
Security Access
Security access is the process wherein the OptiX RTN 950 uses secure communication channels or secure communication protocols for access to prevent security risks. The NMS can use SSL channels and SNMP to access the equipment. The following sections describe the two access methods in turn.
The NMS accesses the equipment through SSL channels.
The NMS uses Ethernet ports or Operation, Administration, and Maintenance (OAM) ports to access the equipment. OAM ports provide local access. Ethernet ports provide remote access over the external DCN. Communication between the NMS and the GNE uses standard TCP/IP protocols. When the NMS uses the external DCN to access the equipment, configuration data and account information of the NMS are transmitted over the external DCN. The communication channels for access use the SSL3.0 and TLS1.0 protocols to encrypt data to ensure secure transmission.
[Figure: SSL access of the NMS: NMS, external DCN, SSL, firewall, GNE, transport network (internal DCN)]
Certificates are needed for establishing SSL and TLS encryption channels. The certificates are managed and issued by carriers. The OptiX RTN 950 loads and activates SSL certificates. The delivered equipment has a default SSL certificate. It is recommended that the customer replace the default SSL certificate with its own SSL certificate. The equipment complies with RFC 2246 and supports the encryption algorithms specified in the standard, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5.
The SSL certificates stored on NEs are encrypted using AES-128. If SSL certificates are not encrypted, the SSL_CERT_NOENC alarm is reported.
The following describes the working principles of SSL.
The SSL protocol provides enhanced encryption and decryption algorithms to ensure all security features except serviceability for communication. In addition, the algorithms cannot be cracked in a short time. The SSL layer establishes an encryption channel on top of TCP to encrypt the data that passes through the SSL layer. The SSL protocol consists of the Handshake protocol and the Record protocol. The Handshake protocol is used for cipher key negotiation; most of the protocol describes how to securely negotiate a cipher key between the two communicating parties. The Record protocol defines the data transmission format.
Transport Layer Security (TLS) is a security protocol similar to the SSL protocol. TLS1.0 is based on SSL3.0 and supports SSL3.0. Figure 4-3 shows the negotiation of the SSL protocol key.
1. ClientHello (client to server)
2. ServerHello (server to client)
3. Certificate (server to client)
4. CertificateRequest (server to client)
5. ServerHelloDone (server to client)
6. Certificate (client to server)
7. ClientKeyExchange (client to server)
8. CertificateVerify (client to server)
9. ChangeCipherSpec (client to server)
10. Finished (client to server)
11. ChangeCipherSpec (server to client)
12. Finished (server to client)
SNMPv3 access
SNMP is a standard protocol for network management. The OptiX RTN 950 uses SNMP to provide queries of alarms and performance and the TRAP function, but does not provide the configuration function. The equipment supports the SNMPv3 protocol. The MD5 and SHA algorithms are used for authentication and the DES algorithm is used for data transmission. The SNMP default accounts of the system are szhwSHA and szhwMD5. Their passwords are Nesoft@!. SNMPv3 complies with RFC 2572, RFC 2574, and RFC 2575. Figure 4-4 shows the application of the SNMP protocol.
[Figure 4-4: application of SNMP: SNMP managers on the LAN, external DCN, firewall, GNE, and NEs running SNMP agents in the transport network (internal DCN)]
[Figure: SSH access: sftp client on the LAN, external DCN, SSH, firewall, GNE, and NEs with sftp clients in the transport network (internal DCN)]
[Figure: SSH protocol layers, transmission layer to transmission layer over a TCP connection]
SSH protocols adopt a client/server architecture and consist of three layers: the transmission layer, the authentication layer, and the connection layer.
Transmission protocols
Transmission protocols are used to establish a secure encryption channel between the SSH client and the SSH server. In this manner, the confidentiality of data that requires high security in transmission, such as authentication and data exchange, is protected.
The transmission layer provides origin authentication and integrity checking, and enables a client to authenticate a server.
The transmission protocols run on top of the TCP/IP connection. The well-known port number used by the SSH server is 22.
Authentication protocols
Authentication protocols run on top of transmission protocols and process authentication requests.
Connection protocols
Connection protocols divide an encryption channel into multiple logical channels for different applications. Connection protocols run on top of authentication protocols and provide services such as sessions and execution of remote commands.
Negotiation of SSH is described as follows:
1. Connection establishment
Port number 22 is listened on to establish TCP connections to SSH clients.
2. Version negotiation
The version of the SSH protocol is negotiated on TCP connections. The OptiX RTN 950
supports SSHv2.
3. Algorithm negotiation
An SSH client and an SSH server support different encryption algorithm collections, so they
need to negotiate encryption algorithms when the SSH protocol is running. The algorithms
that need to be negotiated are as follows:
Key exchange algorithms: are used for generating session keys.
Encryption algorithms: are used for encrypting data.
Host public key algorithms: are used for signing and authentication.
Synchronize: Users are authorized to use the local clock as the synchronization source
for other hosts.
Server: is a combination of the rights above.
Peer: Users have full control rights to query, being synchronized, and synchronize other
hosts.
NTP uses MD5 to check whether clients and servers are valid. If a client and a server adopt authentication, the keys configured on both parties must be the same and be reliable. Table 4-4 shows the authentication relationship.
NTP complies with RFC 1305. Figure 4-7 shows the working principles of NTP time synchronization.
[Figure 4-7: principles of NTP time synchronization: the client sends a packet at 10:00:00am, the server receives it at 10:00:01am and sends its reply at 10:00:02am, and the client receives the reply at 10:00:03am]
1. An NTP client sends an NTP message to an NTP server. The NTP message carries a
timestamp recording the current time of its leaving the client. The timestamp is recorded
as T1 = 10:00:00am.
2. The current time of the NTP message arriving at the NTP server is recorded as a
timestamp. This timestamp is added to the NTP message as T2 = 10:00:01am.
3. The current time of the NTP message leaving the NTP server is recorded as another
timestamp. This timestamp is also added to the NTP message as T3 = 10:00:02am.
4. The current time of the NTP client receiving the response is recorded as a new
timestamp. The timestamp is recorded as T4 = 10:00:03am.
So far, the NTP client is able to calculate the time difference between NTP equipment.
ΔT = ((T2 + T3) - (T1 + T4))/2
The NTP client sets its clock based on the time difference to achieve clock synchronization to
the NTP server.
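The offset calculation of Figure 4-7 carried out in Python, added here as a worked example (not from the white paper), for the page's own four timestamps and for a constructed case in which the client clock runs 5 s behind the server. The round-trip delay formula is the RFC 1305 companion quantity and is not stated on the page; the timestamp format and the helper names are assumptions.

```python
from datetime import datetime, timedelta


def parse_clock(text: str) -> datetime:
    """Parse the "10:00:00am" timestamps used in Figure 4-7 (the date part is irrelevant here)."""
    return datetime.strptime(text.strip().upper(), "%I:%M:%S%p")


def ntp_offset(t1: datetime, t2: datetime, t3: datetime, t4: datetime) -> timedelta:
    """Page formula dT = ((T2 + T3) - (T1 + T4)) / 2, rearranged as ((T2 - T1) + (T3 - T4)) / 2
    so it can be evaluated on datetime values. A positive result means the client clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2


def ntp_delay(t1: datetime, t2: datetime, t3: datetime, t4: datetime) -> timedelta:
    """Round-trip delay (T4 - T1) - (T3 - T2) from RFC 1305; not stated on the page, added because
    the offset formula is only exact when this delay is split evenly between the two legs."""
    return (t4 - t1) - (t3 - t2)


def synchronize(client_clock: datetime, t1, t2, t3, t4) -> datetime:
    """Step the client clock by the computed offset, as the page says the NTP client does."""
    return client_clock + ntp_offset(t1, t2, t3, t4)


def exchange(*stamps: str) -> dict:
    """Evaluate one request/response exchange given its four timestamps as strings."""
    t1, t2, t3, t4 = map(parse_clock, stamps)
    return {
        "offset_s": ntp_offset(t1, t2, t3, t4).total_seconds(),
        "delay_s": ntp_delay(t1, t2, t3, t4).total_seconds(),
        # T4 is the client's reading when the reply arrived; correcting it gives the server's time then
        "client_after_sync": synchronize(t4, t1, t2, t3, t4).strftime("%I:%M:%S%p").lower(),
    }


# Case 1: the page's own timestamps (clocks already aligned, 1 s of delay each way)
FIGURE_4_7 = ("10:00:00am", "10:00:01am", "10:00:02am", "10:00:03am")
# Case 2 (constructed): same network delay, but the client clock runs 5 s behind the server,
# so the server's stamps T2 and T3 read 5 s later than the client's T1 and T4 would suggest
CLIENT_SLOW = ("10:00:00am", "10:00:06am", "10:00:07am", "10:00:03am")

if __name__ == "__main__":
    for name, stamps in (("figure 4-7", FIGURE_4_7), ("client 5 s slow", CLIENT_SLOW)):
        print(name, exchange(*stamps))
```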
Flow Control
The rate for reporting protocol packets to the CPU is limited to prevent the equipment from
being attacked by a large number of protocol packets. The following methods are available:
Protocol software rate limiting: The maximum number of packets that can be processed
in each second for each protocol is defined. When the number of received packets
exceeds this number, the excess packets are discarded. The maximum number is
specified by each data board.
CPU queue rate limiting: The packets to be reported to the CPU are listed in the CPU
queue of the chip. When the number of packets exceeds the queue length, the chip
automatically discards the excess packets.
Robust Measures
Countermeasures under abnormal conditions are as follows:
According to ITU-T G.8032, R-APS packets are transmitted within an Ethernet ring and R-APS packets at ports not on the ring are not extracted or processed, so the robustness of ring network protocols is improved.
Flow Control
The bandwidth of the equipment may bear load abnormally when there are a large number of
broadcast packets, multicast packets, or unicast packets with unknown destination addresses,
and a network may be congested when flow bursts occur. Flow control can prevent such
scenarios and ensure secure and stable operation of the network.
Suppressing broadcast flow
− Broadcast storm suppression: The broadcast flow is limited and the flow that exceeds
the limit is discarded.
− Broadcast storm suppression enabled based on port: After broadcast storm
suppression is enabled at a port, the broadcast flow at the port is discarded when the
broadcast flow exceeds the broadcast flow suppression threshold. The default
threshold is 30%.
− Setting of broadcast flow suppression threshold: The threshold specifies the broadcast
flow that a port allows. When the actual broadcast flow exceeds the threshold, the
excess broadcast flow is discarded to ensure that the proportion of the broadcast flow
is within a proper range. This prevents a broadcast storm and network congestion so
the network services can run normally.
Discarding unknown unicast packets
Unknown unicast packets can be discarded or forwarded.
Discarding unknown multicast packets
Unknown multicast packets can be discarded or forwarded.
Monitoring port flow
The flow at a port is monitored. When packets are received at a rate faster than the specified threshold, a flow threshold-crossing alarm is reported, prompting the user to take preventive measures.
Limiting service flow using QoS
The QoS function of the equipment can be implemented in the DiffServ mode. A network is
divided into several DiffServ domains (DS domains for short). A DS edge node classifies the
flow entering a DS domain and identifies the flow of different service types with different
PHBs. The PHB information is forwarded to all nodes in the DS domain. Then the nodes in
the DS domain perform flow control on the services based on the PHBs. The flow control
measures include CAR, flow shaping, and queue scheduling.
Loop Prevention
If a loop is generated on a Layer 2 switching network, packets will be duplicated and cycled
in the loop, and therefore a broadcast storm occurs. In this case, all available bandwidth
resources will be occupied by the broadcast storm and the network will be unavailable. The
OptiX RTN 950 provides the following methods to prevent loops from being formed on
networks.
Detection of self-loops at service ports
The equipment can detect whether a service port is self-looped by transmitting and receiving
protocol packets.
Blocking of self-looped ports
After self-loop detection and blocking of self-looped ports are enabled, a port is blocked to
prevent a broadcast storm when the port is self-looped.
Detection of Ethernet loopbacks
By specifying Ethernet service IDs and logical ports, users can detect service loops and set whether to automatically disconnect loops. If a service loop is detected and automatic disconnection is enabled, the Ethernet VLAN service is automatically disconnected. Users receive alarms of service disconnection.
[Figure: scenario of a service loop]
NOTE
This function is only supported by packet service boards.
− Discarding: A data flow is discarded if the data flow does not comply with rules in an
ACL.
− Forwarding: A data flow is forwarded if the data flow complies with rules in an ACL.
NOTE
This function is only supported by packet service boards.
Service Separation
The following logical and physical separation methods are provided to prevent malicious data
theft and reduce the impact of the broadcast flow.
Layer 2 logical separation
Virtual local area network (VLAN) is the basic unit for managing network data equipment. A
VLAN is a logical subnet or a logical broadcast domain. Users are allocated to different
VLANs so that they cannot communicate with each other at Layer 2. In this manner, logical
separation is achieved for Layer 2 services. In addition, after VLANs are divided, the
broadcast flow is limited in each broadcast domain, which limits the broadcast range.
The OptiX RTN 950 supports identification and forwarding of VLAN tags, and switching of VLAN tags. Figure 4-10 shows an example of VLAN services.
Users who create an Ethernet private network can separate services by configuring the "Hub/Spoke" attribute of logical ports. Services between Spoke ports are separated, so Spoke ports cannot communicate with each other.
NOTE
The "Hub/Spoke" feature is only supported by EOS boards.
Split horizon
A group of physical or logical ports that cannot communicate with each other on the local
equipment are configured to prevent service loops and separate services for different users. In
this manner, service security is ensured.
The OptiX RTN 950 supports creation of split horizon groups for L2VPN services, and
supports adding and deleting of group members.
NOTE
This function is only supported by packet service boards.
Physical path separation
Services for different users are carried on different physical paths. In this manner, services do
not share physical paths or communicate with each other at the physical layer, and therefore
service security is ensured.
A Appendix