
Page 1: RTN 310 Security White Paper 01

7/30/2019 RTN 310 Security White Paper 01

http://slidepdf.com/reader/full/rtn-310-security-white-paper-01 1/37

OptiX RTN 310 Radio Transmission System

Security White Paper

Issue 01

Date 2012-07-20

HUAWEI TECHNOLOGIES CO., LTD.


Issue 01 (2012-07-20) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]


OptiX RTN 310 Radio Transmission System Security White Paper: Contents


Contents

1 Product Introduction and Network Applications ................................................................... 1

1.1 Product Introduction..........................................................................................................................................................1

1.2 Network Applications........................................................................................................................................................2

2 Security Architecture .................................................................................................................... 4

2.1 Overview of Hardware Security ......................................................................................................................4

2.2 Overview of Software Security .......................................................................................................................................5

3 System Security ............................................................................................................................. 9

3.1 Management Plane ............................................................................................................................................................9

3.1.1 Threats .......................................................................................................................................................................9

3.1.2 Preventive Measures ...............................................................................................................................................9

3.2 Data Plane .........................................................................................................................................................................16

4 Network Security ........................................................................................................................ 17

4.1 Network Security Management .....................................................................................................................17

4.1.1 Threats .....................................................................................................................................................17

4.1.2 Preventive Measures .............................................................................................................................................18

4.2 Protocols and Control......................................................................................................................................................23

4.2.1 Threats .....................................................................................................................................................................23

4.2.2 SFTP Clients...........................................................................................................................................................23

4.2.3 OSPF Protocol........................................................................................................................................................25

4.2.4 NTP Protocol ..........................................................................................................................................................25

4.2.5 Layer 2 Protocols ...................................................................................................................................................27

4.3 Network Services .............................................................................................................................................................28

4.3.1 Threats .....................................................................................................................................................................28

4.3.2 Ethernet Services ....................................................................................................................................29

A Appendix ..................................................................................................................................... 32


1 Product Introduction and Network Applications

1.1 Product Introduction

The OptiX RTN 310 is a new-generation full-outdoor radio transmission system developed by Huawei. It provides a seamless radio transmission solution for a mobile communication network or private network. Table 1-1 lists the basic features of the OptiX RTN 310.

Table 1-1 Basic features of the OptiX RTN 310

Item: Performance

Chassis dimensions (H x W x D): 290 mm x 265 mm x 98 mm

Number of microwave directions: 1

Service port: 2 GE service ports

RF configuration mode: 1+0 non-protection configuration; 2+0 non-protection configuration; cross polarization interference cancellation (XPIC) configuration; multi-direction configuration

NOTE: XPIC and 2+0 non-protection configurations require two OptiX RTN 310s in concatenation. In the multi-direction configuration, the OptiX RTN 310 can be concatenated with other OptiX RTN 310s or OptiX RTN 900s to increase the number of microwave directions.


Power supply: Power over Ethernet (PoE); DC power supply

NOTE: PoE supports a maximum distance of 100 meters. The DC power supply supports a maximum distance of 300 meters.

Figure 1-1 OptiX RTN 310

1.2 Network Applications

The OptiX RTN 310 is a highly integrated full-outdoor microwave product. In contrast to split microwave equipment, the OptiX RTN 310 integrates all its functions into an outdoor chassis and supports zero-footprint installation. Therefore, it provides carriers with a low-cost solution for building and operating networks.

The OptiX RTN 310 can work with other OptiX RTN 310s or OptiX RTN 900s. The latter option provides more functions and makes full use of existing microwave equipment. Figure 1-2 and Figure 1-3 describe the radio transmission solutions provided by the OptiX RTN 310.

Figure 1-2 Radio transmission solution provided by only the OptiX RTN 310


Figure 1-3 Radio transmission solution provided by the OptiX RTN 310 and the OptiX RTN 900


2 Security Architecture

2.1 Overview of Hardware Security

Figure 2-1 shows the system block diagram of the OptiX RTN 310. The system adopts a high-reliability hardware design to ensure that the system runs properly under security threats.

Figure 2-1 System block diagram

The following hardware preventive measures are provided:

Microwave interfaces: FEC encoding is adopted and an adaptive time-domain equalizer is used for baseband signals. This enables the microwave interfaces to tolerate strong interference. Therefore, an interceptor cannot restore the contents of a data frame without obtaining the coding details and service configurations.


Modular design: Control units are separated from service units, and service units are separated from each other. In this manner, a fault on any unit can be properly isolated, minimizing the impact of the fault on other units in the system.

CPU flow control: Data flow sent to the CPU for processing is classified and controlled to prevent the CPU from being attacked by a large number of packets. This ensures that the CPU operates properly under attacks.

USB port control: The USB port is disabled when it is not in use, to avoid invalid access.

2.2 Overview of Software Security

Being positioned at the transport layer of a communications network, the OptiX RTN 310 provides high-capacity and high-reliability transparent transmission tunnels, and is almost invisible to end users. Therefore, the transmission tunnels are not easily exposed to external attacks. To better address security requirements, the following part describes the services provided by the OptiX RTN 310, on which the security design is based.

The OptiX RTN 310 processes two categories of data: O&M data and service data. These data are transmitted over independent paths and do not affect each other. Therefore, services on the OptiX RTN 310 are processed on two planes:

Management plane

Data plane

The management plane provides access to the required equipment and management functions, such as managing accounts and passwords, communication protocols, and alarm reporting. The management plane adopts the security architecture shown in Figure 2-2.

Figure 2-2 Security architecture on the management plane (layers, bottom to top: hardware platform; VxWorks OS; TCP/IP protocol stack; security management, comprising account and password management, security log, operation log, SSL 3.0/TLS 1.0, OSPFv2, ACL, NTPv3, TCP/IP attack prevention, RADIUS, SNMPv3, Syslog, and FTP/SFTP)


Security features on the management plane implement secure access, integrated security management, and all-round security audits. The Secure Sockets Layer (SSL) feature provides secure access to the required equipment. The Remote Authentication Dial-In User Service (RADIUS) feature implements centralized security authentication for the equipment on the entire network. The Syslog feature implements offline storage of more security-related logs for audits.

The data plane processes the service data flow entering the equipment and forwards service packets according to the forwarding table. Security features on the data plane ensure the confidentiality and integrity of user data by preventing malicious theft, modification, and removal of user service packets. They ensure stable and reliable operation of the forwarding plane by protecting forwarding entries against malicious attacks and falsification. The data plane provides:

User service separation methods

Access control methods

Methods for controlling and managing the ingress and egress bandwidth of the equipment to ensure reliable operation, such as flow control and QoS

The data plane adopts the security architecture shown in Figure 2-3.

Figure 2-3 Security architecture on the data plane (layers, bottom to top: hardware platform; product adapter/driver; VxWorks OS; service platform with service components, security components (access control, quality of service, protocol security, flow control), protocol components, and other components; availability)

Figure 2-4 shows principles of data separation on the management plane and data plane.


Figure 2-4 Principles of data separation (upper diagram: a fiber or radio link carrying payload plus D bytes; lower diagram: a fiber or radio link carrying payload plus VLAN-tagged management data)

The equipment supports two modes:

In overhead+payload mode, data on the management plane is transmitted in the D1-D3 D-byte overheads and data on the data plane is transmitted as payload. Data on the two planes is physically separated.

In VLAN+payload mode, data on both planes is transmitted as service data, shares physical bandwidth, and is separated by VLAN technology. Data on the two planes uses different VLAN IDs.

Table 2-1 lists the security functions provided by the OptiX RTN 310.

Table 2-1 Security functions

Plane / Function: Description

Management plane

Account and password management: Manages and stores maintenance accounts.

Local authentication and authorization: Authenticates and authorizes accounts.

RADIUS authentication and authorization: Authenticates and authorizes remote accounts in a centralized manner to reduce maintenance costs.

Security log: Records events related to account management.

Operation log: Records non-query operations.

Syslog management: Provides a standard solution for offline storage of logs.

TCP/IP attack defense: Provides defense against TCP/IP attacks, such as IP error packets, Internet Control Message Protocol (ICMP) ping attacks and Jolt attacks, and DoS attacks.

Access control list: Provides access control lists based on IP addresses and port IDs.

SSL/TLS encrypted communication: Uses the SSL 3.0 and TLS 1.0 protocols to establish an encrypted channel based on a security certificate.

Secure File Transfer Protocol (SFTP): Provides SFTP services.

Open Shortest Path First (OSPF): Uses the OSPFv2 protocol for standard MD5 authentication.

Network Time Protocol (NTP): Uses the NTPv3 protocol for MD5 authentication and permission control.

Simple Network Management Protocol (SNMP): Uses the SNMPv3 protocol for authentication and data encryption.

Data plane

Flow control: Controls traffic at ports. Broadcast packets are suppressed. Unknown unicast packets and multicast packets are discarded. QoS is used to limit the service traffic.

Discarding of incorrect packets: Discards incorrect packets, such as an Ethernet packet shorter than 64 bytes.

Loop prevention: Detects self-loops at service ports and blocks self-looped ports.

Access control of Layer 2 services: Filters static MAC addresses in the static MAC address table, provides a blacklist, enables and disables the MAC address learning function, and filters packets based on traffic classification.

Service separation: Includes Layer 2 logical separation, split horizon, and physical path separation.


3 System Security

3.1 Management Plane

3.1.1 Threats

The management plane of the OptiX RTN 310 supports O&M functionality. This functionality allows you to activate and maintain services, monitor network problems, and identify security risks. Threats to the management plane are leakage of accounts and passwords and invalid access. An unauthorized user who obtains accounts and passwords to log in can configure the system or modify services. In serious cases, service interruption or termination may occur.

The OptiX RTN 310 adopts the following measures to protect the management plane against the preceding threats:

Strict account management and permission control

Effective log management

Private communication channels (described in chapter 4 "Network Security")

Account management and authorization prevent invalid accounts from accessing the equipment. Security logs and operation logs record security and configuration events of the system, so users can check the logs at any time to prevent security risks. Private communication channels prevent accounts and passwords from leaking out. The following sections describe these security measures in detail.

3.1.2 Preventive Measures

Figure 3-1 shows the security management system provided by the OptiX RTN 310.


Figure 3-1 Security management system provided by the OptiX RTN 310 (security management is split into account management and log management. Account management covers account and password management (account complexity, password complexity, valid period of password, password encryption policy, RADIUS account management, user group management), authorization (RADIUS authorization, state of account, valid period of account, period of login, disable unused account) and authentication (lock policy and security alarm, RADIUS authentication). Log management covers the operation log and security log (log integrity, log record, log overflow event, log upload) and Syslog (Syslog record, submit Syslog to Syslog server).)

Accounts and Passwords

Accounts of the OptiX RTN 310 are divided into five levels: system monitoring, system operation, system maintenance, system administrator, and super administrator. Accounts at the system monitoring level represent the lowest rights and are authorized to issue query commands of the smallest function collection. Accounts at the super administrator level represent the highest rights and are authorized to perform all operations of the system. Accounts at the system administrator level are authorized to manage accounts, that is, to create, delete, modify, and query accounts. To create an account, an administrator must set a user name, a password, a user level, and an active period. When a user first uses a new account to log in, the system prompts the user to change the initial password.

The system supports default accounts. After the system starts up for the first time, a user needs to log in to the system by using a default account. When a user uses a default account and a default password to log in, the system prompts the user to change the password. Table 3-1 and Table 3-2 list the default accounts and passwords of the system.

Table 3-1 Default accounts and passwords in BIOS state

Account: szhw, Password: nesoft

Table 3-2 Default accounts and passwords in host state

Account: szhw, Password: nesoft, Group: Super administrator

Account: root, Password: password, Group: Administrator

Account: lct, Password: password, Group: Administrator

Account: LCD, Password: LCD, Group: Administrator

Table 3-3 Rules for accounts and passwords

Rule: Description

Uniqueness of accounts: All accounts held in the same system are unique.

Complexity of accounts: An account consists of 4 to 16 characters, including letters in lower case and upper case.

Length of passwords: A password consists of 8 to 16 characters. To change a password, a user needs to enter the original password once and the new password twice.

Complexity of passwords: A new password consists of at least three of the following character types: lower case letters, upper case letters, numbers, and special characters. A new password must be different from the previous five passwords. A new password must be different from the account name, either in the normal written format or in the reversely written format. A new password must contain two or more characters different from those of the old password.

Active periods of passwords: After the active period expires, the password can be used for only three logins. The default value is 0, which indicates that the password is valid permanently. A common user has a shortest active period of one day, after which the password can be changed.

Storage of passwords: Passwords are stored as MD5 hashes and cannot be queried.

Management of accounts: Accounts can be created, modified, deleted, and queried.

Query of online users: Users of the administrator group can query other online users.
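The password rules in Table 3-3 are concrete enough to encode. The following checker is an added example written for this page, not Huawei code; it applies the stated rules to a candidate password and returns the names of the rules it violates, so an operator can pre-validate a password before setting it on the NE. Reading "two or more characters different from the old password" as a position-by-position comparison is an assumption.

```python
"""Password-policy checker for the rules in Table 3-3 (added example, not Huawei code)."""

MIN_LEN, MAX_LEN = 8, 16        # password length: 8 to 16 characters
HISTORY_DEPTH = 5               # must differ from the previous five passwords
MIN_CHAR_CLASSES = 3            # at least three of: lower, upper, digit, special
MIN_CHANGED_CHARS = 2           # at least two characters different from the old password


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def changed_chars(old, new):
    """Count positions at which new differs from old.

    Assumed reading of the 'two or more characters different' rule:
    compare position by position and count any extra length as changed.
    """
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + abs(len(old) - len(new))


def check_new_password(account, new_password, history=()):
    """Return the names of the Table 3-3 rules the candidate violates.

    history: previous passwords of the account, oldest first; the last
    entry is the password currently in force. An empty result means acceptable.
    """
    violations = []
    if not MIN_LEN <= len(new_password) <= MAX_LEN:
        violations.append("length")
    if len(char_classes(new_password)) < MIN_CHAR_CLASSES:
        violations.append("complexity")
    # must not equal the account name, written forwards or reversed
    if new_password in (account, account[::-1]):
        violations.append("equals_account_name")
    recent = list(history)[-HISTORY_DEPTH:]
    if new_password in recent:
        violations.append("history")
    if recent and changed_chars(recent[-1], new_password) < MIN_CHANGED_CHARS:
        violations.append("old_password_similarity")
    return violations


if __name__ == "__main__":
    # constructed sample values; the last history entry is the current password
    print(check_new_password("root", "Tr4nsp0rt!", ["Xy7#qwer"]))    # []
    print(check_new_password("root", "Tr4nsp0rt?", ["Tr4nsp0rt!"]))  # ['old_password_similarity']
```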

Authentication

Authentication is the process wherein the system checks whether accounts and passwords are valid. Terminals accessing the equipment through physical ports and protocol ports need to pass authentication before they are authorized to operate the equipment.

The equipment supports two authentication modes: local authentication and RADIUS authentication. In local authentication mode, accounts and passwords are saved on the equipment. The equipment uses locally stored accounts to authenticate users in login attempts.

In RADIUS authentication mode, accounts and passwords are saved on the RADIUS server.


The equipment uses the RADIUS protocol to forward accounts and passwords to the RADIUS server. The RADIUS server checks whether the accounts and passwords are valid. In RADIUS authentication mode, accounts and passwords of equipment on the entire network are saved on the RADIUS server. These accounts and passwords can be easily maintained and have high security.

Local authentication

Table 3-4 lists the check items involved in local authentication.

Table 3-4 Check items involved in local authentication

Item: Description / Handling

Activation status of accounts: If an account is activated, the login request is accepted; if an account is deactivated, the login request is refused. Handling: A user logged in with an administrator account can change the activation status of other accounts.

Active periods of accounts: An account can be used for logins within a specific period, namely, the active period. If the active period of an account expires, the login request is refused. Handling: A user logged in with an administrator account can change the active periods of other accounts.

Active periods of passwords: The password of an account can be used for logins within a specific period, namely, the active period. After the active period of the password expires, the first three login requests are accepted but later ones are refused. Handling: A user logged in with an administrator account can change the active periods of the passwords of other accounts.

Login time of accounts: An account can be used for logins within a specific section of a day, namely, the login time. If an account is used beyond its login time, the login request is refused. Handling: A user logged in with an administrator account can change the login time of other accounts.

Inactive time of accounts: An account is deactivated if a specific period elapses from the last login. This period is called the inactive time of accounts. If an account is deactivated, the login request is refused. Handling: A user logged in with an administrator account can change the inactive time and enabled/disabled status of other accounts.

Locked accounts: If an account is locked, the login request is refused until the locking time expires. Handling: After five login attempts using one account fail and the interval between two attempts is shorter than three minutes, the account is locked and cannot be unlocked manually. An alarm is reported at every login attempt from the sixth one onward.

Automatic logout of accounts: If an account does not exchange data with the equipment for a specified time, the account is automatically logged out. The account must then be authorized again before logging in to the equipment. Handling: The specified time for triggering automatic logouts is one hour and cannot be changed by users.
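Table 3-4 describes the lockout and password-expiry handling in prose; the following added example (written for this page, not Huawei code) models those checks as a small state machine over login attempts, including the alarm raised on every attempt from the sixth one. The lock duration is an assumption, since the page only says the lock lasts until the locking time expires, and the plain password comparison stands in for the NE's real credential check.

```python
"""Login-attempt evaluator for the lockout and password-expiry rules of Table 3-4.

Added example, not Huawei code. Passwords are compared in the clear only to keep
the illustration self-contained; a real NE checks against a stored hash.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILURES = 5                        # five failed attempts ...
BURST_WINDOW = timedelta(minutes=3)     # ... each less than three minutes apart
LOCK_DURATION = timedelta(minutes=15)   # assumption: the page does not give the lock time
EXPIRED_PW_GRACE_LOGINS = 3             # an expired password is still good for three logins


@dataclass
class Account:
    name: str
    password: str
    active: bool = True
    password_expires: Optional[datetime] = None
    grace_logins_used: int = 0
    failures: List[datetime] = field(default_factory=list)   # current burst of failures
    locked_until: Optional[datetime] = None
    alarms: List[Tuple[datetime, str]] = field(default_factory=list)


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Evaluate one login attempt, update the account state, and return the outcome."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # every attempt from the sixth one onward raises a security alarm
            acct.alarms.append((now, "login attempt on locked account"))
            return "refused:locked"
        acct.locked_until = None            # lock expired; start with a clean slate
        acct.failures.clear()
    if not acct.active:
        return "refused:deactivated"
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        # a failure three or more minutes after the previous one starts a new burst
        if acct.failures and now - acct.failures[-1] >= BURST_WINDOW:
            acct.failures.clear()
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCK_DURATION
        return "refused:bad_password"
    acct.failures.clear()                   # a success ends the burst
    if acct.password_expires is not None and now > acct.password_expires:
        if acct.grace_logins_used >= EXPIRED_PW_GRACE_LOGINS:
            return "refused:password_expired"
        acct.grace_logins_used += 1
        return "accepted:change_password"
    return "accepted"


def run_lockout_scenario():
    """Constructed sequence: five rapid failures, two attempts while locked, one after."""
    acct = Account(name="lct", password="Tr4nsp0rt!")
    t0 = datetime(2012, 7, 20, 9, 0, 0)
    outcomes = [attempt_login(acct, "wrong", t0 + timedelta(seconds=30 * i)) for i in range(5)]
    outcomes.append(attempt_login(acct, "Tr4nsp0rt!", t0 + timedelta(minutes=3)))   # still locked
    outcomes.append(attempt_login(acct, "wrong", t0 + timedelta(minutes=4)))        # still locked
    outcomes.append(attempt_login(acct, "Tr4nsp0rt!", t0 + timedelta(minutes=18)))  # lock expired
    return outcomes, len(acct.alarms)


if __name__ == "__main__":
    print(run_lockout_scenario())
```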

RADIUS authentication

In RADIUS authentication mode, accounts and passwords are managed by the RADIUS server and only the accounts that pass the authentication can be used to log in to the equipment. The RADIUS authentication mode takes precedence over the local authentication mode. If the RADIUS server is unreachable, the local authentication mode is automatically used. Successful local authentication also requires valid accounts and passwords. When the consecutive authentication failures reach a specified value, a security alarm is reported. In addition, the RADIUS protocol supported by the system complies with RFC 2856 and RFC 2866. Figure 3-2 and Figure 3-3 show the principle and process of RADIUS authentication.

Figure 3-2 Networking of RADIUS authentication (U2000 server and U2000 clients; master and slave RADIUS servers; devices acting as NAS)

Figure 3-3 Process of RADIUS authentication (between U2000 server, NAS and RADIUS server): 1 Login (username + password); 2 RADIUS request; 3 RADIUS response; 4 Login success/failure

Reliability is critical to a RADIUS server because accounts of equipment on the entire network are managed and authenticated by the RADIUS server. The OptiX RTN 310 supports master and slave RADIUS servers to ensure reliability of the external server.


Table 3-5 RADIUS functions

Function: Description

RADIUS authentication, authorization, and accounting: After the RADIUS function is enabled, accounts attempting to log in to an NE are forwarded to the RADIUS server. The RADIUS server determines whether these accounts can log in to the NE.

RADIUS authentication policy: The system prefers RADIUS authentication to local authentication.

Authorization

Authorization is the process wherein the system assigns operation rights to valid accounts that have logged in.

Accounts are managed in groups. Table 3-6 lists the groups of accounts. Accounts of the administrator and higher-level groups are authorized to perform all security management and maintenance operations. Super administrator users have the highest rights and are used only for fault location. The operations that an account can perform depend on the rights granted when the account is created. If an account is used to attempt any unauthorized operation, an error message is displayed and the attempt is logged.

Table 3-6 Groups of accounts

Group: Rights

System monitoring: This group represents the lowest rights. The accounts of this group are authorized to issue query commands and modify their own attributes.

System operation: The accounts of this group are authorized to query the system information and perform some configuration operations.

System maintenance: The accounts of this group are authorized to perform all maintenance operations.

System administration: The accounts of this group are authorized to perform all query and configuration operations.

Super administrator: The accounts of this group are authorized to perform all operations.

Log Management

Logs record routine maintenance events of the equipment. Users can find security loopholes and risks by checking logs. By security category, the system provides security logs and operation logs. Security logs record operation events related to account management. Operation logs record all events related to system configuration. The OptiX RTN 310 provides a Syslog solution to address the limited storage space of the equipment: logs are transmitted to and stored on external Syslog servers. Currently, only security logs are saved on the Syslog server.


Operation log

The operation log tracks the non-query operations performed by each account, including the account name, address of the client, time, operation, and results.

Table 3-7 Operation log

Operation | Description

Querying the operation log | Only authorized accounts of administrator and higher-level groups can upload and query the operation log.

Checking the integrity of the operation log | The system checks the integrity of the operation log and allows no manual changes.

Recovering the operation log | The operation log can be recovered even after a power-cycle of the system.

Overwriting the operation log | The operation log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.

Security log

The security log tracks security-related configuration operations (including user management and security settings) and the attempts of unauthorized operations. The security log provides information about the account name, address of the client, time, and operation.

Table 3-8 Security log

Operation | Description

Querying the security log | Only authorized accounts of administrator and higher-level groups can upload and query the security log.

Checking the integrity of the security log | The system checks the integrity of the security log and allows no manual changes.

Recovering the security log | The security log can be recovered even after a power-cycle of the system.

Overwriting the security log | The security log keeps records in time sequence. After the memory is exhausted, the earliest records of the operation log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.

SYSLOG

The Syslog function of the equipment allows all security logs to be uploaded to the Syslog server. Security logs of non-query operations, unauthorized operations, and Syslog configuration operations are saved on the Syslog server. The Syslog function uses the UDP and TCP protocols, compliant with the RFC 3164 and RFC 3195 standards. Figure 3-4 shows the working principle of the Syslog protocol.

Figure 3-4 Application of the Syslog function

[Figure: U2000 server, U2000 clients, NE1 to NE4, Syslog server1 and Syslog server2]

The Syslog function of the equipment needs to be configured by the NMS. When the address information is set on the equipment, the Syslog service is available.

3.2 Data Plane

The data plane of the OptiX RTN 310 transparently transmits services based on Layer 2 information, such as VLAN tags and MAC addresses. The boards of the equipment do not listen to user services.

The OptiX RTN 310 handles the threats of flow bursts, malicious packets, and data theft through access control, flow control, loop detection and avoidance, protocol security guarantee, and service separation. Section 4.3 "Network Services" describes these mechanisms in detail.


4 Network Security

4.1 Network Security Management

Figure 4-1 shows the implementation mechanism of security management for a network.

Figure 4-1 Implementation of security management

[Figure: NMS, external DCN, firewall, SSL, ACL, transport network (internal DCN)]

4.1.1 Threats

According to the network topology, a data communication network (DCN) consists of an external DCN and an internal DCN. The external DCN refers to the network from the NMS to the gateway equipment. The external DCN is generally an IP network that is built or leased by a customer, or the Internet. The internal DCN refers to the self-organizing network of the equipment. The IP protocol has been widely developed and applied because it is simple and open. However, an IP network has poor security and can be easily attacked. The security threats brought by the external DCN on internal equipment are as follows: invalid access, network attacks, and theft and modification of private data. To counter such threats, the OptiX RTN 310 provides the following preventive measures:

- Access control
- TCP/IP attack prevention
- Encryption channel for access
- Secure communication protocols

4.1.2 Preventive Measures

Access Control

The OptiX RTN 310 provides Access Control Lists (ACLs). Users set IP addresses and communication ports in whitelists and blacklists to limit data from specific IP addresses and to filter data from specific communication ports. The ACL function protects the equipment from network attacks by controlling data of access requests from unauthorized IP addresses and communication ports.

Table 4-1 Classification of ACLs

Item | Value Range | Feature

Basic ACL | 0 – 0xffffffff | Rules are defined based on the source IP address.

Advanced ACL | 0 – 0xffffffff | Rules are defined based on the source IP address of a data packet, destination IP address of a data packet, protocol type of the IP bearer network, and protocol features. The protocol features include source port of the TCP protocol, destination port of the TCP protocol, and ICMP protocol type.

Table 4-2 ACL parameters

Parameter | Value Range | Description

ACL operation type | Permit and deny | Indicates the ACL operation type. The values are as follows: Deny: If a received message does not comply with a rule in an ACL, the message is discarded. Permit: If a received message complies with a rule in an ACL, the message is discarded.

Source IP address | Source IP address | The source IP address and the source wildcard determine the addresses to which an access control rule is applicable.

Source wildcard | 0 – 0xFFFFFFFF | The value 0 represents a bit that must be exactly matched and the value 1 represents a bit that is ignored.

Sink IP address | Sink IP address | The destination IP address and the sink wildcard determine the addresses to which an access control rule is applicable.

Sink wildcard | 0 – 0xFFFFFFFF | The value 0 represents a bit that must be exactly matched and the value 1 represents a bit that is ignored.

Protocol type | TCP, UDP, ICMP, and IP | Set this parameter to UDP or TCP when filtering packets at a UDP or TCP port. Set this parameter to ICMP when filtering packets by ICMP protocol and code type. The value IP indicates that the protocol type is not concerned.

Source port | 0 – 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.

Sink port | 0 – 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP.

ICMP protocol type | ICMP protocol type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.

ICMP code type | ICMP code type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned.
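As an added illustration of the wildcard and "not concerned" semantics of Tables 4-1 and 4-2 (example code written for this page, not the equipment's implementation), the following evaluates a small ACL against constructed packets. The first-match ordering, the default action for unmatched packets, and the sample addresses and ports are assumptions of the example.

```python
"""ACL evaluation following Tables 4-1 and 4-2 (added example, not the
equipment's own code). Assumptions not stated on the page: rules are
evaluated in order and the first match wins; a packet matching no rule
takes the ACL's default action, which this example sets to "deny"."""
from dataclasses import dataclass
import ipaddress

PORT_ANY = 0xFFFFFFFF   # Table 4-2: port value meaning "not concerned"
ICMP_ANY = 255          # Table 4-2: ICMP type/code value meaning "not concerned"
WILD_ANY = 0xFFFFFFFF   # wildcard with every bit ignored, i.e. any address


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, rule_addr: str, wildcard: int) -> bool:
    """Table 4-2 wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    care_mask = ~wildcard & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(rule_addr)) & care_mask == 0


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src_ip: str = "0.0.0.0"
    src_wild: int = WILD_ANY
    dst_ip: str = "0.0.0.0"     # "sink" address in the page's terminology
    dst_wild: int = WILD_ANY
    proto: str = "ip"           # "tcp", "udp", "icmp" or "ip" (protocol not concerned)
    src_port: int = PORT_ANY
    dst_port: int = PORT_ANY
    icmp_type: int = ICMP_ANY
    icmp_code: int = ICMP_ANY


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src_ip, rule.src_ip, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst_ip, rule.dst_ip, rule.dst_wild):
        return False
    if rule.proto == "ip":          # address-only rule, protocol not concerned
        return True
    if rule.proto != pkt.proto:
        return False
    if rule.proto in ("tcp", "udp"):
        # port fields only apply to TCP/UDP rules (Table 4-2)
        if rule.src_port != PORT_ANY and rule.src_port != pkt.src_port:
            return False
        if rule.dst_port != PORT_ANY and rule.dst_port != pkt.dst_port:
            return False
    elif rule.proto == "icmp":
        if rule.icmp_type != ICMP_ANY and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code != ICMP_ANY and rule.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(acl: list, pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default action."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed sample ACL for a gateway NE at 192.0.2.10 (documentation address):
# one blacklisted host, the management subnet 10.1.0.0/16 allowed to reach
# TCP port 161, ICMP echo requests allowed from anywhere, all else denied.
SAMPLE_ACL = [
    Rule("deny", src_ip="10.1.99.99", src_wild=0),
    Rule("permit", src_ip="10.1.0.0", src_wild=0x0000FFFF,
         dst_ip="192.0.2.10", dst_wild=0, proto="tcp", dst_port=161),
    Rule("permit", proto="icmp", icmp_type=8, icmp_code=0),
]

if __name__ == "__main__":
    for p in (Packet("10.1.7.3", "192.0.2.10", "tcp", 40000, 161),
              Packet("10.1.99.99", "192.0.2.10", "tcp", 40000, 161),
              Packet("198.51.100.5", "192.0.2.10", "icmp", icmp_type=8),
              Packet("198.51.100.5", "192.0.2.10", "icmp", icmp_type=3)):
        print(p, "->", evaluate(SAMPLE_ACL, p))
```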

TCP/IP Attack Prevention

Gateway equipment may be under external attack because it is directly connected to an external DCN. The TCP/IP protocol stack needs to protect the equipment from attacks so that the equipment keeps transmitting services normally while under attack. This makes the equipment more secure and reliable.

Table 4-3 lists the attacks that the equipment can currently prevent.

Table 4-3 TCP/IP attacks

Attack | Protocol | Attack Mode | Preventive Measure

Address spoofing attack | ARP | IP address conflict | If the IP address of an external device conflicts with that of the equipment, the equipment sends a gratuitous ARP packet to broadcast the correct MAC address.

Address spoofing attack | IP | IP address configuration conflict | Before making an IP address take effect, the equipment checks whether the IP address has been used. If the IP address has been used, the equipment does not make the IP address take effect.

Message spoofing attack | IP | IP option attack | Prevents attacks that use ICMP, TCP, or UDP messages carrying incorrect IP options.

Message spoofing attack | IP | Defective IP header attack | Prevents attacks that use extremely short IP headers, defective IP headers, special source IP addresses, and IP headers with unknown protocols.

Message spoofing attack | IP | IP fragment attack | Prevents IP fragment attacks such as massive segments, huge offsets, repeated segments, TearDrop, Bonk, SynDrop, NewTear, Nesta, Rose, and Fawx.

Message spoofing attack | TCP | TCP flag bit traversal | Prevents TCP flag bit traversal such as packets without flags, FIN bit without ACK bit, packets with the URG/OOB flag, and SYN and FIN bits set.

Message spoofing attack | ICMP | Defective ICMP packet | Prevents ping attacks and Jolt attacks.

Flood attack | IP | IP non-payload flood attack | Prevents IP packet attacks and generates an alarm indicating an IP address attack without affecting the normal operation of the equipment.

Flood attack | UDP | UDP flood attack | Prevents fraggle attacks and diagnoses port flooding, port 0 flooding, and loop flooding.

Flood attack | ICMP | ICMP flood attack | Prevents ICMP flood attacks, Smurf attacks, ping flood attacks, loop ping flood attacks, time stamp request flood attacks, mask request flood attacks, and router request flood attacks.

DoS attack | TCP | Syn flood attack | Prevents Syn flood attacks without affecting the normal operation of the equipment.

DoS attack | TCP | Land attack | Prevents land attacks without affecting the normal operation of the equipment.
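The following added example (not the equipment's TCP/IP stack) implements detection checks for a few of the attack modes in Table 4-3, over constructed, already-parsed packet fields: TCP flag bit traversal, the land attack, and IP fragments with huge offsets or overlapping/repeated segments. The field names and the sample packets are assumptions of the example.

```python
"""Detection checks for several attack modes in Table 4-3 (TCP flag bit
traversal, land attack, IP fragment huge offsets and overlapping/repeated
segments). Added example for illustration, not the equipment's TCP/IP stack;
packets are constructed dicts of already-parsed header fields."""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_DATAGRAM = 65535      # reassembled IP datagram may not exceed this length


def tcp_flag_traversal(flags: int):
    """Return the illegal flag combination named in Table 4-3, or None if legal."""
    if flags == 0:
        return "packet without flags"
    if flags & SYN and flags & FIN:
        return "SYN and FIN bits set"
    if flags & FIN and not flags & ACK:
        return "FIN bit without ACK bit"
    if flags & URG:
        return "URG/OOB flag"
    return None


def land_attack(pkt: dict) -> bool:
    """Land attack: source and destination address and port are identical."""
    return (pkt["src_ip"] == pkt["dst_ip"]
            and pkt.get("src_port") == pkt.get("dst_port"))


class FragmentTracker:
    """Remembers the byte ranges already seen for each datagram (src, dst, IP id)."""

    def __init__(self):
        self.seen = {}

    def check(self, pkt: dict):
        start = pkt["frag_offset"] * 8          # offset field counts 8-byte units
        end = start + pkt["payload_len"]
        if end > MAX_DATAGRAM:
            return "huge offset"
        key = (pkt["src_ip"], pkt["dst_ip"], pkt["ip_id"])
        for s, e in self.seen.get(key, []):
            if start < e and s < end:           # any overlap, including an exact repeat
                return "overlapping or repeated segment"
        self.seen.setdefault(key, []).append((start, end))
        return None


def inspect(pkt: dict, tracker: FragmentTracker) -> list:
    """Return the list of Table 4-3 findings for one packet (empty if clean)."""
    findings = []
    if land_attack(pkt):
        findings.append("land attack")
    if pkt.get("proto") == "tcp":
        bad = tcp_flag_traversal(pkt.get("flags", 0))
        if bad:
            findings.append("TCP flag bit traversal: " + bad)
    if pkt.get("frag_offset", 0) or pkt.get("more_fragments"):
        bad = tracker.check(pkt)
        if bad:
            findings.append("IP fragment attack: " + bad)
    return findings


if __name__ == "__main__":
    # Constructed packets: a normal SYN, a land packet, and a fragment series
    # whose third piece overlaps the first two (documentation addresses).
    tracker = FragmentTracker()
    samples = [
        {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "proto": "tcp",
         "src_port": 40000, "dst_port": 161, "flags": SYN},
        {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.10", "proto": "tcp",
         "src_port": 161, "dst_port": 161, "flags": SYN},
        {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "proto": "udp",
         "ip_id": 9, "frag_offset": 0, "payload_len": 1000, "more_fragments": True},
        {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "proto": "udp",
         "ip_id": 9, "frag_offset": 100, "payload_len": 500, "more_fragments": True},
    ]
    for p in samples:
        print(inspect(p, tracker))
```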

Security Access

Security access is the process wherein the OptiX RTN 310 uses secure communication channels or secure communication protocols for access to prevent security risks. The NMS can use SSL channels and SNMP to access the equipment. The following parts describe the two access methods in turn.

The NMS accesses the equipment by using SSL channels.

The NMS uses Ethernet ports or Operation, Administration, and Maintenance (OAM) ports to access the equipment. OAM ports provide local access. Ethernet ports provide remote access through the external DCN. Communication between the NMS and the GNE uses standard TCP/IP protocols. When the NMS accesses the equipment over the external DCN, the configuration data and account information of the NMS are transmitted over the external DCN. The communication channels for access use the SSL3.0 and TLS1.0 protocols to encrypt data to ensure secure transmission.

[Figure: NMS access. The NMS reaches the GNE in the transport network (internal DCN) through the external DCN and a firewall over an SSL channel.]

Certificates are needed for establishing SSL and TLS encryption channels. The certificates are managed and issued by carriers. The OptiX RTN 310 loads and activates SSL certificates. The delivered equipment carries a default SSL certificate. It is recommended that the customer replace the default SSL certificate with its own SSL certificate. The equipment complies with the RFC 2246 standard and supports the encryption algorithms specified in the standard, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5.

The following part describes the working principles of SSL.

The SSL protocol provides enhanced encryption and decryption algorithms to ensure all security features except serviceability for communication. In addition, the algorithms cannot be cracked in a short time. The SSL layer establishes an encryption channel based on TCP to encrypt the data that passes through the SSL layer. The SSL protocol consists of the Handshake protocol and the Record protocol. The Handshake protocol is used for cipher key negotiation; most of its contents describe how to securely negotiate a cipher key between the two communicating parties. The Record protocol defines the data transmission format.

Transport Layer Security (TLS) is a security protocol similar to the SSL protocol. TLS1.0 is based on SSL3.0 and supports SSL3.0. Figure 4-3 shows the negotiation of the SSL protocol key.

Figure 4-3 Negotiation of the SSL/TLS key

[Figure: handshake messages exchanged between the NMS (client) and the GNE (server) over the external DCN, in order:
1 ClientHello (NMS to GNE)
2 ServerHello (GNE to NMS)
3 Certificate (GNE to NMS)
4 CertificateRequest (GNE to NMS)
5 ServerHelloDone (GNE to NMS)
6 Certificate (NMS to GNE)
7 ClientKeyExchange (NMS to GNE)
8 CertificateVerify (NMS to GNE)
9 ChangeCipherSpec (NMS to GNE)
10 Finished (NMS to GNE)
11 ChangeCipherSpec (GNE to NMS)
12 Finished (GNE to NMS)]

SNMPv3 access

SNMP is a standard protocol for network management. The OptiX RTN 310 uses SNMP to provide queries of alarms and performance and the TRAP function. The equipment supports the SNMPv3 protocol. The MD5 and SHA algorithms are used for authentication and the DES algorithm is used for data transmission. The SNMP default accounts of the system are szhwSHA and szhwMD5. Their passwords are Nesoft@!. SNMPv3 complies with the RFC 2572, RFC 2574, and RFC 2575 standards. Figure 4-4 shows the application of the SNMP protocol.

Figure 4-4 SNMPv3 access

[Figure: an SNMP manager on the LAN and another SNMP manager behind the external DCN and a firewall; the GNE and the NEs in the transport network (internal DCN) each run an SNMP agent.]


4.2 Protocols and Control

4.2.1 Threats

On an internal DCN, standard protocols on the IP layer are used for communication between equipment. These protocols may be used for interconnection with third-party equipment. In this case, the result calculated by the OptiX RTN 310 may be incorrect when the third-party equipment transmits incorrect information. When interconnected with third-party equipment, the OptiX RTN 310 takes the following preventive measures to ensure communication security:

- Adding protocol authentication and access control
- Adopting secure standard protocols

4.2.2 SFTP Clients

The OptiX RTN 310 provides an SFTP client based on SSH for software upgrades. In this application, the equipment serves as a client and the SFTP server is deployed outside the equipment network and is provided by the carrier. Figure 4-5 shows the application of SFTP clients.

The SFTP authentication policy is determined by the SFTP server. The OptiX RTN 310 supports password authentication and key authentication. Password authentication is the process wherein an SFTP client uses a user name and password to log in to the SFTP server. Key authentication is the process wherein an SFTP client and SFTP server adopt the Rivest-Shamir-Adleman algorithm (RSA) for cryptographic authentication. A user needs to generate an RSA key on the equipment and upload the public key to the SFTP server before cryptographic authentication. The user can set the length of the RSA key from 2048 bits to 4096 bits.

The equipment uses passphrases to protect private keys on an SFTP client for cryptographic authentication. When users generate key pairs, they need to set the passphrases.

The SFTP client of the OptiX RTN 310 is enabled before delivery. Users can disable or enable it using the NMS.

Figure 4-5 Application of SFTP clients

[Figure: the GNE and the NEs in the transport network (internal DCN), each acting as an sftp client, reach the Sftp server on the LAN through the external DCN and a firewall over SSH; the NMS is also shown on the LAN.]


Figure 4-6 shows the principles of SSH.

Figure 4-6 Protocol layers

[Figure: SSH client and SSH server, each with an application layer, a transmission layer and an SSH protocol layer, joined by a TCP connection; the SSH protocol layer consists of the transmission protocol, the authentication protocol and the session protocol.]

SSH protocols adopt a Client/Server architecture and consist of three layers: the transmission layer, authentication layer, and connection layer.

Transmission protocols

Transmission protocols are used to establish a secure encryption channel between the SSH client and SSH server. In this manner, the confidentiality of data that requires high security in transmission, such as authentication and data exchange, is protected.

The transmission layer provides origin authentication and integrity checks, and enables a client to authenticate a server.

The transmission protocols run on top of the TCP/IP connection. The well-known port number used by the SSH server is 22.

Authentication protocols

Authentication protocols run on top of transmission protocols and process authentication requests.

Connection protocols

Connection protocols divide an encryption channel into multiple logical channels for different applications. Connection protocols run on top of authentication protocols and provide services such as sessions and execution of remote commands.

Negotiation of SSH is described as follows:

1. Connection establishment

The SSH server listens on port number 22, and SSH clients establish TCP connections to it.

2. Version negotiation

The version of the SSH protocol is negotiated over the TCP connection. The OptiX RTN 310 supports SSHv2.

3. Algorithm negotiation

An SSH client and an SSH server support different collections of encryption algorithms, so they need to negotiate encryption algorithms when the SSH protocol is running. The algorithms that need to be negotiated are as follows:

- Key exchange algorithms: used for generating session keys.
- Encryption algorithms: used for encrypting data.
- Host public key algorithms: used for signing and authentication.
- MAC algorithms: used for integrity protection.

The SSH client and SSH server send each other the algorithm collection that they respectively support, and the result is the intersection of the algorithms supported by both parties.

4. Key exchange

The key exchange and encryption algorithms selected in step 3 are used to negotiate the keys required for data communication.

5. User authentication

Password authentication and public key authentication are provided.

6. Service requests

The OptiX RTN 310 supports SFTP clients.

4.2.3 OSPF Protocol

The management plane uses the OSPF protocol to dynamically calculate routes on the entire network for network management. The OptiX RTN 310 supports OSPFv2 in compliance with the RFC 2328 standard. Besides the routing function, the equipment supports the following authentication types:

- Null authentication: The OSPF packets are not authenticated. That is, the OSPF protocol does not process authentication on packet reception.
- Simple password authentication: A "clear" 64-bit password is used for authentication. Simple password authentication guards against the equipment inadvertently joining the routing domain. The OptiX RTN 310s in the same OSPF domain must be configured with the same password for authentication.
- Cryptographic authentication: Cryptographic authentication uses MD5 to calculate the digest. Because the password used to calculate the digest is never sent over the network, protection is provided against passive attacks. When employing cryptographic authentication, the OptiX RTN 310s in the same OSPF domain must be configured with the same key for authentication.

The equipment uses null authentication as the default authentication. Users can configure authentication types as required.

4.2.4 NTP Protocol

Network Time Protocol (NTP) is used to synchronize time between NEs. Possible security loopholes in NTP result in time disturbance on the network. To enhance the security of NTP, the NTP protocol provides the authentication function and access control of local services.

The NTP authentication function verifies the validity and integrity of NTP packets. This function protects the equipment from incorrect packets and ensures packet exchanges with valid servers.


Access control of local services enables the system administrator to better control the NTP protocol. This function protects NTP information on the equipment from malicious query and modification. Users have different rights as follows:

- Query: Users are authorized to query local NTP services.
- Synchronize: Users are authorized to use the local clock as the synchronization source for other hosts.
- Server: A combination of the rights above.
- Peer: Users have full control rights to query, be synchronized, and synchronize other hosts.

NTP uses MD5 to check whether clients and servers are valid. If a client and server adopt authentication, the keys configured on both parties must be the same and be reliable. Table 4-4 shows the authentication relationship.

Table 4-4 Authentication relationship

Server | Client | Authentication

Enabled | Enabled | Pass

Enabled | Disabled | Pass

Disabled | Disabled | Pass

Disabled | Enabled | Not pass

NTP complies with the RFC 1305 standard. Figure 4-7 shows the working principles of NTP time synchronization.

Figure 4-7 Principles of NTP time synchronization

[Figure: an NTP client and an NTP server exchange an NTP message; the message collects the send packet time 10:00:00am at the client, the receive packet time 10:00:01am at the server, the send packet time 10:00:02am at the server, and the receive packet time 10:00:03am at the client.]

1. An NTP client sends an NTP message to an NTP server. The NTP message carries a timestamp recording the current time of its leaving the client. The timestamp is recorded as T1 = 10:00:00am.

2. The current time of the NTP message arriving at the NTP server is recorded as a timestamp. This timestamp is added to the NTP message as T2 = 10:00:01am.

3. The current time of the NTP message leaving the NTP server is recorded as another timestamp. This timestamp is also added to the NTP message as T3 = 10:00:02am.

4. The current time of the NTP client receiving the response is recorded as a new timestamp. The timestamp is recorded as T4 = 10:00:03am.

So far, the NTP client is able to calculate the time difference between the NTP equipment.


ΔT = ((T2 + T3) - (T1 + T4)) / 2

The NTP client sets its clock based on the time difference to achieve clock synchronization to the NTP server.
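Added example, not the equipment's implementation: it combines the shared-key authentication check of Section 4.2.4 (both parties hold the same key; the client-side behaviour of Table 4-4) with the offset formula above, applied to the figure's T1 to T4 values. The key-identifier plus MD5 authenticator layout follows RFC 1305; the shared secret, key identifier and stratum are constructed, and timestamps are seconds relative to an arbitrary epoch so that 10:00:00am is t = 0.

```python
"""NTP reply authentication with a shared key and the T1..T4 offset calculation
of Section 4.2.4. Added example, not the equipment's implementation. The
authenticator (32-bit key identifier followed by the MD5 digest of the key
concatenated with the 48-byte header) follows RFC 1305; timestamps are
seconds relative to an arbitrary epoch, so the page's 10:00:00am is t = 0."""
import hashlib
import hmac
import struct

NTP_VERSION, MODE_SERVER = 3, 4       # NTPv3 (RFC 1305) reply from a server
HEADER_LEN, AUTH_LEN = 48, 4 + 16     # header; key id + MD5 digest


def to_ntp_ts(seconds: float) -> bytes:
    """Encode seconds as the 64-bit NTP fixed-point timestamp (32.32 bits)."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * (1 << 32)))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_ts(raw: bytes) -> float:
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / (1 << 32)


def build_reply(t1: float, t2: float, t3: float, key_id=None, key=None) -> bytes:
    """Server reply carrying originate=T1, receive=T2, transmit=T3. With key_id
    and key the reply is authenticated; without them it is sent in the clear
    (the 'server authentication disabled' case of Table 4-4)."""
    li_vn_mode = (0 << 6) | (NTP_VERSION << 3) | MODE_SERVER
    header = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)   # stratum 2 (constructed)
    header += struct.pack("!III", 0, 0, 0)                  # root delay/dispersion, ref id
    header += to_ntp_ts(t2) + to_ntp_ts(t1) + to_ntp_ts(t2) + to_ntp_ts(t3)
    if key is None:
        return header
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_reply(packet: bytes, keys: dict) -> bool:
    """Recompute the digest with the locally configured key for the key id;
    an unknown key id, a different key or a modified header fails."""
    if len(packet) != HEADER_LEN + AUTH_LEN:
        return False
    header, auth = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", auth[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, auth[4:])


def client_accepts(packet: bytes, keys: dict, auth_enabled: bool) -> bool:
    """Table 4-4 from the client's side: with authentication disabled any
    well-formed reply passes; with it enabled only a verified reply passes."""
    if len(packet) not in (HEADER_LEN, HEADER_LEN + AUTH_LEN):
        return False
    if not auth_enabled:
        return True
    return verify_reply(packet, keys)


def offset_and_delay(packet: bytes, t4: float):
    """Clock offset per the page's formula, plus the round-trip delay (RFC 1305)."""
    t1 = from_ntp_ts(packet[24:32])     # originate timestamp
    t2 = from_ntp_ts(packet[32:40])     # receive timestamp
    t3 = from_ntp_ts(packet[40:48])     # transmit timestamp
    offset = ((t2 + t3) - (t1 + t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed shared secret; in deployment it is provisioned on both NTP peers.
KEYS = {7: b"constructed-shared-secret"}

if __name__ == "__main__":
    reply = build_reply(0.0, 1.0, 2.0, 7, KEYS[7])        # T1..T3 from the figure
    print("authenticated:", verify_reply(reply, KEYS))
    print("offset, delay:", offset_and_delay(reply, 3.0))  # T4 = 10:00:03am
```

With the figure's values the offset is 0 (the two clocks agree) and the round-trip delay is 2 s.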

4.2.5 Layer 2 Protocols

Threats

Layer 2 protocols are generally attacked by flood, deformed, or malicious packets. Under an attack, the equipment may fail to process the protocols and therefore services on the entire network are affected. The following preventive measures are provided for Layer 2 protocols.

Flow Control

The rate for reporting protocol packets to the CPU is limited to prevent the equipment from being attacked by a large number of protocol packets. The following methods are available:

- Protocol software rate limiting: The maximum number of packets that can be processed per second for each protocol is defined. When the number of received packets exceeds this number, the excess packets are discarded. The maximum number is specified by each data board.
- CPU queue rate limiting: The packets to be reported to the CPU are listed in the CPU queue of the chip. When the number of packets exceeds the queue length, the chip automatically discards the excess packets.

Discarding of Invalid Packets

All packets are verified and various invalid protocol packets are filtered out. Table 4-5 lists the verification rules.

Table 4-5 Packet verification rules for Layer 2 protocols

Protocol | Verification Rule

BPDU | DMAC = 01-80-c2-00-00-00 or 01-80-c2-00-00-08. Each protocol packet is verified according to the corresponding protocol.

LACP | DMAC = 01-80-c2-00-00-02; EthType = 0x8809; EthSubType = 0x01 and 0x02. Each TLV is verified according to the corresponding protocol.

Eth-OAM (802.1ag) | EthType = 0x8902 (IEEE 802.1ag standard). Each protocol packet is verified according to the corresponding protocol.

Eth-OAM (802.3ah) | DMAC = 01-80-c2-00-00-02; EthType = 0x8809; EthSubType = 0x03. Each TLV is verified according to the corresponding protocol.

ERPS | DMAC = 01-19-A7-00-00-01. Each protocol packet is verified according to the corresponding protocol.

Robust Measures

Countermeasures under abnormal conditions are as follows:

- According to ITU-T G.8032, R-APS packets are transmitted within an Ethernet ring, and R-APS packets at ports not on the ring are not extracted or processed, so the robustness of ring network protocols is improved.
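Added example (not the equipment's code) that applies the Table 4-5 DMAC/EthType/SubType rules and the protocol software rate limiting described under Flow Control to constructed frames. The per-protocol packet-per-second limit, the sample frames and the LACP TLV walk (the one per-protocol check shown in full) are assumptions of this example.

```python
"""Layer 2 protocol packet verification (Table 4-5) and protocol software rate
limiting (Flow Control). Added example, not the equipment's code: the
per-protocol packets-per-second limits are constructed, and only the LACP TLV
walk is shown; the other protocols are reduced to their DMAC/EthType rules."""

BPDU_DMACS = {"01-80-c2-00-00-00", "01-80-c2-00-00-08"}
SLOW_PROTOCOL_DMAC = "01-80-c2-00-00-02"    # shared by LACP and Eth-OAM (802.3ah)
ERPS_DMAC = "01-19-a7-00-00-01"
ETHTYPE_SLOW, ETHTYPE_CFM = 0x8809, 0x8902


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def classify(frame: bytes):
    """Name the protocol whose Table 4-5 rule the frame satisfies, or None."""
    if len(frame) < 15:
        return None
    dmac = mac_str(frame[0:6])
    ethtype = int.from_bytes(frame[12:14], "big")
    subtype = frame[14]
    if dmac in BPDU_DMACS:
        return "BPDU"
    if dmac == ERPS_DMAC:             # R-APS checked before the generic 802.1ag rule
        return "ERPS"
    if dmac == SLOW_PROTOCOL_DMAC and ethtype == ETHTYPE_SLOW:
        if subtype in (0x01, 0x02):
            return "LACP"
        if subtype == 0x03:
            return "Eth-OAM(802.3ah)"
        return None
    if ethtype == ETHTYPE_CFM:
        return "Eth-OAM(802.1ag)"
    return None


def verify_lacp_tlvs(frame: bytes) -> bool:
    """Walk the LACPDU TLVs that follow subtype (byte 14) and version (byte 15).
    Each TLV is type(1) length(1), the length counting both header bytes; the
    list ends with a type 0 / length 0 terminator. Truncation or a length that
    runs past the frame is rejected."""
    offset = 16
    while True:
        if offset + 2 > len(frame):
            return False
        tlv_type, tlv_len = frame[offset], frame[offset + 1]
        if tlv_type == 0 and tlv_len == 0:
            return True
        if tlv_len < 2 or offset + tlv_len > len(frame):
            return False
        offset += tlv_len


class ProtocolRateLimiter:
    """Protocol software rate limiting: at most max_pps[proto] packets per second."""

    def __init__(self, max_pps: dict):
        self.max_pps = max_pps
        self.window = {}          # proto -> (second, packets counted in that second)

    def accept(self, proto: str, now: float) -> bool:
        limit = self.max_pps.get(proto)
        if limit is None:
            return True
        sec = int(now)
        prev_sec, count = self.window.get(proto, (sec, 0))
        if prev_sec != sec:
            count = 0
        if count >= limit:
            self.window[proto] = (sec, count)
            return False
        self.window[proto] = (sec, count + 1)
        return True


def filter_frame(frame: bytes, limiter: ProtocolRateLimiter, now: float):
    """Return ("accept", protocol) or ("drop", reason) for one received frame."""
    proto = classify(frame)
    if proto is None:
        return ("drop", "no verification rule matched")
    if proto == "LACP" and not verify_lacp_tlvs(frame):
        return ("drop", "malformed LACP TLV")
    if not limiter.accept(proto, now):
        return ("drop", f"{proto} rate limit exceeded")
    return ("accept", proto)


# Constructed frames (documentation source MAC 00-00-5e-00-53-01).
SRC = bytes.fromhex("00005e005301")
LACP_FRAME = (bytes.fromhex("0180c2000002") + SRC + b"\x88\x09" + b"\x01\x01"
              + b"\x01\x14" + bytes(18)       # actor information TLV
              + b"\x02\x14" + bytes(18)       # partner information TLV
              + b"\x03\x10" + bytes(14)       # collector information TLV
              + b"\x00\x00" + bytes(50))      # terminator TLV and padding
BPDU_FRAME = bytes.fromhex("0180c2000000") + SRC + b"\x00\x26" + bytes(38)
BOGUS_FRAME = bytes.fromhex("0180c2000002") + SRC + b"\x88\x09" + b"\x09" + bytes(45)
```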

4.3 Network Services

4.3.1 Threats

As described previously, data services are under the following threats:

- Attack of service flow bursts, with network bandwidth being preempted and the processing capability and forwarding efficiency of the equipment being lowered. A typical case of such a threat is a broadcast storm.
- Access of unauthorized users.
- Theft of user data.

Table 4-6 lists the preventive measures.

Table 4-6 Threats and preventive measures

Threat | Preventive Measure | Measure Description

Flow bursts | Flow control | Limiting the service flow within a range using various methods

Flow bursts | Loop detection and prevention | Detecting physical loops on a network to prevent a broadcast storm

Flow bursts | Discarding of incorrect packets | Detecting the packets received by the equipment and discarding abnormal packets

Access of unauthorized users | Configuring rules for access to Layer 2 services | Defining rules for access to Layer 2 according to features of the Layer 2 service flow

Theft of user data | Service separation | Logically or physically separating services of different users


4.3.2 Ethernet Services

Ethernet services are classified into Ethernet private line (E-Line) services and Ethernet LAN (E-LAN) services.

- E-Line services: Such services are forwarded based on VLAN tags and logically separated at Layer 2. E-Line services are highly confidential. Therefore, flow control can be applied to E-Line services using QoS and invalid packets can be filtered out using ACLs.
- E-LAN services: Such services include MAC-based and MAC+VLAN-based services for Layer 2 switching. E-LAN services are flexible, the MAC addresses cannot be controlled, and the MAC address learning and forwarding mechanism is affected by the data packets. Therefore, E-LAN services are easily attacked. All the preceding preventive measures are applicable to E-LAN services.

NOTE

Ethernet aggregation (E-AGGR) services are also forwarded based on VLAN tags. Preventive measures for E-AGGR services are the same as those for E-Line services.

Flow Control

The bandwidth of the equipment may be loaded abnormally when there are a large number of broadcast packets, multicast packets, or unicast packets with unknown destination addresses, and a network may be congested when flow bursts occur. Flow control can prevent such scenarios and ensure the secure and stable operation of the network.

- Suppressing broadcast flow
  − Broadcast storm suppression: The broadcast flow is limited and the flow that exceeds the limit is discarded.
  − Broadcast storm suppression enabled based on port: After broadcast storm suppression is enabled at a port, the broadcast flow at the port is discarded when the broadcast flow exceeds the broadcast flow suppression threshold. The default threshold is 30%.
  − Setting of the broadcast flow suppression threshold: The threshold specifies the broadcast flow that a port allows. When the actual broadcast flow exceeds the threshold, the excess broadcast flow is discarded to ensure that the proportion of the broadcast flow is within a proper range. This prevents a broadcast storm and network congestion so that the network services can run normally.
- Discarding unknown unicast packets: Unknown unicast packets can be discarded or forwarded.
- Discarding unknown multicast packets: Unknown multicast packets can be discarded or forwarded.
- Monitoring port flow: The flow at a port is monitored. When packets are received at a rate faster than the specified threshold, a flow threshold-crossing alarm is reported, prompting the user to take preventive measures.
- Limiting service flow using QoS


Figure 4-8 QoS network model

The QoS function of the equipment can be implemented in the DiffServ mode. A network is divided into several DiffServ domains (DS domains for short). A DS edge node classifies the flow entering a DS domain and identifies the flow of different service types with different PHBs. The PHB information is forwarded to all nodes in the DS domain. Then the nodes in the DS domain perform flow control on the services based on the PHBs. The flow control measures include flow shaping and queue scheduling.
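The per-port flow control rules described above (broadcast storm suppression with a percentage threshold, the discard/forward switch for unknown unicast and multicast, and the flow threshold-crossing alarm) as a small simulation. This is an added example, not RTN 310 code: the frame lists, the alarm rate threshold and the way the threshold is applied (broadcast may occupy at most the configured share of an interval's frames, the rest is dropped) are assumptions made to make the rules concrete.

```python
"""Per-port flow control simulation (constructed example, not RTN 310 code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """True for group addresses other than broadcast (I/G bit of the first octet set)."""
    mac = mac.lower()
    return mac != BROADCAST_MAC and (int(mac.split(":")[0], 16) & 0x01) == 1


@dataclass
class FlowPolicy:
    broadcast_suppression: bool = True
    broadcast_threshold_pct: float = 30.0      # white paper default: 30%
    discard_unknown_unicast: bool = False      # "discard" or "forward"
    discard_unknown_multicast: bool = False    # "discard" or "forward"
    alarm_rate_pps: int = 1000                 # assumed monitoring threshold


@dataclass
class IntervalResult:
    forwarded: int = 0
    discarded: int = 0
    alarm: Optional[str] = None


def process_interval(dst_macs: Iterable[str], policy: FlowPolicy,
                     known_unicast: Set[str], known_multicast: Set[str],
                     interval_s: float = 1.0) -> IntervalResult:
    """Apply the policy to the destination MACs received on one port in one interval."""
    frames: List[str] = [m.lower() for m in dst_macs]
    total = len(frames)
    result = IntervalResult()

    # Port flow monitoring: report a threshold-crossing alarm but keep forwarding.
    rate = total / interval_s
    if rate > policy.alarm_rate_pps:
        result.alarm = f"FLOW_OVER_THRESHOLD: {rate:.0f} pps > {policy.alarm_rate_pps} pps"

    # Broadcast storm suppression: broadcast may occupy at most threshold% of
    # the interval's frames; every broadcast frame above that share is dropped.
    allowed_broadcast = int(total * policy.broadcast_threshold_pct / 100)
    broadcast_seen = 0

    for dst in frames:
        if dst == BROADCAST_MAC:
            broadcast_seen += 1
            if policy.broadcast_suppression and broadcast_seen > allowed_broadcast:
                result.discarded += 1
                continue
        elif is_multicast(dst):
            if policy.discard_unknown_multicast and dst not in known_multicast:
                result.discarded += 1
                continue
        elif policy.discard_unknown_unicast and dst not in known_unicast:
            result.discarded += 1
            continue
        result.forwarded += 1
    return result


if __name__ == "__main__":
    # Constructed traffic: 6 broadcast frames and 4 unicast frames to a known host.
    traffic = [BROADCAST_MAC] * 6 + ["00:11:22:33:44:55"] * 4
    print(process_interval(traffic, FlowPolicy(), {"00:11:22:33:44:55"}, set()))
```

With the default 30% threshold, six broadcast frames in a ten-frame interval leave three forwarded and three discarded, while the unicast frames are untouched; the alarm only fires when the aggregate rate exceeds the assumed monitoring threshold.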

Loop Prevention

If a loop is generated on a Layer 2 switching network, packets will be duplicated and cycled in the loop, and therefore a broadcast storm occurs. In this case, all available bandwidth resources will be occupied by the broadcast storm and the network will be unavailable.

Detection of self-loops at service ports

The equipment can detect whether a service port is self-looped by transmitting and receiving protocol packets.

Blocking of self-looped ports

After self-loop detection and blocking of self-looped ports are enabled, a port is blocked to prevent a broadcast storm when the port is self-looped.

Discarding of Incorrect Packets

Incorrect packets include packets with missing fields, disordered packets, duplicated packets, and excessively large or small packets. Incorrect packets may be forged by malicious users, caused by bit errors on the transmission line, or caused by abnormal processing of the equipment hardware. Processing incorrect packets brings extra load to the equipment and reduces the bandwidth for normal services. Therefore, incorrect packets must be identified and discarded.

The following incorrect packets are discarded:

− A packet whose source MAC address and destination MAC address are the same

− A packet whose size is smaller than 64 bytes

− A packet whose size is greater than the maximum transmission unit (MTU)

− A packet whose FCS (CRC) is incorrect
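The four discard rules listed above, applied to raw Ethernet frames. This is an added example and not the equipment's own filter: the MTU value, the locally administered MAC addresses and the payloads are constructed, and the FCS is a CRC-32 appended little-endian as on the wire, which is what makes a bit error on the line detectable.

```python
"""Incorrect-packet filter for Ethernet frames (constructed example)."""
import struct
import zlib
from typing import List, Optional, Tuple

MIN_FRAME_LEN = 64      # minimum Ethernet frame length including the 4-byte FCS
HEADER_LEN = 14         # dst MAC + src MAC + EtherType
FCS_LEN = 4
DEFAULT_MTU = 1500      # assumed: largest permitted payload

# Constructed sample addresses (locally administered, not real devices).
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                pad: bool = True, corrupt_fcs: bool = False) -> bytes:
    """Assemble a frame with a CRC-32 FCS (little-endian, as on the wire).

    pad=False leaves a short frame unpadded so a runt can be constructed;
    corrupt_fcs=True flips one FCS bit to simulate a line bit error.
    """
    body = dst + src + struct.pack("!H", ethertype) + payload
    if pad and len(body) < MIN_FRAME_LEN - FCS_LEN:
        body += b"\x00" * (MIN_FRAME_LEN - FCS_LEN - len(body))
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt_fcs:
        fcs ^= 0x1
    return body + struct.pack("<I", fcs)


def discard_reason(frame: bytes, mtu: int = DEFAULT_MTU) -> Optional[str]:
    """Return None if the frame passes, otherwise the rule that discards it."""
    if len(frame) < MIN_FRAME_LEN:
        return "runt: shorter than 64 bytes"
    if len(frame) > HEADER_LEN + mtu + FCS_LEN:
        return "oversize: larger than MTU"
    dst, src = frame[0:6], frame[6:12]
    if dst == src:
        return "source MAC equals destination MAC"
    body, (fcs,) = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])
    if (zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return "FCS (CRC) mismatch"
    return None


def filter_frames(frames: List[bytes], mtu: int = DEFAULT_MTU) -> Tuple[List[bytes], List[Tuple[bytes, str]]]:
    """Split frames into (accepted, [(frame, reason), ...]) as an ingress port would."""
    accepted: List[bytes] = []
    dropped: List[Tuple[bytes, str]] = []
    for f in frames:
        reason = discard_reason(f, mtu)
        if reason is None:
            accepted.append(f)
        else:
            dropped.append((f, reason))
    return accepted, dropped


if __name__ == "__main__":
    samples = [
        build_frame(HOST_B, HOST_A, 0x0800, b"hello"),                    # valid, padded to 64
        build_frame(HOST_B, HOST_A, 0x0800, b"hello", pad=False),         # runt
        build_frame(HOST_B, HOST_A, 0x0800, b"x" * 1501),                 # oversize
        build_frame(HOST_A, HOST_A, 0x0800, b"hello"),                    # src == dst
        build_frame(HOST_B, HOST_A, 0x0800, b"hello", corrupt_fcs=True),  # bad FCS
    ]
    ok, bad = filter_frames(samples)
    print(len(ok), "accepted;", [reason for _, reason in bad])
```

The checks are ordered cheapest first (length, then addresses, then CRC), so a flood of runts or oversize frames is rejected before any CRC work is spent on it.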

Access Control of Layer 2 Services

Access control of Layer 2 services is provided to filter out unauthorized user data.


Static MAC address table

For E-LAN services, static MAC addresses can be added to, deleted from, and queried in the static MAC address table. When the MAC address learning function is disabled, MAC addresses must be added to the static MAC address table to ensure that services are forwarded properly. If the MAC address of a service does not match the static MAC address table, the service is considered as invalid and is discarded.

Black list

For E-LAN services, MAC addresses can be added to, deleted from, and queried in the black list. Services whose MAC addresses are in the black list are considered as invalid and filtered out.

Disabling MAC address learning

E-LAN services can filter out invalid packets after MAC address learning is disabled.

When MAC address learning is enabled, the equipment can learn the MAC addresses.

When MAC address learning is disabled, the equipment can forward E-LAN services and filter out invalid MAC addresses after static MAC addresses are configured.
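The three E-LAN access controls above (static MAC address table, black list, and MAC address learning enabled or disabled) as one forwarding model. This is an added example, not the equipment's implementation: port names and MAC addresses are constructed, and two details the text leaves open are assumptions made explicit in the code, namely that with learning disabled a source is valid only if its static entry binds it to the ingress port, and that an unknown destination is discarded when learning is disabled but flooded when learning is enabled.

```python
"""E-LAN access control model (constructed example, not RTN 310 code)."""
from typing import Dict, Optional, Set

FLOOD = "FLOOD"


class ElanAccessControl:
    def __init__(self, learning_enabled: bool = True):
        self.learning_enabled = learning_enabled
        self.static_table: Dict[str, str] = {}    # MAC -> port, operator configured
        self.dynamic_table: Dict[str, str] = {}   # MAC -> port, learned from traffic
        self.black_list: Set[str] = set()

    # Static MAC address table: add, delete, query.
    def add_static(self, mac: str, port: str) -> None:
        self.static_table[mac.lower()] = port

    def delete_static(self, mac: str) -> None:
        self.static_table.pop(mac.lower(), None)

    def query_static(self, mac: str) -> Optional[str]:
        return self.static_table.get(mac.lower())

    # Black list: add, delete, query.
    def add_black(self, mac: str) -> None:
        self.black_list.add(mac.lower())

    def delete_black(self, mac: str) -> None:
        self.black_list.discard(mac.lower())

    def query_black(self, mac: str) -> bool:
        return mac.lower() in self.black_list

    def forward(self, in_port: str, src: str, dst: str) -> str:
        """Return the egress port, FLOOD, or a 'DISCARD: reason' string."""
        src, dst = src.lower(), dst.lower()
        if src in self.black_list or dst in self.black_list:
            return "DISCARD: MAC address in black list"
        if not self.learning_enabled:
            # Only statically configured addresses are valid (assumption: the
            # static entry must also bind the source to the ingress port).
            if self.static_table.get(src) != in_port:
                return "DISCARD: source MAC not in static MAC address table"
            out = self.static_table.get(dst)
            if out is None:
                return "DISCARD: destination MAC not in static MAC address table"
            return out
        # Learning enabled: record the source, then look up static first, dynamic second.
        self.dynamic_table[src] = in_port
        out = self.static_table.get(dst) or self.dynamic_table.get(dst)
        return out if out is not None else FLOOD


if __name__ == "__main__":
    ac = ElanAccessControl(learning_enabled=False)
    ac.add_static("02:00:00:00:00:0a", "port1")
    ac.add_static("02:00:00:00:00:0b", "port2")
    print(ac.forward("port1", "02:00:00:00:00:0a", "02:00:00:00:00:0b"))  # port2
    print(ac.forward("port1", "02:00:00:00:00:0c", "02:00:00:00:00:0b"))  # DISCARD: ...
```

The black list is consulted before either table, so a blacklisted address is filtered out whether learning is on or off; the static table takes precedence over learned entries, so a learned address can never override an operator-configured binding.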

Service Separation

The following logical and physical separation methods are provided to prevent malicious data theft and reduce the impact of the broadcast flow.

Layer 2 logical separation

Virtual local area network (VLAN) is the basic unit for managing network data equipment. A VLAN is a logical subnet or a logical broadcast domain. Users are allocated to different VLANs so that they cannot communicate with each other at Layer 2. In this manner, logical separation is achieved for Layer 2 services. In addition, after VLANs are divided, the broadcast flow is limited in each broadcast domain, which limits the broadcast range.

The OptiX RTN 310 supports identification and forwarding of VLAN tags, and switching of VLAN tags.

A group of physical or logical ports that cannot communicate with each other on the local equipment are configured to prevent service loops and separate services for different users. In this manner, service security is ensured.

Split horizon

The OptiX RTN 310 supports creation of split horizon groups for L2VPN services, and supports adding and deleting of group members.

Physical path separation

Services for different users are carried on different physical paths. In this manner, services do not share physical paths or communicate with each other at the physical layer, and therefore service security is ensured.
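The two Layer 2 logical separation mechanisms above, VLAN membership and split horizon groups, combined into one egress decision: a frame may leave only on ports that carry its VLAN, never on its ingress port, and never on a port that shares a split horizon group with the ingress port. This is an added example rather than the equipment's own logic; the port names, VLAN IDs and group names are constructed, and a frame whose VLAN is not allowed on the ingress port is treated as dropped (empty egress set).

```python
"""VLAN plus split horizon egress model (constructed example, not RTN 310 code)."""
from typing import Dict, Set


class L2Separation:
    def __init__(self) -> None:
        self.port_vlans: Dict[str, Set[int]] = {}        # port -> VLANs allowed on it
        self.split_horizon: Dict[str, Set[str]] = {}     # group name -> member ports

    def add_port(self, port: str, vlans: Set[int]) -> None:
        self.port_vlans[port] = set(vlans)

    # Split horizon groups: create, add member, delete member.
    def create_group(self, name: str) -> None:
        self.split_horizon.setdefault(name, set())

    def add_member(self, name: str, port: str) -> None:
        self.split_horizon[name].add(port)

    def delete_member(self, name: str, port: str) -> None:
        self.split_horizon[name].discard(port)

    def _same_group(self, a: str, b: str) -> bool:
        """True if ports a and b are members of one split horizon group."""
        return any(a in members and b in members
                   for members in self.split_horizon.values())

    def egress_ports(self, in_port: str, vlan: int) -> Set[str]:
        """Ports that may receive a frame tagged `vlan` arriving on `in_port`.

        Returns an empty set when the VLAN is not allowed on the ingress port
        (frame dropped). The ingress port itself and any port sharing a split
        horizon group with it are never included, so user-to-user traffic inside
        a group cannot be switched locally and no local loop can form.
        """
        if vlan not in self.port_vlans.get(in_port, set()):
            return set()
        return {p for p, vlans in self.port_vlans.items()
                if p != in_port and vlan in vlans and not self._same_group(in_port, p)}


if __name__ == "__main__":
    d = L2Separation()
    d.add_port("port1", {10})
    d.add_port("port2", {10})
    d.add_port("port3", {10, 20})   # assumed uplink carrying both VLANs
    d.add_port("port4", {20})
    d.create_group("customers")
    d.add_member("customers", "port1")
    d.add_member("customers", "port2")
    print(sorted(d.egress_ports("port1", 10)))   # ['port3']: port2 blocked by split horizon
    print(sorted(d.egress_ports("port1", 20)))   # []: VLAN 20 not allowed on port1
```

Placing two customer ports in the same split horizon group while leaving the uplink outside it is the usual pattern: each customer still reaches the network, but a broadcast from one customer port is never replicated onto the other.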


A Appendix

A.1 Standards Compliance

Table A-1 shows the security standards that the OptiX RTN 310 complies with.

Table A-1 Standards compliance

Related Standard        Description
ITU-T G.8011.1          Ethernet private line service
ITU-T G.8011.2          Ethernet virtual private line service
ITU-T G.8261/Y.1361     Timing and synchronization aspects in Packet Networks
ITU-T G.8262/Y.1362     Timing characteristics of synchronous Ethernet equipment slave clock
ITU-T G.8032/Y.1344     Ethernet Ring Protection Switching
RFC 2474                Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2819                Remote Network Monitoring Management Information Base
RFC 0793                Transmission Control Protocol
RFC 0768                User Datagram Protocol
RFC 0791                Internet Protocol, Version 4 (IPv4)
RFC 0792                Internet Control Message Protocol
RFC 0826                An Ethernet Address Resolution Protocol
RFC 0894                A Standard for the Transmission of IP Datagrams over Ethernet Networks
RFC 2516                A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 1661                The Point-to-Point Protocol (PPP)
RFC 1662                PPP in HDLC-like Framing
RFC 1332                The PPP Internet Protocol Control Protocol (IPCP)
RFC 1990                The PPP Multilink Protocol (MP)
RFC 2131                Dynamic Host Configuration Protocol
RFC 2328                OSPF Version 2
RFC 2246                Secure Sockets Layer 3.0 / TLS 1.0
RFC 1305                Network Time Protocol 3.0
IEEE 802.3ah            Media Access Control Parameters, Physical Layers, and Management Parameters for Subscriber Access Networks
IEEE 802.1ad            Virtual Bridged Local Area Networks, Amendment 4: Provider Bridges
IEEE 802.1ag            Virtual Bridged Local Area Networks, Amendment 5: Connectivity Fault Management

A.2 Acronyms and Abbreviations

Table A-2 Acronyms and abbreviations

Acronym and Abbreviation   Full Name
ACL       Access Control List
CAR       Committed Access Rate
DCN       Data Communication Network
DNS       Domain Name System
ECC       Embedded Control Channel
FTP       File Transfer Protocol
GNE       Gate Network Element
HTTP      Hyper-Text Transmission Protocol
ID        IDentification
IEEE      Institute of Electrical and Electronics Engineers
IF        Intermediate Frequency
IP        Internet Protocol
ISO       International Organization for Standardization
ISP       Internet Service Provider
ITU-T     International Telecommunication Union-Telecommunication Standardization Sector
LAN       Local Area Network
LCT       Local Craft Terminal
NMS       Network Management System
OAM       Operation Administration and Maintenance
ODU       Outdoor Unit
OSI       Open Systems Interconnection
OSS       Operation Support System
OSPF      Open Shortest Path First
PDH       Plesiochronous Digital Hierarchy
QoS       Quality of Service
RMON      Remote Monitoring
RTN       Radio Transmission Node
SDH       Synchronous Digital Hierarchy
SNMP      Simple Network Management Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol
VLAN      Virtual Local Area Network