
OptiX OSN 1800I/II Compact Multi-Service Edge

Optical Transport Platform


V100R006C20

Security Configuration,
Maintenance, and Hardening Manual

Issue 02
Date 2016-10-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2016-10-30) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd.
OptiX OSN 1800I/II Compact Multi-Service Edge Optical
Transport Platform
Security Configuration, Maintenance, and Hardening
Manual Contents

Contents

1 Introduction ... 1
1.1 Purposes for Security Configuration Maintenance & Hardening ... 2
1.2 Definition of Layer-based Security Configuration, Maintenance, and Hardening ... 2

2 Security Configuration at the Device Management Layer ... 3
2.1 NE User Management ... 4
2.1.1 Querying the NE User Information ... 4
2.1.2 Creating an NE User ... 5
2.1.3 Deleting an NE User ... 8
2.1.4 Modifying NE User Attributes ... 9
2.1.5 Changing an NE User Password ... 12
2.1.6 Changing the Password for an Online NE User ... 13
2.1.7 Modifying User Additional Parameters ... 14
2.1.8 Querying NE User Groups ... 16
2.1.9 Querying NE Security Parameters ... 17
2.1.10 Setting Blacklisted User Passwords ... 18
2.1.11 Managing Encryption Types of NE User Passwords ... 20
2.2 Managing NE User Logins ... 20
2.2.1 Managing Online NE Users ... 20
2.2.2 Switching a Logged-In NE User ... 21
2.2.3 Setting the NE Login Message ... 23
2.3 Access Control ... 23
2.3.1 Ethernet Access Control ... 23
2.3.2 Serial Port Access Control ... 24
2.3.3 USB Access Control ... 25
2.4 Checking Device Logs ... 26
2.4.1 Browsing Device Logs ... 26
2.4.2 Device Syslog Logs ... 27
2.5 NE KMC Service Management ... 31

3 Security Configuration at the Network Layer ... 34
3.1 Network Security Management ... 35
3.1.1 Access Control List ... 35
3.1.2 Access Management ... 37
3.2 Protocols and Controls ... 45
3.2.1 SSL/TLS Protocol ... 45
3.2.2 SFTP Client Protocol ... 49
3.2.3 NTP Protocol ... 51
3.3 Network Access Authentication ... 53
3.3.1 Configuring the User Permission VSA Attribute on the RADIUS Server ... 53
3.3.2 Enabling a RADIUS Client or a RADIUS Proxy Server ... 54
3.3.3 Creating a RADIUS Server ... 54
3.3.4 Configuring a Key from a RADIUS Proxy to a NAS ... 56
3.3.5 Configuring Forced Authentication on a RADIUS Proxy ... 57
3.3.6 Configuring RADIUS Server Parameters ... 58
3.4 Network Service Security ... 60
3.4.1 Security Threats ... 60
3.4.2 Ethernet Services ... 60

4 Security Maintenance ... 66
4.1 Suggestions on Port Maintenance ... 67
4.1.1 TCP Ports ... 67
4.1.2 UDP Ports ... 70
4.2 NE Account Maintenance ... 74
4.3 Log Audit ... 74
4.4 Weak Password Policy Detection ... 74
4.5 Security Patch Upgrade ... 75
4.6 Software Package Integrity Verification ... 75

5 Security Hardening ... 76
5.1 Device Layer Security Hardening ... 77
5.1.1 Account Management Hardening ... 77
5.1.2 Security Log Hardening ... 78
5.1.3 Security Hardening for Database Uploading and Downloading ... 78
5.1.4 CF Card Data Hardening ... 79
5.1.5 Integrity Protection for Data in a USB Flash Drive ... 80
5.1.6 Reverse Software Loading Authorization for Decoupling Boards ... 81
5.2 Network Layer Security Hardening ... 83
5.2.1 Managing DCN Network Security Hardening ... 83
5.2.2 Configuring an ACL to Prevent Unauthorized Access ... 85
5.2.3 Using SSL to Prevent Unauthorized Access to Sensitive Data ... 86
5.2.4 Using Encrypted Channels to Prevent Sensitive Data from Theft ... 86
5.2.5 Using SFTP to Load Software ... 88
5.2.6 Using Secure SNMPv3 to Manage NEs ... 88
5.2.7 Data Service Security Hardening ... 88
5.2.8 Configuring Extended ECC Authentication to Prevent Unauthorized Access ... 89

6 Appendixes ... 90
6.1 References ... 91

7 Acronyms and Abbreviations ... 92
7.1 Maintenance Tools ... 94
7.1.1 EMS and NMS Tool ... 94
7.1.2 Software Upgrade Tool ... 95
7.1.3 Fault Collection Tool ... 95
7.1.4 Network Health Check Tool ... 96
7.2 Other Maintenance Methods ... 96


1 Introduction

About This Chapter

1.1 Purposes for Security Configuration Maintenance & Hardening


1.2 Definition of Layer-based Security Configuration, Maintenance, and Hardening


1.1 Purposes for Security Configuration Maintenance & Hardening

Application systems are facing increased security threats that may interrupt services, reduce
profits, and even crash systems. Operators must build and maintain powerful security systems
to mitigate such threats.

1.2 Definition of Layer-based Security Configuration, Maintenance, and Hardening

Because security attacks continue to evolve, operators must harden security maintenance at
both the device management layer and the network layer to ensure that application systems
operate safely.

At the Device Management Layer


Security maintenance at the device management layer is intended to guarantee normal
operation of the device hardware and software, and thereby normal service provision.
Security maintenance at the device management layer is conducted by using maintenance
terminals and maintenance tools.

At the Network Layer


Security maintenance at the network layer helps ensure normal operation of NEs.
Security maintenance at the network layer is conducted by using maintenance terminals and
maintenance tools.

About Security Hardening


You can configure additional security functions at the device management and data planes to
harden attack defense for devices.


2 Security Configuration at the Device Management Layer

About This Chapter

2.1 NE User Management


2.2 Managing NE User Logins
2.3 Access Control
Equipment is controlled through various physical access ports. These ports are enabled or
disabled to meet the security requirements of the equipment in different scenarios.
2.4 Checking Device Logs
2.5 NE KMC Service Management


2.1 NE User Management


2.1.1 Querying the NE User Information
Prerequisites
You are an NMS or NE user with Administrator User Group rights or higher.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.
Step 2 Click Query to check the current NE user information.

Figure 2-1 NE user management table

Table 2-1 Default user list of devices (1800 V100R005C10 and earlier versions)
User Name Password User Group

szhw nesoft Super administrator

root password Administrator

lct password Administrator

LCD LCD Administrator

The default user name and the default password in BIOS state are szhw and nesoft.

Table 2-2 Default user list of devices (1800 V100R005C20 and later versions)
User Name Password Group

szhw Changeme_123 Super administrator

root Changeme_123 Administrator

lct Changeme_123 Administrator

LCD Changeme_123 Administrator


The default user name and the default password in BIOS state are szhw and Changeme_123.

You can use the default account to access the OSN 850 and OSN 810 boards through local
Ethernet ports. The default account is szhw and the password is Changeme_123; this account
is a super administrator. The rules for managing the board accounts and passwords are the
same as the rules for managing NE accounts and passwords. However, board accounts and
passwords can be managed only in the command-line interface, not on the NMS.

User passwords are encrypted and stored using MD5, SHA256, or PBKDF2. For details, see
2.1.11 Managing Encryption Types of NE User Passwords. After the encryption mode is
changed, the password of a new user or a changed password is stored as follows:
- If the encryption mode is MD5, the MD5, SHA256, and PBKDF2 information is stored.
- If the encryption mode is SHA256, the SHA256 and PBKDF2 information is stored.
- If the encryption mode is PBKDF2, only the PBKDF2 information is stored.
The PBKDF2 encryption type is recommended. After setting the encryption type, change the
user password for the new encryption type to take effect.

The passwords of the accounts that are used to access the OSN 850 and OSN 810 boards
through local Ethernet ports can be encrypted on the boards only in PBKDF2 mode.
On the F3SCC board, user passwords cannot be encrypted and saved in MD5 mode.
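The storage rule above, modelled as an added example (this is not Huawei code and not the device's real record format): which digest forms a password record holds under each encryption mode, why the weakest stored form is what an offline attacker with a copy of the database would target (the reason PBKDF2-only is recommended), and why a mode change only takes effect once the password is changed. The salt length, PBKDF2 PRF and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Digest forms the manual says are stored for a new or changed password
# under each configured encryption mode (sections 2.1.1 and 2.1.11).
STORED_FORMS = {
    "MD5": ("MD5", "SHA256", "PBKDF2"),
    "SHA256": ("SHA256", "PBKDF2"),
    "PBKDF2": ("PBKDF2",),
}

# Assumed parameters: the manual does not state the device's salt length,
# PBKDF2 PRF or iteration count, so these are illustrative choices.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def stored_forms(mode: str) -> Set[str]:
    """Digest forms kept at rest for a password set while `mode` is configured."""
    if mode not in STORED_FORMS:
        raise ValueError(f"unknown encryption mode: {mode!r}")
    return set(STORED_FORMS[mode])


def _digest(form: str, password: bytes, salt: bytes) -> bytes:
    """Compute one stored form (salted here; the device's exact construction is assumed)."""
    if form == "MD5":
        return hashlib.md5(salt + password).digest()
    if form == "SHA256":
        return hashlib.sha256(salt + password).digest()
    if form == "PBKDF2":
        return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    raise ValueError(f"unknown digest form: {form!r}")


def make_record(password: str, mode: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Build the at-rest record for a password set while `mode` is configured."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    pw = password.encode("utf-8")
    record: Dict[str, object] = {"mode": mode, "salt": salt}
    for form in stored_forms(mode):
        record[form] = _digest(form, pw, salt)
    return record


def verify(record: Dict[str, object], candidate: str) -> bool:
    """Check a login attempt against the PBKDF2 form, which every mode stores."""
    expected = record["PBKDF2"]
    actual = _digest("PBKDF2", candidate.encode("utf-8"), record["salt"])
    return hmac.compare_digest(expected, actual)


def weakest_form(record: Dict[str, object]) -> str:
    """Weakest digest at rest: the form an offline attacker holding a copy of the
    database would attack, which is why the manual recommends PBKDF2 only."""
    for form in ("MD5", "SHA256", "PBKDF2"):
        if form in record:
            return form
    raise ValueError("record holds no digest")


def forms_after_mode_change(record: Dict[str, object], new_mode: str,
                            password_changed: bool) -> Set[str]:
    """A new mode takes effect only once the password is changed; an unchanged
    password keeps whatever forms were stored before the mode change."""
    if password_changed:
        return stored_forms(new_mode)
    return {f for f in ("MD5", "SHA256", "PBKDF2") if f in record}
```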

----End

2.1.2 Creating an NE User


Prerequisites
You are an NMS or NE user with Administrator User Group rights or higher.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.
Step 2 In the NE User Management Table pane, click Add and the Add NE User dialog box is
displayed. After setting the user attributes, click OK.


Table 2-3 User attribute parameters

NE user
  Valid value: -
  Default value: -
  Description: Configures the user name registered on the NE.
  NOTE: The NE name cannot contain Chinese characters.

User level
  Valid value: Monitor level, Operation level, Maintenance level, System level, Debug level
  Default value: Monitor level
  Description: Monitor-level users have the lowest rights. They are authorized to issue query
  commands and modify their own attributes. Operation-level users are authorized to query the
  system information and perform some configuration operations. Maintenance-level users are
  authorized to perform all maintenance operations. System-level users are authorized to
  perform all query and configuration operations. Debug-level users are authorized to perform
  all operations in the debugging process, including security management.

NE user flag
  Valid value: LCT NE user, EMS NE user, CMD NE user, General NE user
  Default value: LCT NE user
  Description: Sets the NE user flag. LCT NE user: manages NEs on the local craft terminal
  (LCT) U2000. EMS NE user: manages NEs on the element management system (EMS) U2000.
  CMD NE user: manages NEs on CMD terminals. General NE user: manages NEs on all NMSs.

Detailed description
  Valid value: -
  Default value: -
  Description: Describes the configured NE users.

New password
  Valid value: -
  Default value: -
  Description: Sets a new user password.

Confirm password
  Valid value: -
  Default value: -
  Description: The password to be entered must be the same as the new password.

Immediate password change
  Valid value: Yes, No
  Default value: Yes
  Description: Specifies whether the new user password can be modified. It is valid only for
  an NE user lower than the administrator level.

Valid Permanently
  Valid value: Yes, No
  Default value: Yes
  Description: This parameter displays whether a registered NE user is permanently valid.

Valid From
  Valid value: Presented in YYYYMMDDHHMMSS.
  Default value: Specified by the user.
  Description: If the value of the Valid Permanently parameter is Yes, the field cannot be
  modified. If the value of the Valid Permanently parameter is No, the field can be set
  manually.

Valid Until
  Valid value: Presented in YYYYMMDDHHMMSS.
  Default value: Specified by the user.
  Description: If the value of the Valid Permanently parameter is Yes, the field cannot be
  modified. If the value of the Valid Permanently parameter is No, the field can be set
  manually.

Password Permanently Valid
  Valid value: Yes, No
  Default value: Yes
  Description: This parameter displays whether the password is permanently valid.

Password Valid Days
  Valid value: 25 to 999 days
  Default value: 90 days
  Description: If the value of the Password Permanently Valid parameter is Yes, the field
  cannot be modified. If the value of the Password Permanently Valid parameter is No, the
  field can be set manually.

User security policy
  Valid value: Encryption, None
  Default value: -
  Description: Specifies the security policy for an NE user. Encryption: indicates that this
  user can deliver only encryption-related commands. None: indicates that this user can
  deliver all commands.
  NOTE: This parameter is not supported on the F3SCC board.

----End

2.1.3 Deleting an NE User


Prerequisites
- You are an NMS user with Administrator User Group rights or higher.
- The NE user to be deleted exists.
- The NE user to be deleted has a lower user level than the user that is logged in.
- The user to be deleted is not in logged-in state.

Procedure
Step 1 In NE User Management Table, select a user to be deleted, and click Delete.

Step 2 A dialog box is displayed asking you whether to delete the NE user. After you confirm that
the user is to be deleted, click OK.


----End

2.1.4 Modifying NE User Attributes

Prerequisites
- You are an NMS user with Administrator User Group rights or higher.
- The NE user has been created.
- Common users with rights lower than Administrator User Group can modify only their
  own attributes.

Procedure
Step 1 In the NE User Management Table pane, select the NE user for attribute modification. Click
Modify. The Modify NE User dialog box is displayed.

Step 2 Modify the user attributes and click OK to save the modifications.


Table 2-4 User attributes

NE User
  Value range: -
  Default value: -
  Description: Specifies the name of a registered NE user.
  NOTE: The name of an NE cannot contain any Chinese characters.

User Level
  Value range: Monitor, Operation, Maintenance, System, Debug
  Default value: Monitor
  Description: Accounts at the Monitor Level have the most limited rights and can only use
  query commands and modify their own attributes. Accounts at the Operation Level can query
  device information and have limited rights for configuration operations. Accounts at the
  Maintenance Level have the rights for all maintenance operations. Accounts at the System
  Level have the rights for security management and all query and configuration operations.
  Accounts at the Debug Level have the rights for all configuration operations, including
  security management.

NE User Flag
  Value range: LCT, EMS, CMD, General
  Default value: LCT
  Description: Specifies the flag of a registered NE user.
  - An LCT NE User can manage an NE on the LCT, U2000-Local Craft Terminal.
  - An EMS NE User can manage an NE on the U2000.
  - A CMD NE User can manage an NE on the CMD, the management system using command lines.
  - A General NE User does not differentiate the NE types.

Detailed Description
  Value range: -
  Default value: -
  Description: Describes the NE user information that has been set.

Login Allowed
  Value range: Yes, No
  Default value: Yes
  Description: Describes whether the NE user is enabled.

Valid Permanently
  Value range: Yes, No
  Default value: Yes
  Description: Displays whether a registered NE user is permanently valid.

Valid From
  Value range: YYYYMMDDHHMMSS indicates the creation time.
  Default value: YYYYMMDDHHMMSS indicates the creation time.
  Description: Specifies that the default time for creating a user cannot be modified.

Valid Until
  Value range: Time when a registered NE user logged in to the NE for the last time
  Default value: -
  Description:
  - If Permanently Valid or not is set to Yes, the field cannot be modified.
  - If Permanently Valid or not is set to No, the field can be specified by a user.

Password Permanently Valid
  Value range: Yes, No
  Default value: Yes
  Description: Displays whether the password is permanently valid.

Password Valid Days
  Value range: 25 to 999 days
  Default value: 90 days
  Description: If Password Permanently Valid is set to Yes, the field cannot be modified. If
  Password Permanently Valid is set to No, the field can be specified by a user.
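An added example (not Huawei code, and not the NE's own implementation) that applies the account and password validity attributes from Tables 2-3 and 2-4: the YYYYMMDDHHMMSS time format, the 25 to 999 day range and 90 day default for Password Valid Days, the no-Chinese-characters rule for the user name, and the way Valid Permanently and Password Permanently Valid switch the date fields off. The `password_set_at` field and the order in which the checks are applied are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Value constraints taken from Tables 2-3 and 2-4.
TS_FORMAT = "%Y%m%d%H%M%S"          # YYYYMMDDHHMMSS
MIN_PASSWORD_VALID_DAYS = 25
MAX_PASSWORD_VALID_DAYS = 999
DEFAULT_PASSWORD_VALID_DAYS = 90


def parse_ne_time(value: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS value; anything else is rejected."""
    if len(value) != 14 or not value.isdigit():
        raise ValueError(f"expected YYYYMMDDHHMMSS, got {value!r}")
    return datetime.strptime(value, TS_FORMAT)


def contains_chinese(text: str) -> bool:
    """The tables forbid Chinese characters in the user name (CJK ideographs)."""
    return any("\u4e00" <= ch <= "\u9fff" for ch in text)


@dataclass
class NeUser:
    name: str
    login_allowed: bool = True
    valid_permanently: bool = True
    valid_from: Optional[str] = None          # used only when valid_permanently is False
    valid_until: Optional[str] = None
    password_permanently_valid: bool = True
    password_valid_days: int = DEFAULT_PASSWORD_VALID_DAYS
    password_set_at: Optional[str] = None     # assumed field: when the password was last set

    def __post_init__(self) -> None:
        if not self.name or contains_chinese(self.name):
            raise ValueError("user name is empty or contains Chinese characters")
        if not MIN_PASSWORD_VALID_DAYS <= self.password_valid_days <= MAX_PASSWORD_VALID_DAYS:
            raise ValueError("password_valid_days must be 25 to 999")
        if not self.valid_permanently:
            if self.valid_from is None or self.valid_until is None:
                raise ValueError("valid_from and valid_until are required when not permanent")
            if parse_ne_time(self.valid_from) > parse_ne_time(self.valid_until):
                raise ValueError("valid_from is after valid_until")
        if not self.password_permanently_valid and self.password_set_at is None:
            raise ValueError("password_set_at is required when the password expires")


def within_validity_period(user: NeUser, now: datetime) -> bool:
    """Valid Permanently = Yes ignores Valid From/Until; otherwise the window applies."""
    if user.valid_permanently:
        return True
    return parse_ne_time(user.valid_from) <= now <= parse_ne_time(user.valid_until)


def password_expired(user: NeUser, now: datetime) -> bool:
    """Password Permanently Valid = Yes ignores Password Valid Days."""
    if user.password_permanently_valid:
        return False
    expiry = parse_ne_time(user.password_set_at) + timedelta(days=user.password_valid_days)
    return now > expiry


def login_decision(user: NeUser, now: datetime) -> str:
    """Order of checks is an assumption; the manual lists the attributes, not an order."""
    if not user.login_allowed:
        return "login-disabled"
    if not within_validity_period(user, now):
        return "outside-validity-period"
    if password_expired(user, now):
        return "password-expired"
    return "allowed"
```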

----End

2.1.5 Changing an NE User Password


Prerequisites
- You are an NMS user with Administrator User Group rights or higher.
- The NE user has been created.
- The NE user to be modified has a lower user level than the user that is logged in.

Procedure
Step 1 In the NE User Management Table pane, select the NE user for password modification.
Click Set Password. The Set Password of NE User dialog box is displayed.
Step 2 In the displayed Set Password of NE User dialog box, click "...". In the displayed dialog box,
enter a new password.
Step 3 After modifying the user password, click OK to save the modifications.


----End

2.1.6 Changing the Password for an Online NE User


Prerequisites
- You are an NMS user with Monitor User Group rights or higher.
- The NE user is online.

Procedure
Step 1 In the NE Explorer, select the desired NE user. Choose Security > NE Login Management
from the Function Tree. Click Set Password of NE User. A dialog box is displayed asking
you whether to change the current password.


Step 2 In the displayed Set Password of NE User dialog box, click "...". In the displayed dialog box,
enter the old password and the new password, and click OK.

NOTICE
When you change the password of a user, the user is locked and forced to log out after
five consecutive incorrect entries of the old password.

----End

2.1.7 Modifying User Additional Parameters

Prerequisites
- You are an NMS user with Maintainer User Group rights or higher and belong to the
  Security Manager Group.
- The logged-in NE user must have system level rights or higher.
- The NE user has been created.
- The NE user to be modified has a lower user level than the user that is logged in.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.


Step 2 Click Query. Then select the desired user. Click View Additional User Info. The Additional
User Info List dialog box is displayed.

Figure 2-2 Additional User Info List

Step 3 Modify required additional user information. Click OK or Apply to save the modifications.

Table 2-5 Additional user parameters

NE: Displays the current NE name.

User: Displays the registered NE user name.

Records of All Logins: Specifies whether a registered NE user can log in at any time.

Allowable Login Start Date: Specifies the start date from which a registered NE user is allowed to log in to the NE.

Allowable Login Start Time: Specifies the start time from which a registered NE user is allowed to log in to the NE.

Allowable Login End Date: Specifies the end date until which a registered NE user is allowed to log in to the NE.

Valid Till (time): Specifies the end time until which a registered NE user is allowed to log in to the NE.

Time to Lock User for No Activities (Day): Specifies the number of days without activity after which a user is locked. The value ranges from 25 to 999, and the default value 0 indicates that the password is permanently valid.

Maximum Password Validity (Day): Specifies the maximum number of days for which a user's password is valid.

Password Change Time: Displays the time of the last password change.

Last Login Time: Displays the time of the last login.

----End
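As an added example (not part of the manual or of the U2000 software), the following Python function evaluates a login attempt against the Table 2-5 parameters of one user. The class and function names, the order in which the checks are applied (inactivity lock first, then the "Records of All Logins" bypass, then the date and time window), and the constructed sample users are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional, Tuple


@dataclass
class AdditionalUserInfo:
    """Fields of Table 2-5 as this example models them (attribute names are ours)."""
    records_of_all_logins: bool          # Records of All Logins: True = login at any time
    login_start_date: Optional[date]     # Allowable Login Start Date
    login_start_time: Optional[time]     # Allowable Login Start Time
    login_end_date: Optional[date]       # Allowable Login End Date
    valid_till_time: Optional[time]      # Valid Till (time)
    lock_after_idle_days: int            # Time to Lock User for No Activities (Day); 0 = never
    last_login: Optional[datetime]       # Last Login Time


def login_decision(info: AdditionalUserInfo, now: datetime) -> Tuple[bool, str]:
    """Decide whether a login attempt at `now` is allowed under the user's parameters.

    Assumption (not stated in the manual): the inactivity lock is evaluated before the
    login window, and "Records of All Logins" bypasses the window checks entirely.
    """
    if info.lock_after_idle_days > 0 and info.last_login is not None:
        if now - info.last_login >= timedelta(days=info.lock_after_idle_days):
            return False, "user locked: no activity for %d days" % info.lock_after_idle_days
    if info.records_of_all_logins:
        return True, "login allowed at any time"
    if info.login_start_date is not None and now.date() < info.login_start_date:
        return False, "before Allowable Login Start Date"
    if info.login_end_date is not None and now.date() > info.login_end_date:
        return False, "after Allowable Login End Date"
    if info.login_start_time is not None and now.time() < info.login_start_time:
        return False, "before Allowable Login Start Time"
    if info.valid_till_time is not None and now.time() > info.valid_till_time:
        return False, "after Valid Till (time)"
    return True, "within the allowed login window"


# Constructed sample user: may log in 08:00-18:00 between 2016-10-01 and 2016-12-31,
# is locked after 30 idle days, and was last seen on 2016-10-20.
SAMPLE_USER = AdditionalUserInfo(
    records_of_all_logins=False,
    login_start_date=date(2016, 10, 1), login_start_time=time(8, 0),
    login_end_date=date(2016, 12, 31), valid_till_time=time(18, 0),
    lock_after_idle_days=30, last_login=datetime(2016, 10, 20, 9, 0),
)

# Constructed sample user with "Records of All Logins" set: the window does not apply.
ANYTIME_USER = AdditionalUserInfo(
    records_of_all_logins=True,
    login_start_date=date(2016, 10, 1), login_start_time=time(8, 0),
    login_end_date=date(2016, 12, 31), valid_till_time=time(18, 0),
    lock_after_idle_days=0, last_login=None,
)

if __name__ == "__main__":
    for when in (datetime(2016, 10, 30, 10, 0), datetime(2016, 10, 30, 19, 0),
                 datetime(2016, 11, 25, 10, 0)):
        print(when, login_decision(SAMPLE_USER, when))
```

The inactivity check is deliberately evaluated first: a user whose account has gone stale should be refused regardless of whether the attempt falls inside the allowed window.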

2.1.8 Querying NE User Groups

Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The logged-in NE user must have system level rights or higher.

Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE User Group Management from
the Function Tree.

Step 2 Click Query to query NE user groups.

Table 2-6 Relationship between NE user groups and user levels

NE User Group: User Level
Super administrator: Debugging
Administrator: System
Maintainer: Maintenance
Operator: Operation
Monitor: Monitoring

----End

2.1.9 Querying NE Security Parameters


Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The logged-in NE user must have system level rights or higher.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE
Security Parameters from the Function Tree.
Step 2 Click Query to query the settings of NE security parameters.

Table 2-7 NE security parameters

NE
  Value range: Example: NE1
  Description: Displays the current NE name.

Warning Screen Switch
  Value range: Enabled, Disabled
  Description: Specifies whether to enable the warning screen.

Warning Screen Information
  Value range: Any characters, digits, or a combination of characters and digits; the maximum length is 750 characters.
  Description: Specifies the NE login prompt message.

Allowable Used Times for Outdated Password
  Value range: 3
  Description: Specifies the number of times an outdated password may still be used for access. This parameter is set to 3 and cannot be modified.

Password Max. Valid Period (day)
  Value range: 90
  Description: Specifies the longest period for which a password can be used. This parameter ranges from 25 to 999. The default value is 0, indicating that the password never expires.

Password Min. Valid Period (day)
  Value range: 1
  Description: Specifies the shortest period for which a password is used. The default value is 1.

Password Uniqueness
  Value range: 5
  Description: Specifies password uniqueness. If the value is n, the modified password must differ from the passwords used in the latest n changes. The value 0 indicates that password uniqueness is not required. The default value is 5.

Lock Testing Time (Minute)
  Value range: 180
  Description: Monitors the total time of NE lockout. This parameter is set to 180 and cannot be modified.

Lock Testing Time (Minute) Allowable Illegal Access Times
  Value range: For example: 5
  Description: Specifies the allowable number of illegal access attempts. The default value is 5.

Lockout Time (Second)
  Value range: For example: 900
  Description: Specifies the total time of NE lockout.

----End
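The lockout parameters in Table 2-7 work together: illegal access attempts are counted over Lock Testing Time, reaching Allowable Illegal Access Times locks the user, and the lock lasts Lockout Time. The following Python model is an added example, not Huawei's implementation; the per-user sliding-window counting, the refusal of correct credentials while the lockout is active, and the constructed event list are assumptions. The defaults are the example values of the table (180 minutes, 5 attempts, 900 seconds).

```python
from collections import defaultdict, deque


class NeLockoutPolicy:
    """Models the lockout parameters of Table 2-7 (defaults are the table's example values).

    Assumption (not stated in the manual): failures are counted per user within a sliding
    window of Lock Testing Time minutes, and a locked user is refused even with correct
    credentials until Lockout Time seconds have elapsed.
    """

    def __init__(self, lock_testing_minutes=180, allowable_illegal_access_times=5,
                 lockout_seconds=900):
        self.window_seconds = lock_testing_minutes * 60
        self.max_failures = allowable_illegal_access_times
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failed logins
        self._locked_until = {}               # user -> time (seconds) at which the lock ends

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user, now, credentials_ok):
        """Process one login attempt at time `now` (seconds) and return its outcome."""
        if self.is_locked(user, now):
            return "refused-locked"
        if credentials_ok:
            self._failures.pop(user, None)      # a good login clears the failure history
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                    # drop failures outside the testing window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            recent.clear()
            return "locked-out"
        return "denied"


def replay(events, policy=None):
    """Replay constructed (time, user, credentials_ok) events; return one outcome per event."""
    policy = policy or NeLockoutPolicy()
    return [policy.attempt(user, t, ok) for t, user, ok in events]


# Constructed sample: five bad passwords for "ops1" within four minutes, then a correct
# password during the lockout, then a correct password once the 900 s lockout has elapsed.
SAMPLE_EVENTS = [(0, "ops1", False), (60, "ops1", False), (120, "ops1", False),
                 (180, "ops1", False), (240, "ops1", False),
                 (300, "ops1", True), (1140, "ops1", True)]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Feeding the model with the NE security log (which records failed logins) is a quick way to check whether a burst of "denied" entries should have produced a lockout.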

2.1.10 Setting Blacklisted User Passwords


Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l NE users have been created.

Procedure
Step 1 Select the desired NE in the Main Topology. In the NE Explorer, choose Security > NE User
Management from the Function Tree. The Password Blacklist Management tab is
displayed.
Step 2 Click Set Password Blacklist on the lower right corner. The Set Password Blacklist window
is displayed.

Figure 2-3 Password Blacklist Management tab


Step 3 Click Add or Delete to add or delete blacklisted passwords, and then click Apply to apply the
settings to the NE.

Table 2-8 Parameters for setting blacklisted passwords

No.: Indicates the number of a blacklisted password. A maximum of 20 blacklisted passwords are allowed.

Password Blacklist: Indicates a blacklisted password. A blacklisted password can contain 1 to 16 case-insensitive characters.

----End


2.1.11 Managing Encryption Types of NE User Passwords

Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l An NE user is created.

Procedure
Step 1 Click the NE in the NE Explorer and choose Security > NE User Password Encryption
Management from the Function Tree.

Step 2 Click Query. The NE user password encryption type is displayed.

Figure 2-4 Managing NE user password encryption types

Step 3 Change the encryption type and click Apply.

Table 2-9 Parameters for managing NE user password encryption types

NE
  Value: -
  Description: Displays the NE name.

Encryption Type
  Value: MD5, SHA256, and PBKDF2
  Description: PBKDF2 is a secure encryption algorithm and is recommended. If the encryption type is set to MD5 or SHA256, an alarm is reported when you log in, modify the password, or add a user, indicating that the password encryption type is risky. In this case, you can change the encryption type to PBKDF2, and the alarm then clears.

----End
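The following Python example is added here to tie together the password rules of sections 2.1.9, 2.1.10 and 2.1.11: the blacklist limits of Table 2-8, the history (Password Uniqueness), minimum and maximum validity periods and the three permitted uses of an outdated password from Table 2-7, and PBKDF2 storage with the risky-type alarm of Table 2-9. It is not the NE's or the U2000's own code; the PBKDF2 iteration count, the salt length, the whole-password blacklist comparison, the class names and the status strings are this example's assumptions.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import timedelta

# Limits taken from Tables 2-7 and 2-8; the iteration count and salt length are this
# example's assumptions, the manual does not state the device's own values.
MAX_BLACKLIST_ENTRIES = 20
MAX_BLACKLIST_LENGTH = 16
OUTDATED_PASSWORD_USES = 3
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


class PasswordBlacklist:
    """Table 2-8: up to 20 entries of 1 to 16 characters, compared case-insensitively."""

    def __init__(self, entries=()):
        self._entries = set()
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        if not 1 <= len(entry) <= MAX_BLACKLIST_LENGTH:
            raise ValueError("a blacklisted password must be 1 to 16 characters")
        if len(self._entries) >= MAX_BLACKLIST_ENTRIES:
            raise ValueError("at most 20 blacklisted passwords are allowed")
        self._entries.add(entry.lower())

    def contains(self, password):
        return password.lower() in self._entries   # assumption: whole-password comparison


def hash_password(password, salt=None):
    """Store passwords with salted PBKDF2, the recommended Encryption Type of Table 2-9."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored, password):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def encryption_type_alarm(encryption_type):
    """Table 2-9: MD5 and SHA256 raise the 'risky encryption type' alarm; PBKDF2 clears it."""
    return encryption_type in ("MD5", "SHA256")


class NeUserPasswordStore:
    """Password aging and history rules of Table 2-7 (defaults are the table's values)."""

    def __init__(self, blacklist, uniqueness=5, min_valid_days=1, max_valid_days=90):
        self.blacklist = blacklist
        self.uniqueness = uniqueness          # Password Uniqueness; 0 = no history check
        self.min_valid = timedelta(days=min_valid_days)
        self.max_valid = timedelta(days=max_valid_days) if max_valid_days else None
        self._history = {}                    # user -> deque of (salt, digest), newest first
        self._changed_at = {}                 # user -> Password Change Time
        self._outdated_uses = {}              # user -> logins made with an outdated password

    def set_password(self, user, new_password, now):
        if self.blacklist.contains(new_password):
            return False, "password is blacklisted"
        changed = self._changed_at.get(user)
        if changed is not None and now - changed < self.min_valid:
            return False, "Password Min. Valid Period has not elapsed"
        history = self._history.setdefault(user, deque(maxlen=max(self.uniqueness, 1)))
        if self.uniqueness and any(verify_password(h, new_password) for h in history):
            return False, "password was used within the last %d changes" % self.uniqueness
        history.appendleft(hash_password(new_password))   # oldest entry falls off the right
        self._changed_at[user] = now
        self._outdated_uses[user] = 0
        return True, "password changed"

    def check_login(self, user, password, now):
        history = self._history.get(user)
        if not history or not verify_password(history[0], password):
            return "denied"
        if self.max_valid and now - self._changed_at[user] > self.max_valid:
            # Table 2-7: an outdated password may still be used 3 times.
            if self._outdated_uses[user] >= OUTDATED_PASSWORD_USES:
                return "denied-outdated"
            self._outdated_uses[user] += 1
            return "ok-outdated"
        return "ok"
```

Because the history holds only salted PBKDF2 digests, the uniqueness check never needs the old passwords in clear text; each candidate is re-derived with the stored salt and compared in constant time.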

2.2 Managing NE User Logins


2.2.1 Managing Online NE Users

Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.


l To ensure the security of NE operations, the NMS maintainers or administrators can use
the U2000 server to view all the online NE users within the management rights and the
way in which the users log in to the NEs.
l When you want to log in to an NE as a user who has a higher level of rights, you can
force a lower-level NE user to log out of the NE. In this way, you can avoid an NE being
configured by multiple NE users at the same time, or prevent unauthorized logins by
other NE users.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > Online
User Management.

Figure 2-5 List of Online User

Step 2 Click Query to query the latest information about NE logins.

Step 3 Select the NE entry. Click Forced Logout to force the desired NE user to log out of the NE.

----End

2.2.2 Switching a Logged-In NE User


Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The NE user has been created.

Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Login
Management.


Figure 2-6 NE Login Management Table

Step 2 Click Query to query the current NE user.

Step 3 In the NE Login Management Table, select the NE and click Switch NE User. In the
Switch Current NE User dialog box, enter the user name and password in User and
Password.

Step 4 Click OK.

During a new deployment, after the NE user root creates an NE, this user can create another
NE user. By switching a logged-in NE user, you can log in to the NE with a new user.

NOTE
During offline switching of an NE user, the system does not check the user name and password on the
NE side. As a result, login to the NE may always fail, making the NE unreachable.

----End


2.2.3 Setting the NE Login Message


You can customize the message that pops up when a user logs in to an NE. For example, you
can customize a message that displays the required user rights for operating an NE to prompt
an unauthorized user not to log in to the NE.

Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The logged-in NE user must have system level rights or higher.

Procedure
Step 1 Select the desired NE in the NE Explorer. Choose Security > NE Security Parameters from
the Function Tree. The NE Security Parameter List is displayed.

Step 2 Click Query to query the settings of NE security parameters.

Step 3 Select an NE, double-click Warning Screen Switching and choose Enabled or Disabled.

Step 4 Double-click Warning Screen Information and enter the message.

Step 5 Click Apply. A message is displayed indicating that the operation is successful. Click Close.
NOTE
You can enter a message in the Warning Screen Information field only when Warning Screen
Switching is set to Enabled.

----End

2.3 Access Control


Equipment is accessed through various physical ports. These ports are enabled or disabled to
meet the security requirements of the equipment in different scenarios.

2.3.1 Ethernet Access Control

Prerequisites
You are an NMS user with Administrator User Group rights or higher.

Procedure
Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the
Function Tree.

Step 2 In the Ethernet Access Control area, select or deselect Enable Ethernet Access and click
Apply.


NOTICE
If you select Enable Ethernet Access, the external network port of an NE can be used for
Ethernet communication.
If you deselect Enable Ethernet Access, the external network port of an NE cannot be used
for Ethernet communication.
If Ethernet communication exists on the external network port of an NE and Enable Ethernet
Access is not selected, the NE may be unreachable to the NMS.
If you select Enable Ethernet Access, the equipment can interconnect with other OSPF-
compliant equipment through the external network port of which the OSPF function is
enabled by default. MD5 authentication is supported by the external network port by default.
On the NMS, you can disable the management Ethernet port of a non-GNE to prevent
unauthorized local access. The management Ethernet port supports the security Ethernet
survival function. Specifically, if Enable Ethernet Access is not selected and no NMS user
logs in to the NE for 30 consecutive minutes, the local management Ethernet port will be
automatically enabled to ensure local access. When an NMS user logs in to the NE later, the
local management Ethernet will be automatically disabled.

----End

2.3.2 Serial Port Access Control


Prerequisites
You must be an NM user with "Administrator" authority or higher.

Procedure
Step 1 On the Main Topology, select an NE. Then, in the NE Explorer, choose Communication >
Access Control from the navigation tree.
Step 2 In the displayed Serial Port Access Control interface, set the Enable Serial Port Access and
click Apply.


Figure 2-7 Serial port access control

NOTE
Only F1SCC equipment supports the Serial Port Access Control function; F3SCC equipment does not.

----End

Parameter description
l The Enable Serial Port Access parameter specifies whether the serial port is used for
equipment management. If Enable Serial Port Access is selected, equipment can be
managed using serial ports.
l If Access Command Line is selected, equipment can be accessed using commands for
management.
l If Access NM is selected, equipment can be managed through the NMS.
l The Baud Rate parameter specifies the access rate of a serial port.

2.3.3 USB Access Control

Prerequisites
You must be an NM user with "Operator User Group" authority or higher.

Procedure
Step 1 Select an NE. Then, in the NE Explorer, choose Communication > Access Control from the
function tree.

Step 2 In the displayed right window, choose the USB Access Control interface, select the desired
main control board and enable USB Port Access and click Apply.


NOTE
Only the F3SCC02 1800I/II equipment supports the USB Access Control function.

----End

2.4 Checking Device Logs


2.4.1 Browsing Device Logs
By browsing security and operation logs periodically, you can check and track the operation
security information of devices.

Context
Security logs are saved in the U2000 database, where you can check the information about
security operations.

When the security logs are forwarded to the syslog server, they are not saved in the U2000
database, so they can be checked only on the syslog server.

Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The logged-in NE user must have system level rights or higher.

Security Logs
1. In the NE Explorer, select an NE and choose Security > NE Security Log from the
Function Tree.

2. Query logs using one of the following methods:


Query logs using the U2000: Click Query and set filter criteria to obtain required
logs.
Query logs from the NE: Choose Query from the NE and click Query. Querying
from the NE takes a relatively long period of time. After the query results are
returned, click Query and set filter criteria to obtain required logs.
3. Click Save as to save NE security logs.

Operation Logs
1. In the NE Explorer, select an NE and choose Security > NE Operation Log from the
Function Tree.


2. Query logs.
In the window that is displayed, click Query at the lower right corner. Then all
operation logs are displayed.
Click Filter at the lower right corner to filter information based on user names and
operation types.
3. Click Save as to save NE operation logs to files.

2.4.2 Device Syslog Logs

Context

Operation / Prerequisites
l Syslog Certificates Management: You are an NMS user with Operator User Group rights or higher.
l Configuring the Syslog Server for an NE: You are an NMS user with "Maintenance Group" authority or higher.
l Loading an NE Syslog Certificate: You are an NMS user with "Maintenance Group" authority or higher, and an NE Syslog certificate has been successfully imported to the U2000.

Configuring the Syslog Server for an NE


1. In the NE Explorer, select an NE and choose Security > NE Log Forwarding from the
Function Tree.

2. Configure the syslog server. Click the Syslog Server tab. The list of syslog servers is
displayed. Click New.
The Add Syslog Server dialog box is displayed. Set the IP Address, Send Mode, and
Port based on the network settings.


3. Configure the Syslog GNE. Click the Syslog GNE tab. The list of syslog GNEs is
displayed. Click New.
From the displayed Object Select dialog box, select a proper NE as a syslog GNE. (Logs
transferred to the Syslog server include security logs and operation logs).

Syslog Certificates Management


This section describes how to query the time when a certificate takes effect, the time when it
expires, and other relevant information.
1. In the NE Explorer, select the NE and choose Security > NE Log Forwarding from the
navigation tree.


2. Choose Certificate Management tab, and click Query to obtain the certificate name,
the valid time when the certificate starts to take effect and expires, and the authority that
issues the certificate.
3. Select the certificate and click Delete at the lower right corner of the window to delete
the SYSLOG certificate on the NE.

Loading an NE Syslog Certificate


After an NE Syslog certificate is imported to the U2000, the certificate needs to be loaded.
1. Choose Administration > NE Software Management > Board Software Upgrade.
NOTE
By default, the DC accounts of NEs are blank, so after you enter Board Software Upgrade the
navigation tree cannot automatically filter the NE list of the subnet. Configure the DC account of
the NE in DC Login User Management (choose Administration > NE Security Management > NE
Login Management) first, then enter Board Software Upgrade again; the navigation tree will
then filter the specific NEs.
2. Right-click a desired NE in the navigation tree and choose Login NE from the shortcut
menu.


NOTE

You can also choose Set Login Account from the shortcut menu and set Login User and Password
in the dialog box that is displayed.

3. Right-click the NE and choose Query Board from the shortcut menu. Then board
information about the NE is displayed.
NOTE

It may take a period of time for the board information to display, which is normal.

4. Click to expand the board list.

5. Select the check box before the desired main control board and click to add the
board to the operation list.

6. In the Upgrade Version field, click the icon. The Board software setting window is
displayed.


7. Set the software load type to Certificate and click Add Software. The Choose File
window is displayed.
NOTE

You can click Add Software to add multiple files at the same time.
8. In the Choose File dialog box, select the desired Syslog certificates.
9. In the Board software setting dialog box, click OK. The upgrade software selection is
complete.
10. Select a board in Operation List, and click Start.
11. When the loading is complete, click Activate. The Warning dialog box is displayed.
Confirm whether to activate the software.
12. Click Yes to start activating the software.
13. After the activation, the Operation Result dialog box is displayed indicating that the
activation succeeds. Click Close.

2.5 NE KMC Service Management

Prerequisites
You are an NMS user with the Administrators permission or higher.

Enabling KMC
On the main menu, choose Administration > NE Security Management > NE
Communication Service Management. Click the NE KMC Service Management tab, and
set Control Switch to Enabled or Disabled to enable or disable KMC (KMC in this
document refers to Key Management Center).


If you enable KMC, you must set Encrypt Data Key Encrypt Type.

Changing a KMC Key

Click the NE KMC Service Management tab. Then, click the icon under Encrypt Data Key.
The dialog box for changing a KMC key is displayed. Then, manually change the key.
You are advised to change the KMC key in the following situations:
l The key is leaked.
l The key has not been changed for a long period of time.
NOTE

The key should meet the following complexity requirements:


1. The key must contain 8 to 32 characters.
2. The key must be a combination of at least three of the following:
l Lower-case letters
l Upper-case letters
l Digits
l Spaces or special characters including `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
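An added example (not from the manual or from Huawei) that checks a candidate KMC key against the complexity requirements listed in the NOTE above: 8 to 32 characters drawn from at least three of the four classes. The function names are ours, and rejecting characters outside the four listed classes (instead of ignoring them) is an assumption. The NOTE in the next subsection states that Encrypt Data Key Encrypt Key has the same requirements, so the same check applies to it.

```python
import string

# Character classes from the NOTE above; the special characters are the manual's list
# plus the space.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIALS = set(r"""`~!@#$%^&*()-_=+\|[{}];:'",<.>/?""") | {" "}
MIN_LENGTH, MAX_LENGTH, MIN_CLASSES = 8, 32, 3

CLASSES = (("lower-case letters", LOWER), ("upper-case letters", UPPER),
           ("digits", DIGITS), ("spaces or special characters", SPECIALS))


def kmc_key_violations(key):
    """Return the complexity rules the candidate key breaks (an empty list means compliant).

    Assumption (not stated in the manual): characters outside the four listed classes
    are rejected rather than ignored.
    """
    problems = []
    if not MIN_LENGTH <= len(key) <= MAX_LENGTH:
        problems.append("length must be %d to %d characters, got %d"
                        % (MIN_LENGTH, MAX_LENGTH, len(key)))
    chars = set(key)
    present = [name for name, members in CLASSES if chars & members]
    if len(present) < MIN_CLASSES:
        problems.append("needs at least %d character classes, has %d (%s)"
                        % (MIN_CLASSES, len(present), ", ".join(present) or "none"))
    unknown = sorted(chars - LOWER - UPPER - DIGITS - SPECIALS)
    if unknown:
        problems.append("characters outside the allowed classes: %r" % "".join(unknown))
    return problems


def is_compliant_kmc_key(key):
    return not kmc_key_violations(key)


if __name__ == "__main__":
    # Constructed candidates, not real keys.
    for candidate in ("Kmc-key-2016", "kmckey2016", "Ab1!", "a" * 33):
        print(repr(candidate), kmc_key_violations(candidate) or "compliant")
```

Returning the list of violations rather than a bare boolean lets the operator see which rule a rejected key broke without the checker ever logging the key itself.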

Encrypt Data Key Encryption Type


Currently, two data key encryption methods are available: Default and User Password.
l If you select the Default mode, the system uses the default key to encrypt the Encrypt
Data Key.
l If you select the User Password mode, the system uses the Encrypt Data Key Encrypt
Key to encrypt the Encrypt Data Key.


NOTE

1. You need to select an appropriate data key encryption mode according to feasibility and usability as
required.
2. If you select the User Password mode, you need to remember the value of Encrypt Data Key
Encrypt Key; otherwise, database import or export may fail.
3. The complexity requirements of Encrypt Data Key Encrypt Key must be the same as those of
Encrypt Data Key.
4. After you downgrade a version supporting KMC to a version that does not support KMC, you need
to delete the keystore files from ofs1/sm/ and ofs2/sm/.


3 Security Configuration at the Network Layer

About This Chapter

3.1 Network Security Management


3.2 Protocols and Controls
3.3 Network Access Authentication
3.4 Network Service Security


3.1 Network Security Management


3.1.1 Access Control List
An access control list (ACL) can be used for basic traffic filtering. An ACL can be configured on
every NE to filter the IP packets it receives. Devices support basic and advanced ACL
rules.

Prerequisites
You are an NMS user with Administrator User Group rights or higher.

Setting Basic ACL Rules


For ordinary NEs that do not have high security requirements, you can set the basic ACL
rules. The basic ACL rules examine the source IP addresses of the received packets. The basic
ACL rules do not use many system resources.

1. In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
2. Click the Basic ACL tab. The basic ACL rule list is displayed.

3. Click Query to query the basic ACL rules from the NE.
4. Click New.
An undefined basic ACL rule is added to the basic ACL rule list. Set the parameters
according to the network requirements.
5. Click Apply to apply the new configuration data to the NE.
6. A dialog box is displayed, indicating that the operation is successful.
7. You can repeat the preceding steps to set more basic ACL rules for this NE.

Setting Advanced ACL Rules


For NEs that have very high security requirements, you can set advanced ACL rules. The
advanced ACL rules examine the source and sink IP addresses, the source and sink port IDs,
and the protocol types of the received IP packets. The implementation of advanced ACL rules
uses many system resources. The advanced ACL rules have higher priority than the basic
ACL rules.

1. In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
2. Click the Advanced ACL tab. The advanced ACL rule list is displayed.

3. Click Query to query the advanced ACL rules from the NE.
4. Click New.


An undefined advanced ACL rule is added to the advanced ACL rule list. Set the
parameters according to the network requirements.
5. Click Apply to apply the new configuration data to the NE. A message appears
indicating the operation is successful.
6. You can repeat the preceding steps to set more advanced ACL rules for this NE.
The parameters for ACL rules are listed in Table 3-1.

Table 3-1 ACL rule parameters

Operation Type
  Value range: Permit/Deny
  Description: Indicates the ACL operation type. Deny: If a received message does not comply with the ACL rule, the message is discarded. Permit: If a received message complies with the ACL rule, the message is permitted.

Source IP Address
  Value range: Source IP Address
  Description: The Source IP Address parameter and the Source Wildcard parameter together determine the addresses that comply with an ACL rule.

Source Wildcard
  Value range: 0 to 0xFFFFFFFF
  Description: Use 0 for bits that must match exactly and 1 for bits that are not concerned.

Sink IP Address
  Value range: Sink IP Address
  Description: The Sink IP Address parameter and the Sink Wildcard parameter together determine the addresses that comply with an ACL rule.

Sink Wildcard
  Value range: 0 to 0xFFFFFFFF
  Description: Use 0 for bits that must match exactly and 1 for bits that are not concerned.

Protocol Type
  Value range: TCP/UDP/ICMP/IP
  Description: Specifies the protocol type. To filter packets by UDP/TCP port, set the protocol type to UDP or TCP; to filter packets by ICMP protocol type and code type, set the protocol type to ICMP. When the protocol type is not relevant, set the parameter to IP.

Source Port
  Value range: 0 to 65535, or 0xFFFFFFFF. 0xFFFFFFFF indicates that this item is not concerned.
  Description: This parameter is valid only when the protocol type is TCP/UDP.

Sink Port
  Value range: 0 to 65535, or 0xFFFFFFFF. 0xFFFFFFFF indicates that this item is not concerned.
  Description: This parameter is valid only when the protocol type is TCP/UDP.

ICMP Protocol Type
  Value range: ICMP Protocol Type
  Description: This parameter is valid only when the protocol type is ICMP. If the value is 255, this item is not concerned. (If this parameter is set to 255, ICMP Code Type should also be 255.)

ICMP Code Type
  Value range: ICMP Code Type
  Description: This parameter is valid only when the protocol type is ICMP. If the value is 255, this item is not concerned. (If the ICMP protocol type is 255, the code should also be 255.)

Verification Function for ACL Rule Setting


Incorrect ACL settings can make an NE unreachable. To avoid this problem, a simple verification
function is added. Analysis of past occurrences shows that most problems are caused by
denying access from all addresses. With the verification function, when access from all
addresses is being denied, an ACL rule must already exist whose rule number is smaller than
that of the rule being set. Note that advanced ACL rules take precedence over basic ACL
rules.
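An added Python model (not Huawei's implementation) of the wildcard matching in Table 3-1 and of the verification function described above. Three points are assumptions the manual does not state: within each list, rules are tried in ascending rule number and the first match decides; a packet that matches no rule is permitted; and a rule's Operation Type applies to the packets that match it. The rules and packets used in the demonstration are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_WILDCARD = 0xFFFFFFFF   # Table 3-1: every address bit unconcerned
ANY_PORT = 0xFFFFFFFF       # Table 3-1: port not concerned
ANY_ICMP = 255              # Table 3-1: ICMP type/code not concerned


def ip_matches(address: str, rule_address: str, wildcard: int) -> bool:
    """Wildcard semantics of Table 3-1: 0 bits must match exactly, 1 bits are ignored."""
    care_mask = ~wildcard & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(address)) ^ int(ipaddress.IPv4Address(rule_address))
    return (diff & care_mask) == 0


@dataclass
class BasicRule:                 # a basic rule examines the source address only
    number: int
    operation: str               # "Permit" or "Deny"
    source_ip: str
    source_wildcard: int


@dataclass
class AdvancedRule:              # an advanced rule also examines sink, ports and protocol
    number: int
    operation: str
    source_ip: str
    source_wildcard: int
    sink_ip: str
    sink_wildcard: int
    protocol: str                # "TCP", "UDP", "ICMP" or "IP"
    source_port: int = ANY_PORT
    sink_port: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP


@dataclass
class Packet:                    # constructed packet summary, enough for rule matching
    src: str
    dst: str
    protocol: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def rule_matches(rule, pkt: Packet) -> bool:
    if not ip_matches(pkt.src, rule.source_ip, rule.source_wildcard):
        return False
    if isinstance(rule, BasicRule):
        return True
    if not ip_matches(pkt.dst, rule.sink_ip, rule.sink_wildcard):
        return False
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):
        if rule.source_port != ANY_PORT and rule.source_port != pkt.sport:
            return False
        if rule.sink_port != ANY_PORT and rule.sink_port != pkt.dport:
            return False
    if rule.protocol == "ICMP":
        if rule.icmp_type != ANY_ICMP and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code != ANY_ICMP and rule.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(basic: List[BasicRule], advanced: List[AdvancedRule], pkt: Packet) -> str:
    """Advanced rules take precedence over basic rules (stated in the manual).

    Assumptions: rules are tried in ascending rule number, the first match decides, and a
    packet matching no rule is permitted.
    """
    ordered = sorted(advanced, key=lambda r: r.number) + sorted(basic, key=lambda r: r.number)
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.operation
    return "Permit"


def verify_new_rule(new_rule, existing) -> Tuple[bool, str]:
    """The verification function: a rule denying access from all source addresses is accepted
    only if a rule with a smaller rule number already exists (normally a Permit for the NMS)."""
    denies_all = new_rule.operation == "Deny" and new_rule.source_wildcard == ANY_WILDCARD
    if not denies_all:
        return True, "accepted"
    if any(r.number < new_rule.number for r in existing):
        return True, "accepted: a lower-numbered rule precedes the deny-all rule"
    return False, "rejected: denying all addresses without a preceding rule would make the NE unreachable"
```

The usual hardening pattern this models is a low-numbered basic Permit for the NMS subnet followed by a deny-all; the verification function exists precisely so that the deny-all cannot be applied on its own.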

3.1.2 Access Management

Prerequisites

Operation / Prerequisites
l NMS Access: none.
l Configuring LCT Access to NEs: You are an NMS user with Administrator User Group rights or higher.
l SNMP Access: You are an NMS user with Administrator User Group rights or higher, and the logged-in NE user has system level rights or higher.
l SSH Access: You must be an NMS user with Administrator User Group rights.


NMS Access
The NMS connects to devices through Ethernet NM interfaces and OAM serial ports, or through
remote login, to manage and maintain the devices. The NMS communicates with the devices
over TCP/IP. The NMS and gateway devices can be connected through the DCN or a network
cable; users can select the connection method as required. For non-GNEs, users can disable
device access through Ethernet NM interfaces and OAM serial ports. For the operation
method, see 2.3.1 Ethernet Access Control and 2.3.2 Serial Port Access Control.

Configuring LCT Access to NEs


1. In the NE Explorer, select the NE from the Object Tree and then choose Security > LCT
Access Control from the Function Tree.
2. Click Access Allowed to enable the LCT access function. To disable the LCT access
function, click Disable Access.
3. Click Query to query the current status of the LCT access.

NOTICE
l If no NMS user has logged in to an NE, the NE allows a user to log in from an LCT
regardless of whether LCT access is enabled.
l If an LCT user requests to log in to an NE to which an NMS user has logged in, the
NE determines whether to permit the login of the LCT user according to the setting of
LCT Access Control Switch.
l An NMS user can log in to an NE to which an LCT user has logged in. After the
NMS user logs in to the NE successfully, the logged-in LCT user is not affected.
l When both an LCT user and an NMS user have logged in to an NE, the logged-in LCT
user is not affected if LCT Access Control Switch is set to Disabled Access.

SNMP Access
1. In the NE Explorer, select an NE and choose Communication > SNMP
Communication Parameters.

2. Click Create. The Create SNMP Communication Parameters dialog box is displayed.
Set parameters, such as NMS IP Address, Read/Write Permissions, Port, Read/Write
Community Name, and Trap Version. If the IP address has been set to 0.0.0.0, any IP
address can access the NE.


3. After the parameter configuration is complete, click OK.


To improve the SNMP anti-attack capability, it is recommended that you set an advanced
ACL rule that allows only authorized addresses to access the equipment by using SNMP
(UDP port 161). For how to set the advanced ACL rule, see section "5.2.2 Configuring
an ACL to Prevent Unauthorized Access".
SNMP V1/V2/V3 is supported. When SNMP V3 is used, the default users are szhwSHA,
szhwMD5, and szhwSHAA128, and the default password is Nesoft@!. The password
can be modified. For the authentication protocol and encryption algorithm used by each
default user account, see Table 3-2. It is recommended that customers change the initial
password in a timely manner and change it periodically thereafter. The default accounts that use
DES encryption are exposed to security risks; use the default account that is encrypted
with the AES128 algorithm instead. The password must be a combination of the
following types of characters: uppercase letters, lowercase letters, digits, and special
characters. The user is advised to use a password that contains at least eight characters
and any three of the following types: lowercase letters, uppercase letters, digits, and
special characters. Do not use a cyclic password such as Nesoft@!Nesoft@!. The default
VACM groups are szhwGroup and guestGroup, and the view names are szhwView and
guestView. The default user group is szhwGroup, and users in this group can access all
OIDs supported by the system. Users in the guestGroup group can change their own
passwords but cannot access the VACM and USM tables. Therefore, you are advised to
configure the VACM to control the access permission.

Table 3-2 Default SNMPv3 accounts

Account | Authentication Protocol | Encryption Algorithm
szhwMD5 | HMAC-MD5-96 | DES
szhwSHA | HMAC-SHA-96 | DES
szhwSHAA128 | HMAC-SHA-96 | AES128

The default Trap community name is Public. Users can change the Trap community name.
The security user name of SNMPv3 traps is empty by default. SNMPv3 traps work
only if the security user name is specified.


The Read Community Name, Write Community Name, and Trap Community Name
must meet the following complexity requirements:
The name must be a character string with a minimum length of six bytes. Valid
length ranges from six to sixteen bytes.
The name must combine at least two types of the following characters:
n Lowercase letters
n Uppercase letters
n Digits
n Special characters, including space and `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
If such complex community names are unnecessary for you, you can choose
Communication > SNMP Communication Parameters to disable the community
name complexity verification function.
NOTE
If the community name complexity verification function is disabled, users can use a low-
complexity community name. However, a low-complexity community name is easy to
decipher, which poses security risks to the system.

Table 3-3 SNMP communications parameters

Parameter | Value | Description
NMS IP Address | For example: 10.70.35.6 | Specifies the IP address of the NMS server that manages NEs over SNMP.
Read/Write Permissions | Read Only, Read/Write | Specifies permissions for the NMS server to manage alarm and performance data over SNMP.
Report SDH Performance Trap | No Report, Report | Specifies the report trap for SDH performance data.
Report IP Performance Trap | No Report, Report | Specifies the report trap for data performance data.
Report Alarm Trap | No Report, Report | Specifies the report trap for alarm data.
Trap Port | 1 to 65535 | Specifies the ID of the port through which the trap is reported.
Read Community Name | String | Specifies the name of the read community.
Write Community Name | String | Specifies the name of the write community.
Report Trap Version | SNMPV3, SNMPV1, SNMPV2C | Specifies the SNMP protocol version that manages the traps.
Report Trap Community Name | String | Specifies the trap community name.
Report Trap User Name | String | Specifies the trap user name.

SSH Access
l Set the NE communication service mode.
a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.

Figure 3-1 NE communication service management

b. Click the Communication Service Management tab.


c. Select the NE to be configured from the NE list and click . The Query dialog
box is displayed and query results are shown on the right of the interface.
d. Click Query to check the current communication service mode of the NE.
e. Enable STelnet (STelnet in this document refers to SSH-based Telnet).
f. Click Apply.

Figure 3-2 Communication Service Management

l Query the SSH server.


a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
b. Click the SSH Server tab.
c. Select the target NE from the NE list and click . The Query dialog box
is displayed and query results are shown on the right of the interface.
d. Click Query to check the information of current SSH server of the NE.


Figure 3-3 SSH server

l Set the key for the SSH server.


a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
b. Click the NE Key Management tab.
c. Select the target NE from the NE list and click . The Query dialog box is
displayed and query results are shown on the right of the interface.
d. Click Query to check the key management information.

Figure 3-4 NE key management

e. Click New Key Pair. The New Key Pair dialog box is displayed.
f. In the New Key Pair dialog box, set Key Type to S-RSA (NE As the Server) and
Overwrite Mode to Yes. During the key creation, a dialog box is displayed
indicating that you need to wait for 10 minutes to view the key creation status and
then upload the key after it is created.
g. Click OK. In the key pair creation dialog box, click Close. After 10 minutes, click
Query New Key Pair.
h. Click Export Public Keys. In the displayed dialog box, select S-RSA and set File
Name. Click OK.
i. In the Result dialog box, click Close.


Figure 3-5 New key pair

l Import public key information to the NE.


a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
b. Click the Client Key Management tab.
c. Select the target NE from the NE list and click . The Query dialog box is
displayed and query results are shown on the right of the interface.
d. Click Query to check the public key information.

Figure 3-6 Client key management

e. Click Create. The New Client Key dialog box is displayed.


f. Set Public Key Name, Remarks, and Public Key Info. Public Key Info must be
greater than 1024 bits.


Figure 3-7 New client key

NOTE
Users can copy the public key information in the file exported in step 3 to the text box, or
click Import to import public key information to the NMS.
g. Click OK. In the Result dialog box, click Close.
h. The public key information generated by the NE is uploaded to the authorized_keys
file in the .ssh directory of the logged-in user.
l Associate an SSH user and the SSH client key.
a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
b. Click the SSH User Management tab.
c. Select the target NE from the NE list and click . The Query dialog box is
displayed and query results are shown on the right of the interface.
d. Click Query to check the NE user authentication information.

Figure 3-8 SSH user management

e. Set the authentication mode and client public key name.


f. Click Apply. In the Result dialog box, click Close.

Figure 3-9 Modifying the SSH user authentication information

3.2 Protocols and Controls

3.2.1 SSL/TLS Protocol


The SSL/TLS protocol encrypts and decrypts data and provides all security
features except serviceability in the short term. The SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 protocols
applied on the equipment comply with RFC 2246. Users can connect to an NE in SSL mode. Because
SSLv3 is vulnerable to attacks, it is recommended that you disable it on the equipment and
use TLS1.0 or a later version to set up connectivity. To disable SSLv3 and TLS1.0 by
using the NMS, perform the following steps.
1. From the Main Menu, choose Administration > NE Security Management > NE
Communication Services Management.
2. In the dialog box that is displayed, choose SSL Version Management. You can then enable or
disable SSLv3 and TLS1.0.

Prerequisites

Operation | Prerequisites
Modifying Connection Modes Between the NMS and GNE | You are an NMS user with Administrator User Group rights or higher; the IP GNE has been created.
Modifying Connection Modes Supported by Common NEs | You are an NMS user with Administrator User Group rights or higher.
Downloading SSL certificates to NE by NMS | You are an NMS user with Maintainer User Group rights or higher; the SSL certificates have been imported to U2000.

Modifying Connection Modes Between the NMS and GNE


1. Select the NE from the Object Tree in the NE Explorer. Choose Communication >
Communication Parameters from the Function Tree. Set Connection Mode to
Security SSL.

2. Choose Administration > DCN Management from the Main Menu. Click the GNE
tab. Right-click the GNE to be modified and choose Modify GNE from the shortcut
menu.
3. In the Modify GNE dialog box that is displayed, set Connection Mode to Security SSL.

Modifying Connection Modes Supported by Common NEs


1. Select the NE from the Object Tree in the NE Explorer. Choose Communication >
Communication Parameters from the Function Tree.
2. Set Connection Mode to Security SSL.


NOTE

A common NE must use the same connection mode as its GNE uses to communicate with the NMS,
so that it can communicate normally with its NMS. For example, if an NE's GNE uses Security SSL
mode to communicate with the NMS, then the NE's connection mode should also be set to Security SSL.
SSL connection modes support bidirectional authentication for both the client and server.
l If NEs are managed through a GNE, the GNE and the NMS are connected in SSL mode. If
the GNE and non-GNEs are connected using the management network ports, it is
recommended that you set all non-GNEs that are in the same LAN with the GNE to GNEs
and manage NEs in secure SSL mode.
l If an NE is connected to an external network that is not secure, it is recommended that you
set the NE to a GNE and manage the NE in secure SSL mode.
l If an NE is connected to an external network that is not secure, it is recommended that you
set ACLs for the NE for packet filtering.

Downloading SSL certificates to NE by NMS


1. Log in to the U2000 client.
2. Choose Administration > NE Software Management > Board Software Upgrade.
NOTE

By default, the DC accounts of NEs are blank. After you enter Board Software Upgrade, the
navigation tree cannot automatically filter the NE list of the subnet. Configure the DC
account of the NE in DC Login User Management (choose Administration > NE Security
Management > NE Login Management) first, and then enter Board Software Upgrade again;
the navigation tree will then filter the specific NEs.
3. Right-click a desired NE in the navigation tree and choose Login NE from the shortcut
menu.

NOTE

You can also choose Set Login Account from the shortcut menu and set Login User and Password
in the dialog box that is displayed.
4. Right-click the NE and choose Query Board from the shortcut menu. Then board
information about the NE is displayed.


NOTE

It may take a period of time for the board information to display, which is normal.

5. Click to expand the board list.

6. Select the check box before the desired main control board and click to add the
board to the operation list.

7. In the Upgrade Version field, click . The Board software setting window is
displayed.

8. Set the software load type to Certificate and click Add Software. The Choose File
window is displayed.
NOTE

You can click Add Software to add multiple files at the same time.
9. In the Choose File dialog box, select the CA.CRT, CERTNE.CRT, CERTNE.KEY,
and SSLCFG.KEY certificates. SSLCFG.KEY is a communication key. For how to
load SSLCFG.KEY, see Operation and Maintenance > Administrator Guide > Network
Management System Maintenance Suite (MSuite) in the iManager U2000 Product
Documentation.
10. In the Board software setting dialog box, click OK. The upgrade software selection is
complete.
11. Select a board in Operation List, and click Start.
12. When the loading is complete, click Activate. The Warning dialog box is displayed.
Confirm whether to activate the software.
13. Click Yes to start activating the software.
14. After the activation, the Operation Result dialog box is displayed indicating that the
activation succeeds. Click Close.
NOTE
Apply for an SSL certificate and its encryption password, and import the SSL certificate to the
NMS or replace the existing certificate on the NMS through a management system maintenance
tool before loading the SSL certificate.
For compatibility reasons, the default certificate of the equipment supports the SHA1 signature
algorithm, which brings security risks. Therefore, you need to replace the user certificate.

3.2.2 SFTP Client Protocol

Prerequisites
You are an NMS user with Administrator User Group rights or higher.
1. Choose Administration > NE Security > Service Management > NE Communication
Services Management from the Main Menu.

Figure 3-10 Configuring the SFTP control switch

2. Double-click the Control Switch of SFTP (SFTP in this document refers to SSH-based
FTP.) client, and choose Enabled.
3. Select the NE Key Management tab, click New Key Pair and enter values for
Passphrase, Key length, Key type, and Overwrite Mode. Click OK. During creation
of the key, a dialog box is displayed indicating that you need to wait for 10 minutes to
view the creation status of the key and then upload the key when it is created.


4. Wait for 10 minutes and then check the key status. If the key is created, upload the key.
To upload the key, right-click the NE and choose Set Passphrase from the shortcut
menu. In the displayed dialog box, set the new passphrase and confirm it (the
passphrase must meet complexity requirements). Click OK, and a message "Do you
want to upload public key information immediately?" is displayed.
NOTE

The passphrase must meet the following complexity requirements:
1. The passphrase must be a character string with a minimum length of six bytes. Valid length ranges
from six to sixteen bytes.
2. The passphrase must combine at least two types of the following characters:
l Lowercase letters
l Uppercase letters
l Digits
l Special characters, including space and `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
5. Click Yes so that the new public key information is uploaded to the NMS. At the same
time, values of the Key Creation Time and Public Key Fingerprint and Yes of
Overwrite Mode are displayed.
6. Click Export Public Keys. In the displayed Export Public Keys dialog box, set Start
Row, End Row, and File Name, and click OK.
7. Copy the public key file to the SFTP server.
8. After deploying the public key file for the GNE, you can back up and upload NE
software by means of SFTP.
9. Click the SFTP Public Key Fingerprint Authentication Settings tab page. On the tab,
set Authentication to Enabled.

Figure 3-11 Enabling/Disabling SFTP public key fingerprint authentication


10. Click the SFTP Public Key Fingerprint Management tab page. On the tab, click New.
In the displayed New SFTP Public Key Fingerprint dialog box, enter the Server IP
Address, Server Port, Algorithm, and Public Key Fingerprint, and click OK.

Figure 3-12 Configuring an SFTP public key fingerprint

3.2.3 NTP Protocol

Prerequisites
You are an NMS user with Administrator User Group rights or higher.
1. In the NE Explorer. Choose Configuration > NE Time Synchronization from the
Function Tree.
2. Enable NE Time Synchronization and configure the NTP server address, and click
Apply.


Security suggestion: If you do not need the NTP service, it is recommended that
you disable the NTP port. If the NTP port is enabled, you need to create a key password,
which is an integer ranging from 1 to 1024 and must meet its complexity requirements.

Figure 3-13 NTP password complexity requirements

NTP uses MD5 to verify client/server identities. If authentication is adopted, the keys configured
at both ends must be the same and reliable.
Note that security risks arise if you do not use MD5 authentication for interconnection.

Table 3-4 Identity check

Server | Client | Authentication (Pass/Fail)
Enabled | Enabled | Pass
Enabled | Disabled | Pass
Disabled | Disabled | Pass
Disabled | Enabled | Fail


It is recommended that you enable authentication on both the server and client.
3. After the NTP service is enabled, the NE enables both the NTP server and the NTP client. For
security reasons, the NTP server can be separately enabled or disabled.
a. On the U2000 main menu, choose Administration > NE Security Management >
NE Communication Services Management. The window shown in the following
figure is displayed.

b. In Control Switch, select Enabled or Disabled to enable or disable the NTP server.
Enabled is selected by default.

3.3 Network Access Authentication


The OptiX OSN 1800 supports local authentication and RADIUS authentication. In local
authentication mode, user accounts and passwords are stored on the local equipment, and the local
equipment performs authentication. In RADIUS authentication mode, user accounts and
passwords are stored on a RADIUS server and the RADIUS server performs authentication.
The user accounts and passwords used in RADIUS authentication mode are secure and easy
to maintain.
Remote Authentication Dial In User Service (RADIUS) is a client/server protocol that
provides centralized management of authentication and configuration information between
network access equipment and a RADIUS server.
This section describes how to configure RADIUS authentication for the OptiX OSN 1800.

3.3.1 Configuring the User Permission VSA Attribute on the RADIUS Server

The user permission VSA attribute must be set for RADIUS server users. Vendor-Id of this
attribute is 2011, Vendor type is 101, and Vendor length is 4 bytes. The user permission
attribute can be set to:
0: Login not allowed
1: Monitor Level
2: Operation Level
3: Maintenance Level
4: Administrator level
5: Super administrator level

NOTE
If the user permission value is not set for RADIUS server users or is beyond the preceding value range,
the equipment automatically sets the user level to XXXX level. It is recommended that you set the value to 0
for new devices.
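The VSA described above, encoded and decoded on the wire, as an added example that is not Huawei's own code. It assumes the RFC 2865 Vendor-Specific attribute layout (attribute type 26) and reads the manual's "Vendor length is 4 bytes" as a 4-byte integer value; the function names and the sample attribute list are constructed here.

```python
"""Encode and decode the Huawei user-permission VSA described in section 3.3.1.

Added example, not Huawei's own code. It assumes the RFC 2865 Vendor-Specific
attribute layout (attribute type 26) and reads the manual's "Vendor length is
4 bytes" as a 4-byte integer value, so the RFC 2865 Vendor-length octet (which
also counts the Vendor-type and Vendor-length octets themselves) is 6.
"""
import struct
from typing import Iterator, Optional, Tuple

VENDOR_SPECIFIC = 26         # RFC 2865 attribute type for vendor extensions
HUAWEI_VENDOR_ID = 2011      # Vendor-Id stated in the manual
USER_PERMISSION_TYPE = 101   # Vendor type stated in the manual
VALUE_LEN = 4                # the permission value is a 4-byte integer

# Permission values listed in the manual.
PERMISSION_LEVELS = {
    0: "Login not allowed",
    1: "Monitor Level",
    2: "Operation Level",
    3: "Maintenance Level",
    4: "Administrator level",
    5: "Super administrator level",
}


def encode_user_permission(level: int) -> bytes:
    """Return the wire bytes of a Vendor-Specific attribute carrying `level`."""
    if level not in PERMISSION_LEVELS:
        raise ValueError(f"user permission {level} is outside the range 0-5")
    sub_attr = struct.pack("!BBI", USER_PERMISSION_TYPE, 2 + VALUE_LEN, level)
    body = struct.pack("!I", HUAWEI_VENDOR_ID) + sub_attr
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from a RADIUS-style type-length-value list.

    The top-level attribute list and the vendor sub-attribute list inside a
    VSA use the same layout, so one walker serves both.
    """
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        tlv_type, tlv_len = data[pos], data[pos + 1]
        if tlv_len < 2 or pos + tlv_len > len(data):
            raise ValueError("attribute length does not fit the buffer")
        yield tlv_type, data[pos + 2:pos + tlv_len]
        pos += tlv_len


def decode_user_permission(attrs: bytes) -> Optional[Tuple[int, Optional[str]]]:
    """Return (level, level_name) from the first Huawei user-permission VSA.

    Returns None when no such VSA is present. A value outside 0-5 is returned
    with level_name None: the manual says the equipment then assigns a level
    automatically, so an audit should flag such an entry rather than trust it.
    """
    for attr_type, value in iter_tlvs(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        for vendor_type, vendor_value in iter_tlvs(value[4:]):
            if vendor_type == USER_PERMISSION_TYPE and len(vendor_value) == VALUE_LEN:
                level = struct.unpack("!I", vendor_value)[0]
                return level, PERMISSION_LEVELS.get(level)
    return None


# Constructed sample: a User-Name attribute (type 1) followed by the VSA, as an
# Access-Accept attribute list for a maintenance-level account might carry.
SAMPLE_ATTRS = struct.pack("!BB", 1, 2 + 3) + b"ops" + encode_user_permission(3)


if __name__ == "__main__":
    print(encode_user_permission(3).hex())
    print(decode_user_permission(SAMPLE_ATTRS))
```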

3.3.2 Enabling a RADIUS Client or a RADIUS Proxy Server


After the RADIUS function of an NE is enabled, the NE can function as a RADIUS client or
proxy server. If the RADIUS client or proxy server function is not enabled on an NE that serves
as a RADIUS client or a proxy server, the related RADIUS functions of the NE fail.

Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l Communication between the NE and the NMS is normal.

Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE
RADIUS Function Configuration from the Function Tree.
Step 2 Click Query to query the information about RADIUS function configuration from the NE.

Step 3 Set RADIUS Client and Proxy Server to Open.

Figure 3-14 Configuring RADIUS switch

Step 4 Click Apply to deliver the configuration data to the NE.

----End

3.3.3 Creating a RADIUS Server


Before enabling the RADIUS, you need to create the RADIUS server.

Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The RADIUS client function of the NE is enabled.

Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE
RADIUS Configuration from the Function Tree.


Figure 3-15 RADIUS server configuration

NOTICE
The login timeout interval configured on the NMS is 15s (10s on the Web LCT).
Ensure that Interval of Packet Transmission multiplied by Packet
Retransmission Attempts exceeds the login timeout interval; otherwise, the equipment
becomes unavailable because of login timeout.

Step 2 Click the RADIUS Server Configuration tab. The RADIUS Server Information dialog box
is displayed.

Step 3 Click Query to query the information about RADIUS server configuration from the NE.

Step 4 Click New.

Step 5 The New RADIUS Server Information dialog box is displayed.

Step 6 Configure information about the RADIUS server. Click OK to save the configuration.


NOTE

l When a new RADIUS server is added, an IP address that uniquely identifies the RADIUS server
must be entered.
l When a new proxy server is added, an IP address or NE name that uniquely identifies the proxy
server must be entered.
l Before adding a new RADIUS proxy server, you need to configure the NE as RADIUS proxy server.
l If a RADIUS proxy server is added, a shared key (which contains 8 to 128 characters or is blank)
can be configured on the NAS so that the key can be shared between the NAS and RADIUS proxy
server. It is recommended that the shared key contain at least 16 characters. In addition, the shared
key must be the same as that configured on the RADIUS proxy server.
l Configure security related to account management on the RADIUS server. For example, enable the
user lock and set user timeout.

----End

3.3.4 Configuring a Key from a RADIUS Proxy to a NAS

Prerequisites
l You are an NMS user with Administrator Group rights or higher.
l The NE is enabled as a RADIUS client and RADIUS proxy.

Procedure
Step 1 In the NE Explorer, select an NE. Choose Security > NE RADIUS Configuration from the
Function Tree.

Step 2 Click RADIUS Server Authentication Key Configuration.

Step 3 Click Query.

Step 4 Click New. The New Authentication Key dialog box is displayed.

Figure 3-16 New Authentication Key

Step 5 Set the authentication key and click OK.

Step 6 Right-click a key configuration and choose Delete from the shortcut menu if necessary.


NOTE

l If an NE is enabled as a RADIUS proxy server, a shared key (which contains 8 to 128 characters)
can be configured on the RADIUS proxy server so that the key can be shared between the RADIUS
proxy server and NAS. It is recommended that the shared key contain at least 16 characters. In
addition, the shared key configured on the RADIUS proxy server must be the same as that
configured on the NAS. Please refer to the following figure "Radius Key Length Setting".
l If a shared key is configured between the NAS and a RADIUS proxy server, after the NAS is
downgraded, the shared key on it becomes empty, and the NMS cannot log in to the NAS. In this
case, you must delete the shared key on the RADIUS proxy server for communication with the NAS.

Figure 3-17 Radius Key Length Setting

----End

3.3.5 Configuring Forced Authentication on a RADIUS Proxy


Forced authentication is disabled on a RADIUS proxy by default. If a NAS key for an address
is configured on the RADIUS proxy, authentication requests from this address are forwarded;
if no NAS key for an address is configured, authentication requests from the address are
discarded. In this way, packet attacks from unknown IP addresses are avoided.
Forced authentication on a RADIUS proxy is configured globally, which means that the
enabled/disabled state of this function affects both authentication and accounting packet
forwarding on the RADIUS proxy.
If all the devices on a network are new, enable forced authentication, as the following shows:

Risks:


To prevent a shared key from being easily deciphered or leaked, ensure that the following
requirements are met:
A shared key must contain 8 to 128 characters. It is recommended that a shared key contain 16
characters.
A shared key must contain at least two types of the following characters: lowercase letters,
uppercase letters, digits, and special characters.
Shared keys must be updated every 90 days at least.
It is advisable to configure a unique shared key between each client and a server.

3.3.6 Configuring RADIUS Server Parameters


The RADIUS server can be used for authentication only when the Radius server parameters
are configured.

Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The RADIUS server has been created.

Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE Radius Configuration from the
navigation tree, as shown in Figure 3-15 RADIUS server configuration.
Step 2 Click Query to query the information about RADIUS parameter configuration from the NE.

Step 3 Click New. The New NE RADIUS Server Configuration dialog box is displayed.


Figure 3-18 New RADIUS server

Step 4 Configure the RADIUS parameters and click OK to save the configurations.
Precautions:
l To prevent a shared key from being easily deciphered or leaked, meet the following
requirements:
a. Eight characters or longer; 16 characters are recommended.
b. A combination of two or more of the following character types: lowercase letters,
uppercase letters, digits, and special characters.
c. Changed at least every 90 days.
d. A different shared key for each client that connects to a server.
e. When RADIUS configuration information is queried, the shared key is sent to the
NMS in plaintext, although the NMS displays it as *. To prevent the shared key from
being leaked, query and configure this information over an SSL secure channel only.
l For compatibility, an empty key is accepted when you add a RADIUS proxy server. An
empty key provides no protection; replace it with a shared key that meets the
requirements above.

----End


3.4 Network Service Security

3.4.1 Security Threats


As described in the preceding section, data services face the following security threats:
l Heavy traffic attacks, which consume network bandwidth, degrade the processing
capability and forwarding efficiency of devices, and cause problems such as broadcast
storms
l Unauthorized user access
l Interception of user data
The following table lists preventive measures for these threats.

Table 3-5 Security threats facing data services and corresponding preventive measures

Threat | Preventive Measure | Description | Affected Services
Heavy traffic attack | Control the service flow. | Various measures are used to limit the service flow. | Ethernet services
Heavy traffic attack | Detect and prevent loops. | Physical loops in the network are detected, to prevent broadcast storms. | Ethernet services
Heavy traffic attack | Discard error packets. | Abnormal data packets are detected and discarded. | Ethernet services
Unauthorized user access | Control Layer 2 service access. | Layer 2 service access rules are configured. | Ethernet services
User data interception | Isolate user services. | Layer 2 service access rules are configured. Logical or physical measures isolate user services so that services of different users cannot communicate with each other. | Ethernet services

3.4.2 Ethernet Services


Ethernet services are of two types: private line services and private network services.
l Private line services: Services are forwarded using VLAN tags and are isolated at Layer 2.
Service flow is controlled using the QoS scheme, and invalid packets are filtered using
ACLs. In this way, data confidentiality is ensured.
l Private network services: Layer 2 switching services that are forwarded based on MAC
addresses or MAC+VLAN. Private network services apply to various scenarios, MAC
addresses are difficult to control, and the MAC address learning and forwarding
mechanism can be influenced by user data packets. Private network services are therefore
exposed to security attacks.
NOTE
Ethernet converged services are also forwarded using VLAN tags and have the same security
mechanism as private line services.

Prerequisites

Service | Operation | Prerequisites
Flow control | EOT boards | You must be an NM user with "operator" authority or higher.
Loop avoidance | EOT boards | You must be an NM user with "operator" authority or higher.
Layer 2 service access control | EOT boards | You must be an NM user with "operator" authority or higher. Private Ethernet network services have been created and service mounting has been configured.
- | EOT boards | You must be an NM user with "administrator" authority or higher. Private Ethernet network services have been created.

Flow control
When the flow of broadcast packets, multicast packets, or unicast packets with unknown
destination addresses is excessive, service bandwidth is overloaded, or network congestion
may occur because of burst traffic. Flow control prevents these problems and ensures stable
and secure network operation.
l Broadcast packet suppression
Broadcast storm suppression limits the broadcast flow: broadcast packets that exceed the
suppression threshold are discarded.
After port-based broadcast storm suppression is enabled, broadcast packets exceeding the
threshold are discarded. By default, the broadcast packet suppression threshold is 30(%).
The broadcast packet suppression threshold can be set to limit the broadcast flow passing
through the sub-interface. When the broadcast flow exceeds the value set by the user,
broadcast packets are discarded. In this way, the percentage of broadcast flow is brought
back within a reasonable range, and broadcast storms are effectively suppressed.

EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Interface Management > Ethernet Interface from the
navigation tree.
2. Click the External Port on the right interface.
3. Click the Advanced Attributes tab, select the port to be modified, and set the Broadcast
Packet Suppression or Broadcast Packet Suppression Threshold attribute.

Figure 3-19 Configuring broadcast packet suppression for EOT boards

4. Click Apply to save the configuration.


l Unknown multicast packet discarding
Unknown multicast packets can be discarded or forwarded.
If discard is set, private network services discard received unknown multicast packets.
If forward is set, private network services forward received unknown multicast packets.
l Limitation on the number of learned MAC addresses
The number of learned MAC addresses is limited to control the number of access users.
l Port flow monitoring
By means of port flow monitoring, a threshold-crossing alarm is reported if the rate of
packets received at a port exceeds the port flow monitoring threshold, reminding users to
take preventive measures.
l Limitation on traffic using the QoS scheme
Figure 3-20 shows the QoS networking model when the OptiX OSN 1800 is used as a TDM
device.

Figure 3-20 QoS networking model when the OptiX OSN 1800 is used as a TDM device

The QoS scheme of the TDM device uses the DiffServ model. Specifically, functions such as
CAR and traffic shaping are configured at the ingress or egress of the SDH network to
limit the service flow, prevent burst traffic or heavy traffic attacks, and protect
important services against network congestion.


Loop avoidance
If a loop exists in a Layer 2 switch network, packets will be continuously duplicated and
circled in the loop, causing a broadcast storm. In this case, all valid bandwidth will be
occupied, and the network will become unavailable.

l Self-loop detection at service ports
Self-loops at service ports are detected by sending and receiving protocol packets.

EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Interface Management > Ethernet Interface from the
navigation tree.
2. Click the External Port on the right interface.
3. Click the Advanced Attributes tab, select the port to be modified, and set the Loop
Detection or Loop Port Shutdown attribute.

Figure 3-21 Detecting self-loops at ports on EOT boards

4. Click Apply to save the configuration.


l Blocking of self-looped ports
After self-loop detection and blocking of self-looped ports are enabled at service ports, a
port that is found to be self-looped stops sending and receiving services. In this way,
broadcast storms are prevented.

Discarding of error packets

Error packets include packets whose fields are missing, disordered, repeated, overlong, or
too short. They may be caused by malicious users, bit errors on transmission lines, or
abnormal processing by device hardware. Processing error packets brings extra load on the
device and occupies the bandwidth of normal services. The device must identify error
packets and discard them.

The following types of error packets can be discarded:

l Ethernet frames whose source MAC address is the same as the destination MAC address
l Ethernet frames whose source and destination MAC addresses are both 0
l Ethernet frames shorter than 46 bytes
l Ethernet frames longer than the maximum transmission unit (MTU)
l Overlong Ethernet frames (whose data section has more than 65535 bytes)
l Ethernet frames with FCS (or CRC) errors
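As an added example (not Huawei code and not a description of the board's internal logic), the following Python classifier applies the six discard rules listed above to raw Ethernet frames, and shows why the length rules must run before the address and FCS rules. The frame layout and FCS encoding (CRC-32 over destination through payload, least-significant byte first) follow IEEE 802.3; the MTU value, MAC addresses, and sample frames are constructed for the example.

```python
"""Classifier applying the error-frame discard rules listed above to raw
Ethernet frames.  Added example, not Huawei code.  Frame layout and FCS
encoding (CRC-32 over dst..payload, least-significant byte first) follow
IEEE 802.3; the MTU value and sample frames are constructed."""
import struct
import zlib

HDR_LEN = 14          # dst(6) + src(6) + type/length(2)
FCS_LEN = 4
MIN_FRAME_LEN = 46    # short-frame threshold quoted in the manual
MAX_DATA_LEN = 65535  # "overlong" threshold quoted in the manual
ZERO_MAC = bytes(6)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                ethertype: int = 0x0800, corrupt_fcs: bool = False) -> bytes:
    """Assemble dst|src|type|payload|FCS; optionally flip one FCS bit."""
    body = dst + src + struct.pack(">H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt_fcs:
        fcs ^= 0x1
    return body + struct.pack("<I", fcs)


def classify(frame: bytes, mtu: int = 1518) -> str:
    """Return 'ok' or the first discard rule the frame violates.

    Length rules run first so that the address and FCS checks never read
    past the end of a runt frame."""
    if len(frame) < MIN_FRAME_LEN:
        return "shorter than 46 bytes"
    data_len = len(frame) - HDR_LEN - FCS_LEN
    if data_len > MAX_DATA_LEN:
        return "overlong (data > 65535 bytes)"
    if len(frame) > mtu:
        return f"longer than MTU ({mtu})"
    dst, src = frame[:6], frame[6:12]
    if dst == ZERO_MAC and src == ZERO_MAC:
        return "source and destination MAC both zero"
    if dst == src:
        return "source MAC equals destination MAC"
    body, fcs = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])[0]
    if (zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return "FCS/CRC error"
    return "ok"


def classify_all(samples: dict, mtu: int = 1518) -> dict:
    return {name: classify(frame, mtu) for name, frame in samples.items()}


# Constructed sample frames; MAC addresses and payloads are arbitrary.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + bytes(59)               # 60-byte payload -> 78-byte frame
SAMPLES = {
    "good":      build_frame(MAC_A, MAC_B, PAYLOAD),
    "runt":      build_frame(MAC_A, MAC_B, bytes(10)),        # 28-byte frame
    "same_mac":  build_frame(MAC_A, MAC_A, PAYLOAD),
    "zero_macs": build_frame(ZERO_MAC, ZERO_MAC, PAYLOAD),
    "bad_fcs":   build_frame(MAC_A, MAC_B, PAYLOAD, corrupt_fcs=True),
    "over_mtu":  build_frame(MAC_A, MAC_B, bytes(1600)),      # 1618-byte frame
    "overlong":  build_frame(MAC_A, MAC_B, bytes(70000)),
}

if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

Note that the "longer than MTU" rule depends on the configured MTU: the same 1618-byte frame is discarded with the default 1518 but accepted on a port configured for jumbo frames, whereas the 65535-byte overlong limit is fixed.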


Layer 2 service access control


By means of Layer 2 service access control, unauthorized user data can be filtered.
l Static MAC address entries
For L2VPN private network services, static MAC address entries can be added, deleted,
or queried. If the function of MAC address learning is disabled, static MAC addresses
need to be added for normal service forwarding. Otherwise, MAC addresses carried by
services do not match those in the static MAC address table, and packets will be treated
as invalid and be discarded.
EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Service > Ethernet LAN Service from the navigation tree.
2. Select the private Ethernet network services to be configured, and click the VLAN
Unicast tab.

Figure 3-22 Static MAC address table for EOT boards

NOTE
If the IVL learning mode is selected for private Ethernet network services, the VLAN filtering
table must be created.
3. Click New, and the dialog box of creating VLAN unicast will be displayed. Then set
static MAC address parameters.
NOTE
If the SVL learning mode is selected for private Ethernet network services, VLAN ID cannot be
specified.
4. Click OK to save the configuration.
l MAC address blacklist
In private network L2VPN services, MAC addresses can be added to, deleted from, or
queried on the blacklist. Unauthorized services are filtered by adding the invalid MAC
addresses to the blacklist.
EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Service > Ethernet LAN Service from the navigation tree.
2. Select the private Ethernet network services to be configured, and click the Disable
MAC Address tab.

Figure 3-23 MAC address blacklist for EOT boards

3. Click New, and the dialog box of disabling MAC addresses will be displayed. Then set
MAC address blacklist parameters.


NOTE
If the SVL learning mode is selected for private Ethernet network services, VLAN ID cannot be
specified.
4. Click OK to save the configuration.
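As an added example (not Huawei code; the page does not describe the NE's internal implementation), the following Python model shows the forwarding decisions that the static MAC table and MAC blacklist above imply for a private network service with MAC learning disabled, and how the IVL and SVL learning modes change the table key, which is why a VLAN ID can be specified in one mode but not the other. Class, method, port, and address names are assumptions.

```python
"""Model of Layer 2 access control for a private network (LAN) service:
blacklist filtering, static unicast entries, and the IVL/SVL key difference.
Added example, not Huawei code; names and behaviour details are assumptions."""
from dataclasses import dataclass, field


@dataclass
class LanService:
    learning_mode: str                    # "IVL" or "SVL"
    mac_learning: bool = False            # False: only static entries forward
    static_unicast: dict = field(default_factory=dict)   # key -> egress port
    blacklist: set = field(default_factory=set)          # blocked source MACs
    learned: dict = field(default_factory=dict)          # key -> port (if learning)

    def key(self, vlan, mac):
        # IVL keeps an independent table per VLAN; SVL shares one table and
        # therefore ignores the VLAN ID (which is why it cannot be specified).
        return (vlan, mac) if self.learning_mode == "IVL" else (None, mac)

    def add_static(self, mac, port, vlan=None):
        """Add a static unicast entry, enforcing the IVL/SVL VLAN rules."""
        if self.learning_mode == "SVL" and vlan is not None:
            raise ValueError("VLAN ID cannot be specified in SVL mode")
        if self.learning_mode == "IVL" and vlan is None:
            raise ValueError("IVL mode requires a VLAN ID (VLAN filtering table)")
        self.static_unicast[self.key(vlan, mac)] = port

    def handle(self, in_port, vlan, src_mac, dst_mac) -> str:
        """Return the decision for one frame entering on in_port."""
        if src_mac in self.blacklist:
            return "discard: blacklisted source MAC"
        if self.mac_learning:
            self.learned[self.key(vlan, src_mac)] = in_port
        k = self.key(vlan, dst_mac)
        if k in self.static_unicast:
            return f"forward: port {self.static_unicast[k]}"
        if self.mac_learning:
            if k in self.learned:
                return f"forward: port {self.learned[k]}"
            return "flood: unknown destination"
        # Learning disabled and no static entry: the manual treats the frame
        # as invalid and discards it.
        return "discard: no static MAC entry"


def demo_ivl():
    svc = LanService(learning_mode="IVL")
    svc.add_static("00:11:22:33:44:55", port=2, vlan=100)
    svc.blacklist.add("de:ad:be:ef:00:01")
    return [
        svc.handle(1, 100, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55"),  # forward: port 2
        svc.handle(1, 200, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55"),  # wrong VLAN
        svc.handle(1, 100, "de:ad:be:ef:00:01", "00:11:22:33:44:55"),  # blacklisted
    ]


def demo_svl():
    svc = LanService(learning_mode="SVL")
    svc.add_static("00:11:22:33:44:55", port=3)       # no VLAN in SVL mode
    return svc.handle(1, 999, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55")


if __name__ == "__main__":
    print(demo_ivl())
    print(demo_svl())
```

The second IVL case is the practical consequence of the note above: with IVL, a static entry created for VLAN 100 does not match the same destination MAC arriving in VLAN 200, so that frame is discarded; with SVL, the same entry matches regardless of VLAN.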

Service isolation
The following logical and physical isolation measures prevent malicious users from
intercepting data and reduce the impact of broadcast flow.
l Layer 2 logical isolation
VLAN is a basic function of network data devices. One VLAN forms a logical subnet (a
logical broadcast domain), and different VLANs are assigned to different users, so Layer 2
user services cannot communicate with each other. In this way, logical isolation is
achieved for Layer 2 services. VLAN division also confines broadcast flow to individual
broadcast domains and narrows the broadcast range.
The OptiX OSN 1800 supports private Ethernet line services. VLAN tags can be
identified, forwarded, and changed.

Figure 3-24 Example of VLAN services: QinQ services

l Isolation of physical channels
Different user data (such as STM-N timeslots) is carried on different physical channels,
and users do not share physical channels with each other. Physical-layer user services
therefore cannot communicate with each other, ensuring high network security.


4 Security Maintenance

About This Chapter

Security maintenance is a means to audit the device in terms of security to discover security
risks in time and effectively implement security hardening, aiming to ensure that the device
works properly and securely.
4.1 Suggestions on Port Maintenance
4.2 NE Account Maintenance
4.3 Log Audit
4.4 Weak Password Policy Detection
4.5 Security Patch Upgrade
Security vulnerabilities in the equipment can be fixed online by loading hot patches.
4.6 Software Package Integrity Verification


4.1 Suggestions on Port Maintenance


Ports are classified into logical ports and physical ports. Logical ports are standard
communication protocol ports, such as STelnet port 22. Physical ports are the management
access ports and service ports provided by the device.

It is recommended that unused ports be disabled during routine O&M to avoid unauthorized
access traffic. The following TCP/UDP ports should be closed when not in use:

4.1.1 TCP Ports

NMS Access Port


Security suggestion: Access through TCP port 1400 is insecure because packets on this port
are transmitted as plaintext. You are advised to disable this port.

The NMS access port number is TCP 1400. It is the port through which the NMS communicates
with and manages the NE. This port is enabled by default.

To enable the NMS access port, set Connection Mode to Common or Secure SSL+Common and
then click Apply. To disable the NMS access port, set Connection Mode to Secure SSL and
click Apply.

Figure 4-1 NMS Access Port


NMS Secure Access Port


Security suggestion: This port provides secure access between the NMS and the NE. It is
advisable to enable it.

The NMS secure access port number is TCP 5432. It is the port through which the NMS
securely communicates with and manages the NE. This port uses the SSL/TLS protocol and is
enabled by default.

To enable the NMS secure access port, set Connection Mode to Secure SSL and then click
Apply. To disable the NMS secure access port, set Connection Mode to Common and click
Apply.

Figure 4-2 NMS Secure Access Port

Automatically Extended ECC Port


Security suggestion: If the network is not trusted, or if you do not need the automatically
extended ECC function, disable the automatically extended ECC port. If extended ECC is
used, enable authentication for extended ECC.

Automatically extended ECC supports TCP-AO. After you set an authentication key on an
NE, its existing extended ECC connections are disconnected and new ECC connections are
established only between NEs that share the same key.

Take either of the following strategies to avoid an NE becoming unreachable from the
NMS when its existing extended ECC connections are disconnected:
l Query the routes of the NE and work out its distance from its gateway NE (GNE). Set the
key on the NE farthest from the GNE first, so that the NEs still waiting for a key remain
reachable through the GNE.
l Delay key activation so that the keys take effect only after they have been set on all
the NEs. Then query whether the keys have taken effect.


For an authentication-configured secure network, ensure that keys are configured on new
devices before the new devices are enabled on the network; otherwise, they cannot use
extended ECC for network access.
The automatically extended ECC port number is 1600. It is the default communication port
when the HWECC protocol is running between NEs and HWECC channels are set up over
Ethernet. This port is enabled by default.
Set Extended ECC Mode to Auto mode. To enable the automatically extended ECC port,
click Apply; to disable the automatically extended ECC port, click Stop.

Figure 4-3 Automatically Extended ECC Port

Manually Extended ECC Port


Security suggestion: It is advisable to disable the manually extended ECC if you do not need
to use it. If manually extended ECC is used, enable authentication for extended ECC.
Manually extended ECC links support TCP-AO authentication. Its configurations and
strategies are the same as those of automatically extended ECC.
The manually extended ECC port number may be any from 1601 to 1699. It is a
communication port manually specified when the HWECC protocol is running between NEs
and HWECC channels are set up over Ethernet.
Set ECC Extended Mode to Specified mode. In Set Server, enter the port number, and click
Apply. In Set Client, enter the peer IP address and the port number, and then click Apply.
Note that the port IDs of the server and client must be different.


Figure 4-4 Manually Extended ECC Port

STelnet Port
Security suggestion: STelnet access is a secure access mode. If you do not need to use STelnet
access, it is advisable to disable the STelnet port.
The STelnet port number is 22. This port is used for setting up the STelnet channel and is
disabled by default.
On the Communication Service Management tab page, to enable the STelnet port, set
Control Switch to Enabled for the Service Type STelnet; to disable the STelnet port, set
Control Switch to Disabled for the Service Type STelnet.

Figure 4-5 STelnet Port

4.1.2 UDP Ports


1. NTP Port
The NTP port number is 123. It is a communication port used by an NE for time
synchronization between the NE and the NTP server. This port is disabled by default.
If Synchronous Mode is set to Standard NTP, the NTP port is enabled; otherwise, the
NTP port is disabled.


Figure 4-6 NTP port

2. Port for Communicating with the RADIUS Client/Proxy Authentication Server


The communication port number is 1812. This port forwards authentication packets
between the NAS and the RADIUS server. This port is disabled by default.
To enable the RADIUS client and proxy server, set RADIUS Client and Proxy Server
to Open.

Figure 4-7 Port for Communicating with the RADIUS Client/Proxy Authentication
Server

3. Port for Communicating with the RADIUS Proxy Accounting Server


The communication port number is 1813. This port forwards accounting packets between
the NAS and the RADIUS server. This port is disabled by default.
NOTE
When RADIUS is enabled or disabled, ports 1812 and 1813 are enabled or disabled
accordingly. Transport devices do not need accounting for billing; simple accounting is
used between an NE and the RADIUS server, and accounting packets are exchanged so that
user logins can be traced and recorded by browsing the online and offline records on a
RADIUS server that supports accounting.
To enable the RADIUS client and proxy server, set RADIUS Client and Proxy Server
to Open.

Figure 4-8 Port for Communicating with the RADIUS Proxy Accounting Server

4. SNMP Port


The SNMP port number is 161. This port is an SNMP protocol communication port,
allowing the SNMP NMS to access the NE by the SNMP protocol. This port is disabled
by default. To enable the SNMP port, set related SNMP communication parameters.

Figure 4-9 SNMP Port

If the NE has no SNMP communication parameter settings, the SNMP port is disabled.
To disable the SNMP port, select the SNMP parameter setting and click Delete.

5. Extended HWECC NE Address Discovery


Security suggestion: Disable this function if extended HWECC is disabled.
Extended HWECC NE address discovery uses port 1500 to discover the communication
address of a peer NE upon setup of HWECC channels on an Ethernet. This port is
enabled by default. Set Extended ECC Mode to Auto mode. To enable the
automatically extended ECC port, click Apply; to disable the automatically extended
ECC port, click Stop.


6. Management-Plane NE Search
Port 1500 is used to search for NE IP addresses in broadcast and unicast manner when
management-plane NE search is enabled. It is recommended that you disable this
function.
Set NE search within a network segment on management plane to Disable.

7. Multicast NE Search
Port 8002 is used to search for NE IP addresses in multicast manner when multicast NE
search is enabled. It is recommended that you disable this function.
Set NE search across network segments on management plane to Disable.

8. IP GNE
Port 1400 is used to forward inter-NE management packets when IP networking is used.
Disable the UDP 1400 port if all-HWECC or all-OSI networking is adopted.
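The following Python audit is an added example (not Huawei code or a Huawei tool) that turns the port recommendations in 4.1.1 and 4.1.2 into a repeatable check: given the set of (protocol, port) pairs observed open on an NE and flags stating which features are actually in use, it lists every deviation, including extended ECC running without TCP-AO authentication. The policy table summarizes the text above; the observed port set, the feature flags, and the helper names are constructed assumptions.

```python
"""Audit of the TCP/UDP ports listed in this section against the manual's
recommendations.  Added example, not Huawei code.  Input is the set of
(protocol, port) pairs observed open on an NE together with flags saying
which features are actually in use; both are constructed here."""
import socket

# (proto, port): (name, rule).  rule is "close", "open", or "unless:<feature>"
# meaning the port should be closed unless that feature is in use.
PORT_POLICY = {
    ("tcp", 1400): ("NMS access (plaintext)", "close"),
    ("tcp", 5432): ("NMS secure access (SSL/TLS)", "open"),
    ("tcp", 1600): ("Automatically extended ECC", "unless:auto_ecc"),
    ("tcp", 22):   ("STelnet", "unless:stelnet"),
    ("udp", 123):  ("NTP", "unless:ntp"),
    ("udp", 1812): ("RADIUS authentication", "unless:radius"),
    ("udp", 1813): ("RADIUS accounting", "unless:radius"),
    ("udp", 161):  ("SNMP", "unless:snmp"),
    ("udp", 1500): ("Extended HWECC NE address discovery / NE search", "unless:auto_ecc"),
    ("udp", 8002): ("Multicast NE search", "close"),
    ("udp", 1400): ("IP GNE forwarding", "unless:ip_networking"),
}
MANUAL_ECC_PORTS = range(1601, 1700)    # manually extended ECC, TCP


def audit_ports(open_ports: set, features: dict) -> list:
    """Return (proto, port, name, finding) tuples for every deviation."""
    findings = []
    for (proto, port), (name, rule) in PORT_POLICY.items():
        is_open = (proto, port) in open_ports
        if rule == "close" and is_open:
            findings.append((proto, port, name, "open but should be closed"))
        elif rule == "open" and not is_open:
            findings.append((proto, port, name, "closed but should be open"))
        elif rule.startswith("unless:"):
            feature = rule.split(":", 1)[1]
            if is_open and not features.get(feature, False):
                findings.append((proto, port, name, f"open but {feature} not in use"))
    for proto, port in sorted(open_ports):
        if proto == "tcp" and port in MANUAL_ECC_PORTS and not features.get("manual_ecc"):
            findings.append((proto, port, "Manually extended ECC", "open but manual_ecc not in use"))
    # Extended ECC without TCP-AO authentication is itself a deviation.
    if (features.get("auto_ecc") or features.get("manual_ecc")) and not features.get("ecc_auth"):
        findings.append(("tcp", None, "Extended ECC", "in use without TCP-AO authentication"))
    return findings


def tcp_probe(host: str, ports, timeout: float = 1.0) -> set:
    """Connect-scan helper to build the open_ports input from a live NE (TCP only;
    UDP state must come from the NE's own configuration query).  Not called below."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(("tcp", port))
    return found


# Constructed observation: plaintext NMS port still open, auto ECC without
# authentication, one manual ECC port nobody configured, NTP in use.
OBSERVED = {("tcp", 1400), ("tcp", 5432), ("tcp", 1600), ("tcp", 1650),
            ("udp", 1500), ("udp", 123)}
FEATURES = {"auto_ecc": True, "ecc_auth": False, "ntp": True}

if __name__ == "__main__":
    for finding in audit_ports(OBSERVED, FEATURES):
        print(finding)
```

UDP 1500 is listed once here although the text gives it two roles (extended HWECC address discovery and management-plane NE search); both close with the same Extended ECC Mode control, so one rule covers them.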


4.2 NE Account Maintenance


NE accounts are user names and passwords used for NE management. NE accounts must be
updated in time to prevent unauthorized access and guarantee device security. The following
issues must be considered during account maintenance:

l Periodically updating passwords
l Changing the default account and password of the NE in time
l Deleting abandoned and unused accounts in time

4.3 Log Audit


Log audit is a means to discover security risks during network O&M and identify hidden
security problems. The device provides two types of logs for this purpose: security logs
and operation logs. Security logs record operations related to NE accounts, such as
account deletion, and reveal unauthorized user access. Operation logs record all user
configuration operations and help discover unauthorized configuration changes.

Security logs must be audited periodically to strengthen protection against unauthorized
account access or login attempts. You can add an access control list (ACL) or deploy a
firewall to block unauthorized login attempts, and clear abandoned or unused accounts to
prevent unauthorized account access.

Operation logs must also be audited periodically to discover, in time, unauthorized
configuration operations performed on NEs. You can delete the accounts involved to reduce
security risks.

4.4 Weak Password Policy Detection


Weak password policy detection is enabled. Passwords must meet the following complexity
requirements:
l The password must contain at least three of the following character types: lowercase
letters, uppercase letters, digits, and special characters.
l The password must be different from the latest five passwords.
l The password must not be the same as the user name or the reversed user name.
l The new password must differ from the old password in at least two characters.
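The following Python check is an added example (not Huawei code) that enforces the four rules above at password-change time. Previous passwords are kept as salted PBKDF2-HMAC-SHA256 hashes, the storage mode section 5.1.1 recommends, so the history rule compares hashes rather than stored plaintext. Reading "at least two characters different" as position-wise differences plus any length difference is an assumption, as are the iteration count, the user name and the sample passwords.

```python
"""Password-change check enforcing the four weak-password rules above.  Added
example, not Huawei code.  Previous passwords are stored as salted
PBKDF2-HMAC-SHA256 hashes (the storage mode section 5.1.1 recommends), so the
history rule compares hashes, never stored plaintext.  Reading "two
characters different" as position-wise differences plus any length difference
is an assumption; the iteration count and the sample data are constructed."""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 50_000


def pbkdf2_entry(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for storing a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_entry(password: str, entry: tuple) -> bool:
    salt, digest = entry
    return hmac.compare_digest(pbkdf2_entry(password, salt)[1], digest)


def char_types(pw: str) -> int:
    """Count the character types (lower, upper, digit, special) present."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def differing_chars(a: str, b: str) -> int:
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def check_new_password(username: str, old_password: str, new_password: str,
                       history: list) -> list:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if char_types(new_password) < 3:
        problems.append("fewer than three character types")
    if any(matches_entry(new_password, e) for e in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last five passwords")
    if new_password in (username, username[::-1]):
        problems.append("same as the user name or reversed user name")
    if differing_chars(old_password, new_password) < 2:
        problems.append("fewer than two characters differ from the old password")
    return problems


def demo() -> dict:
    user = "osn_admin"
    old = "Tr@nsport2016"
    # Constructed history: four earlier passwords plus the current one.
    history = [pbkdf2_entry(p) for p in
               ["Optix!2015a", "Optix!2015b", "Optix!2015c", "Optix!2015d", old]]
    return {
        "reuse":     check_new_password(user, old, "Optix!2015b", history),
        "too_close": check_new_password(user, old, "Tr@nsport2017", history),
        "username":  check_new_password(user, old, "nimda_nso", history),
        "good":      check_new_password(user, old, "Dwdm-Ring#7Nov", history),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result or 'accepted'}")
```

The "too_close" case is the one operators most often hit: incrementing the year in an otherwise unchanged password changes a single character and is rejected by the fourth rule even though it passes the other three.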


4.5 Security Patch Upgrade


Security vulnerabilities in the equipment can be fixed online by loading hot patches.

4.6 Software Package Integrity Verification


On support.huawei.com, open Digital Signature Authentication Mode, then download the
OpenPGP Signature Verification Guide and the verification tool, and use them to verify the
integrity of each software package before it is loaded.


5 Security Hardening

About This Chapter

5.1 Device Layer Security Hardening


5.2 Network Layer Security Hardening


5.1 Device Layer Security Hardening

5.1.1 Account Management Hardening


Account management hardening involves account maintenance hardening and management
mode hardening.

Account Maintenance Hardening


l After NEs are handed over to the customer's O&M department, the administrator should
immediately delete the factory-default accounts and regularly change the passwords of
new accounts. For the list of factory-default accounts, see 2.1.1 Querying the NE User
Information.
l The user needs to configure one or more administrator accounts. The passwords of
administrator accounts must be kept carefully. The administrator accounts can be used to
perform only management operations (such as adding or deleting accounts, and resetting
passwords) on the equipment. After the operations are completed, they must log out of
the equipment immediately.
l The user needs to configure a monitor account for monitoring equipment running status.
The accounts higher than the monitor level cannot be used for long-term online
monitoring.
l Super administrator accounts (expert-level) need to be created only when specific
requirements are raised, for example, fault locating and emergency service recovery. The
super administrator accounts must be deleted immediately after the related operations are
completed.
l The expired or useless accounts must be deleted immediately.
l Account levels should be allocated to new accounts based on the minimum permission
rule.
l User passwords must be regularly (two months are recommended) changed. Each
password must contain more than three types of characters.
l The default password of a new account is permanently valid and risks are present if the
same password is used for a long period of time. Therefore, a validity period needs to be
configured for passwords. A three-month validity period is recommended.
l It is recommended that user accounts and passwords be stored on the equipment in
PBKDF2 mode.

Centralized Account Management on a RADIUS Server

The device provides local authentication and RADIUS authentication. If the device is
deployed in local authentication mode, accounts and passwords must be updated
periodically on every device, which brings a heavy maintenance workload. RADIUS
authentication is therefore recommended for higher maintenance efficiency.

A RADIUS server can be deployed on the live network, with all devices on the network
using the same set of accounts. These accounts are configured on the RADIUS server only.
This lowers the maintenance workload, because you need only periodically examine the
accounts and passwords on the RADIUS server during O&M.


5.1.2 Security Log Hardening


The device can store only a limited number of security logs. If security logs are not
audited, useful logs may be overwritten, so that security risks are not discovered in time
and hidden problems remain during network O&M.
The device provides the syslog function: its logs can be dumped to an external syslog
server, which solves the problem of insufficient security log storage space.
You can configure the syslog server on each device. For details about configuring the
syslog server and the gateway server, see section "2.4.2 Device Syslog Logs." After the
configuration succeeds, the devices upload security logs to the syslog server in time.
The following example describes how to configure the syslog server on NE 1.

Figure 5-1 Network topology

You can set the syslog server on NE1 to the NE ID (0x00092012) of the GNE, and then
configure the IP address (128.100.1.1) of the syslog server on the gateway NE (GNE). A
forwarding server must be configured here because the Huawei proprietary embedded
control channel (ECC) protocol, not IP, is used on the management plane of the network
where NE 1 is located.
If IP is used on the network, the IP address of the syslog server can be configured directly
on each NE and no forwarding server is needed.
If the connection to the syslog server is not set up in TLS mode, log packets are sent as
plaintext; they may be captured on the network and used to profile the equipment from the
log content. It is recommended that syslog be transmitted over a TLS connection.

5.1.3 Security Hardening for Database Uploading and


Downloading
Integrity protection for database uploading and downloading uses the HMAC-SHA256
algorithm to perform an integrity check on each file during transmission and generate a file
summary. The file summaries generated before and after the uploading or downloading are
compared for consistency, ensuring file integrity. The file summary information is added
to the end of the list file dbf.pkg for transmission. For compatibility with earlier versions, this
function is disabled by default before delivery.
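The mechanism this section describes, as an added example that is not the equipment's own code: a keyed HMAC-SHA256 summary is appended to the end of a constructed dbf.pkg on the sending side and recomputed on the receiving side, so a file altered in transit, a file protected with a different password, or a file from a version without summaries is rejected. How the NMS turns the Integrity Protection Password into the HMAC key, and the exact placement of the summary, are assumptions.

```python
import hashlib
import hmac

# Length of the file summary appended to the end of the transferred file.
SUMMARY_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed sample content standing in for the list file dbf.pkg (not a real package).
SAMPLE_DBF_PKG = (
    b"dbf.pkg\n"
    b"NE=0x00092012\n"
    b"file=ne_db.dat size=4096\n"
    b"file=cfg.dat size=512\n"
)


def summary_key(password: str) -> bytes:
    """Turn the Integrity Protection Password into the HMAC key.

    Assumption: the manual only says a password is entered on the NMS; how it
    becomes the HMAC-SHA256 key is not specified, so it is simply hashed here.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def file_summary(data: bytes, password: str) -> bytes:
    """HMAC-SHA256 summary of the file content under the given password."""
    return hmac.new(summary_key(password), data, hashlib.sha256).digest()


def protect(data: bytes, password: str) -> bytes:
    """Sending side: append the summary to the end of the file before transfer."""
    return data + file_summary(data, password)


def verify(received: bytes, password: str, verification_open: bool = True) -> tuple:
    """Receiving side: recompute the summary and compare it with the one received.

    Returns (accepted, payload). With Integrity Verification set to Close (the
    factory default kept for compatibility) the file is accepted unchecked.
    """
    if not verification_open:
        return True, received
    if len(received) <= SUMMARY_LEN:
        return False, b""  # too short to hold a payload plus a summary
    payload, got = received[:-SUMMARY_LEN], received[-SUMMARY_LEN:]
    want = file_summary(payload, password)
    # compare_digest runs in constant time, so timing does not leak how many bytes matched
    return hmac.compare_digest(got, want), payload


def demo() -> dict:
    """Walk through the cases the section implies and return each verdict."""
    pw = "constructed-password"
    sent = protect(SAMPLE_DBF_PKG, pw)
    tampered = sent[:20] + b"X" + sent[21:]  # one byte altered in transit
    return {
        "intact": verify(sent, pw)[0],                    # True
        "tampered": verify(tampered, pw)[0],              # False
        "wrong_password": verify(sent, "other")[0],       # False: passwords differ at the two ends
        "no_summary": verify(SAMPLE_DBF_PKG, pw)[0],      # False: file from a version without summaries
        "verification_closed": verify(SAMPLE_DBF_PKG, pw, False)[0],  # True: accepted unchecked
    }
```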

Enabling Integrity Protection for Database Uploading and Downloading


1. On the main menu, choose Administration > NE Security Management > NE
Communication Services Management and click the NE Database Security
Management tab.
2. In Integrity Verification, select Open. Then click the button on the right of Integrity
Protection Password and enter a password.
3. Click OK and then Apply.

Disabling Integrity Protection for Database Uploading and Downloading


1. On the main menu, choose Administration > NE Security Management > NE
Communication Services Management and click the NE Database Security
Management tab.
2. In Integrity Verification, select Close and click Apply.

Querying the Integrity Protection Status of Database Uploading and Downloading
1. On the main menu, choose Administration > NE Security Management > NE
Communication Services Management and click the NE Database Security
Management tab.
2. Click Query to query the integrity protection status of database uploading and
downloading.

5.1.4 CF Card Data Hardening


This is an enhanced security function for CF card protection. The function protects the
database data in a CF card with a checksum salted with random numbers.
If the data is damaged, the verification fails and the data cannot be restored. In addition,
the data cannot be uploaded, downloaded, or deleted.

NOTE

1. To ensure version compatibility, a command for enabling/disabling this function is added. This
function is disabled by default.
2. This function can be operated only by using commands.
3. For OptiX OSN 1800 I/II Compact, only the F1SCC supports this function.

Enabling the Security Protection Function


1. You can run the pe-set-secprotect:enable command to enable the function.
2. After the function is enabled, the generated key file does not contain database data.
Therefore, you need to run the pe backup commands, for example, pe-backup-data:11,db.
The complete commands are as follows:

:pe-set-secprotect:enable
:pe-backup-data:11,db

After the commands are run, the protection information of the database file is generated
in the key file. If the protection information is not generated and the function is enabled,
running the pe backup commands will fail because of a file verification failure.

Disabling the Security Protection Function


You can run the pe-set-secprotect:disable command to disable the function.

Querying the Status of the Security Protection Function


You can run the pe-get-secprotectstate command to check whether the function is enabled.
Command output enable indicates that the function is enabled while disable indicates that the
function is disabled.

5.1.5 Integrity Protection for Data in a USB Flash Drive


When a USB flash drive stores sensitive information such as the database and software
package and supports hot swapping, that information is exposed to security risks such as
leakage and tampering.

NOTE
Only the F3SCC02 1800I/II equipment supports this function.

Function structure
OptiX OSN 1800 equipment provides the USB hardening function to encrypt the data copied
into the USB flash drive and ensure data integrity, as shown in the following figure (not
reproduced here).

Function description
OptiX OSN 1800 equipment with the encryption function can provide encryption and
integrity protection for the registered encryption file stack in the USB flash drive and for the
read process of application-layer data (including the database and software package) on the
USB flash drive.
1. Encryption implementation: The data copied into the USB flash drive can be strictly
encrypted by AES-256, ensuring that the data is stored in ciphertext format in the USB
flash drive and cannot be directly read or viewed.
2. Integrity protection implementation: The USB disk tool of the NMS provides an
authentication certificate and the data encryption function, and also provides various
encryption modes such as SHA256, PBKDF2, and ALL to generate authentication files.
The checksum (generated by the SHA256 algorithm) is saved for the data in the USB
flash drive. When OptiX OSN 1800 equipment reads data from the USB flash drive, the
checksum matching process starts. Data that fails the checksum matching process
cannot be restored to the NE. In this manner, the data in the USB flash drive is
effectively protected from tampering, damage, and replacement by unknown data,
ensuring data reliability and equipment security.

5.1.6 Reverse Software Loading Authorization for Decoupling Boards
If the flash driver version on a decoupling board is later than the driver version of the NE
software, you need to check whether the software authentication information of the
decoupling board is consistent with that on the NMS before starting the flash driver software
on the decoupling board, and then perform follow-up operations using either of the following
security modes.

Prerequisites
You are an NMS user with the Administrators permission or higher.

Decoupling Board Security Management


On the main topology of the NMS, choose Administration > NE Security > NE
Communication Services Management.

1. In the NE Database Security Management area at the lower part, click the Decoupled
Board Security Management tab.
2. Click Query to query Decoupled Board Security information of the NE.

3. Perform operations using either of the following board decoupling security modes.

Common Mode
The startup process in this mode is the same as that in earlier versions. If the board is not
authorized, security logs should be recorded.
1. In the Security Mode column, select Common.
2. Click Apply, and then click Close when the message Operation Succeeded is
displayed.

Startup and Then Authorization Mode


In this mode, you can start the software of the decoupling board and then perform
authorization on the NMS. If the software is not authorized, security logs will be recorded and
an alarm will be reported to the NMS. After receiving the alarm, the NMS determines whether
to perform authorization or not. After the NMS authorizes the software, the alarm disappears.
In the startup and then authorization mode, you can query the list of unauthorized board
software and authorize the software as follows:
1. In the Security Mode column, select Start first.
2. Click Apply, and then click Close when the message Operation Succeeded is
displayed.

3. Click Query. The list of unauthorized board software is displayed. Select the boards to
be authorized and click Authorize.

Authorization and Then Startup Mode


In this mode, you need to authorize the software of decoupling boards, and then start the
board software. If the software is not authorized, security logs will be recorded and an alarm
will be reported to the NMS. After receiving the alarm, the NMS determines whether to
perform authorization or not. After the NMS authorizes the software, the alarm disappears,
and the board undergoes a reset.
In the authorization and then startup mode, you can query the list of unauthorized board
software and authorize the software as follows:
1. In the Security Mode column, select Authorize first.
2. Click Apply, and then click Close when the message Operation Succeeded is
displayed.

3. Click Query. The list of unauthorized board software is displayed. Select the boards to
be authorized and click Authorize.

5.2 Network Layer Security Hardening


5.2.1 Managing DCN Network Security Hardening
DCN network management covers both internal DCN networks and external DCN
networks. For details, see the network security management chapter in the security
white paper.

DCN networks should be trusted. They must be physical networks or logically independent
networks (VPNs) that are constructed by the customer or leased from a reliable vendor. The
customer should take certain measures, for example, deploying firewalls, to ensure DCN
network security.
The equipment also provides networking mechanisms and hardening measures to
improve DCN network security. The customer can select measures based on the security and
trust level of the DCN network.

Table 5-1 Policies for DCN network security hardening

ID | Measure and Policy | Description
01 | Use TLS to connect the NMS and managed equipment. | The NMS connects to NEs in SSL/TLS mode. The common connection mode should be disabled. You are advised to use the TLS1.2 protocol and disable SSL2.0/3.0 and TLS1.0.
02 | Use RADIUS authentication. | The RADIUS server is recommended. The DCN network between the RADIUS server and NEs should be located in the trusted area.
03 | Use SFTP for software loading and file transfer. | The SFTP protocol must be used for software loading and file transfer, and the FTP protocol must be disabled.
04 | Use SSH rather than Telnet. | Connect to the managed NEs using SSH, and disable Telnet. If the SSH protocol is used, the key authentication mode is recommended.
05 | Use the SNMPv3 protocol. | If the SNMP protocol is used, SNMPv3 is recommended.
06 | Deploy the Syslog server. | You are advised to use the Syslog server to back up logs, and use the SSL authentication mode when deploying the Syslog server.
07 | Enable OSPF protocol authentication. | The HMAC-SHA256 authentication mode is recommended. Do not use the plaintext authentication mode.
08 | Configure a static IP address for the Wi-Fi interface. | The DHCP protocol must be disabled, and a static IP address must be configured for the Wi-Fi interface.
09 | Deploy certificates issued by different CAs on applications. | If the Syslog protocol is used, the certificates of the TLS connection between the NMS and equipment must be issued and authenticated by different CAs.
10 | Use fingerprint authentication for the SFTP server. | If the SFTP protocol is used, fingerprint authentication must be configured for the SFTP server.
11 | Enable NTP protocol authentication. | If the NTP protocol is used, protocol authentication must be enabled. If the NTP server is not required, it must be disabled.
12 | Use extended ECC authentication. | If the extended ECC function is used, extended ECC authentication must be enabled.
13 | Disable DCN ports that are not used. | The DCN ports and management network ports on the equipment must be disabled if they are not used.
14 | Disable services and protocols that are not used. | To prevent the equipment from being attacked, the service ports and protocols that are not used on the equipment must be disabled. After service rectification and network adjustment, the service ports and protocols that are no longer required must also be disabled. For details about the service ports and protocols, see the port matrix.
15 | Enable ACL rules. | To restrict access to equipment, ACL rules must be configured on NEs or gateway NEs as required.
16 | Configure traffic control for management ports. | The traffic control function must be configured for management ports of the equipment as required.
17 | Change the default NE IDs and management port IP addresses. | The default NE IDs and management port IP addresses are used only for plug-and-play on DCN networks during deployment. Therefore, they must be changed to planned IDs and IP addresses.

NOTE

- For DCN networks, the all-GNE networking mode is recommended if possible, and the following security
hardening measures should be taken:
1. Disable the UDP1400 service port. (For details, see Suggestions on Port Maintenance.)
2. Disable the extended ECC service. (For details, see Suggestions on Port Maintenance.)
- If a GNE is used to manage non-GNEs, take the following security hardening measure:
configure an encryption channel between the GNE and non-GNEs. (For details, see Using Encrypted
Channels to Prevent Sensitive Data from Theft.)

5.2.2 Configuring an ACL to Prevent Unauthorized Access

Configuring a Basic ACL to Control Unauthorized IP Access


The basic ACL lists only the IP addresses that are allowed to access the device. IP
addresses not covered by the basic ACL are unable to access the device. The ACL rules that
define the IP addresses allowed to access the device can be configured on all gateway NEs.
The following figure (not reproduced here) shows an example of how to configure the basic
ACL so that only IP addresses in the network segment 100.100.1.0 can access the NE.

Configuring an Advanced ACL to Control Unauthorized Port Access


The advanced ACL can filter out all application layer protocols that are forbidden to access
the device. The ports of application protocols, however, are discrete. For this reason, you
configure blacklisted entries one by one on the Advanced ACL page. The blacklist can be
configured on the gateway NE.

The following figure (not reproduced here) shows an example of how to prohibit Telnet
access to the device.
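The two filtering decisions this section describes, as an added example that is not the equipment's own ACL implementation: the basic ACL admits only listed source segments, and the advanced ACL then blacklists individual application ports, here Telnet (TCP/23) as in the section's example. The /24 mask on 100.100.1.0, the evaluation order, and the treatment of an empty basic ACL as "no source restriction" are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

TELNET_PORT = 23  # the application protocol the advanced-ACL example prohibits


@dataclass
class Packet:
    """A constructed management-plane packet as seen at the gateway NE."""
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports


@dataclass
class GatewayAcl:
    # Basic ACL: source networks allowed to reach the NE. Empty means no
    # source restriction (assumption; the manual does not state how an
    # empty basic ACL behaves).
    basic_allow: list = field(default_factory=list)
    # Advanced ACL: blacklisted (protocol, port) pairs, configured one by one.
    advanced_deny: list = field(default_factory=list)

    def permit_network(self, cidr: str) -> None:
        self.basic_allow.append(ipaddress.ip_network(cidr, strict=True))

    def deny_port(self, proto: str, port: int) -> None:
        self.advanced_deny.append((proto.lower(), port))

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (permitted, reason): basic ACL first, then the advanced ACL."""
        src = ipaddress.ip_address(pkt.src)
        if self.basic_allow and not any(src in net for net in self.basic_allow):
            return False, f"basic ACL: {pkt.src} is not in an allowed segment"
        if (pkt.proto.lower(), pkt.dport) in self.advanced_deny:
            return False, f"advanced ACL: {pkt.proto}/{pkt.dport} is blacklisted"
        return True, "permitted"


def build_example_acl() -> GatewayAcl:
    """The two examples the section gives: only 100.100.1.0/24 may reach the NE
    (the /24 mask is an assumption) and Telnet is prohibited."""
    acl = GatewayAcl()
    acl.permit_network("100.100.1.0/24")
    acl.deny_port("tcp", TELNET_PORT)
    return acl


def audit(acl: GatewayAcl, attempts: list) -> list:
    """Evaluate constructed access attempts; the denied ones are what a defender
    expects to find in the NE security log after the ACL is applied."""
    return [(p.src, p.proto, p.dport, *acl.evaluate(p)) for p in attempts]
```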

5.2.3 Using SSL to Prevent Unauthorized Access to Sensitive Data

Trusted transmission channels such as SSL, SFTP, or SSH channels are recommended when
traffic between the NMS (or other management terminals) and the equipment must traverse
an untrusted network (for example, a third-party leased network).

Select the secure SSL connection when creating gateway NEs on the NMS according to section
3.2.1. If you log in to a device using an NMS in common mode or in common and security
mode, you log in to the device in common mode, and the plaintext transmission between the
NMS and device is risky. In this scenario, you are advised to select the secure SSL connection
mode. In this mode, a secure encrypted channel is established between the NMS and gateway
NE using the SSL3.0/TLS1.0/TLS1.1/TLS1.2 protocol.

When you use the NMS to manage non-GNEs, encrypted data transmission is not supported
between the GNE and non-GNEs. If a trusted channel links the GNE with non-GNEs, you can
manage the non-GNEs through the GNE. If the channel is not trusted, it is recommended that
you use the secure SSL connection or encrypted channels to manage NEs in an all-GNE
manner.

Default SSL certificates are shipped with Huawei equipment. Only private keys in PKCS#1
format are supported. You can replace a default SSL certificate with your own one. You can
delete your own SSL certificate from a device. If you load and activate your own SSL
certificate on a device, the default SSL certificate is deactivated. You can activate and use it
again if you delete all your own SSL certificates from the device.

5.2.4 Using Encrypted Channels to Prevent Sensitive Data from Theft

When you manage non-GNEs on the NMS, data transmitted between a GNE and non-GNEs
is not encrypted by default. You can configure an encrypted channel between a GNE and non-
GNEs that communicate on an untrusted channel by performing the following steps:

1. Set the non-GNEs' NE IDs and an authentication key on the GNE.
2. Set the GNE's NE ID and the authentication key on the non-GNEs.
3. To pass authentication, ensure that the authentication keys configured on the GNE and
non-GNEs are the same. After the authentication succeeds, the equipment uses Diffie-
Hellman (DH) to periodically negotiate communication keys, with which all data at
the application layer is transmitted on an encrypted channel.
4. When you send data from a management terminal, such as the NMS, Navigator, or DC,
to a non-GNE on an encrypted channel, the data is encrypted on the GNE and then
received and decrypted by the non-GNE. Likewise, data sent from a non-GNE is
encrypted on the non-GNE, decrypted on the GNE, and then received by the management
terminal.

Intermediate NEs, links, and third-party equipment only transparently transmit the data and
are unable to decrypt it, so the data cannot be stolen.

Encrypted channels consume a large amount of CPU resources on a GNE, so the encrypted
channels must be limited or even removed when the CPU resources on a GNE are
insufficient. Configure a proper number of encrypted channels, with a maximum of 200.

Figure 5-2 Deleting an encrypted channel

Pay attention to the following risks after you configure encrypted channels and the NE enters
the encrypted communication state:
1. If necessary, change the authentication keys of the encrypted channels at both ends to the
same value on the NMS. Otherwise, the communication keys fail to be negotiated when one
NE is reset, so that NE cannot enter the encrypted communication state while the other
NE stays in the encrypted communication state. As a result, the NEs become unreachable
to the NMS.
2. When the encrypted channel at one end is deleted, the NEs become unreachable to the NMS.
If necessary, delete the encrypted channels on the non-GNEs first and then delete the
corresponding encrypted channels on the GNE.
3. If an NE is downgraded to a version that does not support encrypted channels, delete the
configurations of the encrypted channels, as described in point 2.

5.2.5 Using SFTP to Load Software

The device supports two modes to download software packages on an all-IP network. One is
to use the File Transfer Protocol (FTP) client, and the other is to use the SFTP client. The
device serves as the client, and the NMS serves as the server. To guarantee security during
software package download, you can selectively disable the FTP client service and use only
the SFTP client to download software packages.

The following figure shows how to enable or disable the FTP/SFTP client.

5.2.6 Using Secure SNMPv3 to Manage NEs

SNMPv1/v2/v3 is supported. It is advisable to use secure SNMPv3 to manage NEs. When
using SNMPv3, it is advisable to use the authentication and encryption security level
(AuthPriv). The authentication protocol can be HMAC-MD5-96 or HMAC-SHA-96. Data
transmission supports the DES or AES128 encryption algorithm. It is advisable to use
HMAC-SHA-96 for authentication and AES128 for encryption. SNMPv3 supports the view-
based access control model (VACM). It is advisable to specify vacmSecurityToGroupTable,
vacmAccessTable, and vacmViewTreeFamilyTable. Configure the read, write, and
notification views for each SNMPv3 user. It is advisable not to allow common users to access
usmUserTable.

SNMPv3 users are managed according to RFC 3414. To improve management security, the
equipment provides an MML interface to manage SNMPv3 users. For details, see the relevant
user guide.

5.2.7 Data Service Security Hardening

Configuring Broadcast Traffic Suppression


You can enable the broadcast traffic suppression function and configure related thresholds to
control the traffic of broadcast packets inbound to the equipment, so that broadcast traffic is
not excessively high and unicast services can be properly forwarded.

Configuring Service Loop Detection (for Packet Service Boards)


After creating E-LAN services, you can perform a service loop detection test to disconnect the
related services and avoid service loops.

Configuring Measures for Controlling the Number of Access Users


After E-LAN services are created on an NE, different users may share the same V-LAN
service. To prevent service interworking between users, you can take the following service
isolation measures:

On EOT boards, configure the Hub/Spoke attribute of VB ports to avoid the service
communication among Spoke ports.

Configuring Service Isolation


After E-LAN services are created on an NE, different users may share the same V-LAN
service. To prevent service interworking between users, you can take the following service
isolation measures:
- EOS boards: You can configure the hub/spoke attribute of each VB port, ensuring that
services cannot interwork between spoke ports.

5.2.8 Configuring Extended ECC Authentication to Prevent Unauthorized Access
When external network ports are used to configure extended ECC networks, transmission of
encrypted data between NEs on the networks is not supported by default. If the local area
network (LAN) of a customer contains untrusted channels, extended ECC authentication
can be configured between the NEs. The configuration method is as follows:
In NE Security Management, select Extended ECC Authentication Management, set an
authentication algorithm and a key, and click Apply and Enable Authentication.
Pay attention to the following when configuring extended ECC authentication:
1. The extended ECC keys of the two NEs must be consistent; otherwise, the communication
key fails to be negotiated and links cannot be set up. Consequently, the NEs become
unreachable by the NMS.
2. To prevent the NEs from becoming unreachable by the NMS, the configuration takes effect
only after a certain period of time, which is fixed at 60 seconds on the NMS. You need to
ensure that the authentication information of the NEs on the extended ECC networks is
correctly configured during this period.
3. If you need to delete the authentication information, select None for the authentication
key algorithm, and re-activate the application. In addition, ensure that points 1 and 2
above still apply.
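The key negotiation described in section 5.2.4 (and relied on by the extended ECC authentication in this section), as an added example that is not the equipment's own protocol: each NE tags a fresh Diffie-Hellman public value with the pre-shared authentication key, the peer checks the tag with its own copy of the key, and only then derives the communication key; a peer whose key differs (for example after a reset with a stale key) gets no key, which is the unreachable-NE failure mode both sections warn about. The DH group (RFC 3526 group 14), the HMAC-SHA256 tag construction and the non-GNE ID are assumptions.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (assumption: the manual
# names DH but not the group the equipment uses).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_BYTES = (P.bit_length() + 7) // 8  # 256


class Endpoint:
    """One NE (GNE or non-GNE) holding the pre-shared authentication key."""

    def __init__(self, ne_id: int, auth_key: str):
        self.ne_id = ne_id
        self._mac_key = hashlib.sha256(auth_key.encode("utf-8")).digest()
        self._priv = None  # current DH private exponent, replaced every round

    @staticmethod
    def _encode(ne_id: int, pub: int) -> bytes:
        return ne_id.to_bytes(4, "big") + pub.to_bytes(PUB_BYTES, "big")

    def hello(self) -> dict:
        """Fresh DH public value tagged with the authentication key.

        A new private exponent per call models the periodic renegotiation.
        Assumption: the key authenticates the exchange as an HMAC-SHA256 over
        the NE ID and the public value; the manual only says both ends must
        hold the same key.
        """
        self._priv = secrets.randbelow(P - 2) + 1
        pub = pow(G, self._priv, P)
        tag = hmac.new(self._mac_key, self._encode(self.ne_id, pub),
                       hashlib.sha256).digest()
        return {"ne_id": self.ne_id, "pub": pub, "tag": tag}

    def receive(self, msg: dict):
        """Check the peer's tag with our own key; None means authentication failed."""
        if self._priv is None:
            return None  # we have not sent our own hello in this round yet
        expected = hmac.new(self._mac_key, self._encode(msg["ne_id"], msg["pub"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return None  # authentication keys differ: no communication key
        if not 1 < msg["pub"] < P - 1:
            return None  # reject degenerate public values
        shared = pow(msg["pub"], self._priv, P)
        # the communication key is a hash of the shared DH secret
        return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big")).digest()


def negotiate(a: Endpoint, b: Endpoint) -> tuple:
    """One negotiation round between two NEs (for example a GNE and a non-GNE).

    Returns (key_at_a, key_at_b); both are equal 32-byte keys when the
    authentication keys match, and both None when they do not.
    """
    msg_a, msg_b = a.hello(), b.hello()  # each side sends its tagged public value
    return a.receive(msg_b), b.receive(msg_a)
```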

6 Appendixes

About This Chapter

6.1 References

6.1 References
1. OptiX OSN 1800 I/II Compact V100R006C20 Security White Paper
2. OptiX OSN 1800 I/II Compact V100R006C20 Communication Matrix

7 Acronyms and Abbreviations

About This Chapter

Table 7-1 Acronyms and Abbreviations

Acronym or Abbreviation | Full Name
OSN | Optical Switch Node
TDM | Time Division Multiplexing
MAC | Medium Access Control
QOS | Quality of Service
VLAN | Virtual Local Area Network
VPN | Virtual Private Network
DCN | Data Communication Network
ECC | Embedded Control Channel
OSPF | Open Shortest Path First Protocol
TCP/IP | Transmission Control Protocol/Internet Protocol
UDP | User Datagram Protocol
ICMP | Internet Control Message Protocol
ACL | Access Control List
QX | Huawei proprietary management protocol
NMS | Network Management System
MD5 | Message Digest Algorithm
FTP | File Transfer Protocol
SSL | Secure Sockets Layer
SNMP | Simple Network Management Protocol
LCT | Local maintenance terminal of a transport network, which is based on the HTTPS protocol
RADIUS | Remote Authentication Dial In User Service
LSP | Label Switched Path
BGP | Border Gateway Protocol

7.1 Maintenance Tools


7.2 Other Maintenance Methods

7.1 Maintenance Tools


7.1.1 EMS and NMS Tool
Table 7-2 EMS and NMS tool

Tool Name | Communication Port | Communication Protocol | Remarks
U2000 | 1400/5432 | Communication channels are established using TCP. The QX protocol is used for communication between the application layer and globally released NEs. | New graphic network management tool: performs service provisioning, monitoring, O&M, and security management.
U2000_WEB_LCT | 1400/5432 | Communication channels are established using TCP. The QX protocol is used for communication between the application layer and NEs. | The U2000 LCT is used for local NE access during network operating and maintenance phases. It supports simple maintenance operations, such as alarm and performance monitoring and service monitoring.

7.1.2 Software Upgrade Tool

Table 7-3 Software upgrade tool

Tool Name | Communication Port | Communication Protocol | Remarks
DC | 1400/5432 | Communication channels are established using TCP. A Huawei proprietary protocol is used for communication between the application layer and NEs. | The DC is a tool used during software upgrade. You can use it to load software packages and patches, or upload the database. This tool automatically loads software packages to an NE and activates the software packages after you create a software loading task, so that the NE software is automatically upgraded. This tool can also be used to load, activate, and validate patches, and back up or recover the NE database. This tool can be either used independently or integrated in the U2000. In most cases, it is integrated in the U2000.

7.1.3 Fault Collection Tool

Table 7-4 Fault collection tool

Tool Name | Communication Port | Communication Protocol | Remarks
Smartkit NSE2700 OptiX DataCollector | 1400/5432 | Establishes communication channels using the TCP protocol. In the application layer, NEs use the proprietary protocol of Huawei. | Fault data collection tool: obtains fault data from NEs when software or hardware faults occur on them. The fault data to be collected is customized per product. The following data can be collected: black box data; alarms and performance events; board running status.

7.1.4 Network Health Check Tool

Table 7-5 Network health check tool

Tool Name | Communication Port | Communication Protocol | Remarks
Smartkit NSE2700 OptiX Inspector | 1400/5432 | Establishes communication channels using the TCP protocol. In the application layer, NEs use the proprietary protocol of Huawei. | Network preventive maintenance tool: periodically inspects NEs to identify improper configurations or potential software problems on NEs in time. The contents of the patrol check vary according to product version. The patrol check contents are as follows: abnormal reset records; board running status; alarms and performance events.

7.2 Other Maintenance Methods


Huawei equipment supports standard command lines, including but not limited to the
commands that are used during production, assembly, and return for repair. The commands
are confidential and will not be provided in this document. If you do need to use these
commands, please apply to Huawei for them.
