Management DCN Security Solution
from Loop

[Figure: management DCN topology. Security level 3: GUI workstations. Security level 2: NMS 1 and NMS 2 (main/backup). Security level 1: network elements NE1, NE2 and NE3 on the DCN, reached through Gateway 1 and Gateway 2. Firewall 3 (main and backup, LOOP ISS-2150) sits between the GUI workstations and the NMS servers; Firewall 2 (main and backup, LOOP ISS-2150) sits between the NMS servers and the gateways. Host-to-host IPsec VPN tunnels run between the NMS servers and the NEs.]

• Anti-virus software (GUI workstations, security level 3)
• Blocking all except white-listed services (a firewall is required between the GUI and the NMS servers)
• Spoofing attack prevention
• IPS (Intrusion Prevention System)
• Stateful firewall
• Host-to-host IPsec VPN tunnel
• Account/password or certificate authentication
LOOP ISS-2150 Firewall

Layer 2
• Standard 802.1d/802.1w Spanning Tree Protocol
• Ethernet 802.1q VLAN encapsulation
• MAC filtering
• Transparent bridge firewall

Layer 3
• Dynamic routing (OSPF, RIP)
• Border Gateway Protocol (BGP)
• Bidirectional Forwarding Detection (BFD)
• Policy-based routing

Firewall
• Packet filtering / DPI (IPv4 / IPv6)
• Intrusion Prevention System (IPS)
• DNS protocols, DNS proxy, DNS spoofing protection
• Stateful firewall inspection
• Network Address Translation (NAT)
• Multi-WAN
• TLS encrypted inspection
• Web filtering

VPN
• IPsec VPN
• Generic Routing Encapsulation (GRE)
• Layer 2 Tunneling Protocol version 3 (L2TPv3)
• Secure remote access SSL VPN
• AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Standard) encryption

System / Other
• Integration with LDAP directories
• Public Key Infrastructure (PKI) support
• Authentication, Authorization, Accounting (AAA) with FreeRADIUS
• 802.1X support
• DHCP server, client and relay
• SNMPv3
• Memory and CPU capacity sized for operation under high processing load
• High-availability configuration without data loss, hot-hot and hot-standby

QoS
• Service Selection Gateway (SSG)
• Quality of Service (QoS) configuration
• Weighted Fair Queuing (WFQ)
• Differentiated Services (DiffServ)
• Class-based traffic policies (CBTP)
• Class of Service (CoS)
Extreme temperature range and hardware
◇ Intel® Elkhart Lake SoC Atom 6414RE
◇ Op. temp.: -40° to 75°C
◇ Dual 48 Vdc power
◇ Fanless

Our fanless design lets the firewall operate in the extreme conditions of restricted airflow found in substation environments.

Network interface: 4 x GbE RJ45 ports, 10/100/1000 Mbps
USB ports: 2
Console port: 1
Internal storage: 64 GB solid-state flash
VLANs (802.1q): 4094
Throughput: 1 Gbps
Packets per second: 250 Kpps
Concurrent sessions: 3,000,000
Connections per second: 35,000
Firewall latency: 200 us
Firewall policies (maximum): 10,000
IPsec VPN throughput: 500 Mbps
IPsec packets per second: 50 Kpps
Management DCN Firewall on NE (e.g. G7800)
• 1. IPsec VPN tunnel between the NE and the firewall at the NMS centers
• 2. FIPS 140-3 encryption algorithm certification
• 3. IEC 62443-4-1 cyber security certification
• 4. Access Control List (ACL) on protocol, src-ip, src-port, dst-ip, dst-port
• 5. Blocking all connections except the SSH/SNMPv3/SFTP required to manage the NE
• 6. DoS (Denial of Service) attack protection:
  • 1. Land attack: a packet whose source host/port equals the destination host/port.
  • 2. Ping of death: IP packets that exceed the maximum legal length (65535 octets).
  • 3. TCP SYN flooding prevention: the SYN flood attack sends TCP connection requests faster than a machine can process them; 3 connections per second are allowed by default.
  • 4. Echo storm protection: an abnormally large number of ping packets seen in a short period of time.
  • 5. Smurf: the perpetrator sends a large volume of ICMP echo (ping) traffic to IP broadcast addresses with a forged source address; the host at that source address is flooded with simultaneous replies.
  • 6. Teardrop: an attack exploiting a weakness in the reassembly of IP packet fragments. The attacker creates a sequence of IP fragments with overlapping offset fields; some systems crash or reboot when they try to reassemble the malformed fragments.
  • 7. Tiny fragment: the first fragment contains only eight octets of data (the minimum fragment size). For TCP this is enough to hold the source and destination port numbers but forces the TCP flags field into the second fragment. Filters that try to drop connection requests (TCP datagrams with SYN=1 and ACK=0) cannot test these flags in the first fragment and typically ignore them in subsequent fragments.
  • 8. Zero-length IP option: a firewall parses a "benign" option (such as the Timestamp or Security options) without checking whether its length is zero. If
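The ACL, the management-service allow-list and the per-packet DoS checks of items 4 to 6 above, modelled in Python as an added example (this is not Loop firmware or any G7800 code). The NMS subnet, the NE address and every packet are constructed for the example; the filter parses raw IPv4 headers, drops the listed malformed patterns (land, ping of death, tiny fragment, zero-length IP option, and teardrop across a fragment set) before consulting a default-deny ACL that admits only TCP/22 (SSH and SFTP) and UDP/161 (SNMPv3) from the NMS subnet. SYN-flood, echo-storm and smurf protection are rate checks that need counters over time and are not modelled here.

```python
import ipaddress
import struct

NMS_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed NMS subnet (example value)
NE_ADDR = ipaddress.ip_address("10.1.1.5")       # assumed NE management address
ALLOW = {(6, 22), (17, 161)}                     # (proto, dst port): SSH/SFTP on TCP/22, SNMPv3 on UDP/161


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 header fields the checks need (checksum is not verified)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    h = {"ihl": ihl, "total_len": total_len, "ident": ident, "proto": proto,
         "mf": bool(flags_frag & 0x2000), "frag_off": (flags_frag & 0x1FFF) * 8,
         "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
         "options": pkt[20:ihl], "sport": None, "dport": None}
    l4 = pkt[ihl:]
    # Ports are only present in the first fragment of a TCP/UDP datagram.
    if proto in (6, 17) and h["frag_off"] == 0 and len(l4) >= 4:
        h["sport"], h["dport"] = struct.unpack("!HH", l4[:4])
    return h


def dos_checks(h: dict, l4_len: int) -> list:
    """Single-packet checks: land, ping of death, tiny fragment, zero-length IP option."""
    found = []
    if h["src"] == h["dst"] and h["sport"] is not None and h["sport"] == h["dport"]:
        found.append("land")
    if h["frag_off"] + h["total_len"] - h["ihl"] > 65535:      # reassembled size over the limit
        found.append("ping-of-death")
    if h["proto"] == 6 and h["frag_off"] == 0 and h["mf"] and l4_len < 16:
        found.append("tiny-fragment")                         # TCP flags pushed into fragment 2
    opts, i = h["options"], 0
    while i < len(opts):                                      # walk the option list
        kind = opts[i]
        if kind == 0:                                         # end of options
            break
        if kind == 1:                                         # no-op, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] == 0:            # length 0 would loop forever
            found.append("zero-length-ip-option")
            break
        i += opts[i + 1]
    return found


def teardrop(frags: list) -> bool:
    """Overlapping fragment offsets within one datagram (the teardrop pattern)."""
    spans = sorted((f["frag_off"], f["frag_off"] + f["total_len"] - f["ihl"]) for f in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def acl_permits(h: dict) -> bool:
    """Default deny: only the NMS subnet, only to the NE, only on the management services."""
    return h["src"] in NMS_NET and h["dst"] == NE_ADDR and (h["proto"], h["dport"]) in ALLOW


def filter_packet(pkt: bytes) -> str:
    """Verdict: malformed/attack patterns are dropped before the ACL is consulted."""
    h = parse_ipv4(pkt)
    bad = dos_checks(h, len(pkt) - h["ihl"])
    if bad:
        return "drop:" + ",".join(bad)
    return "accept" if acl_permits(h) else "drop:acl"


# --- constructed test traffic (no checksums; these are not captured packets) ---
def build_ipv4(src, dst, proto, l4, ident=1, mf=False, frag_off=0, options=b""):
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4), ident,
                      (0x2000 if mf else 0) | (frag_off // 8), 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + l4


def tcp(sport, dport, nbytes=20):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)[:nbytes]


SAMPLES = {
    "ssh_from_nms": build_ipv4("10.0.0.10", "10.1.1.5", 6, tcp(40000, 22)),
    "telnet_from_nms": build_ipv4("10.0.0.10", "10.1.1.5", 6, tcp(40001, 23)),
    "snmpv3_from_nms": build_ipv4("10.0.0.10", "10.1.1.5", 17, struct.pack("!HHHH", 50000, 161, 8, 0)),
    "ssh_from_outside": build_ipv4("192.0.2.9", "10.1.1.5", 6, tcp(40002, 22)),
    "land": build_ipv4("10.1.1.5", "10.1.1.5", 6, tcp(22, 22)),
    "ping_of_death": build_ipv4("10.0.0.10", "10.1.1.5", 1, b"\x08\x00" + b"\x00" * 14, frag_off=65528),
    "tiny_fragment": build_ipv4("10.0.0.10", "10.1.1.5", 6, tcp(40003, 22, nbytes=8), mf=True),
    "zero_len_option": build_ipv4("10.0.0.10", "10.1.1.5", 1, b"\x08\x00" + b"\x00" * 6, options=b"\x44\x00"),
}


def run_samples() -> dict:
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


def teardrop_demo() -> tuple:
    """(overlapping pair, adjacent pair) for ident 7; only the first is teardrop."""
    first = build_ipv4("10.0.0.10", "10.1.1.5", 6, tcp(40004, 22) + b"\x00" * 4, ident=7, mf=True)
    overlap = build_ipv4("10.0.0.10", "10.1.1.5", 6, b"\x00" * 24, ident=7, frag_off=16)
    adjacent = build_ipv4("10.0.0.10", "10.1.1.5", 6, b"\x00" * 24, ident=7, frag_off=24)
    return (teardrop([parse_ipv4(first), parse_ipv4(overlap)]),
            teardrop([parse_ipv4(first), parse_ipv4(adjacent)]))


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
    print("teardrop (overlap, adjacent):", teardrop_demo())
```

The order matters: a land or tiny-fragment packet from an address inside the NMS subnet is dropped by the anomaly checks before the ACL ever sees it, and a fragment with a non-zero offset carries no ports, so the ACL cannot classify it and a real firewall must reassemble or drop such fragments rather than let them bypass the service allow-list.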
NMS Cyber Security Functions
• The NMS GUI has NO direct access to the NE.
• Encrypted communication among NMS components
• NE & FW VPN Connection Manager
  • Generates the VPN connection script pairs (Firewall 1 & NE, and Firewall 2 & NE)
  • Implements the VPN connection script pair on the firewall and the NE
  • Topology view showing each NE with a VPN-connection enabled/disabled icon
  • A table listing the VPN connection status of every NE (enabled/disabled/down)
• Certificate Manager, including
  • DCN VPN certificate management
  • Data MACsec certificate management
  • Data LSPsec certificate management
  • Data IPsec certificate management
  • Certificate expiration warning
Cyber Security for Data
Dennis
Overview

[Figure: end-to-end view. GUI workstations (authentication, IPsec) reach NE1, NE2 and NE3 over the transport network through Gateway 1 and Gateway 2. IPsec protects the DCN; on the data plane, MACsec is applied per link, LSPsec/WANsec protects the service layer, and IPsec protects data at layer 3.]

• IPsec for DCN
• MACsec/LSPsec for Data
• IPsec for Data
MACsec Use Case
• Switch-to-switch
• Static CAK mode
• MACsec on link

[Figure: LAN - switch - WAN - switch - LAN, with MACsec applied on the link between the two switches.]

Encrypts all data except for the source and destination MAC addresses of an Ethernet packet. (The 802.1AE SecTAG and ICV that MACsec adds are carried in the clear as well, and in the frame layouts shown later an 802.1Q tag placed ahead of the SecTAG is also left unencrypted.)
MACsec flow
Step 1 - CA domain setup (authentication):
Manually configure the PSK (CAK/CKN pair), or obtain it dynamically through EAP-TLS authentication on all devices that hold a certificate.
Step 2 - MKA:
SA peer discovery.
Step 3 - MKA:
Invoke key server selection. The key server is responsible for generating and distributing the SAK, and selects the Cipher Suite used to protect communication within the CA.
Step 4 - Launch SC:
Once the SAK is in place, the peers use it to encrypt the data on the protected link.
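The four steps above for static-CAK mode, simulated in Python as an added example (not Loop's implementation and not an MKA stack). Every device is provisioned with the same CKN/CAK; peers prove CAK possession with an ICV over their announcement, the participant with the lowest key-server priority (ties broken by lowest SCI, the 802.1X rule) becomes key server, generates the SAK and distributes it wrapped under a key derived from the CAK. The KDF and the key wrap are HMAC-SHA256 stand-ins for the AES-CMAC KDF and AES key wrap that 802.1X specifies, and the class and method names are assumptions for the example. The failure mode shown is a device holding a wrong CAK: it is never discovered as a live peer and never receives the SAK, even with the best priority.

```python
import hashlib
import hmac
import secrets


def kdf(cak: bytes, label: bytes) -> bytes:
    """Stand-in for the 802.1X-2010 AES-CMAC KDF: derive ICK/KEK from the CAK."""
    return hmac.new(cak, label, hashlib.sha256).digest()[:16]


def mkpdu_body(p: dict) -> bytes:
    """Bytes covered by the MKPDU ICV (wrapped SAK included when present)."""
    return p["ckn"] + p["sci"].to_bytes(8, "big") + bytes([p["priority"]]) + p.get("wrapped_sak", b"")


class Device:
    def __init__(self, name: str, sci: int, ckn: bytes, cak: bytes, priority: int):
        self.name, self.sci, self.ckn, self.priority = name, sci, ckn, priority
        self.ick = kdf(cak, b"IEEE8021 ICK")   # integrity key for MKPDU ICVs
        self.kek = kdf(cak, b"IEEE8021 KEK")   # key-encrypting key for SAK distribution
        self.sak = None

    def sign(self, p: dict) -> dict:
        p["icv"] = hmac.new(self.ick, mkpdu_body(p), hashlib.sha256).digest()
        return p

    def verify(self, p: dict) -> bool:
        """A peer is live only if it shares our CKN and its ICV verifies under our
        ICK, i.e. it holds the same CAK. A wrong CAK fails here and is never a peer."""
        if p["ckn"] != self.ckn or p["sci"] == self.sci:
            return False
        expect = hmac.new(self.ick, mkpdu_body(p), hashlib.sha256).digest()
        return hmac.compare_digest(expect, p["icv"])

    def hello(self) -> dict:
        """Step 2: announce CKN, SCI and key-server priority."""
        return self.sign({"ckn": self.ckn, "sci": self.sci, "priority": self.priority})

    def elect(self, pdus: list) -> int:
        """Step 3: lowest key-server priority wins; lowest SCI breaks a tie."""
        cands = [(p["priority"], p["sci"]) for p in pdus if self.verify(p)]
        cands.append((self.priority, self.sci))
        return min(cands)[1]

    def wrap(self, key: bytes) -> bytes:
        """Stand-in for AES key wrap: XOR with a KEK-derived stream (self-inverse)."""
        stream = hashlib.sha256(self.kek + b"wrap").digest()[:len(key)]
        return bytes(a ^ b for a, b in zip(key, stream))

    def distribute(self) -> dict:
        """Key server: generate a fresh SAK and send it wrapped under the KEK."""
        self.sak = secrets.token_bytes(16)
        return self.sign({"ckn": self.ckn, "sci": self.sci, "priority": self.priority,
                          "wrapped_sak": self.wrap(self.sak)})

    def install(self, p: dict) -> bool:
        """Step 4: accept the SAK only from a verified peer; the SC can then be launched."""
        if not self.verify(p):
            return False
        self.sak = self.wrap(p["wrapped_sak"])
        return True


def run_mka(devices: list) -> dict:
    """Run discovery, election and SAK distribution across all devices."""
    hellos = [d.hello() for d in devices]
    server = None
    for d in devices:
        # A device with no live peers (wrong CAK) would elect itself but has nobody to key.
        if any(d.verify(p) for p in hellos) and d.elect(hellos) == d.sci:
            server = d
    dist = server.distribute()
    for d in devices:
        if d is not server:
            d.install(dist)
    return {"key_server": server.name,
            "sak": {d.name: d.sak.hex() if d.sak else None for d in devices}}


# constructed CA: A, B and C share the CKN/CAK; X has the right CKN but a wrong CAK
CKN, CAK = b"\x01\x02\x03\x04", secrets.token_bytes(16)
DEVICES = [Device("A", sci=0x0001, ckn=CKN, cak=CAK, priority=16),
           Device("B", sci=0x0002, ckn=CKN, cak=CAK, priority=8),
           Device("C", sci=0x0003, ckn=CKN, cak=CAK, priority=8),
           Device("X", sci=0x0004, ckn=CKN, cak=secrets.token_bytes(16), priority=1)]


def demo() -> dict:
    return run_mka(DEVICES)


if __name__ == "__main__":
    print(demo())
```

B and C tie on priority 8 and B wins on the lower SCI; X advertises priority 1 but its ICV does not verify under the shared ICK, so none of the real members counts it as a candidate and it ends without a SAK. In a static-CAK deployment this is the check that makes a mis-keyed or rogue switch on the link harmless: it can see the announcements but cannot join the CA.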
GE WISsec Packet

[Figure: G7800 CC2 card block diagram. Front ports P1-P10 (1G SFP, GFEO/GFET/POE), 8 x 1G SFP, 6 x 10G SFP+ and 2 x 100G; a 10G packet switch with TP-OAM, an 84 x VT cross-connect packetizer and TDMoP on the 10G trunk, a 1G+ EVO mux, and an FPGA performing MACsec encryption/decryption in front of the MPLS switch.]

End-to-End L2.5 Service Sec (LSPsec/WANsec @L2.5)

Frame layout, single-tagged frame (the fields from ETYPE onward are encrypted; the 802.1Q tag stays in the clear ahead of the SecTag):
  Before: DMAC | SMAC | 802.1Q | ETYPE | Payload | CRC
  After:  DMAC | SMAC | 802.1Q | 802.1AE SecTag | ETYPE | Payload | ICV | CRC

Frame layout, double-tagged frame (802.1AD outer tag, 802.1Q inner tag; only these field names are recoverable from the slide):
  Before: DMAC | SMAC | 802.1AD | 802.1Q | ...
  After:  DMAC | SMAC | 802.1Q | 802.1AE SecTag | ETYPE | Payload | ICV | CRC
MPLS-TP

[Figure: G7800 CC2 card block diagram, layer-3 variant. Same front ports (P1-P10 1G SFP, GFEO/GFET/POE, 8 x 1G SFP, 6 x 10G SFP+, 2 x 100G); the FPGA performs L3 ESP/AH processing with an SPD (security policy database) and routes over MPLS-TP, with TP-OAM on the 10G SerDes.]

Frame layout, IPsec ESP tunnel mode over Ethernet (the original IP header, payload and ESP trailer are encrypted; the new outer IP header and the ESP header stay in the clear):
  Before: DMAC | SMAC | 802.1Q | IP HDR | Payload | CRC
  After:  DMAC | SMAC | 802.1Q | New IP HDR | ESP | IP HDR | Payload | ESP Trailer | CRC

Frame layout, IPsec ESP tunnel mode over MPLS-TP:
  After:  DMAC | SMAC | 802.1Q | MPLS-TP | New IP HDR | ESP | IP HDR | Payload | ESP Trailer | CRC
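A parser for the protected frame layouts on this page, both the MACsec layout from the LSPsec/WANsec slide and the two ESP layouts just shown, added here as an example (it is not Loop's code and not a dissector from the G7800). Given a frame without its CRC, it steps over 802.1Q/802.1AD tags, and then either decodes the 802.1AE SecTAG (EtherType 0x88E5: TCI/AN, SL, PN, optional SCI) and reports the clear, encrypted and ICV byte ranges, or finds IPv4 ESP (protocol 50) behind an optional single MPLS-TP label and reports the outer header plus SPI/sequence in the clear and everything after as encrypted. The frames are constructed and their "ciphertext" is filler, not real AES-GCM output; the single-label MPLS assumption and the fixed 16-byte ICV are assumptions of the example.

```python
import struct

ETH_MACSEC, ETH_Q, ETH_AD, ETH_IP, ETH_MPLS = 0x88E5, 0x8100, 0x88A8, 0x0800, 0x8847
ICV_LEN = 16          # GCM-AES ICV length; frames here carry no FCS/CRC
IPPROTO_ESP = 50


def parse_sectag(b: bytes) -> dict:
    """802.1AE SecTAG: TCI/AN byte, SL byte, 4-byte PN, optional 8-byte SCI (SC bit)."""
    tci_an = b[0]
    tag = {"version": tci_an >> 7, "es": bool(tci_an & 0x40), "sc": bool(tci_an & 0x20),
           "scb": bool(tci_an & 0x10), "encrypted": bool(tci_an & 0x08),
           "changed": bool(tci_an & 0x04), "an": tci_an & 0x03, "sl": b[1] & 0x3F,
           "pn": struct.unpack("!I", b[2:6])[0], "sci": None, "len": 6}
    if tag["sc"]:
        tag["sci"], tag["len"] = b[6:14].hex(), 14
    return tag


def inspect_frame(frame: bytes) -> dict:
    """Report which byte ranges of a frame are in the clear and which are encrypted."""
    off, ntags = 12, 0
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    while etype in (ETH_Q, ETH_AD):                  # VLAN tags ahead of the SecTAG stay in the clear
        ntags, off = ntags + 1, off + 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if etype == ETH_MACSEC:
        tag = parse_sectag(frame[off:])
        start, end = off + tag["len"], len(frame) - ICV_LEN
        return {"scheme": "macsec", "vlan_tags": ntags, "an": tag["an"], "pn": tag["pn"],
                "sci": tag["sci"], "clear": (0, start),
                "protected": (start, end) if tag["encrypted"] else None, "icv": (end, len(frame))}
    if etype == ETH_MPLS:                            # LSPsec/WANsec layout: assume a single MPLS-TP label
        off, etype = off + 4, ETH_IP
    if etype == ETH_IP and frame[off + 9] == IPPROTO_ESP:
        esp = off + (frame[off] & 0x0F) * 4          # ESP header follows the outer IP header
        spi, seq = struct.unpack("!II", frame[esp:esp + 8])
        return {"scheme": "esp-tunnel", "vlan_tags": ntags, "spi": spi, "seq": seq,
                "clear": (0, esp + 8), "protected": (esp + 8, len(frame))}
    return {"scheme": "plain", "vlan_tags": ntags, "clear": (0, len(frame)), "protected": None}


# --- constructed frames; "ciphertext" is filler, not real AES-GCM output ---
def macsec_frame(dmac, smac, an, pn, secure_data, sci=None, vlan=None) -> bytes:
    tci = 0x0C | (an & 3)                            # E=1, C=1: confidentiality on
    if sci is not None:
        tci |= 0x20                                  # SC=1: explicit SCI present
    sl = len(secure_data) if len(secure_data) < 48 else 0   # SL is only set for short frames
    hdr = dmac + smac + (struct.pack("!HH", ETH_Q, vlan) if vlan is not None else b"")
    return (hdr + struct.pack("!HBBI", ETH_MACSEC, tci, sl, pn) + (sci or b"")
            + secure_data + b"\xAA" * ICV_LEN)


def esp_frame(dmac, smac, outer_src, outer_dst, spi, seq, ciphertext, mpls_label=None, vlan=None) -> bytes:
    hdr = dmac + smac + (struct.pack("!HH", ETH_Q, vlan) if vlan is not None else b"")
    if mpls_label is not None:                       # label, bottom-of-stack, TTL 64
        hdr += struct.pack("!HI", ETH_MPLS, (mpls_label << 12) | (1 << 8) | 64)
    else:
        hdr += struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(ciphertext), 1, 0, 64, IPPROTO_ESP, 0,
                     outer_src, outer_dst)
    return hdr + ip + struct.pack("!II", spi, seq) + ciphertext


D, S = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLES = {
    "macsec_vlan_clear": macsec_frame(D, S, an=1, pn=16, secure_data=b"\xEE" * 60, vlan=100),
    "macsec_sci": macsec_frame(D, S, an=0, pn=7, secure_data=b"\xEE" * 20, sci=S + b"\x00\x01"),
    "esp_tunnel": esp_frame(D, S, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1000, 5, b"\xCC" * 40, vlan=100),
    "esp_over_mpls_tp": esp_frame(D, S, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x2000, 9, b"\xCC" * 40,
                                  mpls_label=0x1F, vlan=100),
    "plain_ip": D + S + struct.pack("!H", ETH_IP) + b"\x45" + b"\x00" * 19 + b"\x11" * 10,
}


def inspect_samples() -> dict:
    return {name: inspect_frame(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in inspect_samples().items():
        print(f"{name:18s} {info}")
```

What the ranges show is the practical difference between the two layouts: with MACsec the original EtherType is inside the encrypted region, so an observer on the link learns only the MACs, the VLAN tag and the SecTAG (SCI, AN, PN); with ESP tunnel mode the outer IP addresses, SPI and sequence number are visible, and the original IP header is hidden. The PN and the ESP sequence number are also what replay protection keys on, so a monitor that checks them for monotonic increase per SCI or per SPI catches replayed frames on either layout.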
Thanks