
Security Solution from Loop

Management DCN Security Solution

[Diagram: three-level management DCN topology. Security level 3: GUI workstations behind Firewall 3 (main site) and Firewall 33 (backup site), both LOOP ISS-2150. Security level 2: NMS 1 and NMS 2 behind Firewall 2 and Firewall 22 (LOOP ISS-2150). Security level 1: NE1, NE2 and NE3, reached through Gateway 1 and Gateway 2 over the DCN.]

Security level 3 (required between GUI and NMS servers):
• Anti-Virus Software
• Blocking all except white-listed services
• Spoofing attack prevention
• IPS (Intrusion Prevention System)
• Stateful firewall

Security level 2 (required between NMS and NEs):
• Blocking all except white-listed services
• Spoofing attack prevention
• IPS (Intrusion Prevention System)
• Stateful firewall
• VPN tunnel between firewall and NE

Security level 1 (NE):
• FIPS 140-3 certified encryption algorithm
• IEC 62443-4-1 cyber security certified
• Anti-DoS
• NE-level ACL per source IP(s)
• Blocking all except white-listed services

[Diagram: the same topology, showing host-to-host IPsec VPN tunnels from Firewall 2 / Firewall 22 through Gateway 1 / Gateway 2 to NE1, NE2 and NE3, with account/password or certificate authentication.]
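The level-1 items "NE-level ACL per source IP(s)" and "blocking all except white-listed services" describe a default-deny access list. The following is an added example (not Loop's code and not taken from this page) of such a 5-tuple ACL evaluator in Python: only SSH/SFTP (TCP 22) and SNMPv3 (UDP 161) from the NMS subnet toward the NE's management address are permitted, and every other packet falls through to an implicit deny. The addresses and the rule names are constructed.

```python
"""Default-deny management ACL for a network element (added example, not Loop's code).

Each rule matches on (protocol, src-ip, src-port, dst-ip, dst-port); a packet is
permitted only if some rule matches, otherwise it is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str                      # "tcp" or "udp"
    src: str                        # permitted source prefix, e.g. "10.0.2.0/24"
    dst: str                        # the NE's management address
    dst_port: int                   # service port on the NE
    src_port: Optional[int] = None  # None = any (ephemeral) source port
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and pkt.dst_port == self.dst_port
                and (self.src_port is None or pkt.src_port == self.src_port))


# Constructed addresses: the NE management address and the NMS server subnet.
NE_MGMT = "10.0.1.10/32"
NMS_SUBNET = "10.0.2.0/24"

# White list: only the services needed to manage the NE (SSH, SFTP over SSH,
# SNMPv3) and only from the NMS subnet. Anything not listed here is denied.
WHITELIST = [
    Rule("tcp", NMS_SUBNET, NE_MGMT, 22, name="ssh/sftp"),
    Rule("udp", NMS_SUBNET, NE_MGMT, 161, name="snmpv3"),
]


def evaluate(pkt: Packet, rules: Iterable[Rule] = WHITELIST) -> str:
    """Return 'permit:<rule name>' for the first matching rule, else 'deny'."""
    for rule in rules:
        if rule.matches(pkt):
            return f"permit:{rule.name}"
    return "deny"   # implicit default deny: no rule matched


def audit(packets: Iterable[Packet], rules: Iterable[Rule] = WHITELIST) -> list:
    """Pair each packet with its decision; the denied ones are what a defender logs."""
    rules = list(rules)
    return [(p, evaluate(p, rules)) for p in packets]


if __name__ == "__main__":
    samples = [   # constructed traffic
        Packet("tcp", "10.0.2.5", 51000, "10.0.1.10", 22),    # NMS -> NE SSH
        Packet("udp", "10.0.2.5", 51001, "10.0.1.10", 161),   # NMS -> NE SNMPv3
        Packet("tcp", "10.0.2.5", 51002, "10.0.1.10", 23),    # telnet: not white-listed
        Packet("tcp", "192.0.2.7", 51003, "10.0.1.10", 22),   # SSH from outside the NMS subnet
    ]
    for pkt, decision in audit(samples):
        print(f"{decision:16} {pkt}")
```

The rule list is evaluated in order and the default action is the last line of `evaluate`, so adding a service means adding a rule, never loosening the default.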
LOOP ISS-2150 Firewall

Layer 2
• Standard 802.1d/802.1w Spanning Tree protocol
• Ethernet 802.1q VLAN encapsulation protocol
• MAC filtering
• Transparent bridge firewall

Layer 3
• Dynamic routing (OSPF, RIP)
• Border Gateway Protocol
• Bidirectional Forwarding Detection (BFD)
• Policy Based Routing

Firewall
• Packet Filtering/DPI (IPv4 / IPv6)
• Intrusion Prevention System (IPS)
• DNS protocols, DNS proxy, DNS spoofing
• Stateful Firewall Inspection
• Network Address Translation (NAT)
• Multi-WAN
• TLS encrypted inspection
• Web filtering

VPN
• IPSec VPN
• Generic Routing Encapsulation (GRE)
• Layer 2 Tunneling Protocol version 3 (L2TPv3)
• Secure Remote Access SSL VPN
• Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) encryption

System/Other
• Integration with LDAP directories
• Support for Public Key Infrastructure (PKI)
• Authentication, Authorization, Accounting (AAA) - FreeRADIUS
• 802.1x support
• Dynamic Host Configuration Protocol (DHCP) server, client, relay
• SNMPv3
• Service Selection Gateway
• Memory and CPU capacity for operation under high processing load conditions
• Support for high-availability configuration without data loss, hot-hot and hot-standby
• Extreme temperature range

QoS
• Configuration of Quality of Service (QoS)
• Weighted Fair Queuing (WFQ)
• Differentiated Services (DiffServ)
• Classes Based on Traffic Policies (CBTP)
• Class of Service (CoS)

Hardware
◇ Intel® Elkhart Lake SoC Atom 6414RE
◇ Op. Temp.: -40°~75°C
◇ Dual 48Vdc power
◇ Fanless

Our fanless design lets the firewall operate in the extreme conditions of restricted airflow found in substation environments.

Specifications
Network interface: GbE RJ45 ports 10/100/1000Mbps x 4
USB ports: 2
Console port: 1
Internal storage: Solid State Flash 64G
VLAN (802.1q): 4094
Throughput: 1Gbps
Packets per second: 250Kpps
Concurrent sessions: 3,000,000
Connections per second: 35,000
Firewall latency: 200us
Firewall policies (maximum): 10,000
IPsec VPN throughput: 500Mbps
IPsec packets per second: 50kpps
Management DCN Firewall on NE (e.g. G7800)
• 1. IPSec VPN tunnel between NE and Firewall @ NMS centers
• 2. FIPS 140-3 Encryption Algorithm Certification
• 3. IEC 62443-4-1 Cyber Security Certification
• 4. ACL (protocol, src-ip, src-port, dst-ip, dst-port) Access Control List
• 5. Blocking all connections except SSH/SNMPv3/SFTP required to manage the NE
• 6. DoS (Denial of Service) Attacks
  • 1. Land attack (sending a packet to a machine with the source host/port the same as the destination host/port.)
  • 2. Ping of death (sending IP packets that exceed the maximum legal length (65535 octets).)
  • 3. TCP SYN flooding prevention (the SYN flood attack sends TCP connection requests faster than a machine can process them; 3 connections per second are allowed by default.)
  • 4. Echo storm protection (an abnormally large number of ping packets has been seen in a short period of time.)
  • 5. Smurf (when a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, using a fake source address; the spoofed source address is then flooded with simultaneous replies.)
  • 6. TearDrop (Teardrop is an attack exploiting a weakness in the reassembly of IP packet fragments. The attacker creates a sequence of IP fragments with overlapping offset fields. Some systems will crash or reboot when they try to reassemble the malformed fragments.)
  • 7. Tiny fragment (the first fragment contains only eight octets of data (the minimum fragment size). In the case of TCP, this is sufficient to contain the source and destination port numbers, but it forces the TCP flags field into the second fragment. Filters that attempt to drop connection requests (TCP datagrams having SYN=1 and ACK=0) will be unable to test these flags in the first octet, and will typically ignore them in subsequent fragments.)
  • 8. Zero length IP option (when the firewall tries to parse a "benign" option (such as the Timestamp or Security options) and does not check to see if it is of zero length. If
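The eight DoS cases above are each a simple check on packet headers or on packet rate. As an added example (not Loop's NE firmware and not from this page), the Python class below implements one detection per case over constructed packets: land (source equals destination), ping of death (reassembled length over 65535), teardrop (overlapping fragment offsets), tiny fragment (first TCP fragment too short to carry the flags), SYN flood and echo storm (sliding one-second rate windows), smurf (echo request to a broadcast address) and the zero-length IP option (an option walker that rejects a zero or overrunning length). The 3 SYN/s limit is the page's default; the other thresholds, the broadcast address and the 20-octet header assumption are constructed.

```python
"""Anti-DoS checks modelled on the attack list above: an added example, not
Loop's NE firmware. Packets are plain dicts constructed inline with a 20-octet
IPv4 header assumed; the 3 SYN/s limit is the page's default, the other
thresholds and addresses are constructed."""
from collections import defaultdict, deque

MAX_IP_LEN = 65535          # maximum legal IP datagram length (ping of death)
IP_HDR = 20                 # assumed IPv4 header size without options
SYN_PER_SEC = 3             # page default: 3 new TCP connections per second
ECHO_PER_SEC = 20           # constructed echo-storm threshold
MIN_FIRST_FRAG_L4 = 16      # constructed: transport octets a first TCP fragment must carry
BROADCAST = {"10.0.1.255"}  # constructed directed-broadcast address of the NE subnet


def ip_options_ok(opts: bytes) -> bool:
    """Walk the IPv4 options field and reject an option whose length octet is
    zero, below the 2-octet minimum, or runs past the buffer: the zero-length
    option case on the page would otherwise make a naive parser loop or over-read."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            return True
        if kind == 1:                 # No Operation: single octet, no length
            i += 1
            continue
        if i + 1 >= len(opts):        # length octet missing
            return False
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False
        i += length
    return True


class DosGuard:
    """Stateful checks; call check(packet, timestamp) for each packet in arrival order."""

    def __init__(self):
        self.syns = defaultdict(deque)    # dst_ip -> timestamps of recent SYNs
        self.echos = defaultdict(deque)   # dst_ip -> timestamps of recent echo requests
        self.frags = defaultdict(list)    # (src, dst, ip_id) -> [(start, end)] in octets

    @staticmethod
    def _over_rate(window: deque, now: float, limit: int) -> bool:
        window.append(now)
        while now - window[0] >= 1.0:     # one-second sliding window
            window.popleft()
        return len(window) > limit

    def check(self, p: dict, now: float) -> list:
        alerts = []
        proto, off = p["proto"], p.get("frag_off", 0)
        start, end = off * 8, off * 8 + p["ip_len"] - IP_HDR   # this fragment's payload span
        if p["src_ip"] == p["dst_ip"] and p.get("src_port") == p.get("dst_port"):
            alerts.append("land")
        if off * 8 + p["ip_len"] > MAX_IP_LEN:        # reassembled datagram would exceed 65535
            alerts.append("ping_of_death")
        if p.get("mf") or off:                        # part of a fragmented datagram
            key = (p["src_ip"], p["dst_ip"], p.get("ip_id"))
            if any(start < e and s < end for s, e in self.frags[key]):
                alerts.append("teardrop")             # overlapping fragment offsets
            self.frags[key].append((start, end))
            if proto == "tcp" and off == 0 and end - start < MIN_FIRST_FRAG_L4:
                alerts.append("tiny_fragment")        # TCP flags pushed into the next fragment
        if proto == "tcp" and p.get("syn") and not p.get("ack"):
            if self._over_rate(self.syns[p["dst_ip"]], now, SYN_PER_SEC):
                alerts.append("syn_flood")
        if proto == "icmp" and p.get("type") == 8:    # ICMP echo request
            if p["dst_ip"] in BROADCAST:
                alerts.append("smurf")                # echo aimed at a broadcast address
            if self._over_rate(self.echos[p["dst_ip"]], now, ECHO_PER_SEC):
                alerts.append("echo_storm")
        if not ip_options_ok(p.get("options", b"")):
            alerts.append("bad_ip_option")
        return alerts


if __name__ == "__main__":
    guard, ne = DosGuard(), "10.0.1.10"
    samples = [  # constructed packets, one per attack class on the page
        {"proto": "tcp", "src_ip": ne, "dst_ip": ne, "src_port": 22, "dst_port": 22, "ip_len": 40},
        {"proto": "icmp", "type": 8, "src_ip": "10.0.2.5", "dst_ip": ne, "ip_len": 1500, "frag_off": 8100},
        {"proto": "udp", "src_ip": "10.0.2.5", "dst_ip": ne, "ip_id": 7, "frag_off": 0, "mf": True, "ip_len": 44},
        {"proto": "udp", "src_ip": "10.0.2.5", "dst_ip": ne, "ip_id": 7, "frag_off": 2, "ip_len": 40},
        {"proto": "tcp", "src_ip": "10.0.2.6", "dst_ip": ne, "ip_id": 9, "frag_off": 0, "mf": True, "ip_len": 28},
        {"proto": "icmp", "type": 8, "src_ip": ne, "dst_ip": "10.0.1.255", "ip_len": 84},
        {"proto": "udp", "src_ip": "10.0.2.8", "dst_ip": ne, "ip_len": 60, "options": b"\x44\x00"},
    ]
    for t, pkt in enumerate(samples):
        print(t, guard.check(pkt, t * 0.1) or ["ok"])
```

The fragment checks key on (source, destination, IP ID), which is what a reassembler uses; a production filter would also expire that state, since an attacker can fill it as easily as a SYN backlog.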
NMS Cyber Security Functions
• NMS GUI will have NO access to the NE directly.
• Encrypted communication among NMS components
• NE & FW VPN Connection Manager
  • Generate the VPN connection script pairs (on Firewall 1 & NE and Firewall 2 & NE)
  • Implement the VPN connection script pair into the firewall & NE
  • Topology view showing each NE with a VPN-connection enabled/disabled icon
  • A table listing the VPN connection status of all NEs (enabled/disabled/down)
• Certificate Manager including
  • DCN VPN certificate management
  • Data MACsec certificate management
  • Data LSPsec certificate management
  • Data IPsec certificate management
  • Certificate expiration warning
Cyber Security for Data

Dennis

Overview

[Diagram: the management topology (GUI workstations, Firewall 3 / Firewall 33 at the main and backup site, NMS 1 / NMS 2 behind Firewall 2 / Firewall 22, Gateway 1 / Gateway 2, NE1, NE2 and NE3 on the transport network), annotated with the protection applied in each plane.]

Management plane
• Network layer: IPsec, firewall
• Application layer: SNMPv3, SSH

Control plane
• Authentication, IPsec

Data plane
• MACsec per link
• LSPsec/WANsec
• IPsec

Transport network
• IPsec for DCN
• MACsec/LSPsec for data
• IPsec for data
MACsec Use Case

• Switch-to-host (dynamic CAK mode)
  • The peer nodes receive MACsec key attributes from the RADIUS server during authentication and use these attributes to dynamically generate the key.
• Switch-to-switch
  • Static CAK mode

MACsec on Link

[Diagram: two LANs joined across a WAN; MACsec is applied per hop on each link, giving encryption over the WAN.]

MACsec secure Ethernet link

The MACsec encryption process is applied per link: as the Ethernet frame enters the MAC layer, MACsec encryption is applied as well.

MACsec Packets

• Encrypts all data except for the source and destination MAC addresses of an Ethernet packet
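To make concrete what "everything except the source and destination MAC addresses" means on the wire, here is an added example (not from this page or Loop's products) in Python that parses the 802.1AE frame layout: it pulls out the fields that remain in the clear (DMAC, SMAC, an optional clear 802.1Q tag positioned ahead of the SecTag as in the frame layouts later on this page, and the SecTag with its TCI/AN, SL, PN and optional SCI) and treats everything between the SecTag and the 16-octet ICV as protected data. The `build_frame` helper only lays out a frame with placeholder secure data and ICV and performs no AES-GCM; all sample values are constructed.

```python
"""Parser for the IEEE 802.1AE (MACsec) frame layout: added example, not Loop code.
Shows which octets a MACsec frame leaves in the clear; the sample frame is
constructed and its secure data / ICV are placeholder bytes, not real ciphertext."""
import struct

ETYPE_VLAN = 0x8100
ETYPE_MACSEC = 0x88E5
ICV_LEN = 16          # GCM-AES-128/256 integrity check value


def parse_macsec(frame: bytes) -> dict:
    """Return the clear-text fields of a MACsec frame and the protected span."""
    dmac, smac = frame[0:6], frame[6:12]
    pos, vlan = 12, None
    etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if etype == ETYPE_VLAN:                  # clear 802.1Q tag ahead of the SecTag
        vlan = struct.unpack("!H", frame[pos + 2:pos + 4])[0] & 0x0FFF
        pos += 4
        etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if etype != ETYPE_MACSEC:
        raise ValueError("not a MACsec frame")
    pos += 2
    tci_an, sl = frame[pos], frame[pos + 1]  # TCI/AN octet, Short Length octet
    pn = struct.unpack("!I", frame[pos + 2:pos + 6])[0]   # packet number
    pos += 6
    sci = None
    if tci_an & 0x20:                        # SC bit: explicit 8-octet SCI present
        sci = frame[pos:pos + 8]
        pos += 8
    secure_data, icv = frame[pos:-ICV_LEN], frame[-ICV_LEN:]
    short_len = sl & 0x3F
    if short_len and len(secure_data) != short_len:
        raise ValueError("short length field disagrees with secure data length")
    return {
        "dmac": dmac.hex(":"), "smac": smac.hex(":"), "vlan": vlan,
        "version": tci_an >> 7, "es": bool(tci_an & 0x40), "sc": bool(tci_an & 0x20),
        "scb": bool(tci_an & 0x10), "encrypted": bool(tci_an & 0x08),
        "changed_text": bool(tci_an & 0x04), "an": tci_an & 0x03,
        "pn": pn, "sci": sci.hex() if sci else None,
        "clear_octets": pos,                 # octets readable without the SAK
        "secure_data_len": len(secure_data), "icv": icv.hex(),
    }


def build_frame(dmac: bytes, smac: bytes, secure_data: bytes, pn: int,
                sci: bytes = b"", an: int = 0, vlan: int = None) -> bytes:
    """Lay out (not encrypt) a MACsec frame: E=1, C=1, SC set when an SCI is given."""
    tci_an = (0x2C if sci else 0x0C) | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < 48 else 0
    hdr = dmac + smac
    if vlan is not None:
        hdr += struct.pack("!HH", ETYPE_VLAN, vlan)
    hdr += struct.pack("!HBBI", ETYPE_MACSEC, tci_an, sl, pn) + sci
    return hdr + secure_data + b"\xff" * ICV_LEN    # placeholder ICV, not a GCM tag


if __name__ == "__main__":
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        bytes(range(20)), pn=7, sci=bytes.fromhex("66778899aabb0001"), vlan=100)
    for k, v in parse_macsec(frame).items():
        print(f"{k:16} {v}")
```

The ETYPE and payload of the original frame sit inside `secure_data`, which is why a MACsec-protected link shows nothing above the SecTag to anyone without the SAK.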
MACsec flow
• Step 1: CA domain setup - Authentication:
  • Manually configure the PSK (CAK/CKN pair) or obtain it dynamically through the EAP-TLS authentication protocol on all devices with a certificate.
• Step 2 - MKA:
  • SA peer discovery
• Step 3 - MKA:
  • Invoke key server selection.
  • The key server is responsible for generating and distributing the SAK and selects the cipher suite used to protect communication within a CA.
• Step 4 - Launch SC:
  • Once the SAK is formed, the peers use the SAK to encrypt the data on the protected link.
GE WISsec Packet

• Proprietary encryption header that replaces the Ethernet preamble and start of frame delimiter (SFD) fields in each frame.
• Reference "21. pcs_encrypt_fs_01_05_15.pdf" page 11
Interworking between MACsec and GE WISsec

[Diagram: two G7800 nodes (CC2 #1 and CC2 #2) connected over an MPLS/CE network. Each node carries a 5P4510 card whose 1G ports run GE WISsec (IEEE MACsec); a 10G/100G packet switch with MPLS, TP-OAM, a 1G packet mux and 1G+ JP2/JM trunks (10G with TDMoP trunk); a TDM packetizer with 84 x VT XC, SAToP XC, CES PW (128 x E1), 6 x 8M PCM XC, DS0 XC and local A/D (= 24 x 30 DS0 channels); and TDM cards (C37.94 card with 36 ports, QT1 card with VTU, 32TE1 card with 30 x T1 (sync) and 5 x 32 T1 (async), OC3, Bypass WIS, 1G+ EVO).]
End-to-End L2.5 Service Sec (LSPsec/WANsec @L2.5)

[Diagram: G7800 chassis. CC2 controller card with 6 x 10G SFP+ and 2 x 100G SFP+ ports and an MPLS switch with TP-OAM; 5P4510 card with 8 x 1G SFP ports, Serdes and an FPGA performing encryption/decryption; GFEO/GFET/POE cards with 1G SFP ports P1 to P10.]

Frame formats (MACsec process initiated at the G7800 line card):
• Plain Ethernet frame: DMAC | SMAC | 802.1Q | ETYPE | Payload | CRC
• After MACsec encryption: DMAC | SMAC | 802.1Q | 802.1AE SecTag | ETYPE | Payload | ICV | CRC
• Carried over MPLS-TP behind an outer 802.1AD header: DMAC | SMAC | 802.1AD | 802.1Q | MPLS-TP | DMAC | SMAC | 802.1Q | 802.1AE SecTag | ETYPE | Payload | ICV | CRC


End-to-End L3 Service Sec (IPSec)

[Diagram: G7800 chassis. CC2 controller card with 6 x 10G SFP+ and 2 x 100G SFP+ ports and L3 routing over MPLS-TP; 5P4510 card with 8 x 1G SFP ports, Serdes, an FPGA performing ESP/AH processing and an SPD (security policy database); GFEO/GFET/POE cards with 1G SFP ports P1 to P10.]

Frame formats (IPsec process initiated at the G7800 line card):
• Plain frame: DMAC | SMAC | 802.1Q | IP HDR | Payload | CRC
• After ESP encapsulation with a new outer IP header: DMAC | SMAC | 802.1Q | New IP HDR | ESP | [IP HDR | Payload] | ESP Trailer | CRC
• Carried over MPLS-TP: DMAC | SMAC | MPLS-TP | 802.1Q | New IP HDR | ESP | [IP HDR | Payload] | ESP Trailer | CRC


Cyber Security Roadmap

#  Plug-in Card / Functions                                   Availability Date
1  DCN Management Cyber Security                              2023/Dec/15
2  FIPS 140-3 Encryption Algorithm Certification              2023/Dec/15
3  GFEO (Giga/Fast Ethernet Optical) Ph2 with LSPsec/MACsec   2024/Jun/30
   GFET (Giga/Fast Ethernet Twist-Pair) with LSPsec/MACsec
4  CC2 with L3 Routing for IT over OT                         2024/Jun/30
5  GFEO with IPsec                                            2024/Dec/30
   GFET with IPsec
   POE with IPsec
6  IEC 62443-4-1 Cyber Security Certification                 2024/Dec/30

Thanks
