
STRONG SECURITY ON ECLIPSE PACKET NODE

Even though microwave communications have some built-in security-like features such as scrambling, narrow beamwidth, proprietary airframe, coding and other factors, it is not very hard for them to be broken by those with the proper expertise. Some vendors even openly offer commercial microwave interception systems for “legitimate” monitoring. This, together with the growing sophistication and willingness of those attempting to break into wireless networks, makes a high level of security for microwave more important than ever.

INTRODUCTION

Strong Security on the Eclipse Packet Node platform is designed to provide peace of mind for those operators who need that extra level of security. Strong Security supports Secure Management over unsecured networks with support for standardized protocols based on FIPS-140-2 requirements. Payload Encryption is supported by a module designed to be compliant with FIPS-197. Integrated RADIUS and centralized AAA domain capability are supported by Strong Security for remote authentication, authorization and accounting for an additional level of security for wireless networks.

KEY FEATURES

• Support for Secure Management over unsecured networks through use of secure protocols (e.g., SNMP v3, SSL, TLS v1.2) based on FIPS-140-2 validated algorithms
• Payload Encryption (e.g., AES-128, AES-256, 3DES, DES) of communications and OAM traffic compliant with FIPS-197
• RADIUS capability and centralized AAA domain support for User Authentication to track all authorized and unauthorized user activity and points of entry
• Six categories of access privileges to create any type of highly customized user profiles that are most appropriate for your network
• Capability to disable all unsecured physical ports for each radio link to prevent unauthorized connections and system break-ins

SECURE MANAGEMENT

Management of the Eclipse Packet Node platform can be secured over unsecured networks. Strong Security supports secure management interfaces based on secure management protocols that have been validated against FIPS-140-2 requirements. Secure Management is very flexible and provides the security customers need for microwave transmission management. Using a craft interface tool for configuration and maintenance, the Eclipse Packet Node radio can be securely managed via TLS v1.2 tunneling. For centralized monitoring from a network operations center (NOC), Eclipse Packet Node can be securely accessed by way of any network management system (NMS) that supports SNMP v3 (Figure 1).


PAYLOAD ENCRYPTION

To provide Strong Security, data and management payloads on Eclipse Packet Node radios can be encrypted. Payload Encryption through Strong Security prevents wireless communications from being eavesdropped on (Figure 2). Any eavesdropping equipment, or sniffers, along the transmission path between links or in the transmitter’s vicinity will only receive a garbled transmission.

With AES encryption and 128-, 192- or 256-bit symmetric keys, a randomly generated encryption combination protects each Eclipse Packet Node wireless link pair. These combinations are created and negotiated between links using the industry-standard Diffie-Hellman key agreement method, which supports groups with a modulus of at least 2048 bits. Given this level of support, no particular encryption combination will be repeated within 4000 years. Therefore, Payload Encryption is fully compatible with the AES encryption standard and complies with FIPS-197, which provides the definition for AES encryption.

INTEGRATED RADIUS CAPABILITY

For an even higher level of protection, Strong Security on Eclipse Packet Node configures RADIUS capability into existing customer IT infrastructure. With integrated RADIUS capability, access control based on more sophisticated permission attributes can be provided. Eclipse Packet Node RADIUS capability enables authentication, authorization and accounting of remote user accounts, and integration also allows customers to manage user accounts within existing IT infrastructure from a central location, the same way PC user accounts are managed. With integrated RADIUS capability and the Security Event Logger feature on Eclipse Packet Node, all management activity attempts on Eclipse are tracked, including actions that affect traffic, logins and logouts, any changes to user accounts and other security events. It does this by recording user logins and IP addresses.

If communications to the RADIUS server are interrupted for any reason, Strong Security supports a fallback position. RADIUS credentials can be cached for a user-defined period. When the RADIUS server is unavailable, the cached credentials may be used to log in. For extended periods where the RADIUS server cannot be reached, the user-based security model allows logging in with the local SNMP user database.
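The RADIUS fallback order described on this page (RADIUS first, cached credentials for a user-defined period, then the local user database) can be modelled as below. This is an added example, not Aviat code: the class and function names, the PBKDF2 storage of cached credentials, and the choice to consult the local database only when no unexpired cache entry exists are all assumptions.

```python
import hashlib, hmac, os, time

def pw_digest(password, salt):
    # Store only a salted, slow hash of a credential, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FallbackAuthenticator:
    """Hypothetical model: RADIUS first, then cached credential, then local users."""
    def __init__(self, radius_check, local_users, ttl, clock=time.time):
        self.radius_check = radius_check  # raises ConnectionError when unreachable
        self.local_users = local_users    # user -> (salt, digest)
        self.ttl = ttl                    # the user-defined caching period, seconds
        self.clock = clock
        self.cache = {}                   # user -> (salt, digest, expiry)

    def login(self, user, password):      # returns the accepting source, or None
        try:
            accepted = self.radius_check(user, password)
        except ConnectionError:
            return self._offline_login(user, password)
        if not accepted:
            self.cache.pop(user, None)    # server said no: drop any cached copy
            return None
        salt = os.urandom(16)
        self.cache[user] = (salt, pw_digest(password, salt), self.clock() + self.ttl)
        return "radius"

    def _offline_login(self, user, password):
        entry = self.cache.get(user)
        if entry and self.clock() < entry[2]:
            ok = hmac.compare_digest(pw_digest(password, entry[0]), entry[1])
            return "cache" if ok else None
        self.cache.pop(user, None)        # expired entries are purged, not reused
        record = self.local_users.get(user)
        if record and hmac.compare_digest(pw_digest(password, record[0]), record[1]):
            return "local"
        return None

def demo():
    # Constructed account and outage; no real server is contacted.
    state = {"up": True, "now": 0.0}
    def radius(user, password):
        if not state["up"]:
            raise ConnectionError("RADIUS unreachable")
        return (user, password) == ("noc-admin", "radius-pw")
    auth = FallbackAuthenticator(radius, {}, ttl=600, clock=lambda: state["now"])
    first = auth.login("noc-admin", "radius-pw")
    state["up"] = False
    return [first, auth.login("noc-admin", "radius-pw")]
```

Returning the source that accepted the login lets an event log distinguish server-verified sessions from ones admitted on cached or local credentials during an outage.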

[Figure 1 diagram labels: NMS Terminal or Craft Interface Tool; Secure Access via TLS / SNMPv3; Secure Management Traffic; Unsecured Network (WAN, LAN, etc.); OEM Equipment]

Figure 1. Strong Security on the Eclipse Packet Node platform supports Secure Management via TLS v1.2 tunneling with a craft interface tool or SNMP v3 through a compatible NMS terminal.

[Figure 2 diagram labels: Payload Traffic; Management Traffic; Secure; Unencrypted; Unencrypted Payload Traffic; Unsecured Management Traffic; NO SNIFFING]

Figure 2. With Payload Encryption on Eclipse Packet Node, both payload and management traffic are encrypted to a high level of security against eavesdropping (i.e. sniffing).

www.aviatnetworks.com Aviat, Aviat Networks, and the Aviat logo are trademarks or registered trademarks of Aviat Networks, Inc. 


© Aviat Networks, Inc. (2010) All Rights Reserved. Data subject to change without notice. _o_StrongSecurity_EcliPktNd_UNIV_11Nov10