Secure System Configuration Guide
Fiber Service Platform 3000R7
Product Release: 22.2
Document Issue: A
Document Number: 80000073674...
You will notify Adtran immediately of any unauthorized use of your account or any other breach of security. Adtran will not be liable for any losses you incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Adtran due to someone else using your account at any time, without the permission of the account holder.
Such projections and forward-looking statements are subject to risks which cannot be foreseen and which are beyond the control of Adtran. Adtran is therefore not in a position to make any representation as to the accuracy of economic projections and forward-looking statements or their impact on the financial situation of Adtran or the market in the shares of Adtran.
You agree that, in the event you are notified by Adtran, a third party or a governmental agency about a license requirement for Controlled Items or particular transactions, you will not export or re-export the Controlled Items or pursue the transactions, directly or indirectly, until the required licenses are obtained, and work with Adtran, the third party or the governmental agency to procure the required licenses.
ADVA Privacy Statement
All terms related to our privacy information are available at: https://www.adva.com/en/about-us/legal/privacy-statement
All terms related to our privacy information for Customer Portal users are available at: https://advaoptical-communities.force.com/customerportal/CustomerPortalTCs

Contents
Preface
  Safety Symbol and Message Conventions
  Documentation
    FSP 3000R7 Documentation Suite
    Accessing Documentation
    Documentation Feedback
  Obtaining Technical Assistance
...
  Disabling HTTP redirection to HTTPS
  Disabling TL1
  Disabling SNMPv1/SNMPv2c
  Disabling GNMI
  Configuring a Security Banner
  Disabling Older Versions of TLS
  Configuring Remote SysLog
  Configuring Audit Events
  Configuring Packet Filtering
  Configuring Whitelist
  Configuring DoS Protection
  Configuring the ICMP Filter
  Disabling Serial Port Access
  Regenerating the SSH Host Key
  Regenerating the SSL Certificate
  Configuring the PKI Certificate
...
Preface
  Safety Symbol and Message Conventions
  Documentation
  Obtaining Technical Assistance

The pictures or graphics shown in this document are for reference only. They are based on the latest hardware revision available at the time of publication. The equipment you received might look different from the pictures or graphics shown in this document.
Icon / Meaning: Description
Laser Radiation Warning – Level 3B: Warns you about the risk of possible laser radiation hazard if the system is not used as designed or is altered in any way.
Laser Radiation Warning – ...: Warns you that the equipment contains Class 1 ...
Notice: Indicates the risk of equipment damage, malfunction, process interruption, or negative impacts on surroundings.
Documentation: Advises of the importance of carefully reading all instructions before proceeding, or provides links to additional information to read. Failure to do so may result in personal injury or damage to equipment.
Technical Services
Technical services are available to customers who need technical assistance with an ADVA product that is under warranty or covered by a maintenance contract.
Online: https://www.adva.com/en/about-us/contact
Email: support@adva.com
Call:
  ADVA Europe, Middle East and Africa, Martinsried/Munich, Germany: +49 (0)89 89 06 65 0
  North America, Norcross, GA, USA: ...
Chapter 1 Introduction
The Secure System Configuration Guide is valid only as long as customers configure products according to the secure configuration guidance. All security test cases (positive and negative) have to be executed on a product provisioned according to the secure configuration guidance.
The scope of protection provided by the FSP 3000R7 is to safeguard data that originates from the shelf or that the device itself uses, including administrative and audit data. The network environment is assumed to provide physical security appropriate to the integrity of the FSP 3000R7 and its data.
3. Calculate the checksum of the downloaded item on your local system and compare it with the published checksum.
   If the checksum(s) match: there is no evidence of modification to the software, and no communication errors occurred.
   If the checksum(s) don't match: this is evidence of modification to the software or of communication errors; do not install the item.
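The comparison in step 3, as an added example that is not ADVA tooling or code from this guide: a Python script that reads a sha256sum-style manifest ("<hexdigest>  <filename>" per line) and checks each downloaded file against it, reporting a mismatch or a missing file separately. The manifest format, file names and file contents in demo() are constructed for illustration; substitute the algorithm ADVA publishes for the release.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20   # stream in 1 MiB pieces; software images can be large


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, computed without loading it into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum/md5sum-style lines '<hexdigest>  <filename>' into
    {filename: hexdigest}. Blank lines and '#' comments are skipped; the
    leading ' ' or '*' (text/binary marker) before the name is dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries


def verify_downloads(directory, manifest_text, algorithm="sha256"):
    """Check every file named in the manifest. Returns
    {filename: 'OK' | 'MISMATCH' | 'MISSING'}; MISMATCH is the case the
    procedure above treats as evidence of modification or a transfer error."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algorithm)
        # compare_digest is constant-time, so a mismatch leaks nothing about where it is
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed sample (not an ADVA artifact): one intact file, one whose
    content no longer matches the published digest, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.bin"), "wb") as f:
            f.write(b"software image A")
        with open(os.path.join(d, "bad.bin"), "wb") as f:
            f.write(b"software image B, altered in transit")
        manifest = "\n".join([
            "# constructed manifest",
            hashlib.sha256(b"software image A").hexdigest() + "  good.bin",
            hashlib.sha256(b"software image B").hexdigest() + "  bad.bin",
            "0" * 64 + "  absent.bin",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:8} {name}")
```

Run it against the directory holding the downloaded item and the manifest text from the download page; anything other than OK for every entry means the item must not be installed.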
Chapter 2 Secure Configuration
This section describes steps for improving the security of a network element. It contains these topics:
  Updating Software
  Changing the Password at First Login
  Enabling Password Restrictions
  Configuring New User Accounts
  Configuring Mutual Authentication
  Disabling Bootloader Access
  Enabling Remote Authentication
  Disabling Insecure Protocols
...
  Disabling Requests for User Privilege Upgrade
  Configuring TLS Ciphers
  Configuring SSH Ciphers
  Checking Open Ports
  Configuring Control Plane Interfaces
  Running Self-Test

Due to a bug in the HSTS implementation of Firefox, it is recommended to use Chrome. Normally the web server sends an HSTS header telling the browser that this web page must always be retrieved via HTTPS.
client_cert.crt – The certificate that corresponds to client_key.pem. This certificate will be included in the SIG file.
output:
F7022011.SIG – The signature file. Its name must be the same as that of the CON file, but with the extension SIG instead of CON. The customer file server will then have one additional file: F7022011.SIG.
Enabling Password Restrictions
To enable password restrictions, first enable Enhanced Security mode and change the ADMIN password.
1. Select Node > Security > Access.
2. In the Password Management area, Security Mode field, select Enhanced.
3. In the Security Mode window, click Apply. The system automatically logs you out.
4.
  SNMP auth protocol
  SNMP privacy type
  privilege level (operator, monitor, and so forth)

Recommended settings:
Parameter: Value
Password: minimum of 15 characters, with mixed case, special characters, and digits
Authentication Protocol: SHA-512
TL1 Timeout Period [min]: maximum 15
Login Fail Count: maximum 3
Max Password Age [day]: maximum 60
Min Password Age [day]: ...
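An added example, not from the guide, that turns the recommended values above into a check you can run before provisioning an account or after exporting an NE's settings: check_password() enforces the 15-character, mixed-case, digit and special-character rule (read here as at least one of each), and audit_settings() compares a parameter dictionary against the rows shown on the page. The dictionary layout and the key names are an assumption about how you capture the NE's current values; the sample export is constructed.

```python
import string

MIN_PASSWORD_LENGTH = 15

# Rows of the "Recommended settings" table above. ("max", n) means the NE value
# must not exceed n; ("equals", v) means it must be exactly v.
RECOMMENDED = {
    "Authentication Protocol": ("equals", "SHA-512"),
    "TL1 Timeout Period [min]": ("max", 15),
    "Login Fail Count": ("max", 3),
    "Max Password Age [day]": ("max", 60),
}


def check_password(password):
    """Return the list of rule violations; an empty list means compliant.
    'mixed case, special characters, digits' is read as at least one of each."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    checks = [
        ("no lowercase letter", str.islower),
        ("no uppercase letter", str.isupper),
        ("no digit", str.isdigit),
        ("no special character", lambda c: c in string.punctuation),
    ]
    for message, test in checks:
        if not any(test(c) for c in password):
            problems.append(message)
    return problems


def audit_settings(current):
    """Compare an NE's current values (dict keyed by the parameter names in the
    table; this export format is an assumption) with RECOMMENDED.
    Returns a list of findings; an empty list means every row complies."""
    findings = []
    for key, (rule, want) in RECOMMENDED.items():
        if key not in current:
            findings.append(f"{key}: missing from export")
            continue
        have = current[key]
        if rule == "equals" and have != want:
            findings.append(f"{key}: is {have!r}, expected {want!r}")
        elif rule == "max" and have > want:
            findings.append(f"{key}: is {have}, expected at most {want}")
    return findings


if __name__ == "__main__":
    # Constructed sample export, not a real NE dump.
    sample = {"Authentication Protocol": "SHA", "TL1 Timeout Period [min]": 30,
              "Login Fail Count": 3, "Max Password Age [day]": 60}
    print(check_password("Str0ng!Passphrase-42"))
    print(audit_settings(sample))
```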
User Type: Description
monitor: Only has read access rights and can change only his or her own password.
crypto: Has monitor capabilities with some exceptions. The main task of a crypto user is to configure security-related settings on encryption modules. This user can change the Crypto-Officer password and the authentication password, set bypass mode, and allow a firmware update.
Security Level: Authentication: Privacy
authNoPriv: MD5/SHA/SHA-256/SHA-512: (none)
authPriv: MD5/SHA/SHA-256/SHA-512: Yes (AES-128)

Continue with these steps to complete these fields:
1. Authentication Protocol, select SHA-512.
2. Privacy Key Type, select User Specified.

Privacy Key Type: Description
User Specified: Configure a new privacy key for the SNMPv3 user.
User Password: Use the user's existing password as the key for the SNMPv3 user.
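Why User Specified is the recommended Privacy Key Type, as an added example that is not from the guide: the USM key derivation (RFC 3414 password-to-key and key localization, with the SHA-2 variants of RFC 7860) in Python. On my reading of the table, User Password feeds the same login password into both derivations, so the localized authentication and privacy keys coincide (up to the AES-128 truncation), and anyone who learns or guesses the password has both; a separate privacy secret decouples them. The engine ID and the password "maplesyrup" are the RFC 3414 appendix test values, the second secret is constructed, and the exact truncation the NE applies for AES-128 (first 16 bytes, as RFC 3826 specifies) is assumed.

```python
import hashlib

# Authentication protocols as named in the table above ("SHA" is SHA-1).
HASH_FOR_PROTOCOL = {"MD5": "md5", "SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

AES128_KEY_BYTES = 16


def password_to_key(password, engine_id, protocol="SHA-512"):
    """RFC 3414 A.2 password-to-key, with the SHA-2 variants of RFC 7860:
    1. repeat the password to exactly 1 MiB and hash it          -> Ku
    2. localize to the agent: H(Ku || snmpEngineID || Ku)        -> Kul
    The localized key differs per engine ID, so a key recovered from one NE
    is not valid on another; the password itself remains the weak link."""
    if not password:
        raise ValueError("empty password")
    algo = HASH_FOR_PROTOCOL[protocol]
    reps, rem = divmod(1 << 20, len(password))
    ku = hashlib.new(algo, password * reps + password[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password, engine_id, protocol="SHA-512", priv_secret=None):
    """Return (auth_key, priv_key) for a USM user.
    Privacy Key Type 'User Password'  -> priv_secret is None: the login
        password feeds both derivations and the key material coincides.
    Privacy Key Type 'User Specified' -> priv_secret is a separate secret and
        the privacy key is independent of the login credential.
    AES-128 takes the first 16 bytes of the localized key (RFC 3826, assumed
    to be what the NE does)."""
    auth_key = password_to_key(password, engine_id, protocol)
    priv_key = password_to_key(priv_secret if priv_secret is not None else password,
                               engine_id, protocol)
    return auth_key, priv_key[:AES128_KEY_BYTES]


if __name__ == "__main__":
    # RFC 3414 appendix A test values: password "maplesyrup", engine ID ...02.
    eid = bytes.fromhex("000000000000000000000002")
    print(password_to_key(b"maplesyrup", eid, "SHA").hex())
    a, p = usm_keys(b"maplesyrup", eid, "SHA")
    print("User Password: priv key equals auth key prefix:", a[:16] == p)
    a, p = usm_keys(b"maplesyrup", eid, "SHA", priv_secret=b"constructed-priv-secret")
    print("User Specified: priv key equals auth key prefix:", a[:16] == p)
```

The SHA-1 path reproduces the RFC 3414 A.3.2 localized key, which is how you can tell the derivation is right before trusting it for SHA-512; the same function with protocol="SHA-512" is the derivation behind the recommended setting in step 1.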
Disabling Bootloader Access
1. Select Node > Security > Access.
2. In the Access Management area, NCU Boot Loader Access field, select Disable.
3. Click Apply.
If you disable bootloader access, you increase security but lose the possibility of restoring a lost password.
  Disabling TL1
  Disabling SNMPv1/SNMPv2c
  Disabling GNMI

Disabling Telnet
Telnet is disabled by default and it is not recommended to use it. If you enable it by accident, disable it using these steps:
1. Select Security > Access.
2.
Disabling SNMPv1/SNMPv2c
1. Select Node > General > Controls.
2. In the Interfaces area, SNMPv1 field, select Disable.
3. In the Interfaces area, SNMPv2c field, select Disable.
4. Click Apply.

Disabling GNMI
This option is disabled by default and it is not recommended to use it. If you enable it by accident, disable it using these steps:
1.
Configuring Remote SysLog
1. Select Node > General > Controls.
2. In the Remote Event Recipients (SysLog) area, click Add.
3. In the Add Remote Event Recipients (SysLog) window, IPv4/v6 Address field, enter the applicable IP address.
4. Click Add.
To add a port user label to the SysLog information:
1.
Configuring Whitelist
1. Select Node > Security > Packet.
2. In the Node Management Approved IP Addresses area, click Add.
3. In the Add Approved IP Address window, IP Operation field, select IPv4 or IPv6.
4. If the operation is IPv4:
   a. Enter the IP Mask.
   b.
   f. In the Drop Addr. Mask Requests field, select Enable.
3. Click Apply.

Disabling Serial Port Access
1. Select Configure > Shelf 1.
2. Select Slot A NCU-II/NCU-3.
3. In the Serial Port area, click the relevant port.
4.
4. Set the Key Length to 4096.
5. Set the SSL Valid Period to 2.
6. Set the SSL Certificate IP fields.
7. Click Apply & Generate Certificate.

Configuring the PKI Certificate
Confirm that any non-blank URL points to a trustworthy server. Make sure that the PKI solution you use is free of vulnerabilities.
   a. Select the Identifier and select the proper Key Profile.
   b. In the Key And Certificate Renewal area, select the proper Certificate Authority.
   c. In the Certificate Request Configuration area, enter the information following your network plan.
   d.
Configuring TLS Ciphers
1. Select Node > Security Applications > SSL/TLS.
2. In the TLS Ciphers area, TLS Ciphers Profile field, select Default.
3. Click Apply.
The default value allows only BSI-recommended ciphers.

Configuring SSH Ciphers
1. Select Node > Security Applications > SSH.
2.
Application/Service: TCP/UDP ports
TL1 (Human Mode): 2024, 8778
TL1 (NMS Mode): 2025, 8778
TL1 (Encrypted Mode): 6252, 6253, 8778
TL1 (Human Encrypted Mode): 6252, 8778
PCEP: 4189
GNMI: 50051
DHCP Server
DHCP Client
SNMP Agent
If you disable any of the above applications/services (or the TCP/UDP ports not mentioned above), the NE will: for TCP: reject any incoming TCP SYN packets, for example reply with a TCP...
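An added audit script for Checking Open Ports (not ADVA tooling or code from the guide): run from a management host, it connect-probes the TCP ports listed above and distinguishes a refused connection (the reject the NE sends for a disabled service) from a silent drop (what a packet filter or whitelist produces for a non-approved source) and from an accepted handshake. The port table contains only the rows visible on the page; the set of services expected to be disabled follows the Disabling TL1 and Disabling GNMI sections; the host name is a placeholder, and selfcheck() uses a loopback listener so the probe logic can be exercised offline.

```python
import socket

# Services and TCP ports from the table above (only the rows shown on the page).
SERVICE_PORTS = {
    "TL1 (Human Mode)": (2024, 8778),
    "TL1 (NMS Mode)": (2025, 8778),
    "TL1 (Encrypted Mode)": (6252, 6253, 8778),
    "TL1 (Human Encrypted Mode)": (6252, 8778),
    "PCEP": (4189,),
    "GNMI": (50051,),
}

# Services the guide says to keep disabled ("Disabling TL1", "Disabling GNMI").
EXPECT_DISABLED = {
    "TL1 (Human Mode)", "TL1 (NMS Mode)", "TL1 (Encrypted Mode)",
    "TL1 (Human Encrypted Mode)", "GNMI",
}


def probe(host, port, timeout=2.0):
    """TCP connect probe.
    'closed'      - the peer refused (what the NE does for a disabled service:
                    it rejects the incoming SYN)
    'filtered'    - no answer before the timeout (a packet filter / whitelist
                    drop looks like this from a non-approved address)
    'open'        - the three-way handshake completed
    'unreachable' - no route or similar; says nothing about the port"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            return "unreachable"


def scan(host, timeout=2.0):
    """Probe every port in the table once and return {port: state}."""
    ports = sorted({p for ps in SERVICE_PORTS.values() for p in ps})
    return {p: probe(host, p, timeout) for p in ports}


def findings(results):
    """List services that should be disabled but still accept connections.
    results is {port: state} as returned by scan()."""
    out = []
    for service in sorted(EXPECT_DISABLED):
        for port in SERVICE_PORTS[service]:
            if results.get(port) == "open":
                out.append(f"{service}: TCP/{port} accepts connections")
    return out


def selfcheck():
    """Offline exercise of probe(): a loopback listener must read as 'open',
    and the same port must read as 'closed' once the listener is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ne.example.invalid"  # placeholder
    for line in findings(scan(host)) or ["no expected-disabled service is open"]:
        print(line)
```

Run it once from an address on the whitelist and once from an address that is not: from the approved host, disabled services must read as closed; from the non-approved host, every port should read as filtered if the packet filter is doing its job. Port 8778 is shared by all TL1 modes, so one open listener there is reported under each.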
Configuring Control Plane Interfaces
1. Select Node > General > Controls.
2. In the Control Network area, Control Plane field, select Disable.
3. Click Apply.

Running Self-Test
1. Select Node > General > Controls.
2. In the Functionality area, Selftest Fail Control field, select Non-Operational.
3.
SSH and SSL
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CCM
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
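An added client-side counterpart to the cipher list above (not from the guide): a Python ssl context restricted to TLS 1.2 and later and to the listed suites, with a check that flags anything outside the profile. From a management host it confirms what the NE actually negotiates after Configuring TLS Ciphers and Disabling Older Versions of TLS. The IANA-to-OpenSSL name mapping is standard OpenSSL naming rather than something the guide states; handshake() turns certificate verification off because it audits the cipher only, so verify the NE's certificate with a separate check; the host name is a placeholder.

```python
import socket
import ssl

# IANA suite names from the list above, mapped to the OpenSSL spelling that
# ssl.SSLContext.set_ciphers() expects (standard OpenSSL naming, assumed here).
TLS12_ALLOWED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CCM":        "ECDHE-ECDSA-AES256-CCM",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384":   "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   "ECDHE-RSA-AES256-GCM-SHA384",
}
# TLS 1.3 suites from the list; OpenSSL uses the IANA names for these.
TLS13_ALLOWED = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}


def disallowed_ciphers(names):
    """Return the cipher names (OpenSSL spelling) that fall outside the profile."""
    allowed = set(TLS12_ALLOWED.values()) | TLS13_ALLOWED
    return [n for n in names if n not in allowed]


def profile_context():
    """Client context mirroring the profile: TLS 1.2 as the floor (older
    versions disabled) and only the listed TLS 1.2 suites offered.
    Python cannot narrow the TLS 1.3 suite list; OpenSSL's built-in list also
    carries TLS_CHACHA20_POLY1305_SHA256, which the profile does not include,
    so disallowed_ciphers() reports it if you pass every suite of this context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(TLS12_ALLOWED.values()))
    return ctx


def offered_tls12(ctx):
    """TLS 1.2 suites this context would offer, as OpenSSL names."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def handshake(host, port=443, timeout=5.0):
    """Connect with the profile context and return (version, cipher) the NE
    negotiated. Certificate checks are off on purpose: this audits the cipher
    only, so verify the NE certificate with a separate check."""
    ctx = profile_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = profile_context()
    print("offered TLS 1.2 suites:", offered_tls12(ctx))
    print("outside profile:", disallowed_ciphers(offered_tls12(ctx)))
    # handshake("ne.example.invalid")  # placeholder host; needs network access
```

A handshake that fails against this context while succeeding with a default context means the NE still offers something outside the profile or still accepts a version below TLS 1.2; a negotiated cipher that disallowed_ciphers() flags means the profile on the NE is not the Default one.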
Chapter 5 Root Rights
After upgrading to R22.1.1, all existing admin-account users get the sudo option enabled. Admin-account users with the sudo option enabled can create and edit all other admin accounts. Admin-account users with the sudo option disabled can only create and edit other admin accounts that also have the sudo option disabled. Because the upgrade enables the option on every existing admin account, review which accounts actually need it and disable it on the rest.