350 - Ceragon - IP-10G EMS Security - Presentation v1.2

8/18/2019 350 - Ceragon - IP-10G EMS Security - Presentation v1.2

1/17

Proprietary and Confidential

FibeAir IP-10 G-Series

EMS Security Configuration

®


2/17


Agenda

2

• SS

• !!PS

• SF!P

• "sers # Groups

• Pass$ord


3/17


Security Configuration"pdate first F!P connection


4/17


SS % Secured S&ell

• S'1 and SS'( are supported)

• SS protocol can be used as a secured alternati'e to *!elnet*)• SS protocol is al$ays be operational) Ad+in user can c&oose $&et&er to

disable

• *!elnet* protocol, $&ic& $ill be *enabled* by default) Ser'er aut&entication$ill be based on IP-10s *public .ey*)

• /ey ec&ange algorit&+ is SA)• Supported Encryptions2 aes1(3-cbc, 4des-cbc, blo$fis&-cbc, cast1(3-cbc,arcfour1(3, arcfour(56, arcfour, aes17(-cbc, aes(56-cbc, aes1(3-ctr,

aes17(-ctr, aes(56-ctr)

• MAC 8Message Aut&entication Code92 SA-1-76 8MAC lengt& : 76 bits, .eylengt& : 160 bit9) Supported MAC2 &+ac-+d5, &+ac-s&a1, &+ac-

ripe+d160, &+ac-s&a1-76, &+ac+d5-76;

• !&e ser'er $ill aut&enticate t&e user based on


5/17


!!PS

In order to +anage t&e syste+ using !!PS protocol, user s&ould

follo$ t&e follo$ing steps2

• 1) Create t&e I?" certificate based on I?";s public .ey)

• () ?o$nload t&e I?" certificate)

• 4) "sing CA certificate 8@ptional steps9

i) ?o$nload t&e I?" CA;s certificate)

ii) Enable EB CA certificate)

• ) Set EB Protocol para+eter to !!PS


6/17


!!PS % Public /ey "pload

!&e public .ey s&ould be uploaded by t&e user for generating t&e I?"s

digital certificate2

• !&e upload $ill be done by using F!PDSF!P 8s

• !&e public .ey file $ill be in PEM for+at)

• Clic.


7/17Proprietary and Confidential

!!PS % Certificate ?o$nload 819

?o$nload I?" ser'er certificate andDor I?" CA certificate 8optional9 2

• ?o$nload is done by using F!PDSF!P)

• PEM and ?E certificate for+ats are supported)

• For do$nloading t&e I?" ser'er certificate andDor I?";s CA certificate to t&e syste+, t&efollo$ing steps +ust be fulfilled for eac& file type2

?eter+ine certificate file na+e 8ser'er digital certificate9 or

?eter+ine certificate file for+at 8



!!PS % Certificate ?o$nload 8(9

After setting t&e abo'e configurations, a



!!PS - Acti'ation

EB interface protocol can be configured to be !!P 8default9 or !!PS

8cannot be bot& at t&e sa+e ti+e9)

While switching to HTTPS mode, the following must be fulfilled:

• EB ser'er certificate file eist)

• Certificate public .ey is co+patible to I?"s pri'ate .ey)• If one of t&e abo'e tests fails, t&e operation $ill return an appropriate error

indication)

• @pen EB Bro$ser and type t&e " =&ttps2IP of target I?"H=)

Note:!&is para+eter is >@! copied $&en



SF!P 8Secure F!P9

SF!P can be used for t&e follo$ing operations2

• Configuration uploadDdo$nload,

• "pload t&e unit info)

• "pload public .ey)

• ?o$nload certificate files)

• S do$nload



"SES,

G@"PS#

PASS@?



Adding "sers

!o add D edit users # groups clic. on t&e

ite+ as s&o$n in t&e captured i+aged 8left9

Clic. Add User to add ne$ users



Adding "sers


14/17


Adding "sers

>e$ users $ill be reJuired to c&ange t&eir

pass$ord $&en t&ey log in for t&e first ti+e


15/17


C&anging Pass$ord

A 'alid pass$ord s&ould be a +i of upper and lo$er case letters, digits, and ot&er

c&aracters)

Kou can use an 3 c&aracter long pass$ord $it& c&aracters fro+ at least 4 of t&ese

classes) An upper case letter t&at begins t&e pass$ord and a digit t&at ends it do not

count to$ards t&e nu+ber of c&aracter classes used)


16/17


C&anging Pass$ord

Good ea+ple2

L00p!c" % using capital letters, s+all letters and digits 8Leros instead of


17/171

Thank You !

[email protected]

Documents

350 - Ceragon - IP-10G EMS Security - Presentation v1.2