Monday, April 1, 2019

Security mechanisms in FOT PON solutions

by www.fiber-mart.com
 Designed with carrier-class reliability, the FOT GEPON/GPON solution can fully guarantee the security of subscribers’ services.
 
Supports L2 to L7 packet filtering function.
Filters illegal frames based on source MAC address, destination MAC address, source IP address, destination IP address, port number, Ethernet type, protocol type, VLAN and VLAN range, so as to prevent illegal attempts to access the Internet.
Supports protection against DoS attacks to enhance the anti-attack capability.
Supports ACL (Access Control List)-based permission / denial controls.
Supports protection against ICMP (Internet Control Message Protocol) / IP message attacks.
Supports protection against ARP (Address Resolution Protocol) attacks.
Supports user operation authority management.
Both GUI and CLI network management systems can provide operator accounts with different operating rights, so as to ensure operating security of the network management system.
Supports automatic reporting of ONU SN and MAC address to the network management system.
Supports ONU authentication in multiple modes.
ONU authentication can be based on physical address, logic identifier, logic identifier + password, logic identifier + physical address, or logic identifier + password + physical address.
Supports broadcast storm control.
Supports frame filtering and rate limiting.
 
Supports access security control through DHCP Option-82 and PPPoE+.
The FOT GEPON/GPON solution can insert physical information into the protocol messages of a DHCP request or a PPPoE dial-up. When used in combination with a verifying system, it can effectively and dynamically control subscriber access to specific network resources, and it greatly facilitates troubleshooting and locating the source of an attack.
Supports the DHCP snooping function.
The ONU snoops subscriber information such as MAC address, IP address, lease time and VLAN ID, and establishes and maintains a DHCP snooping binding table so that a DHCP subscriber's IP address and port can be traced and located. In addition, it directly discards illegal messages (ARP spoofing messages and messages whose IP address has been arbitrarily modified), that is, messages that do not comply with the binding table entries. This guarantees the integrity and consistency of the DHCP environment.
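
The binding-table check described above, sketched in Python as an added example (not FOT's implementation and not code from the original page). The class and method names, the order of the checks, the verdict strings and all sample addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str
    port: str
    expires: float  # absolute time at which the lease ends

class SnoopingTable:
    """DHCP snooping binding table keyed by (VLAN ID, MAC address)."""

    def __init__(self):
        self.bindings = {}

    def learn_ack(self, mac, ip, vlan, port, lease_s, now):
        # Record the address a DHCP server granted to the subscriber on this port.
        self.bindings[(vlan, mac.lower())] = Binding(ip, port, now + lease_s)

    def check(self, mac, ip, vlan, port, now):
        """Validate the sender MAC/IP of an ARP or IP packet from a subscriber port."""
        key = (vlan, mac.lower())
        b = self.bindings.get(key)
        if b is None:
            return "drop: no binding"
        if now >= b.expires:
            del self.bindings[key]  # age out the stale entry
            return "drop: lease expired"
        if b.port != port:
            return "drop: wrong port"
        if b.ip != ip:
            return "drop: ip mismatch"
        return "forward"

def demo():
    t = SnoopingTable()
    # Constructed sample: one subscriber on port fe1, VLAN 100, 600 s lease at t=0.
    t.learn_ack("02:00:00:00:00:01", "192.0.2.10", 100, "fe1", 600, now=0)
    packets = [  # (mac, claimed ip, vlan, port, time), all constructed
        ("02:00:00:00:00:01", "192.0.2.10", 100, "fe1", 10),   # matches binding
        ("02:00:00:00:00:01", "192.0.2.1", 100, "fe1", 20),    # ARP claiming another IP
        ("02:00:00:00:00:02", "192.0.2.77", 100, "fe2", 30),   # self-assigned address
        ("02:00:00:00:00:01", "192.0.2.10", 100, "fe2", 40),   # bound MAC on other port
        ("02:00:00:00:00:01", "192.0.2.10", 100, "fe1", 700),  # after lease expiry
    ]
    return [t.check(*p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the first packet is forwarded; the other four are dropped because they do not match a live binding table entry.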
 
Supports limit on the maximum number of MAC addresses learned, to prevent MAC attack.
Supports limit on the number of MAC addresses that access a single FE interface of an ONU.
Supports limit on the number of multicast groups that a single FE interface of an ONU can join.
Supports the ONU port binding function.
Achieves the dynamic binding of FE interface and MAC address, so as to guarantee validity of subscribers accessing the network.
Supports AES-128 encryption and decryption algorithm to guarantee the security of subscribers’ data.
