FibeAir IP-10 G-Series

EMS Security Configuration

Proprietary and Confidential

Agenda
SSH
HTTPS
SFTP
Users & Groups
Password

Proprietary and Confidential

Security Configuration
Update first FTP connection

Proprietary and Confidential

SSH Secured Shell

SHHv1 and SSHv2 are supported.
SSH protocol can be used as a secured alternative to "Telnet".
SSH protocol is always be operational. Admin user can choose whether to

disable
"Telnet" protocol, which will be "enabled" by default. Server authentication
will be based on IP-10s "public key".
Key exchange algorithm is RSA.
Supported Encryptions: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc,
arcfour128, arcfour256, arcfour, aes192-cbc, aes256-cbc, aes128-ctr,
aes192-ctr, aes256-ctr.
MAC (Message Authentication Code): SHA-1-96 (MAC length = 96 bits, key
length = 160 bit). Supported MAC: hmac-md5, hmac-sha1, hmacripemd160, hmac-sha1-96, hmacmd5-96'
The server will authenticate the user based on user name and password.
Number of failed authentication attempts is not limited.
Server timeout for authentication: 10 min. This value cannot be configured.

Proprietary and Confidential

HTTPS
In order to manage the system using HTTPS protocol, user should
follow the following steps:

1. Create the IDU certificate based on IDU's public key.

2. Download the IDU certificate.
3. Using CA certificate (Optional steps)
i. Download the IDU CA's certificate.
ii. Enable WEB CA certificate.

4. Set WEB Protocol parameter to HTTPS

Proprietary and Confidential

HTTPS Public Key Upload

The public key should be uploaded by the user for generating the IDUs
digital certificate:

The upload will be done by using FTP/SFTP (s

The public key file will be in PEM format.
Click Upload Public Key
The status of the upload operation can be monitored. The returned status
values are: ready (default), in-progress, success, failed. In any case of
failure, an appropriate error message will appear.

Proprietary and Confidential

HTTPS Certificate Download (1)

Download IDU server certificate and/or IDU CA certificate (optional) :

Download is done by using FTP/SFTP.

PEM and DER certificate formats are supported.
For downloading the IDU server certificate and/or IDU's CA certificate to the system, the
following steps must be fulfilled for each file type:

Determine certificate file name (Admin privilege).

Determine the certificate file type (Admin privilege): Target Certificate (for WEB
server digital certificate) or Target CA certificate (for WEB CA digital certificate).
Determine certificate file format (Admin privilege): Format could be PEM (for PEM
formatted file), or DER (for DER formatted file).
Determine whether to include the
CA certificate into the WEB configuration
definitions. This is an optional configuration
and is recommended for adapting the
WEB interface to all the WEB browsers
applications (Admin privilege).
Proprietary and Confidential

HTTPS Certificate Download (2)

After setting the above configurations, a Download Certificate command
should be issued.

The status of the download operation can be monitored. The returned status
values are: ready, in-progress, success, failed.

It is recommended to refresh the WEB page when certificate download

operation is terminated.

To apply the new certificate, the WEB server should be restarted (Admin
privilege). WEB server will be automatically restarted when it is configured to
HTTPS.

Proprietary and Confidential

HTTPS - Activation
WEB interface protocol can be configured to be HTTP (default) or HTTPS
(cannot be both at the same time).
While switching to HTTPS mode, the following must be fulfilled:
WEB server certificate file exist.
Certificate public key is compatible to IDUs private key.
If one of the above tests fails, the operation will return an appropriate error
indication.
Open WEB Browser and type the URL https:\\<IP of target IDU>.
Note:
This parameter is NOT copied when copy to mate operation is initiated,
for security reasons (unsecured unit should not be able to override security
parameters of secured unit).

Proprietary and Confidential

SFTP (Secure FTP)

SFTP can be used for the following operations:

Configuration upload/download,
Upload the unit info.
Upload public key.
Download certificate files.
SW download

Proprietary and Confidential

USERS,
GROUPS
&
PASSWORD
Proprietary and Confidential

Adding Users

To add / edit users & groups click on the

item as shown in the captured imaged (left)

Click Add User to add new users

Proprietary and Confidential

Adding Users

Proprietary and Confidential

Adding Users

New users will be required to change their

password when they log in for the first time

Proprietary and Confidential

Changing Password
A valid password should be a mix of upper and lower case letters, digits, and other
characters.
You can use an 8 character long password with characters from at least 3 of these 4
classes. An upper case letter that begins the password and a digit that ends it do not
count towards the number of character classes used.

Proprietary and Confidential

Changing Password
Good example:
L00pBack using capital letters, small letters and digits (zeros instead of O)

Bad example:
Loopback missing digits or other characters
Loopbacks using more than 8 characters

Proprietary and Confidential

Thank You !
training@ceragon.com

17