Intrusion attempt handling | Nortel Networks NTRN10AN, 3500 specification

2-134Operation, administration, and maintenance (OAM) features

For remote login, for example, a remote login from telnet port 10001, the intrusion detection feature will not block the intermediate nodes, instead the IP address from the telnet connection from which the request was initiated will be blocked.

For more information about intrusion detection feature, please see Intrusion attempt handling on page 2-134.

Intrusion attempt handling

Intrusion attempts on the OPTera Metro 3500 network elements are alarmed and displayed when incoming access is attempted but fails due to incorrect user-ID or password. This alarm alerts administrators of intrusion after a provisionable number of failed login attempts.

Every time users log in to a shelf they must give a user ID and a password. If the information they enter corresponds to a valid userid and password they are allowed access to the shelf. If the user ID or password is wrong, they are allowed to re-enter the user information to try again and a counter is advanced incrementally by one. The provisionable range of invalid logins is between 2 and 9 before the port is locked out. The default value is 5 login attempts.

Users are locked out based on their originating address. Once the counter reaches the maximum number of invalid attempts the port is locked out for the required amount of time. An alarm is then raised to inform the system administrator that an intrusion attempt has occurred. Security logs will record the originating address and connection type of invalid access attempt to the NP or SP. Figure 2-42 Logical flow of intrusion attempt handling shows how the mechanism works.

Intrusion attempt handling is disabled by default.

OPTera Metro 3500 Multiservice Platform NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004

Image 172

Nortel Networks NTRN10AN, 3500 manual Intrusion attempt handling

Contents

OPTera Metro 3500 Multiservice Platform Copyright  2000-2004 Nortel Networks, All Rights Reserved Contents Iv Contents Contents Hardware feature descriptions Contents Page Standards Supported software Hardware naming conventions Supported hardwareAudience OPTera Metro 3500 NTP library NTRN16AA For non-service-affecting problems North America Global software upgrade support North AmericaTechnical support and information International Overview Network element overview Loam Loam Release 12.1 features In-service reconfigurations Dwdm DS1 ServicesDS3 8Overview Overview Performance monitoring Security and administration Bandwidth management Blsr Miscellaneous 14Overview Overview Release 12.1 Hardware Compatibility Matrix Platforms with STX VTX-series Circuit packs OC-3x4 Yes 18Overview Supported configurations Upsr Linear Spur OC-48 OC-3 Requires dual slot circuit OC-12 Pack 22Overview VTX-48e Linear pt-to-pt or OC-12 ADM chain OC-3 24Overview Interworking Supported upgrade paths Operation, administration, and maintenance OAM features New or enhanced OAM features in OPTera Metro 3500 Release OPTera Metro 3500 OAM features Gigabit Ethernet Drop and Continue Gigabit Ethernet drop and continue application P2P Alarm provisioning Engineering rules Alarm flow control Bandwidth management Environmental alarmsExternal controls Tributary, DWDM, BLSR, UPSR, and 1+1 linear point-to-point In-service traffic rollover Connection editing Switching matrix Blsr networks 2-fiberOPTera Metro STS or 5376 VT User-initiated Blsr switching commands Protection ’Infinite wait-to-restore’ parameter Automatically initiated Blsr switching requests Blsr Line Protection Oscillation Control Blsr single span fiber cut scenario Blsr single span Fiber cut example Step Action Node status ’Bridged and Switched’ 16Operation, administration, and maintenance OAM features Blsr ring switch example UEQ 18Operation, administration, and maintenance OAM features Node 1 and 2 state change detail Idle State 20Operation, administration, and maintenance OAM features EX1242p 22Operation, administration, and maintenance OAM features State Protection traffic 24Operation, administration, and maintenance OAM features Blsr nodal / multi-span failure scenario involves squelching 26Operation, administration, and maintenance OAM features A-B OC-48 Blsr node failure exampleC-B OC-192 Blsr node failure example Blsr configuration attributes Blsr configurationsSTS paths and squelch map for a four-node 2-Fiber Blsr ring Blsr configuration distribution Blsr configuration and connection auditBlsr configuration audit Blsr connection audit Traffic flow over OC-48 BlsrSTS Blsr with VT assignment VT Blsr with full VT access Traffic flow over OC-192 Blsr Network Element a DS1 add/drop Risk of traffic loss Provisioning rulesOC-48/OC-192 Blsr provisioning rules Rule # Description OC-48/OC-192 Blsr provisioning rules 36Operation, administration, and maintenance OAM features EX1294p 38Operation, administration, and maintenance OAM features West optics East optics IPTR-2 IPTR-3IPTR-4 IPTR-1 RPR over a Blsr and subtending Upsr example Upsr #1 Upsr #2 OAM supported on Blsr Changing the Blsr configuration / connection audit period Channelized DS3 service DS3VTx12 mapperCommon Language Location Identifier Connection ID Consolidated load Dense wavelength division multiplexing Dwdm OPTera Metro 3500 bands Band OMX module Network sites OPTera Metro 3500 and OMX interconnect Hubbed-ring configuration Dwdm configurationsPhysical connections in a hubbed-ring configuration 3500 Meshed-ring configuration Logical connections in a hubbed-ring configuration3500 3500 3500 Logical connections in a meshed-ring configuration Physical connections in a meshed-ring configuration3500 Dwdm point-to-point configuration Linear point-to-pointPhysical Connections 3500 3500 Logical Connections Facility attributes LoopbacksTerminal loopback Facility loopback Electrical Loopback types Optical loopbackOptical facility loopbacks Facility loopback OOSAIS Optical terminal loopbacks Operation, administration, and maintenance OAM features Extended network processor NPx Network surveillance2x100BT-P2P loopback conditioning Telemetry byte-oriented serial Tbos Single-ended Tbos Path trace Remote alarm LED indicatorTbos report format TID address resolution protocol Tarp Section trace Connectors OPTera Packet Edge System Resilient Packet Ring Ethernet Resilient packet ring RPR object Resilient packet ring shelf level 64Operation, administration, and maintenance OAM features Auto save notification RPR configuration alertTraps NNI Filters increased to 2x100BT-P2P circuit pack PPP over Sonet PPP and Hdlc 2x100BT-P2P circuit pack model Hdlc STS1/3C PPP/BCP Bridge Control Protocol Network protection using UPSR, 1+1 linear and Blsr2x100BT-P2P logical datapath overview Oamp support Ethernet Operational Measurements Operation, administration, and maintenance OAM features Bandwidth Reservation Protocol BRP Distributed multilink trunkingTDIs on a mapped UNI Optical Ethernet Private Line OE-PL and Storage applications 2xGigE/FC-P2P circuit pack Alarm management SDH Equipment alarms 76Operation, administration, and maintenance OAM features Small Form Factor Pluggables SFP alarms Ingress LAN port alarms Ingress LAN port alarms Alarm Description Severity For Fibre Channel facilities, this alarm For Fibre Channel facilities , this alarm LAN Ingress Alarms Egress WAN port and service alarmsLAN WAN LAN GFP Vcat SUBRATE=DISABLE 82Operation, administration, and maintenance OAM features Client Service Mismatch Lanwan Bandwidth managementContiguous concatenation Facility attributes Virtual concatenationEngineering rules Ethernet facility 86Operation, administration, and maintenance OAM features Fibre Channel facility MTU 88Operation, administration, and maintenance OAM features WAN facility STS12C, STS24C Provunits WAN GFP Supported on 2xGigE/FC-P2P Supported on 2xGigE/FC-P2P circuit Pack Outframesdiscds Alignerr 94Operation, administration, and maintenance OAM features Performance Monitoring Fibre Channel Extended ReachSES INFRAMESERR/INFRAME Inoctetserr UAS Storage over Sonet GFP and Flow Control Enable Distance Extension See Note Generic Framing Procedure GFP Generic Framing Procedure and Virtual Concatenation support60950 91430 182860 GFP Encapsulation GFP FCS Virtual Concatenation Vcat Efficiency Rate Performance monitoring Optical interoperability of OPTera MetroSonet line, section, and path parameters Hard-coded default threshold values facility type User defined default threshold values facility typeThreshold values User defined threshold values facility Line Path ES-PFE ES-PSES-P SES-PFE SEFS-PFESAS-P SEFS-P FC-P FC-PFE Operation, administration, and maintenance OAM features Retrieving performance monitoring counts Physical PMs NTN408DA NTN445CBNTN445DA NTN445JA Resetting registers and invalid data flag Storage and retrieval of physical PMs Performance monitoring threshold crossing alerts TCA TCA summary alarmsTCAs Alarms Preside Software Upgrade Management support Site Manager support Preside Applications Platform and Multiservice MOA support Site Manager main window Protection switching Protection hierarchy 120Operation, administration, and maintenance OAM features Protection PM in a linear 1+1 configuration Protection PM in a Blsr configuration Security and administration Local account user authentication Local ‘challenge-response’ user authentication Centralized Security Administration CSA Risk of unauthorized access Operation, administration, and maintenance OAM features ’Access-Request’ Time s Server ’Access-Reject’ ’Access-Accept’ Secure storage of authentication data SecurID support Saving and restoring provisioning data Local TL1 of provisioning dataSpan of control Individual shelf processor Security levels Application of TL1 commands from a TL1 script fileLevel System identifier SID Remote login Multiple login sessions NPx login sessions SPx login sessionsEnhanced Intrusion Detection Intrusion attempt handling Password restrictions Password managementLogical flow of intrusion attempt handling Password Reuse Enhanced password restrictionsPassword Aging Customer managed networks Temporary Accounts Security log audit trail ACT-USER, CANC-USER, ED-SECU-PID ALW-MSG-ALL INH-MSG-ALL General Broadcast tool Log Names Log name Log eventsSECU401 SECU410 Modifiable Login Banner Example of Modified Login Banner Restore-banner Login banner functionality STS Managed DSM NE3 DSM DSM NE1 DSMNE2 NE4 NE5 NE1NE4 DSM STS1 AID is used to perform BWM operations on STS1 endpoints to DS1 facility grouping assignmentsGroup of DS1 facilities Support for 12 DSM Synchronization Internal timing External timingLine timing Transport line timing Timing signal sources Internal timing mode External timing modeLine timing mode transport / tributary Tributary line timing Timing modes Synchronization hierarchy Stratum clocksSMC Timing loops Hierarchy violationsST3 Hierarchical network synchronization Building-integrated timing supply Bits Network element synchronization modes External timing Line timing Flow of synchronization timing signals Timing sources and timing distribution Synchronization-status messages ST1 PRS STUST2 ST4 User-specified quality levels for timing sources User-initiated synchronization switchesBits output with VTX-series or STX-192 circuit packs DUS Test Access Test Access Ports TAPs Site Manager Test Access Session Management window Test access configurations Monitoring test accessTest access components DCN Test access-monitor state Single FAD, Mone and Single FAD Monf Monitoring test access-Single FAD, Mone Monitoring test access-Single FAD, MonfMonitoring test access-Dual FAD, Monef TAP Test access-split state Split test accessSingle FAD, Splte and Single FAD Spltf Split test access-Single FAD, Spltf Split test access-Single FAD, SplteSplit test access-Single FAD, Splta Split test access-Dual FAD, Spltef Loss of association and auto recoveryDual FAD, Spltef User interface Site Manager Time of day synchronization 170Operation, administration, and maintenance OAM features TOD parameters applicable to NP only TL1 Changes to Cross Connect AID parameter Hhminsec Unknown TL1 event / log feature TL1 event exerciserCLX RTRV-EQPT Behaviour Card in Slot 13 RTRV-EQPT Output CLX-13CTYPE=VTXOOS-AU, UEQ Log events Database change eventsInventory events Topology enhancements VT management option on STX equipped OPTera MetroAtag sequence numbers VT management on a Upsr VTX Per-site dedicated STSSTX Per-site dedicated STS no VT loss in case of a fiber cut Virtual ring path-in-line and shared VT-managed STS STXW/STX VT#1 UPSR, 2 way STS-1 #1 Unprotected OM3500 180Operation, administration, and maintenance OAM features VT grooming on a Upsr VT grooming with dedicated STS at each site VT grooming with shared VT-managed STS DS1 DS3 EC1 184Operation, administration, and maintenance OAM features OM3500 VT#1, STS-1 #1 Collocated OPTera Metro 3000 NE and shared VT-managed STS EX1561p 188Operation, administration, and maintenance OAM features Upsr planning guidelines summary General guidelinesPhysical subtending rings VT grooming at an STS-managed OPTera Metro 3500 sitePage Hardware feature descriptions New hardware in OPTera Metro 3500 Release OPTera Metro 3500 hardware Extended Reach ZX Small Form Factor Pluggable SFP NTTP51DZ Shelves equipped with VTX-48 or VTX-48e circuit packs Shelves equipped with STX-192 circuit packs Operational temperature range OPTera Metro Shelf Assembly Universal Shelf NTN476DANTN476AH OC-3 circuit packs OC-48 non-DWDM circuit packs OC-48 Dwdm circuit packs OC-48 ER Dwdm NTN408CW OC-48 Dwdm NTN442LFOC-48 Dwdm NTN442NB OC192 non-DWDM circuit packs Electrical tributary circuit packs NTN433AA NTN438DANTTP51AA NTTP51BD OPTera Packet Edge System circuit packs NTN433BBNTN433EA NTN433FA NTN438BA Cross-connect / synchronization circuit packsNTN414AA NTN414AB Power modules and BIPs Protection switching circuit packsNetwork / Shelf processors, and Ilan circuit packs Cooling unit assemblies Accessory shelvesModules NTN452EA NTN452AHNTN452CH NTN452EH NTN452JA NTN452JHNTN452KA NTN452NA LIFs and LOAMs NTN451BANTN451MA NTN451BH LIF, Loam 20Hardware feature descriptions OPTera Metro 3500 Shelf Assembly NTN476DA Loam LIF DS1 NTN452AA and BNC 12-Port Front I/O module NTN452JABNC 12 port I/O EX1157p 24Hardware feature descriptions Air deflector Replaceable I/O modules Hardware feature descriptions Type / PEC Positions Transport slot Module type and slot positionsNTN476DA ADD / Drop DS1 1-28 Front I/O module NTN452AA DS1 29-56 Front I/O module NTN452CA DS1 29-84 Front I/O module NTN452EA BNC 12-Port Front I/O module NTN452JA 8xRJ-45 Front I/O module NTN452NA DS1 1-28 Front Enhanced I/O module NTN452AH DS1 29-56 Front Enhanced I/O module NTN452CH DS1 29-84 Front Enhanced I/O module NTN452EH BNC 12-Port Front Enhanced I/O module NTN452JH 8xRJ-45 Front Enhanced I/O module NTN452NH DS1 1-28 Rear I/O module NTN452BA DS1 29-56 Rear I/O module NTN452DA DS1 29-84 Rear I/O module NTN452FA 8xRJ-45 Rear I/O module NTN452HB Left OAM Loam NTN451MA, NTN451MH Common modulesBNC 12-Port Rear I/O module NTN452KA Left interface LIF NTN451BA, NTN451BH Left OAM Loam NTN451MA, NTN451MHColan Ilan ACO Left interface LIF NTN451BA, NTN451BH OPTera Metro 3500 Cooling unit assembly NTN458QA OPTera Metro 3500 Universal cooling unit assembly NTN458QH Universal power module NTN451HA Universal power module NTN451HAOPTera Metro 3000 breaker interface panel BIP NTN458RA Power Input Alarm Breaker AlarmBay Alarms Alarm Circuits OPTera Metro 3500 BIP European deployment NTFW56BA Core circuit packs VTX equipped OPTera Metro 3500 shelf Core circuit packs STX-192 equipped OPTera Metro 3500 shelf Tributary circuit packs EX1474p OPTera Packet Edge circuit packs 2xGigE/FC-P2P and SFP interfaces PSC NPx, ILAN, PSC, and PSX circuit packsPSX Ilan STX-192 circuit pack NTN415AA External timing reference input signalsEquipping rules OC-48 STS OC48 STS DSM VTX-48 circuit pack NTN414AA Alarm LED definitionsLED name Color Description VTX-48e circuit pack NTN414AB, NTN414AH Extended shelf processor SPx NTN423BA, BH TL1 sessions Alarms and Tbos Reset buttonExtended network processor NPx NTN424BA, BH Section data communication channel Sdcc Alarms and provisioning data Ilan interface NTN425AA OC-192 optical interface circuit pack NTN445CB, DA STS-1 path trace for OC-192 Forward Error Correction FECSection trace for OC-192 Alarm Text or conditions +1 linear protection OC-192 protection switchingUpsr path protection Blsr protection 64Hardware feature descriptions STS-1 path trace for OC-48 OC-48 optical wavelength OC-48 circuit pack Wavelength Section trace for OC-48 Following table lists the OC-48 interface circuit pack LEDs OC-48 protection switching OC-48 STS optical interface circuit pack NTN440HA, KA, LA STS-1 path trace for OC-48 70Hardware feature descriptions Section data communication channel Sdcc Optical transmit OC-12 Protection switching Unidirectional path switched rings UPSRsOptical receive +1 linear 74Hardware feature descriptions Multimode Interworking OC12x4 STS IR optical interface circuit pack NTN446CAParameters Value 76Hardware feature descriptions OC-3 optical interface circuit pack NTN401AA, DA OC-3 Protection switching Section data communication channel Sdcc OC-3x4 optical interface circuit pack NTN441AA, AC Equipping rules EC-1x3 circuit pack NTN436AA Protection switching EC-1x12 circuit pack NTN436DA EC-1x12 circuit packs do not support Sdcc channels DS1 mapper NTN430AA, BA DS1 I/O module types DS1 88Hardware feature descriptions DS3x12 / DS3x12e mapper NTN435AA, AH / NTN435BA DS3 alarms available only on DS3x12e mapperDS3 Path PMs Near-End available only on DS3x12e mapper DS3VTx12 mapper NTN435FA DS3/VT protection switching 2x100BT-P2P circuit pack NTN433AA 92Hardware feature descriptions Shelf Module Scenario description OPTera Packet Edge System 4x100BT circuit pack NTN433BB WAN OPTera Packet Edge System 4x100FX circuit pack NTN433EA, FA LEDs Color Description 98Hardware feature descriptions Hardware feature descriptions Protection switch controller PSC NTN412AA Protection switch extender PSX NTN413AA OMX + Fiber Manager 4CH NT0H32AE, BE, CE, DE, EE, FE, GE, HE OMX + Fiber Manager 4CH equipment drawer OMX shelf not required with OMX + Fiber Manager 4CH NTN449ZW OMX shelf NTN449ZW OMX Mounting bracket labels Letter Rack type Fiber manager NT0H57BB DS1 service module DSM shelf NTN407MA Multiple is DS1 service module DSM NTN407MA EX0959p DSM OAM Hardware Release 6 with cover off NTN313AA, AC DSM DS1x84 termination module TMDSM OAM Hardware Release 6 with cover on LED Name LED Color On condition description LOSPage OPTera Metro Multiservice Platform