Security mechanisms in FOT PON solutions

“Denial-of-service attack, ARP attack, Firewalls, ARP spoofing…”

  Designed with carrier-class reliability, the FOT GEPON/GPON solution can fully guarantee the security of subscribers’ services.

System (CO, central office) side security measures

Denial-of-service attack
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the CO PON server (Internet).
A distributed denial-of-service (DDoS) attack is one in which the attack traffic originates from more than one, and often thousands of, unique IP addresses.
  • Supports L2 to L7 packet filtering.
    Filters illegal frames based on source MAC address, destination MAC address, source IP address, destination IP address, port number, Ethernet type, protocol type, VLAN and VLAN range, so as to prevent illegal attempts to access the Internet.
  • Supports protection against DoS attacks to enhance anti-attack capability.
  • Supports ACL (Access Control List)-based permission / denial controls.
  • Supports protection against ICMP (Internet Control Message Protocol) / IP message attack.
  • Supports protection against ARP (Address Resolution Protocol) attack.
  • Supports user operation authority management.
    Both the GUI and CLI network management systems provide operator accounts with different operating rights, to ensure the operating security of the network management system.
  • Supports automatic reporting of ONU SN and MAC address to the network management system.
  • Supports ONU authentication in multiple modes.
    An ONU can be authenticated by physical address, logical identifier, logical identifier + password, logical identifier + physical address, or logical identifier + password + physical address.
  • Supports broadcast storm control.
  • Supports frame filtering and rate limiting.

Subscriber (CP, Customer Premises) side security measures

In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses.
More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port, because doing so would prevent the server from serving legitimate traffic. Additionally, firewalls may sit too deep in the network hierarchy, with PON equipment (or routers) being adversely affected before the traffic reaches the firewall.
  • Supports access security control through DHCP Option 82 and PPPoE+.
    The FOT GEPON/GPON solution can insert physical-port information into DHCP request or PPPoE dial-up messages. When used in combination with a verifying system, it can effectively and dynamically control subscriber access to specific network resources, which greatly facilitates troubleshooting and locating the source of an attack.
  • Supports the DHCP snooping function.
    The ONU snoops subscriber information such as MAC address, IP address, lease time and VLAN ID, and uses it to establish and maintain a DHCP snooping binding table, so that a DHCP subscriber's IP address and port can be traced and located. Messages that do not match the binding table entries, such as ARP spoofing messages and messages from hosts that change their IP address arbitrarily, are discarded directly. This preserves the integrity and consistency of the DHCP environment.
    ARP spoofing
    ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host, such as the default OLT (gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
  • Supports a limit on the maximum number of MAC addresses learned, to prevent MAC address attacks.
  • Supports a limit on the number of MAC addresses that may access a single FE interface of an ONU.
  • Supports a limit on the number of multicast groups that a single FE interface of an ONU can join.
  • Supports the ONU port binding function.
    Dynamically binds an FE interface to a MAC address, to guarantee that subscribers accessing the network are valid.
  • Supports the AES-128 encryption and decryption algorithm to guarantee the security of subscribers' data.
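As an added illustration (not FOT's code, and not how the ONU firmware is implemented), the following Python models the DHCP snooping binding table described above and the check an ONU applies to ARP messages arriving on untrusted subscriber ports: the sender MAC, sender IP, VLAN and ingress port must match a live DHCP lease, replies from the trusted PON uplink are not inspected, and expired leases no longer authorise traffic. Port names, addresses and lease times are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease_end: int  # lease expiry as a Unix timestamp (constructed values below)

class DhcpSnoopingTable:
    """Binding table learned from DHCP ACKs; the PON uplink is trusted, subscriber FE ports are not."""
    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self._bindings = {}  # (vlan, ip) -> Binding

    def learn_from_dhcp_ack(self, mac, ip, vlan, client_port, server_port, lease_end):
        # Only ACKs arriving from a trusted port create bindings, so a rogue
        # DHCP server on a subscriber port cannot seed the table.
        if server_port not in self.trusted_ports:
            return False
        self._bindings[(vlan, ip)] = Binding(mac, ip, vlan, client_port, lease_end)
        return True

    def check_arp(self, sender_mac, sender_ip, vlan, port, now):
        """Return 'forward' or 'drop' for an ARP message seen on `port` at time `now`."""
        if port in self.trusted_ports:
            return "forward"  # OLT/gateway side is not inspected
        b = self._bindings.get((vlan, sender_ip))
        if b is None:
            return "drop"  # no lease for that IP: random/static IP or a spoofed gateway
        if b.lease_end <= now:
            return "drop"  # expired lease: a stale binding must not authorise traffic
        if b.mac != sender_mac or b.port != port:
            return "drop"  # sender MAC or ingress port does not match the lease holder
        return "forward"

def demo_verdicts(now=1000):
    """Constructed scenario: gateway on trusted uplink 'pon0', two subscribers on FE ports."""
    t = DhcpSnoopingTable(trusted_ports={"pon0"})
    t.learn_from_dhcp_ack("00:11:22:33:44:55", "192.0.2.10", 100, "fe1", "pon0", lease_end=2000)
    t.learn_from_dhcp_ack("66:77:88:99:aa:bb", "192.0.2.20", 100, "fe2", "pon0", lease_end=1100)
    return {
        "legit_host": t.check_arp("00:11:22:33:44:55", "192.0.2.10", 100, "fe1", now),
        "gateway_reply": t.check_arp("de:ad:be:ef:00:01", "192.0.2.1", 100, "pon0", now),
        "spoofed_gateway": t.check_arp("66:77:88:99:aa:bb", "192.0.2.1", 100, "fe2", now),
        "spoofed_neighbour": t.check_arp("66:77:88:99:aa:bb", "192.0.2.10", 100, "fe2", now),
        "expired_lease": t.check_arp("66:77:88:99:aa:bb", "192.0.2.20", 100, "fe2", now + 200),
    }
```

Only the two legitimate cases are forwarded; the gateway-impersonation, neighbour-impersonation and expired-lease messages are dropped, which is the binding-table consistency check the ONU relies on.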
