chassis key, the standby ICSR peer can recover services if the active peer goes out of service; the standby
peer will still have access to the passwords in their decrypted form.
ICSR peers use Service Redundancy Protocol (SRP) to periodically check to see if the redundancy configuration
matches with either decrypted passwords or DES-based two-way encryption strings. Since the configuration
is generated internally to the software, users are not able to access the configuration used to check ICSR
compatibility.
Encrypted SNMP Community Strings
Simple Network Management Protocol (SNMP) uses community strings as passwords for network elements.
Although these community strings are sent in clear-text in the SNMP PDUs, the values can be encrypted in
the configuration file.
The
snmp community encrypted name
command enables the encryption of SNMP community strings. For
additional information, see the
Global Configuration Mode Commands
chapter in the
Command Line Interface
Reference
.
Lawful Intercept Restrictions
This section describes some of the security features associated with the provisioning of Lawful Intercept (LI).
LI Server Addresses
An external authenticating agent (such as RADIUS or Diameter) sends a list of LI server addresses as part of
access-accept. For any intercept that was already installed or will be installed for that subscriber, a security
check is performed to match the LI server address with any of the LI-addresses that were received from the
authenticating agent. Only those addresses that pass this criteria will get the intercepted information for that
subscriber.
While configuring a campon trigger, the user will not be required to enter the destination LI server addresses.
When a matching call for that campon trigger is detected, a security check is done with the list received from
the authentication agent. The LI-related information is only forwarded if a matching address is found.
When an active-only intercept is configured, if a matching call is found, a security check is made for the LI
address received from the authentication agent and the intercept configuration will be rejected.
If no information related to LI server addresses is received for that subscriber, LI server addresses will not be
restricted.
A maximum of five LI server addresses are supported via an authenticating agent.
Important
The ability to restrict destination addresses for LI content and event delivery using RADIUS attributes is
supported only for PDSN and HA gateways.
Important
ASR 5500 System Administration Guide, StarOS Release 21.5
77
System Security
Encrypted SNMP Community Strings
Содержание ASR 5500
Страница 100: ...ASR 5500 System Administration Guide StarOS Release 21 5 74 System Interfaces and Ports VLANs and Management Ports ...
Страница 136: ...ASR 5500 System Administration Guide StarOS Release 21 5 110 Smart Licensing Smart Licensing Bulk Statistics ...
Страница 140: ...ASR 5500 System Administration Guide StarOS Release 21 5 114 Monitoring the System Clearing Statistics and Counters ...
Страница 260: ...ASR 5500 System Administration Guide StarOS Release 21 5 234 Routing Viewing Routing Information ...
Страница 278: ...ASR 5500 System Administration Guide StarOS Release 21 5 252 BGP MPLS VPNs VPN Related CLI Commands ...
Страница 292: ...ASR 5500 System Administration Guide StarOS Release 21 5 266 Session Recovery Sample Output for show rct stats verbose ...
Страница 324: ...ASR 5500 System Administration Guide StarOS Release 21 5 298 Interchassis Session Recovery Fallback Procedure ...
Страница 338: ...ASR 5500 System Administration Guide StarOS Release 21 5 312 Engineering Rules ECMP Groups ...
Страница 362: ...ASR 5500 System Administration Guide StarOS Release 21 5 336 StarOS Tasks Management Processes ...