Port Lockdown, Isolating SMs, and Filtering Management

Port Lockdown
Cambium devices support access to various communication protocols and only the ports required for these protocols are available for access by external entities. Operators may change the port numbers for these protocols via the radio GUI or SNMP.

Isolating SMs
In an AP, you can prevent SMs in the sector from directly communicating with each other. In CMMmicro Release 2.2 or later and the CMM4, you can prevent connected APs from directly communicating with each other, which prevents SMs that are in different sectors of a cluster from communicating with each other.

In the AP, the SM Isolation parameter is available in the General tab of the Configuration web page. In the drop-down menu for that parameter, you can configure the SM Isolation feature by any of the following selections:
• Disable SM Isolation (the default selection). This allows full communication between SMs.
• Block SM Packets from being forwarded. This prevents both multicast/broadcast and unicast SM-to-SM communication.
• Block and Forward SM Packets to Backbone. This not only prevents multicast/broadcast and unicast SM-to-SM communication but also sends the packets, which otherwise may have been handled SM to SM, through the Ethernet port of the AP.

In the CMMmicro and the CMM4, SM isolation treatment is the result of how you choose to manage the port-based VLAN feature of the embedded switch, where you can switch all traffic from any AP to an uplink port that you specify. However, this is not packet level switching. It is not based on VLAN IDs. See the VLAN Port Configuration parameter in the dedicated user guide that supports the CMM product that you are deploying.

Filtering management through Ethernet
You can configure the SM to disallow any device that is connected to its Ethernet port from accessing the IP address of the SM. If you set the Ethernet Access Control parameter to Enabled, then:
• No attempt to access the SM management interface (by http, SNMP, ftp, or tftp) through Ethernet can succeed.
• Any attempt to access the SM management interface over the air (by IP address, presuming that LAN1 Network Interface Configuration, Network Accessibility is set to Public, or by link from the Session Status or Remote Subscribers tab in the AP) is unaffected.

Allowing management from only specified IP addresses
The Security tab of the Configuration web page in the AP and SM includes the IP Access Control parameter. You can specify one, two, or three IP addresses that must be allowed to access the management interface (by HTTP, SNMP, FTP or TFTP).
If you select
• IP Access Filtering Disabled, then management access is allowed from any IP address, even if the Allowed Source IP 1 to 3 parameters are populated.
• IP Access Filtering Enabled, and specify at least one address in the Allowed Source IP 1 to 3 parameter, then management access is limited to the specified address(es).

Configuring management IP by DHCP
The IP tab in the Configuration web page of every radio contains a LAN1 Network Interface Configuration, DHCP State parameter that, if enabled, causes the IP configuration (IP address, subnet mask, and gateway IP address) to be obtained through DHCP instead of the values of those individual parameters. The setting of this DHCP state parameter is also viewable, but is not settable, in the Network Interface tab of the Home page.
In the SM, this parameter is settable
• in the NAT tab of the Configuration web page, but only if NAT is enabled.
• in the IP tab of the Configuration web page, but only if the Network Accessibility parameter in the IP tab is set to Public.

Planning for airlink security
Cambium’s fixed wireless broadband IP systems employ the following form of encryption for security of the wireless link:
• DES (Data Encryption Standard): An over-the-air link encryption option that uses secret 56-bit keys and 8 parity bits. DES performs a series of bit permutations, substitutions, and recombination operations on blocks of data. DES encryption does not affect the performance or throughput of the system.
• AES (Advanced Encryption Standard): An over-the-air link encryption option that uses the Rijndael algorithm and 128-bit keys to establish a higher level of security than DES. AES products are certified as compliant with the Federal Information Processing Standards (FIPS 197) in the U.S.A.

Planning for RF Telnet Access Control
The RF Telnet Access feature restricts Telnet access to the AP from a device situated below a network SM (downstream from the AP). This is a security enhancement to restrict RF-interface sourced AP access specifically to the LAN1 IP address and LAN2 IP address (Radio Private Address, typically 192.168.101.[LUID]). This restriction disallows unauthorized users from running Telnet commands on the AP that can change AP configuration or modifying network-critical components such as routing and ARP tables.

Forwarding Downlink PPPoE PADI packets
The AP supports the control of forwarding of PPPoE PADI (PPPoE Active Discovery Initiation) packets. This forwarding is configured on the AP GUI Configuration, Radio tab by parameter PPPoE PADI Downlink Forwarding. When set to “Enabled”, the AP allows downstream and upstream transmission of PPPoE PADI packets. When set to “Disabled”, the AP does NOT allow PPPoE PADI packets to be sent out of the AP RF interface (downstream) but will allow PPPoE PADI packets to enter the RF interface (upstream) and exit the Ethernet interface.

Planning for RADIUS integration
PMP 450 modules include support for the RADIUS (Remote Authentication Dial In User Service) protocol supporting Authentication, Authorization, and Accounting (AAA).
RADIUS Functions
RADIUS protocol support provides the following functions:
• SM Authentication allows only known SMs onto the network (blocking “rogue” SMs), and can be configured to ensure SMs are connecting to a known network (preventing SMs from connecting to “rogue” APs). RADIUS authentication is used for SMs, but is not used for APs. Cambium modules support EAP-TTLS and EAP-MSCHAPv2 authentication methods.
• SM Configuration: Configures authenticated SMs with MIR (Maximum Information Rate), CIR (Committed Information Rate), High Priority, and VLAN (Virtual LAN) parameters from the RADIUS server when a SM registers to an AP.
• SM Accounting provides support for RADIUS accounting messages for usage-based billing. This accounting includes indications for subscriber session establishment, subscriber session disconnection, and bandwidth usage per session for each SM that connects to the AP.
• Centralized AP and SM user name and password management allows AP and SM usernames and access levels (Administrator, Installer, Technician) to be centrally administered in the RADIUS server instead of on each radio and tracks access events (logon/logoff) for each username on the RADIUS server. This accounting does not track and report specific configuration actions performed on radios or pull statistics such as bit counts from the radios. Such functions require an Element Management System (EMS) such as Cambium Networks Wireless Manager. This accounting is not the ability to perform accounting functions on the subscriber/end user/customer account.
• Framed IP allows operators to use a RADIUS server to assign management IP addressing to SM modules (framed IP address).

Planning for SNMP security
Canopy modules provide the following Configuration web page parameters in the SNMP tab. These govern SNMP access from the manager to the agent:
• Community String, which specifies the password for security between managers and the agent.
• Accessing Subnet, which specifies the subnet mask that allows managers to poll the agents.