Encrypted communication

If communication between CPEs and the ACS is not encrypted, it represents a significant cybersecurity risk: attackers can hijack CPEs, turn them into a botnet or directly compromise customer privacy. TeskaLabs SeaCat PKI is a cybersecurity product which provides the highest possible level of cryptographic protection.

Automated certificate lifecycle

With thousands of devices in place, the handling of certificates represents a large administrative overhead, which could be an obstacle in cybersecurity deployment. TeskaLabs SeaCat PKI automatically manages the TLS certificates of CPEs over their entire lifecycle, removing this obstacle completely.

Strong protection of sensitive data

Strong encryption protects sensitive customers’ data and prevents data leakages. An actor not authorized via the enrolment procedure (PKCS#10 / CSR) is not allowed to communicate with the ACS or CPE.

Our references

O2 Slovakia, s.r.o.

TeskaLabs SeaCat PKI secures the communication between the ACS server and CPEs for one of the largest telecommunication providers in Slovakia – O2. There are now more than 50 000 CPEs that use an encrypted communication channel and are managed automatically from a centralized server.

Technical features

TeskaLabs SeaCat PKI solution for ACS/TR-069 cyber security is compliant with Technical Report "TR-069 CPE WAN Management Protocol Issue: 1 Amendment 6" published by The Broadband Forum. This means that we offer broad out-of-the-box compatibility with various existing CPE and ACS brands.

  • data integrity
  • transaction confidentiality
  • certificate-based mutual TLS authentication between the CPE and ACS

The network access

Network access is authenticated and authorized by TeskaLabs SeaCat PKI to allow only approved CPEs to communicate with the ACS, using a strong TLS/SSL mutual authentication method. This method also excludes any unauthorized communication.

Large fleets

Hundreds of thousands of actively communicating concurrent actors can be handled from a single instance of the system. The system is also designed for vertical and horizontal scaling. High throughput with authorization is delivered even for extreme workloads with optimal investments in the hardware infrastructure.

High availability

Clustering is natively supported to provide linear scalability for huge fleets of CPEs or deployments with high-availability requirements. The cluster can be configured in a fully redundant setup with no single point of failure (SPOF).

Compatible with


and others


The lifecycle of the client and server certificates is completely automated so that there is no “human” overhead from this cybersecurity layer.

Certificate lifecycles:

  • Server CA Certificates validity: 20-30 years (configurable)
  • PE CA Certificates validity: 20-30 years (configurable)
  • CPE Certificates validity: ~1 year (automatic renewal)
  • Server Certificate: 3 months (automatic renewal)

HTTPS/TLS specification:

  • TLS v1.2+
  • RSA 2048 for CPE
  • RSA 4096 for Server
  • RSA 8192 for CA
  • TLS_RSA_WITH_AES_128_CBC_SHA (cypher specification)
  • X.509 certificates
  • EC cryptography: NIST P-256, Brainpool P-256, Brainpool P-384

Certificate enrolment protocols:

  • SCEP

We also offer complete outsourcing of TR-069 cyber security. This mainly represents delegated work with CPE vendors so that they are compliant with the cyber security standards. It consists of initial technical specification clarifications, technical assistance, a test environment and formal verification prior to introducing the CPE type into the network.
