
SingleRAN
OM Security Feature Parameter Description

Issue: Draft A
Date: 2014-01-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Contents

1 About This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History
2 Overview
3 Technical Description
3.1 OMCH Security
3.2 Web Security
3.2.1 Overview
3.2.2 User Authentication
3.2.3 HTTPS-based Data Transmission
3.2.4 Anti-attack
3.2.5 Rights Control
3.3 User Management
3.3.1 Overview
3.3.2 Login Authentication
3.3.3 User Rights Control
3.3.4 Login Password Policy
3.3.5 FTP User Management
3.4 User Data Anonymization
3.5 Digital Signature-based Software Integrity Protection
3.5.1 Definition
3.5.2 Application Scenarios
3.5.3 Digital Signature
3.6 Time Security
3.6.1 SNTP Security for Base Station Controllers
3.6.2 NTP Security Authentication for Base Stations
3.7 Security Alarms, Events, and Logs
3.7.1 Overview
3.7.2 Security Alarms and Events
3.7.3 Security Logs and Security Audit
3.7.3.1 O&M Event Recording
3.7.3.2 Centralized Log Management
3.7.3.3 Security Log Auditing
3.8 OMU Anti-attack
3.9 Security Policy Level Configuration
4 Engineering Guidelines
4.1 OMCH Security
4.2 Web Security
4.2.1 When to Use Web Security
4.2.2 Deployment
4.2.2.1 Requirements
4.2.2.2 Activation
4.2.2.2.1 Using MML Commands
4.2.2.2.2 Using the CME
4.2.2.3 Activation Observation
4.3 User Management
4.3.1 When to Use User Management
4.3.2 Deployment
4.3.2.1 Requirements
4.3.2.2 Activation
4.3.2.2.1 Using the MML Commands
4.3.2.2.2 Using the CME
4.3.2.3 Activation Observation
4.4 User Data Anonymization
4.5 Digital Signature-based Software Integrity Protection
4.6 Time Security
4.6.1 Deployment of SNTP Security for Base Station Controllers
4.6.1.1 Requirements
4.6.1.2 Activation
4.6.1.3 Activation Observation
4.6.2 Deployment of NTP Security Authentication for Base Stations
4.6.2.1 Requirements
4.6.2.2 Data Preparation
4.6.2.3 Activation
4.6.2.3.1 Using MML Commands
4.6.2.3.2 MML Command Examples
4.6.2.3.3 Using the CME
4.6.2.4 Activation Observation
4.6.2.5 Reconfiguration
4.6.2.6 Deactivation
4.7 Security Alarms, Events, and Logs
4.8 OMU Anti-attack
4.8.1 When to Use OMU Anti-Attack
4.8.2 Required Information
4.8.3 Deployment
4.8.3.1 Requirements
4.8.3.2 Activation
4.8.3.3 Activation Observation
4.8.3.4 Deactivation
4.9 Security Policy Level Configuration
5 Parameters
6 Counters
7 Glossary
8 Reference Documents

1 About This Document

1.1 Scope
This document describes operation and maintenance (O&M) security, including its technical
descriptions, engineering guidelines, and parameters.
This document covers the following features:
- MRFD-210305 Security Management
- LBFD-004010 Security Management
- TDLBFD-004010 Security Management

1.2 Intended Audience


This document is intended for personnel who:
- Need to understand the features described herein
- Work with Huawei products

1.3 Change History


This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:
- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

Draft A (2014-01-20)
This document is created for SRAN9.0.
This document originates from Base Station and OM Security Feature Parameter Description and Base Station Controller and OM Security Feature Parameter Description of SRAN8.0. Compared with SRAN8.0, SRAN9.0 adds security policy level configuration, described in 3.9 Security Policy Level Configuration. For details about the engineering guidelines, see 4.2 Web Security.

2 Overview

Table 2-1 lists the O&M security measures supported by Huawei network elements (NEs) in SRAN9.0.

Table 2-1 Supported security measures
Columns: Security Measures | MBSC | eGBTS | NodeB | eNodeB | MBTS (the per-NE support marks in the cells are not recoverable from this copy)
- Operation and maintenance channel (OMCH) security
- Web security
- User management
- User data anonymization
- Digital signature-based software integrity protection
- Time security
- Security alarms, events, and logs
- OMU anti-attack
- Security policy level configuration

NOTE
A mark in a cell indicates that the NE supports this security measure; "-" indicates that the NE does not support it.

NOTE
In this document, MBSC is called the base station controller, and eGBTS, NodeB, eNodeB, and MBTS are collectively referred to as the base station. For details about O&M security measures for the GBTS, see GBSS Security Overview Feature Parameter Description.

3 Technical Description

3.1 OMCH Security


An OMCH is configured between a base station (other than a GBTS) or base station controller
and the U2000 or WebLMT to transmit information for base station management and
maintenance.
Data transmitted over OMCHs is secured using Secure Sockets Layer (SSL).
SSL is a cryptographic protocol designed to secure communication over the Internet. SSL at the
transport layer supports only TCP. As shown in Figure 3-1, SSL works between the transport
layer and the application layer. It secures data transmission for various application protocols,
such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).
Figure 3-1 SSL-encrypted transmission

SSL protects transmitted data against eavesdropping, tampering, and forging using encryption, integrity protection, and identity authentication.
- Encryption
  With SSL, the sender encrypts data at the application layer before transmission and the receiver decrypts the received data. In this manner, data is transmitted as ciphertext, preventing eavesdropping. SSL supports multiple standard encryption algorithms, such as Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4).
- Integrity protection
  SSL uses a hash function to generate a digital signature for the data to be transmitted. The receiver then checks the digital signature to determine whether the data was tampered with during transmission. SSL supports multiple standard hash algorithms, such as Secure Hash Algorithm 1 (SHA-1).
- Identity authentication
  SSL supports certificate-based authentication. The communicating parties authenticate each other's digital certificates before establishing an SSL connection.

Huawei equipment supports SSL versions SSL3.0, TLS1.0, TLS1.1, and TLS1.2. The SSL
version to be used can be negotiated with the peer party. The SSL version used is always TLS1.2
in SRAN8.0 or later and TLS1.1 in SRAN7.0 or earlier. During SSL negotiation, NEs choose a
supported SSL version from the list provided by the U2000.
For details about SSL, see SSL Feature Parameter Description.
The FTP connection between a base station or base station controller and the U2000 is based on
SSL. FTP files on the U2000 can be encrypted using SSL and then transmitted in ciphertext
format. For details about SSL application to FTP, see SSL Feature Parameter Description.
NOTE

Currently, SSL 2.0 cannot be used. In addition, encryption and plaintext algorithms whose lengths are
shorter than 64 bits cannot be used.

3.2 Web Security


3.2.1 Overview
A user can access a base station or base station controller to perform O&M with a WebLMT. The WebLMT is an HTTP/HTTPS-based web application that takes the following measures to ensure O&M security:
- User authentication
- HTTPS-based data transmission
- Anti-attack
- Rights control

3.2.2 User Authentication


To log in to the WebLMT, a user must input the correct user name and password.
There are two types of users:
- Local users: User information is stored and authenticated on the base station controller.
- Domain users: Managed by the U2000. User information is stored and authenticated on the U2000.

The authentication module uses a brute-force cracking prevention mechanism to authenticate users that attempt to log in to the WebLMT.
- A user must input a verification code after inputting the user name and password. The verification code is an image randomly generated by the web server.
- If a user fails to log in to the WebLMT after several consecutive attempts, the account will be locked and then automatically unlocked after a certain period of time. The MaxMissTimes(BSC6900,BSC6910,NodeB) parameter specifies the maximum number of login attempts allowed and the AutoUnlockTime(BSC6900,BSC6910,NodeB) parameter specifies the duration for which the account is locked. The two parameters can be configured using the SET PWDPOLICY command. If no operation is performed within a specified period of time, the WebLMT GUI will be automatically locked. GUI unlock authentication is implemented on the base station controller. If the user cannot unlock the GUI after multiple attempts, the current session will be locked for another 30 minutes.

The password policies for local users are as follows:
- The minimum password length is specified by PwdMinLen(BSC6900,BSC6910).
- The password complexity is specified by Complicacy(BSC6900,BSC6910).
- The maximum number of single character repetitions is specified by MaxRepeatCharTimes(BSC6900,BSC6910).
- The period in which a password remains valid is specified by MAXVALIDDATES(BSC6900,BSC6910).
- The maximum number of login retries is specified by MaxMissTimes(BSC6900,BSC6910).
- The warning before the password expires (in days) is specified by MAXPROMPTDATES(BSC6900,BSC6910).
- Users can change their passwords.
- The maximum number of previously used passwords recorded is specified by HISTORYPWDNUM(BSC6900,BSC6910). Users cannot reuse previously used passwords.
- If FirstLoginMustModPWD(BSC6900,BSC6910) is set to ON(Open), users are required to change their passwords when they log in to the WebLMT for the first time.
- If DICTCHKSW(BSC6900,BSC6910) is set to ON(Open), users cannot use the passwords in the weak password dictionary.

Password security-related parameters can be configured using the SET PWDPOLICY command. Only local users can configure these parameters.
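The lockout and password rules above, as an added worked example that is not Huawei's code: a small Python model keyed by the SET PWDPOLICY parameter names (PwdMinLen, Complicacy, MaxRepeatCharTimes, MAXVALIDDATES, MAXPROMPTDATES, HISTORYPWDNUM, DICTCHKSW, FirstLoginMustModPWD, MaxMissTimes, AutoUnlockTime). The default values, the weak-password dictionary, the reading of Complicacy as a count of character classes and of MaxRepeatCharTimes as a per-character occurrence limit, and the 2014 clock are all assumptions made for the illustration.

```python
"""Added example, not Huawei's code: the WebLMT local-user password policy and brute-force lockout
above, keyed by SET PWDPOLICY parameter names. Defaults, weak-password list and clock are constructed."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

WEAK_PASSWORD_DICTIONARY = {"password", "admin123", "huawei123", "12345678"}  # constructed sample
T0 = datetime(2014, 1, 20, 9, 0)  # constructed clock for replaying the lockout and expiry timeline

def at(minutes: int = 0, days: int = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, days=days)

@dataclass
class PwdPolicy:
    """Field names follow SET PWDPOLICY; the default values are constructed, not Huawei's."""
    PwdMinLen: int = 8
    Complicacy: int = 3          # assumption: number of character classes required
    MaxRepeatCharTimes: int = 3  # assumption: max occurrences of any single character
    MAXVALIDDATES: int = 90      # days a password remains valid
    MAXPROMPTDATES: int = 7      # days before expiry at which a warning is given
    HISTORYPWDNUM: int = 5       # previous passwords that may not be reused
    DICTCHKSW: bool = True       # ON: reject passwords found in the weak dictionary
    FirstLoginMustModPWD: bool = True
    MaxMissTimes: int = 3        # failed logins before the account is locked
    AutoUnlockTime: int = 30     # minutes the account stays locked

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, so the reuse check compares stored hashes, never old cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # password hashes, newest last
    changed_at: datetime = T0
    first_login: bool = True
    misses: int = 0
    locked_until: Optional[datetime] = None

def check_password(policy: PwdPolicy, account: Account, candidate: str) -> List[str]:
    """Return the names of the policy rules the candidate violates (empty = accepted)."""
    problems = []
    if len(candidate) < policy.PwdMinLen:
        problems.append("PwdMinLen")
    classes = sum([any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)])
    if classes < policy.Complicacy:
        problems.append("Complicacy")
    if candidate and max(Counter(candidate).values()) > policy.MaxRepeatCharTimes:
        problems.append("MaxRepeatCharTimes")
    if policy.DICTCHKSW and candidate.lower() in WEAK_PASSWORD_DICTIONARY:
        problems.append("DICTCHKSW")
    if _hash(candidate, account.salt) in account.history[-policy.HISTORYPWDNUM:]:
        problems.append("HISTORYPWDNUM")
    return problems

def set_password(policy, account, new: str, now: datetime, by_user: bool = True) -> bool:
    """Apply a policy-compliant change; admin provisioning (by_user=False) keeps the first-login flag."""
    if check_password(policy, account, new):
        return False
    account.history.append(_hash(new, account.salt))
    account.changed_at = now
    if by_user:
        account.first_login = False
    return True

def validity_status(policy: PwdPolicy, account: Account, now: datetime) -> str:
    """'valid', 'expiring' (within MAXPROMPTDATES days of expiry) or 'expired'."""
    expires = account.changed_at + timedelta(days=policy.MAXVALIDDATES)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=policy.MAXPROMPTDATES):
        return "expiring"
    return "valid"

def login(policy: PwdPolicy, account: Account, password: str, now: datetime) -> str:
    """Lock the account after MaxMissTimes failures; unlock it AutoUnlockTime minutes later."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"            # a correct password is refused while locked
        account.locked_until = None    # automatic unlock; the failure count starts over
        account.misses = 0
    current = account.history[-1] if account.history else b""
    if not hmac.compare_digest(_hash(password, account.salt), current):
        account.misses += 1
        if account.misses >= policy.MaxMissTimes:
            account.locked_until = now + timedelta(minutes=policy.AutoUnlockTime)
            return "locked"
        return "rejected"
    account.misses = 0
    if account.first_login and policy.FirstLoginMustModPWD:
        return "must_change_password"
    status = validity_status(policy, account, now)
    return "ok" if status == "valid" else status
```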

3.2.3 HTTPS-based Data Transmission


The policy for logging in to the WebLMT is specified by the policy parameter in the SET
WEBLOGINPOLICY command. By default, the WebLMT uses HTTPS to secure data
transmission. A digital certificate is required to use HTTPS. The WebLMT uses a digital
certificate delivered with itself.


Table 3-1 WebLMT login policy
The three protocol columns are the protocol used in the Internet Explorer address box, on the login web page, and in the WebLMT GUI.

Scenario   | IE address box | Login web page | WebLMT GUI | Policy description
Scenario 1 | HTTP           | HTTPS          | HTTPS      | Forcible HTTPS: an HTTPS connection must be used for both the login web page and the WebLMT GUI.
Scenario 2 | HTTPS          | HTTPS          | HTTPS      | Forcible HTTPS (as above)
Scenario 3 | HTTP           | HTTPS          | HTTP       | HTTPS for login only: an HTTPS connection must be used for the login web page.
Scenario 4 | HTTPS          | HTTPS          | HTTP       | HTTPS for login only (as above)
Scenario 5 | HTTP           | HTTP           | HTTP       | Compatibility mode: either HTTP or HTTPS is used.
Scenario 6 | HTTPS          | HTTPS          | HTTPS      | Compatibility mode (as above)

NOTE
As of SRAN8.0, the default policy for logging in to the WebLMT changed from compatibility mode to forcible HTTPS mode.
In compatibility mode, the policy for logging in to the WebLMT is determined by the protocol (HTTP or HTTPS) entered in the Internet Explorer address box.

3.2.4 Anti-attack
The web server has been hardened against the impact of various attacks. The following types of attacks were taken into consideration before delivery:
- Cross-site scripting attack
  Attackers inject malicious scripts into web pages. If the web server does not filter out the malicious scripts, the scripts are executed when users view the web pages.
- Remote file inclusion attack
  Attackers force the web server to include files of their own in its code by exploiting insufficient filtering of file inclusion on the web server, and use this to attack certain websites.
- Directory traversal attack
  Attackers exploit security holes in applications to access data or directories without authorization, causing data leakage or tampering.
- Distributed denial of service (DDoS) attack
  Attackers exploit inherent security holes in network protocols to forge seemingly legitimate requests that consume the limited transmission bandwidth or occupy excessive resources. As a result, the network or service cannot respond properly to authorized requests and breaks down.
- Structured query language (SQL) injection attack
  SQL injection attacks are a common type of injection attack. Attackers inject malicious SQL commands into a web form entry to trick the web server into executing them.
- Broken authentication and session management attack
  Attackers exploit defects in the identity authentication functions of web applications to steal authentication information or session management data, leading to the theft of user or administrator accounts.

3.2.5 Rights Control


When a local user or domain user account is created, it is allocated certain rights. After a user
accesses the base station or base station controller over the WebLMT, all operations performed
by the user take effect only after being authenticated on the base station controller. If the
authentication fails, the base station or base station controller returns a message indicating that
the user does not have rights to perform the operations.

Accessing the Web Server Directory Using the File Manager


Each user that uses the WebLMT to access the base station controller can download files from
or upload files to the base station controller on the File Manager tab. Different levels of users
have different rights to obtain information:
- Administrator: Can upload, download, or delete files.
- Operator/User/Guest: Can only download files.
- Custom user: Can obtain information according to the added commands.

Accessing Static Files on the Web Server


Rights control is implemented for users to access files on the Web server. Users can directly
view the home page of the Web server and a few other web pages. However, they must pass
login authentication to view information on all other web pages.

Performing Operations on the WebLMT GUI


As of SRAN8.0, local Custom users can be authorized based on function items.

3.3 User Management


3.3.1 Overview
User management implements authentication and access control on users who log in to an NE
to perform O&M. Authentication identifies users, and access control defines and restricts the
operations that users can perform and the resources they can access.

Table 3-2 describes user management functions.

Table 3-2 User management functions

Function: User account management
- Adding, modifying, and deleting accounts
- Querying account information

Function: User password management
- Restricting the minimum password length and enforcing password complexity
- Limiting the password validity period
- Prohibiting the reuse of recent passwords

Function: Login management
- Authenticating a user identity based on the account, password, and verification code
- Specifying the time during which users can log in
- Locking an account after the number of failed logins reaches a limit
- Locking the GUI if no operation is performed within a specified period of time

Function: User operation authentication
- Authenticating operation objects
- Authenticating operation NEs
- Limiting operation GUIs
- Specifying the MML commands that users can execute
- Restricting directories that users can access (over FTP or on the File Manager tab of the WebLMT)
- Specifying message tracing permission

Function: Centralized user monitoring
- Monitoring online user status
- Monitoring user operations
- Forcing users out

Function: Centralized user management
- (EMS) to authenticate users in a centralized manner
- Delivering and revoking rights of domain users
- Degrading local user account management
- Synchronizing local user account management policies

NOTE
- Local users perform O&M in the event of site deployment and transmission faults.
- Domain users perform routine O&M and are managed by the U2000 in centralized mode. The centralized mode indicates that all the domain user accounts are created, modified, authenticated, and authorized by the U2000.
- In addition to local and domain users, the base station controller provides the default OS root account for logging in to the OMU to perform O&M.
- U2000 users can run the MOD OP command to remotely change the password for the admin account.

3.3.2 Login Authentication


User login authentication on an NE (a base station or base station controller) involves two types
of users:
l Local users: Managed by the WebLMT
l Domain users: Managed by the U2000

A domain user can also log in to the WebLMT to access an NE. In this case, the NE forwards
login authentication information to the U2000, which then authenticates the user.
As of SRAN8.0, user login security is enhanced through challenge-response authentication.
However, in versions earlier than SRAN8.0, user names and passwords are transmitted in
symmetric encryption mode, which is incompatible with the enhanced user login mechanism.
Therefore, a new MML command SET AUTHPOLICY is added and the AUTHPOLICY
(BSC6900,BSC6910,NodeB) parameter in this command is used to control the login mode. By
default, this parameter is set to COMPATIBLE_MODE(Compatible Mode), to allow both
the original and enhanced user login mechanisms. This parameter can be set to
ENHANCED_MODE(Enhanced Mode) only if no tool (or service) is directly connected to
the base station controller on the live network or if such a tool (or service) uses the enhanced
user login mechanism. Value ENHANCED_MODE(Enhanced Mode) is preferred, depending
on actual site requirements.
The machine-machine interface between the base station controller and the U2000 uses user
name EMSCOMM by default for mutual authentication. As of SRAN8.0, the password for the
default user can be changed either by performing operations on the U2000 or by running the
MOD OP command on the WebLMT.
NOTE

If both the U2000 and NEs support the enhanced user login mechanism, it is good practice to set
AUTHPOLICY(BSC6900,BSC6910,NodeB) to ENHANCED_MODE(Enhanced Mode) for security
purposes.
In challenge-response authentication mode, the authentication server sends a different question
("challenge") to the client, which must provide a valid answer ("response").
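The document does not state which algorithm the enhanced login mechanism uses, so the following added Go program (not Huawei's code and not part of this document) illustrates the general challenge-response principle only: the server issues a random single-use challenge, the client answers with an HMAC-SHA256 keyed by a value derived from its password, and the password itself never crosses the wire. The Server, Respond and Verify names, the SHA-256 password derivation and the 32-byte challenge size are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is the authenticating side. It stores a verifier derived from each
// password and the challenge currently outstanding for each user.
type Server struct {
	verifiers map[string][]byte // user name -> derived secret (assumed: SHA-256 of the password)
	pending   map[string][]byte // user name -> outstanding challenge, consumed on first use
}

func NewServer() *Server {
	return &Server{verifiers: map[string][]byte{}, pending: map[string][]byte{}}
}

// deriveKey turns a password into the secret both sides MAC with. A real
// deployment would use a salted, slow derivation; SHA-256 keeps this example
// self-contained.
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

func (s *Server) AddUser(name, password string) { s.verifiers[name] = deriveKey(password) }

// Challenge issues a fresh 32-byte random nonce for the named user.
func (s *Server) Challenge(name string) ([]byte, error) {
	if _, ok := s.verifiers[name]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[name] = nonce
	return nonce, nil
}

// Respond is the client side: HMAC-SHA256(secret, user || challenge).
func Respond(name, password string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, deriveKey(password))
	mac.Write([]byte(name))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Verify checks the response against the outstanding challenge. The challenge
// is discarded whether or not the check succeeds, so a captured response
// cannot be replayed against a later login attempt.
func (s *Server) Verify(name string, response []byte) bool {
	challenge, ok := s.pending[name]
	if !ok {
		return false
	}
	delete(s.pending, name)
	mac := hmac.New(sha256.New, s.verifiers[name])
	mac.Write([]byte(name))
	mac.Write(challenge)
	return hmac.Equal(mac.Sum(nil), response)
}

func main() {
	srv := NewServer()
	srv.AddUser("op1", "S3cret-Pa55word!") // constructed credentials
	ch, _ := srv.Challenge("op1")
	resp := Respond("op1", "S3cret-Pa55word!", ch)
	fmt.Printf("challenge %s\nlogin ok: %v\n", hex.EncodeToString(ch), srv.Verify("op1", resp))
}
```

The design point worth noticing is that Verify deletes the pending challenge before comparing, so an observer who records one exchange gains nothing reusable, which is what makes this mode preferable to transmitting a (symmetrically encrypted) password as the pre-SRAN8.0 mechanism does.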

Verifying User Identities


Identities of users are verified by user names and passwords to ensure login security. The users
include local users managed by an NE or domain users who log in to an NE by using the
WebLMT.
NOTE

When deployed or upgraded using USB flash drives, base stations verify the validity of the software
packages on the USB flash drives by checking their digital signatures.

Controlling Login Time


The following login time control policies are used to ensure access security:
l A validity period can be set for a user account. After the period elapses, login using the
  account is not allowed. Administrators can modify validity periods of accounts.
l Permissible access time ranges can be set for a user account. The ranges include validity
  date ranges, time ranges, and week restrictions. Login is not allowed beyond the permissible
  access time ranges.

Displaying Login Status


Users are prompted with login success or failure information to identify security risks, if any.
l Login success information includes information about the last login success.
l Login failure information does not include detailed information.

Locking Insecure Accounts


Administrators can enable or disable local user accounts or unlock locked user accounts.
Disabled or locked user accounts cannot be used for login. The identities of locked user accounts
cannot be checked.

Monitoring Users
The U2000 allows users to query information about online local and domain users and monitor
their status (login or logout). The U2000 can monitor all operations of specified online users.
When detecting that users are forcibly logged out, the U2000 disconnects the management
connections from the users.
Base stations and base station controllers determine the users to be monitored according to the
commands from the U2000 and report the results to the U2000.

3.3.3 User Rights Control


The base stations and base station controllers define five user levels: Administrator, Operator,
User, Guest, and Custom. Rights of these users to use command groups are restricted as follows:
l The rights of Administrators, Operators, Users, and Guests to use command groups are
  fixed.
l The rights of Custom users to use command groups are defined depending on actual
  requirements.

A command group is a group of commands that have the same attributes. For example, the G_8
command group consists of commands used to query equipment data, including the DSP
DSPUSAGE and DSP E1T1 commands. The LST CCG command can be used to query the
specific commands in a command group.
Table 3-3 lists the mapping between user levels and command groups.
Table 3-3 Mapping between user levels and command groups

User Level      Command Group
Administrator   G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Operator        G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
User            G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Guest           G_0&G_2&G_4&G_6&G_8&G_13
Custom          To be added by the user

Users can perform operations only after a successful login. All user operations are monitored
and operation permission is controlled. All operations must be classified according to permission
levels.
User operation permission is controlled by using MML commands or performing WebLMT
menu operations. Each MML command or menu can be associated with a command group. Base
station controllers support authorizing users to use command groups. If a user is authorized for
a command group, the user can run all commands in the command group.
After a user logs in to the WebLMT, the WebLMT hides the controls (such as menus and buttons)
that the user is not authorized to operate.
Before users operate NEs and objects, or run commands, the system checks their operation
permission levels to determine whether the operations are allowed.
When users attempt to perform operations for which they have no permission, the system
displays a message indicating that the operations are not allowed.
User permission information is stored on servers. After users successfully log in to the clients,
the servers send user permission lists to the clients. The user permission lists are kept on the
clients until the users log out.
The system does not allow users to run any commands beyond permissible time ranges.
If required, administrators can grant permission to a specific user. If users attempt to access base
station controllers beyond the permissible time range, the base station controllers refuse to
perform user authentication. If users use expired passwords for login, the system forces users to
change their passwords. Administrators can cancel password expiration policies.

3.3.4 Login Password Policy


The policy for controlling the login password can be set using the SET PWDPOLICY
command. The parameters in this command specify the thresholds for determining the password
policy priorities. Table 3-4 describes these parameters.

Table 3-4 Parameters in the SET PWDPOLICY command

Parameter Name | High Priority | Medium Priority | Low Priority
password minimal length (6 to 32 characters) | The value ranges from 16 to 32. | The value ranges from 8 to 16. | The value ranges from 6 to 8.
password complicacy (uppercase letter, lowercase letter, digit, special character) | The value contains uppercase letters, lowercase letters, digits, and special characters. | The value contains uppercase letters, lowercase letters, and digits. | The value contains only digits.
password max miss times | | |
Auto Unlock Time | 30 minutes | 30 minutes | 10 minutes
Resetting Interval of Account Lock Counter | 10 minutes | 5 minutes | 2 minutes
Maximum Valid Days | 30 days | 60 days | 90 days
Expire Prompt Dates | 5 days | 5 days | 5 days
Password History Records Number | | |
Maximum Single Char Repeat Times | | |
First Login Must Modify Password Switch | ON(Open) | ON(Open) | OFF(Close)
Weak Password Dictionary Checking Switch | ON(Open) | ON(Open) | OFF(Close)


Recommended configurations are as follows:
l Configuring the policy for high-complexity passwords
  SET PWDPOLICY: PwdMinLen=18,
  Complicacy=LOWERCASE-1&UPPERCASE-1&DIGIT-1&SPECHAR-1,
  MaxMissTimes=2, AutoUnlockTime=30, RESETINTERVAL=10,
  MAXVALIDDATES=30, MAXPROMPTDATES=5, HISTORYPWDNUM=3,
  MaxRepeatCharTimes=2, FirstLoginMustModPWD=ON, DICTCHKSW=OFF;
l Configuring the policy for medium-complexity passwords
  SET PWDPOLICY: PwdMinLen=10,
  Complicacy=LOWERCASE-1&UPPERCASE-1&DIGIT-1&SPECHAR-0,
  MaxMissTimes=2, AutoUnlockTime=30, RESETINTERVAL=5,
  MAXVALIDDATES=60, MAXPROMPTDATES=5, HISTORYPWDNUM=2,
  MaxRepeatCharTimes=2, FirstLoginMustModPWD=ON, DICTCHKSW=ON;
l Configuring the policy for low-complexity passwords
  SET PWDPOLICY: PwdMinLen=8,
  Complicacy=LOWERCASE-0&UPPERCASE-0&DIGIT-1&SPECHAR-0,
  MaxMissTimes=5, AutoUnlockTime=10, RESETINTERVAL=2,
  MAXVALIDDATES=90, MAXPROMPTDATES=5, HISTORYPWDNUM=1,
  MaxRepeatCharTimes=3, FirstLoginMustModPWD=OFF, DICTCHKSW=ON;
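As an added example (not from this document or the product), the following Go program parses the parameter list of a SET PWDPOLICY command in the form shown above and checks candidate passwords against the content rules it carries: PwdMinLen, Complicacy, MaxRepeatCharTimes, HISTORYPWDNUM and DICTCHKSW. Reading MaxRepeatCharTimes as the longest run of one repeated character, the word list used for the dictionary check, and all function names are this example's assumptions; the lock-related parameters are ignored here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// PwdPolicy holds the SET PWDPOLICY parameters that constrain password content.
type PwdPolicy struct {
	MinLen      int  // PwdMinLen
	NeedLower   bool // Complicacy LOWERCASE-1
	NeedUpper   bool // Complicacy UPPERCASE-1
	NeedDigit   bool // Complicacy DIGIT-1
	NeedSpecial bool // Complicacy SPECHAR-1
	MaxRepeat   int  // MaxRepeatCharTimes: longest run of one character allowed (assumed meaning)
	HistoryNum  int  // HISTORYPWDNUM: recent passwords that may not be reused
	DictCheck   bool // DICTCHKSW=ON
}

// ParsePwdPolicy reads the "name=value, ..." list after the colon of an MML
// SET PWDPOLICY command. Names match case-insensitively; parameters not
// modelled here (MaxMissTimes, AutoUnlockTime, ...) are skipped.
func ParsePwdPolicy(cmd string) (PwdPolicy, error) {
	var p PwdPolicy
	parts := strings.SplitN(cmd, ":", 2)
	if len(parts) != 2 {
		return p, fmt.Errorf("no parameter list in %q", cmd)
	}
	args := strings.TrimSuffix(strings.TrimSpace(parts[1]), ";")
	for _, kv := range strings.Split(args, ",") {
		pair := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(pair) != 2 {
			return p, fmt.Errorf("malformed parameter %q", kv)
		}
		key, val := strings.ToUpper(strings.TrimSpace(pair[0])), strings.TrimSpace(pair[1])
		var err error
		switch key {
		case "PWDMINLEN":
			p.MinLen, err = strconv.Atoi(val)
		case "MAXREPEATCHARTIMES":
			p.MaxRepeat, err = strconv.Atoi(val)
		case "HISTORYPWDNUM":
			p.HistoryNum, err = strconv.Atoi(val)
		case "DICTCHKSW":
			p.DictCheck = strings.ToUpper(val) == "ON"
		case "COMPLICACY": // e.g. LOWERCASE-1&UPPERCASE-1&DIGIT-1&SPECHAR-0
			for _, item := range strings.Split(val, "&") {
				nf := strings.SplitN(item, "-", 2)
				if len(nf) != 2 {
					return p, fmt.Errorf("malformed Complicacy item %q", item)
				}
				on := nf[1] == "1"
				switch strings.ToUpper(nf[0]) {
				case "LOWERCASE":
					p.NeedLower = on
				case "UPPERCASE":
					p.NeedUpper = on
				case "DIGIT":
					p.NeedDigit = on
				case "SPECHAR":
					p.NeedSpecial = on
				}
			}
		}
		if err != nil {
			return p, fmt.Errorf("%s: %v", key, err)
		}
	}
	return p, nil
}

// Check returns the rules a candidate violates; an empty result means the
// password is acceptable. history holds the user's previous passwords,
// newest first; weak is the dictionary consulted when DICTCHKSW=ON.
func (p PwdPolicy) Check(pwd string, history, weak []string) []string {
	var v []string
	var lower, upper, digit, special bool
	run, longest := 0, 0
	var prev rune
	for i, r := range pwd {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
		if i > 0 && r == prev {
			run++
		} else {
			run = 1
		}
		if run > longest {
			longest = run
		}
		prev = r
	}
	if len([]rune(pwd)) < p.MinLen {
		v = append(v, fmt.Sprintf("shorter than PwdMinLen=%d", p.MinLen))
	}
	for _, c := range []struct {
		need, have bool
		msg        string
	}{{p.NeedLower, lower, "no lowercase letter"}, {p.NeedUpper, upper, "no uppercase letter"},
		{p.NeedDigit, digit, "no digit"}, {p.NeedSpecial, special, "no special character"}} {
		if c.need && !c.have {
			v = append(v, c.msg)
		}
	}
	if p.MaxRepeat > 0 && longest > p.MaxRepeat {
		v = append(v, fmt.Sprintf("a character repeats %d times in a row (MaxRepeatCharTimes=%d)", longest, p.MaxRepeat))
	}
	for i, old := range history {
		if i < p.HistoryNum && old == pwd {
			v = append(v, fmt.Sprintf("reuses one of the last %d passwords", p.HistoryNum))
			break
		}
	}
	if p.DictCheck {
		for _, w := range weak {
			if strings.EqualFold(w, pwd) {
				v = append(v, "found in the weak password dictionary")
				break
			}
		}
	}
	return v
}

func main() {
	p, err := ParsePwdPolicy("SET PWDPOLICY: PwdMinLen=18, Complicacy=LOWERCASE-1&UPPERCASE-1&DIGIT-1&SPECHAR-1, HISTORYPWDNUM=3, MaxRepeatCharTimes=2, DICTCHKSW=OFF;")
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Check("Abcdef1!Ghijk2@L", nil, nil)) // 16 characters: only the length rule fails
}
```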

Password Usage Rules


To ensure that passwords are not disclosed, tampered with, or stolen, the system adheres to the
following password usage rules:
l Passwords entered are displayed as asterisks (*).
l Users must enter passwords twice when creating passwords, and the passwords entered
  cannot be copied.
l Users can change their passwords. The old password must be verified during a password
  change.
l Administrators can change their own passwords or other users' passwords. However,
  administrators can only reset (not view) other user passwords during a password change.
l User accounts are locked when the number of consecutive failed password attempts reaches a
  specified threshold.
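The lock rule in the last item is driven by three SET PWDPOLICY parameters from Table 3-4 (MaxMissTimes, AutoUnlockTime and RESETINTERVAL). The following Go program is an added illustration, not Huawei's implementation, of how those three interact for one account; the Account and Attempt names, the decision that a failure older than RESETINTERVAL restarts the counter, and the time line in main are this example's assumptions, with the numbers taken from the recommended high-complexity configuration.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy carries the SET PWDPOLICY parameters that govern locking:
// MaxMissTimes (consecutive failures tolerated), AutoUnlockTime (how long a
// lock lasts) and RESETINTERVAL (quiet time after which the failure counter
// restarts from zero).
type LockoutPolicy struct {
	MaxMissTimes   int
	AutoUnlockTime time.Duration
	ResetInterval  time.Duration
}

// Account is the per-user lock state an NE would keep.
type Account struct {
	Failures    int
	LastFailure time.Time
	LockedUntil time.Time // zero while the account is not locked
}

type Outcome string

const (
	Accepted Outcome = "accepted"
	Rejected Outcome = "rejected: wrong password"
	Locked   Outcome = "rejected: account locked"
)

// Attempt applies one login attempt made at time now; passwordOK is the
// result of the credential check. A locked account rejects even a correct
// password until AutoUnlockTime has elapsed.
func (a *Account) Attempt(p LockoutPolicy, now time.Time, passwordOK bool) Outcome {
	if !a.LockedUntil.IsZero() {
		if now.Before(a.LockedUntil) {
			return Locked
		}
		a.LockedUntil = time.Time{} // automatic unlock after AutoUnlockTime
		a.Failures = 0
	}
	if passwordOK {
		a.Failures = 0
		return Accepted
	}
	if a.Failures > 0 && now.Sub(a.LastFailure) > p.ResetInterval {
		a.Failures = 0 // earlier failures fell outside RESETINTERVAL (assumed semantics)
	}
	a.Failures++
	a.LastFailure = now
	if a.Failures >= p.MaxMissTimes {
		a.LockedUntil = now.Add(p.AutoUnlockTime)
		a.Failures = 0
		return Locked
	}
	return Rejected
}

// IsLocked reports whether the account is still locked at the given time.
func (a *Account) IsLocked(now time.Time) bool {
	return !a.LockedUntil.IsZero() && now.Before(a.LockedUntil)
}

// HighPriority mirrors the recommended high-complexity configuration:
// MaxMissTimes=2, AutoUnlockTime=30, RESETINTERVAL=10 (minutes).
var HighPriority = LockoutPolicy{MaxMissTimes: 2, AutoUnlockTime: 30 * time.Minute, ResetInterval: 10 * time.Minute}

func main() {
	t0 := time.Date(2014, 1, 20, 9, 0, 0, 0, time.UTC) // constructed time line
	var acct Account
	steps := []struct {
		at time.Duration
		ok bool
	}{{0, false}, {11 * time.Minute, false}, {12 * time.Minute, false}, {20 * time.Minute, true}, {42 * time.Minute, true}}
	for _, s := range steps {
		fmt.Printf("t+%-4v password ok=%-5v -> %s\n", s.at, s.ok, acct.Attempt(HighPriority, t0.Add(s.at), s.ok))
	}
}
```

Walking the constructed time line: the second failure arrives 11 minutes after the first, so the counter has already been reset by RESETINTERVAL=10 and the account survives; the third failure one minute later is the second in a fresh series and triggers a 30-minute lock, during which a correct password is still refused.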

Password Storage and Transmission Rules


The system adheres to the following password storage and transmission rules:
l Passwords are stored locally only as SHA256 (one-way hash) values, not in plaintext.
l Administrators cannot retrieve passwords in the form of plaintext or query other user
  passwords.

Password Validity Period Management


The system manages password validity periods using the following methods:
l The system forces users to change their passwords when passwords expire.
l When users first use default or factory passwords, which are automatically allocated by the
  system, the system forces users to change the passwords.
l The system prompts users to change their passwords before the passwords expire. If
  passwords are not changed after expiration, users cannot log in to the system, but the
  passwords can be modified or changed on the U2000. Administrators can disable password
  expiration policies on the U2000.

3.3.5 FTP User Management


The base station controller has two FTP users:
l FtpUsr: Uses a third-party FTP client to log in to the FTP server on the base station controller
  and then upload or download information about the base station controller.
l U2000 user: Uploads or downloads data between the base station controller and the U2000.

In SRAN7.0 and earlier versions, user management is defined as follows:
l FtpUsr: The MOD FTPPWD command can be used to change the password, but the
  password policy does not take effect on this user.
l U2000 user: The password can be changed on the U2000 GUI, but the password policy
  does not take effect on this user.
SRAN8.0 and later versions have the following enhancements to user management:
l When an FtpUsr changes the password, the base station controller checks the password
  complexity according to the configured password policy. The base station does not check
  the complexity of the password input by the user during software installation. Instead, the
  user, when logging in to the FTP server, is prompted with a message indicating that the
  password complexity is lower than the current configuration and must be changed.
  However, the user can still use the password to log in to the FTP server without interrupting
  the current FTP connection. The user will be forced to change the password to meet the
  password complexity requirements after a specified period of time. When a U2000 user
  changes the password, the base station controller checks the password complexity
  according to the configured password policy. However, if a U2000 user fails to log in to
  the FTP server, the base station controller does not lock the account but reports a security
  alarm. This is because the password is used to secure data transmission over the southbound
  interface, which connects the U2000 to the base station controller.

3.4 User Data Anonymization


Huawei equipment supports user data anonymization. This function makes user identity
information anonymous during maintenance and commissioning to protect personal privacy.
For details, see User Data Anonymization Feature Parameter Description.

3.5 Digital Signature-based Software Integrity Protection


3.5.1 Definition
Software integrity protection adds a digital signature to software by using a private key before
uploading software to the target server or NE. When a target NE downloads, loads, or runs
software, the NE authenticates the digital signature by using a matched public key. This ensures
end-to-end software reliability and integrity.
With this function, any virus or software tampering can be promptly detected. This prevents
malicious software from running on NEs.

3.5.2 Application Scenarios


Software integrity protection applies to the following scenarios:
l Software installation
l Software upgrade
l OS (DOPRA Linux) upgrade
l OS (DOPRA Linux) driver upgrade


3.5.3 Digital Signature


Overview
Integrity protection adopts the following two techniques:
l Hash algorithm: A one-way Hash function. A Hash algorithm converts an arbitrary data block
  into a fixed-size bit string. The most commonly used Hash algorithms are Message-Digest
  algorithm 5 (MD5) and SHA-1.
l Public key cryptography: A pair of public and private keys is used for encryption and
  decryption. The two keys relate to each other and belong to the same holder. The public key
  is published for use, whereas the private key is confidential.

Principles
Figure 3-2 illustrates the principles of digital signatures.
Figure 3-2 Digital signature principles

The procedure for adding a digital signature is as follows:
1. A Hash algorithm calculates the message digest for the files to be signed in the software
   package.
2. The private key is used to encrypt the message digest.
3. The encrypted message digest is saved to a digitally signed file.
The digitally signed file is then released with the software package.
After an NE or a U2000 receives the software package, it verifies the contained digital signature.
The procedure for verifying the digital signature is as follows:
1. The same Hash algorithm calculates the message digest for the files to be verified in the
   software package.
2. The public key is used to decrypt the digitally signed file to restore the message digest.
3. The restored message digest is compared with the message digest calculated in step 1.
   l If they are identical, the software was not tampered with.
   l If they are different, the software was tampered with.

Huawei Software Digital Signature Solution


In addition to the CRC function, the Huawei software digital signature solution in SRAN6.0 and
later incorporates the SHA256 algorithm and public key cryptography-based digital signature.
The Huawei solution implements digital signature and authentication during the software life
cycle (including software generation, release, installation, and running) to ensure software
integrity protection.
Figure 3-3 illustrates the procedure for the Huawei software digital signature solution.
Figure 3-3 Procedure for Huawei software digital signature solution
(Figure not reproduced. Its labelled steps are: 1: Calculate SHA256 check codes. 2: Release the
software package. 3: Download the software package. 4: Distribute the software package.)


1. In the software package generation phase, SHA256 check codes are calculated for each
   software component in the software package and saved to check code files. The check code
   files are then digitally signed with the private key.
   The check code files indicate files that are encrypted and added with verification
   information and the algorithms that are used.
2. In the software version release phase, all software files and digitally signed files are
   packaged and then uploaded to a version server, for example, http://support.huawei.com.
3. In the software version upgrade phase, when the U2000, WebLMT, or upgrade tool
   downloads the software package from the version server, the U2000, WebLMT, or upgrade
   tool authenticates the software package by using the public key. This is to verify the
   software package authenticity.
4. Also in the upgrade phase, when the NE downloads the software package from the U2000,
   WebLMT, or upgrade tool, the NE authenticates the software package by using the public
   key to verify that the software has not been maliciously tampered with.
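The following Go program is an added example (not Huawei's signing tool or NE code) of the two procedures in 3.5.3 combined as the solution above describes: per-component SHA256 check codes are written to a check code file, that file is signed with the release private key, and the receiving side first verifies the signature and then re-hashes every component against the recorded check codes, so both a modified component and a modified check code file are detected. The page does not name the signature algorithm or the check code file layout; RSA PKCS#1 v1.5 over a SHA256 digest and the "<hex digest>  <file name>" line format are this example's choices, and the package contents are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// BuildCheckCodeFile computes the SHA256 check code of every component and
// renders "<hex digest>  <file name>" lines, sorted by name so the output is
// deterministic and therefore reproducible on the verifying side.
func BuildCheckCodeFile(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return buf.Bytes()
}

// SignCheckCodeFile is the generation-phase step: sign the digest of the
// check code file with the release private key (RSA PKCS#1 v1.5, assumed).
func SignCheckCodeFile(priv *rsa.PrivateKey, checkFile []byte) ([]byte, error) {
	digest := sha256.Sum256(checkFile)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyPackage is what the receiving side (U2000, WebLMT, upgrade tool or
// NE) does: check the signature on the check code file, then check every
// component against its recorded code and make sure nothing was added.
func VerifyPackage(pub *rsa.PublicKey, files map[string][]byte, checkFile, sig []byte) error {
	digest := sha256.Sum256(checkFile)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("check code file signature invalid: %w", err)
	}
	seen := 0
	for _, line := range bytes.Split(bytes.TrimSpace(checkFile), []byte("\n")) {
		fields := bytes.SplitN(line, []byte("  "), 2)
		if len(fields) != 2 {
			return fmt.Errorf("malformed check code line %q", line)
		}
		want, name := string(fields[0]), string(fields[1])
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in check code file but missing from package", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: check code mismatch (tampered or damaged)", name)
		}
		seen++
	}
	if seen != len(files) {
		return fmt.Errorf("%d file(s) in the package are not covered by the check code file", len(files)-seen)
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // release key pair (constructed)
	if err != nil {
		panic(err)
	}
	pkg := map[string][]byte{ // constructed package contents
		"bsc.bin":     []byte("constructed firmware image"),
		"version.xml": []byte("<ver>V100</ver>"),
	}
	cf := BuildCheckCodeFile(pkg)
	sig, _ := SignCheckCodeFile(priv, cf)
	fmt.Println("clean package:   ", VerifyPackage(&priv.PublicKey, pkg, cf, sig))
	pkg["bsc.bin"] = []byte("modified after release")
	fmt.Println("tampered package:", VerifyPackage(&priv.PublicKey, pkg, cf, sig))
}
```

Checking the signature before touching any component is deliberate: an attacker who can replace a component can also rewrite an unsigned list of hashes, so the check codes are only worth trusting once the public key has confirmed the list itself is the one released.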

External attackers or unauthorized internal users may tamper with the software after the OMU
software is installed. Therefore, the base station controller checks the integrity of the software
on the OMU and reports only one ALM-20723 File Loss or Damage if one or more files are
damaged or lost. This alarm is cleared after all the damaged or lost files are restored.
For an OS upgrade, the U2000 or upgrade tool checks the integrity of the OS upgrade package.
For an OS driver upgrade, the driver upgrade tool checks the integrity of the OS driver package.

3.6 Time Security


3.6.1 SNTP Security for Base Station Controllers
The base station controller must synchronize its time with the SNTP server (for example, the
U2000) to ensure that the system time is accurate. Time synchronization uses SNTP and supports
two modes: plaintext mode and authentication mode. The mode used is specified by the
AUTHMODE(BSC6900,BSC6910) parameter. The authentication mode refers to the SNTP
security mode.
SNTP security prevents the base station controller from adjusting the time incorrectly after
receiving a time synchronization attack message. This improves the reliability of the base station
controller on the network and helps ensure normal O&M functions. The base station controller
encrypts time synchronization request information, adds the key ID and digest value to the time
synchronization request, then sends the request to the SNTP server. Upon receiving a time
synchronization response from the SNTP server, the base station controller identifies the
encryption algorithm and key according to the configured key ID, calculates the digest value
based on the received SNTP packet, and checks whether the calculated digest value is the same
as that contained in the SNTP packet. If so, the base station controller considers the SNTP packet
legal and synchronizes its time with the SNTP server. If not, the base station controller considers
the SNTP packet illegal and the base station controller discards it.
The base station controller supports the SNTP V3 protocol and is compatible with the SNTP
server and NTP server. However, the time synchronization precision of the base station controller
is the same as that supported by SNTP.

3.6.2 NTP Security Authentication for Base Stations


Base stations are deployed on public networks. If a base station uses an invalid reference clock,
the time on the base station becomes incorrect. This may cause errors in information such as
error alarms and logs, affecting base station maintenance.
NTP security authentication protects the integrity and authenticates the source of NTP packets
received by base stations to ensure that base stations use a valid reference clock. The
AUTHMODE, KEY, and KEYID parameters in the NTPCP MO on a base station functioning
as an NTP client must be set to the same values as those on the NTP server. NTP security
authentication supports Data Encryption Standard (DES) and MD5. DES has been cracked and
is not recommended. NTP security authentication uses digital signatures to verify NTP packets
to ensure the validity of the reference time received by base stations. Figure 3-4 illustrates the
principle of NTP security authentication.
Figure 3-4 Principle for NTP security authentication

If the AUTHMODE parameter in the NTPCP MO is not set to PLAIN(Plain), NTP security
authentication is performed in encryption mode. The authentication procedure is as follows:
1. After calculating the checksum of NTP packets, the NTP server sends the checksum and NTP
   packets to the base station.
2. The base station calculates the checksum of the received NTP packets, and compares the
   calculated checksum with that in the NTP packets.
   l If the checksums are identical, the NTP packets were not tampered with during
     transmission and pass the NTP security authentication.
   l If the checksums are different, the NTP packets were tampered with and fail the NTP
     security authentication.
If the AUTHMODE parameter in the NTPCP MO is set to PLAIN(Plain), the NTP server sends
NTP packets directly to the base station without encryption, and therefore the base station does
not need to decrypt the received NTP packets.
NOTE

Only 3900 series base stations support NTP.
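The key-ID-plus-digest exchange described for base station controllers in 3.6.1 and for base stations in 3.6.2 is shown below as an added Go example (not Huawei's code). It follows the MD5 authenticator of RFC 5905 (digest = MD5(key || packet), appended to the packet after a 4-byte key ID): the sender appends the authenticator, and the receiver looks the key up by the received key ID, recomputes the digest over the packet, compares in constant time, and discards the packet on any mismatch or unknown key ID. The KeyTable, Authenticate and Verify names and the 48-byte sample header are constructed for the example; the MD5 shared-key scheme is what the page describes as supported and is shown here because it is the configurable option the page discusses, not as a recommendation over stronger alternatives.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ntpHeaderLen = 48 // fixed NTP packet header (RFC 5905)
	authLen      = 20 // 4-byte key ID + 16-byte MD5 digest
)

// KeyTable maps a key ID to the shared secret configured on both sides
// (the KEYID and KEY parameters of the NTPCP MO on the client).
type KeyTable map[uint32][]byte

// digest is the RFC 5905 MD5 message digest: MD5(key || packet).
func digest(key, pkt []byte) []byte {
	h := md5.New()
	h.Write(key)
	h.Write(pkt)
	return h.Sum(nil)
}

// Authenticate appends the authenticator to an outgoing NTP packet, as the
// server does before sending a reply.
func Authenticate(pkt []byte, keyID uint32, key []byte) []byte {
	out := make([]byte, len(pkt)+authLen)
	copy(out, pkt)
	binary.BigEndian.PutUint32(out[len(pkt):], keyID)
	copy(out[len(pkt)+4:], digest(key, pkt))
	return out
}

// Verify is the client-side check. It returns the bare packet (authenticator
// stripped) when the digest matches, and an error that the caller should treat
// as "discard the packet" otherwise.
func Verify(msg []byte, keys KeyTable) ([]byte, error) {
	if len(msg) < ntpHeaderLen+authLen {
		return nil, errors.New("packet too short to carry an authenticator")
	}
	body, auth := msg[:len(msg)-authLen], msg[len(msg)-authLen:]
	keyID := binary.BigEndian.Uint32(auth[:4])
	key, ok := keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key ID %d: packet discarded", keyID)
	}
	if subtle.ConstantTimeCompare(digest(key, body), auth[4:]) != 1 {
		return nil, errors.New("digest mismatch: packet discarded")
	}
	return body, nil
}

// sampleHeader builds a constructed 48-byte NTP server reply (LI=0, VN=4,
// mode=4) with an arbitrary transmit timestamp; only its layout matters here.
func sampleHeader() []byte {
	pkt := make([]byte, ntpHeaderLen)
	pkt[0] = 0x24 // LI=0, VN=4, mode=4 (server)
	pkt[1] = 2    // stratum
	binary.BigEndian.PutUint64(pkt[40:], 0xE1A6F3C000000000) // transmit timestamp (constructed)
	return pkt
}

func main() {
	keys := KeyTable{1: []byte("constructed-shared-secret")}
	msg := Authenticate(sampleHeader(), 1, keys[1])
	_, err := Verify(msg, keys)
	fmt.Println("authentic reply:", err)
	msg[43] ^= 0x01 // flip one bit of the transmit timestamp in transit
	_, err = Verify(msg, keys)
	fmt.Println("tampered reply: ", err)
}
```

The bit flip in main lands inside the transmit timestamp, which is exactly the field a forged or altered reply would use to move the client's clock; with the authenticator in place the client discards it instead of adjusting its time.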

3.7 Security Alarms, Events, and Logs


3.7.1 Overview
The U2000 and the WebLMT manage security alarms, events, and logs. If security faults occur,
users can be informed of the faults and perform fault diagnosis according to the reported alarm
or event information. In addition, security risks and vulnerability can be analyzed by tracing
history security alarms and logs.
Since SRAN7.0, user information and IP addresses can be recorded in the operation logs of
specific domain users. In versions earlier than SRAN7.0, domain users for the U2000 are not
distinguished and are collectively named EMSCOMM.
Since SRAN7.0, log tracing has been enhanced. Detailed information about the traced objects
is recorded in the tracing logs.

3.7.2 Security Alarms and Events


Table 3-5 lists the security alarms and events that may be reported by the base station controller
when the related security faults occur.
Table 3-5 Security alarms and events

Alarm or Event ID   Alarm or Event Name
ALM-20723           File Loss or Damage
EVT-22813           Domain User Login Failed
EVT-22814           Local User Login Failed
EVT-22815           Local User Locked
EVT-22805           Local User Modifying Other Operator's Password
ALM-20732           SSL Certificate File Abnormity
ALM-20850           Digital Certificate Will Be out of Valid Time
ALM-20851           Digital Certificate Loss, Expiry, or Damage
ALM-20852           Exceeded Failures of Logins by the Local User
ALM-20714           OMU Time Synchronization Abnormity


Table 3-6 lists the security alarms that may be reported by the base station when the related
security faults occur.

Table 3-6 Security alarms

Alarm ID     Alarm Name
ALM-26204    Board Not In Position
ALM-25670    Water Alarm
ALM-25671    Smoke Alarm
ALM-25672    Burglar Alarm
ALM-26830    Local User Consecutive Login Retries Failed
ALM-25950    Base Station Being Attacked
ALM-26266    Time Synchronization Failure


3.7.3 Security Logs and Security Audit


3.7.3.1 O&M Event Recording
Both base stations and base station controllers support security logs, in which security operations
and events during routine O&M are recorded and cannot be modified. Based on the recorded
information, the operators can perform security audit, identify sources of security accidents and
problems, and find ways to improve network security.
Logs record information about system security and user operations, and are classified into
operation logs of NEs and the U2000, system logs, and security logs. By querying logs, users
can obtain information about the running status, system security situation, and user operations
on NEs or the U2000. Users can also save logs as files or print them out.
The U2000 can centrally manage NE logs by performing the following:
l Supporting centralized collection, query, measurement, analysis, and output of logs.
l Recording information about its own running status, security events, and operations. The
  information can be queried and audited.
l Periodically collecting NE logs based on user settings.
Users can audit the security logs collected by the U2000 to evaluate O&M security.

O&M Event Recording


Logs of the U2000, base stations, and base station controllers record separate information about
system security and user operations, that is, O&M security-related events during the running
process.

Operation Logs
When commands are sent to NEs from the WebLMT or U2000, the command execution results
are saved in operation logs. The operation logs include those of the U2000 and NEs.
Operation logs record operations such as creating, modifying, querying, loading, and switching
over NEs. The operations can be manually performed by O&M personnel or automatically
started by scheduled tasks on the WebLMT or U2000.

System Logs
System logs mainly record the system running status of NEs or the U2000. System logs help
users to learn the system running status and identify causes of security faults. The system herein
refers only to Huawei-developed application systems and system logs include those of the U2000
and NEs.
System logs record the following information:
l Abnormal status and actions while the system is running, such as active/standby
  switchovers, storage failures, and timer expiration
l Key events during system running, such as system startup and shutdown
l Running status, such as startup, exit, and suspension, of the system process
l Running status, such as startup, suspension, exit, and breakdown of key system threads
l Usage of system resources, such as central processing unit (CPU), memory, and hard disk

Security Logs
Security logs record information about security events.
Security logs of base stations record the following:
l Events related to account login, such as user login, user logout, account locking, and account
  unlocking
l Events related to account management, such as account addition, deletion, and
  modification, password change, and permission modification
l Events related to user authentication, such as unauthorized access
Security logs include those of the U2000 and NEs. Users can evaluate system security by auditing
security logs. For details, see Security Log Auditing.
Table 3-7 describes security events recorded in security logs that a base station controller can
provide.

Table 3-7 Security logs of a base station controller

Security Event Type / Security Log

Account login event
l A domain user has logged in to the base station controller.
l A local user has logged in to the base station controller.
l A local user has logged out of the base station controller.
l The system locks a local user account whose failed login attempts exceed the maximum number.
l The system automatically unlocks a local user account after the locking time expires.
l A local user account is manually unlocked.
l A local user account is locked by the administrator.
l An account is automatically locked when the password expires.

Account management event
l A domain user or local user has been forced to log out after having logged in to the base
  station controller.
l A local user account has been added, removed, or modified.
l The user group to which a local user belongs has been changed.
l The rights granted to a local user group have been changed.
l The commands in a command group have been adjusted.
l The rights granted to a local user have been changed.
l A local user has changed the user's password.
l A local user has changed the password of another user.
l The account or password policy has been changed.

OMU security event
l The OMU has started or stopped, or active and standby OMUs have been switched over.

Digital certificate security event
l A digital certificate has been updated.

Upgrade-related security event
l The driver has been upgraded.

OMU configuration-related security event
l OMU network parameters, such as the internal network, external network, VLAN, mask, IP
  address, and host name, have been modified.
l Active and standby OMUs have been configured.

OMU security event for changing the password of an initial account
l The password of the admin account has been changed.
l The password of a database account has been changed.

SNTP time synchronization event
l SNTP time synchronization has failed.


Table 3-8 lists security-related operation logs that a base station controller can provide.

Table 3-8 Security-related operation logs

Security Event Type / Operation Log

Account authentication events
l A domain user or local user fails to be authenticated to perform a certain operation.
l A user attempts to access an object without the permission, which is specified when the
  user is created by running the ADD OP command.


The LST SECLOG and LST OPTLOG commands can be used to query security logs and
operation logs, respectively.
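To show what an audit over these records can look like, the following Go program is an added example (not Huawei's code and not the output format of LST SECLOG). It parses security log records in a constructed line layout, raises a finding when one account accumulates a number of "Local User Login Failed" (EVT-22814) events within a short window, and lists every "Local User Modifying Other Operator's Password" (EVT-22805) event for confirmation. The event IDs and names are those of Table 3-5; the field layout, the sample records, the thresholds and all function names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed security log record. The line layout is constructed for
// this example and is not the LST SECLOG output format:
//   <time>|<event id>|<event name>|user=<name>|ip=<address>
type Event struct {
	Time time.Time
	ID   string
	Name string
	User string
	IP   string
}

// ParseLine parses one record in the constructed layout above.
func ParseLine(line string) (Event, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 5 {
		return Event{}, fmt.Errorf("expected 5 fields, got %d: %q", len(f), line)
	}
	ts, err := time.Parse("2006-01-02 15:04:05", f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	return Event{Time: ts, ID: f[1], Name: f[2],
		User: strings.TrimPrefix(f[3], "user="), IP: strings.TrimPrefix(f[4], "ip=")}, nil
}

// Finding is an item the audit raises for review.
type Finding struct {
	User   string
	Reason string
}

// Audit walks the events in time order. It raises a finding when an account
// reaches `limit` failed local logins (EVT-22814) inside `window`, and lists
// every password change made on another operator's account (EVT-22805).
// limit and window are the audit's own thresholds, independent of the NE's
// MaxMissTimes lock setting.
func Audit(events []Event, limit int, window time.Duration) []Finding {
	var out []Finding
	fails := map[string][]time.Time{}
	for _, e := range events {
		switch e.ID {
		case "EVT-22814":
			var recent []time.Time // failures still inside the window
			for _, t := range fails[e.User] {
				if e.Time.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			recent = append(recent, e.Time)
			if len(recent) >= limit {
				out = append(out, Finding{e.User, fmt.Sprintf("%d failed local logins within %v, last from %s at %s",
					len(recent), window, e.IP, e.Time.Format("15:04:05"))})
				recent = nil // report once, then start a new series
			}
			fails[e.User] = recent
		case "EVT-22805":
			out = append(out, Finding{e.User, fmt.Sprintf("changed another operator's password from %s; confirm it was authorised", e.IP)})
		}
	}
	return out
}

// SampleLog returns constructed records in the layout above.
func SampleLog() []string {
	return []string{
		"2014-01-20 09:00:01|EVT-22814|Local User Login Failed|user=op1|ip=10.1.1.5",
		"2014-01-20 09:00:07|EVT-22814|Local User Login Failed|user=op1|ip=10.1.1.5",
		"2014-01-20 09:00:12|EVT-22814|Local User Login Failed|user=op1|ip=10.1.1.5",
		"2014-01-20 09:00:15|EVT-22814|Local User Login Failed|user=op2|ip=10.1.1.9",
		"2014-01-20 10:30:00|EVT-22814|Local User Login Failed|user=op2|ip=10.1.1.9",
		"2014-01-20 11:00:00|EVT-22805|Local User Modifying Other Operator's Password|user=admin|ip=10.1.1.2",
	}
}

// RunAudit parses the lines and audits them with the given thresholds.
func RunAudit(lines []string, limit int, window time.Duration) ([]Finding, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Audit(events, limit, window), nil
}

func main() {
	findings, err := RunAudit(SampleLog(), 3, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-6s %s\n", f.User, f.Reason)
	}
}
```

On the sample records, op1's three failures within eleven seconds produce a finding while op2's two failures an hour and a half apart do not, and the admin password change is listed regardless of count because the interesting question there is whether it was expected, not how often it happened.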

3.7.3.2 Centralized Log Management


The U2000 supports the following centralized management on U2000 logs and NE logs:
l Log collection
  Users can set log collection tasks and specify task periods to enable the U2000 to
  periodically collect NE logs. Users can also set dumping and export of U2000 logs and NE
  logs.
l Log query and printing
  By querying logs, users can obtain information about the running status, system security
  situation, and user operations of the U2000 or NEs. Users can also save logs as files or print
  them out.
l Log analysis
  Based on U2000 logs and NE logs collected, users can analyze such information as system
  running status, security events, and operations.



Log Collection
Users can collect and dump all operation logs, security logs, and system logs of the U2000 as
well as operation logs and security logs of NEs. NEs generate and save their own system logs
and automatically report the logs to the U2000. For details, see Log Management in the U2000
product documentation.

Log Query and Printing


For details about how to query or print logs on the U2000, see Log Management in the U2000
product documentation.
On the WebLMT, users can query log files generated during a time range, including operation
logs and security logs. For details, see MML Command Reference.

3.7.3.3 Security Log Auditing

Auditing Security Events
Security event auditing refers to a process where a base station or base station controller generates audit records based on security events (security logs). Auditable security events include:
- Startup and shutdown of the system or applications
- User login success and failure events: Including information about user names, login time, workstation (such as its IP address), and causes of login failures (such as incorrect passwords and invalid accounts)
- User logout success and failure events: Including information about user names, logout time, workstation (such as its IP address), and causes of logout failures
- Users' attempts to access resources without the required permission
- All O&M and configuration events: Including information about user names, O&M time, workstation (such as its IP address), operations, and responses
- Operations concerning user accounts and permission levels: Including addition, deletion, and modification

Events to be recorded in security logs are configurable, and the configuration change itself must be recorded as an auditable security event. For details about how to audit security logs, see Log Management in the U2000 product documentation.

Saving Security Logs

Both base stations and base station controllers save security logs in databases. Users cannot modify or delete these logs.
If the number of audit records saved in any security log exceeds 200,000, the base station or base station controller transfers the earliest 10,000 records to flash memory to prevent the database from overflowing.
If the number of saved logs reaches the configured limit, the earliest logs are discarded as new logs arrive.
NOTE

The maximum number of logs that can be saved can be configured by using the SET LOGLIMIT command
on a base station controller, but not on a base station.

Querying Security Logs


Users can query audit records available in databases. Both base stations and base station
controllers support query by time interval, user name, interface, workstation IP address, result,
and command name (for example, MML command names).
For details about how to query security logs, see Log Management in the U2000 product
documentation.
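The query fields listed above (time interval, user name, interface, workstation IP address, result, command name) are enough to drive the two audits that matter most in practice: spotting a burst of failed logins from one workstation, and listing every successful command that changed accounts, policies or log retention. The following is an added example, not code from the page or from Huawei; the record layout it parses (one record per line, fields separated by "|") is an assumption for illustration, since the page does not show the LST SECLOG output format, and the records themselves are constructed.

```python
"""Query and audit constructed NE security-log records.

Added example, not Huawei code. The record layout (time|user|interface|
workstation IP|command|result, one record per line) is an assumption; the
real LST SECLOG output format is not shown on the page. The query fields
mirror those the page lists: time interval, user name, interface,
workstation IP address, result and command name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real device output).
SAMPLE_SECLOG = """\
2014-01-20 09:00:01|EMSCOMM|MML|10.141.148.20|LOGIN|SUCCESS
2014-01-20 09:01:10|operator1|WebLMT|10.141.148.55|LOGIN|FAILURE
2014-01-20 09:01:14|operator1|WebLMT|10.141.148.55|LOGIN|FAILURE
2014-01-20 09:01:19|operator1|WebLMT|10.141.148.55|LOGIN|FAILURE
2014-01-20 09:01:25|operator1|WebLMT|10.141.148.55|LOGIN|FAILURE
2014-01-20 09:01:31|operator1|WebLMT|10.141.148.55|LOGIN|FAILURE
2014-01-20 09:02:00|admin|WebLMT|10.141.148.10|LOGIN|SUCCESS
2014-01-20 09:02:40|admin|WebLMT|10.141.148.10|SET LOGLIMIT|SUCCESS
2014-01-20 09:03:05|admin|WebLMT|10.141.148.10|MOD OP|SUCCESS
2014-01-20 10:15:00|guest1|WebLMT|10.141.148.77|LOGIN|FAILURE
2014-01-20 10:40:00|operator2|MML|10.141.148.31|LOGIN|SUCCESS
"""

# Commands named on this page that change who may do what, or how much
# audit evidence is kept. Their successful execution is always worth review.
PRIVILEGE_COMMANDS = {"ADD OP", "MOD OP", "SET PWDPOLICY", "SET AUTHPOLICY", "SET LOGLIMIT"}


def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, iface, ip, cmd, result = line.split("|")
        records.append({"time": datetime.strptime(ts, TIME_FMT), "user": user,
                        "interface": iface, "ip": ip, "command": cmd, "result": result})
    return records


def query(records, start=None, end=None, **filters):
    """Filter by time interval (strings in TIME_FMT) and exact match on any
    other record field, e.g. query(recs, user="admin", result="SUCCESS")."""
    lo = datetime.strptime(start, TIME_FMT) if start else None
    hi = datetime.strptime(end, TIME_FMT) if end else None
    out = []
    for r in records:
        if lo and r["time"] < lo:
            continue
        if hi and r["time"] > hi:
            continue
        if any(r[k] != v for k, v in filters.items()):
            continue
        out.append(r)
    return out


def failed_login_bursts(records, threshold, window_s):
    """Return (user, ip, count) for each (user, workstation) pair whose LOGIN
    failures reach `threshold` inside any `window_s`-second window; this is the
    pattern a password-retry lockout policy is meant to stop."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)
    for r in records:
        if r["command"] == "LOGIN" and r["result"] == "FAILURE":
            failures[(r["user"], r["ip"])].append(r["time"])
    bursts = []
    for (user, ip), times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts.append((user, ip, hi - lo + 1))
                break
    return bursts


def privilege_changes(records):
    """Successful executions of account/policy/log-retention commands."""
    return [r for r in records if r["command"] in PRIVILEGE_COMMANDS and r["result"] == "SUCCESS"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_SECLOG)
    print(failed_login_bursts(recs, threshold=5, window_s=60))
    for r in privilege_changes(recs):
        print(r["time"], r["user"], r["ip"], r["command"])
```

SET LOGLIMIT is included deliberately: lowering the retention limit is how an attacker with operator access would push inconvenient records out of a full log, so it belongs in the same review list as account changes.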

3.8 OMU Anti-attack


The integrated firewall performs the following operations on all IP data streams transmitted to the OMU:
- IP address filtering, which enables the OMU to accept IP data streams only from authorized IP addresses and network segments
- Defending against attacks, such as ICMP ping, IP fragmentation, low time to live (TTL), Smurf, and distributed denial-of-service (DDoS) attacks
- Defending against TCP sequence prediction attacks and synchronization (SYN) flood attacks
- Isolating the internal network from the external network on the base station controller side: The base station controller discards packets whose destination IP addresses are internal IP addresses or belong to an internal network segment.

For a properly running network, specifying whitelisted and blacklisted IP addresses is generally not required, and the base station controller does not restrict the IP addresses used for access. Specifying whitelisted and blacklisted IP addresses can be used to improve the security of the base station controller:
- Whitelist: Only the specified IP address or IP addresses in the specified network segment can be used to access the base station controller. The IP addresses can be specified for a particular port or for all ports. Once some IP addresses are whitelisted, all the other IP addresses are blacklisted and cannot be used for access.
- Blacklist: The specified IP address or IP addresses in the specified network segment cannot be used to access the base station controller. The IP addresses can be specified for a particular port or for all ports. All IP addresses that are not blacklisted are whitelisted.
NOTE

Base stations do not have the OMU.

3.9 Security Policy Level Configuration


A large number of NEs are deployed on the RAN side, and they are geographically scattered. The required security policies are numerous and complex. Therefore, security policies may be incorrectly or incompletely configured.
Security policy level configuration, designed to drastically simplify security policy configuration, allows hierarchical management of security policies and parameters based on security risks and best practices in the industry.
Security policy level configuration is implemented by the Consistency Check > Security Policy Level function on the CME. This function manages some security policies for the entire network and supports user-defined security policy management. The security policies to be managed include:
- General security policies
- Security policies that are vulnerable to attacks
- Security policies that have little impact on services

By default, there are two levels of security policies:
- Level 1 enables security policies on condition that function compatibility is guaranteed.
- Level 2 enables the strongest security policies but may cause compatibility problems.

Table 3-9 provides a default example of the security policy configuration level template.
Table 3-9 Security policy configuration template
#  | Property                                            | Level 1              | Level 2                          | Belonging to
1  | OS Password Complicacy                              | LOWERCASE-1&DIGIT-1  | LOWERCASE-1&DIGIT-1&UPPERCASE-1  | O&M security/user management
2  | OS Password Minimal Length                          | 10 (one value listed in the source)                     | O&M security/user management
3  | Set the Activation Status of the Local OAM Account  | ON                   | OFF                              | O&M security/user management
4  | Set Local OAM Account Locked State                  | OFF                  | ON                               | O&M security/user management
5  | OAM Password Complicacy                             | LOWERCASE-1&DIGIT-1  | LOWERCASE-1&DIGIT-1&UPPERCASE-1  | O&M security/user management
6  | OAM Password Minimal Length                         | 10 (one value listed in the source)                     | O&M security/user management
7  | OAM Password Max Period                             | 120                  | 90                               | O&M security/user management
8  | Set OAM Login Authentication Policy                 | AUTO                 | ONLY_HARD                        | O&M security/OMCH security
9  | Set OAM Connection SSL Mode                         | ALL                  | ONLY_SSL                         | O&M security/OMCH security
10 | Set OAM Connection SSL Authentication Mode          | NONE                 | PEER                             | O&M security/OMCH security
11 | Set FTP SSL Mode                                    | Auto                 | Encrypted                        | O&M security/OMCH security
12 | Set FTP SSL Certificate Authentication              | NO                   | YES                              | O&M security/OMCH security
13 | Set Web LMT login policy                            | LOGIN_HTTPS_ONLY     | HTTPS_ONLY                       | O&M security/Web security
14 | Invalid Packet Check Switch                         | ENABLE               | ENABLE                           | Device security/integrated firewall
15 | ARP Spoofing Check Switch                           | ENABLE               | ENABLE                           | Device security/integrated firewall
16 | ARP Learning Strict Switch                          | DISABLE              | ENABLE                           | Device security/integrated firewall
NOTE

Security policy level configuration invokes the batch configuration interface of an NE. Therefore, the
configuration restoration function on the CME can be used to roll back batch configuration or restore the
configurations of an NE.
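What the consistency check does with Table 3-9 is mechanical: take each NE's current values, compare them with the template for the chosen level, and report the properties that deviate so they can be corrected in a batch. The block below is an added example that reproduces that logic outside the CME; it is not CME or Huawei code. It also evaluates the password-complexity notation used in the table, reading a token such as LOWERCASE-1&DIGIT-1 as "at least one lowercase letter and at least one digit" (that reading, the table subset chosen, and the two NE snapshots are assumptions and constructed data).

```python
"""Consistency check of NE security settings against Table 3-9 levels.

Added example, not CME code. LEVELS holds a subset of Table 3-9 keyed by
property name; the complexity tokens (LOWERCASE-n, UPPERCASE-n, DIGIT-n,
joined by '&') are read as minimum character-class counts, which is an
assumed interpretation of the table's notation. NE snapshots are constructed.
"""
import re

LEVELS = {
    "OAM Password Complicacy": {1: "LOWERCASE-1&DIGIT-1", 2: "LOWERCASE-1&DIGIT-1&UPPERCASE-1"},
    "OAM Password Max Period": {1: 120, 2: 90},
    "Set OAM Connection SSL Mode": {1: "ALL", 2: "ONLY_SSL"},
    "Set OAM Connection SSL Authentication Mode": {1: "NONE", 2: "PEER"},
    "Set FTP SSL Mode": {1: "Auto", 2: "Encrypted"},
    "ARP Learning Strict Switch": {1: "DISABLE", 2: "ENABLE"},
}

# Assumed mapping from complexity token names to character classes.
CLASSES = {
    "LOWERCASE": re.compile(r"[a-z]"),
    "UPPERCASE": re.compile(r"[A-Z]"),
    "DIGIT": re.compile(r"[0-9]"),
}


def parse_complexity(spec):
    """'LOWERCASE-1&DIGIT-1' -> {'LOWERCASE': 1, 'DIGIT': 1}."""
    rules = {}
    for token in spec.split("&"):
        name, count = token.rsplit("-", 1)
        if name not in CLASSES:
            raise ValueError("unknown character class %r" % name)
        rules[name] = int(count)
    return rules


def password_meets(password, spec, min_length):
    """True if `password` satisfies the complexity spec and minimum length."""
    if len(password) < min_length:
        return False
    for name, count in parse_complexity(spec).items():
        if len(CLASSES[name].findall(password)) < count:
            return False
    return True


def check_ne(ne_settings, level):
    """Return (property, current, expected) for every deviation from `level`.
    A missing property is reported with current=None."""
    report = []
    for prop, by_level in LEVELS.items():
        expected = by_level[level]
        current = ne_settings.get(prop)
        if current != expected:
            report.append((prop, current, expected))
    return report


def check_network(network, level):
    """The check report for a whole planned area: NE name -> deviations."""
    return {ne: check_ne(settings, level) for ne, settings in network.items()}


# Constructed NE snapshots: one already at Level 2, one still at Level 1.
NETWORK = {
    "BSC6900-A": {
        "OAM Password Complicacy": "LOWERCASE-1&DIGIT-1&UPPERCASE-1",
        "OAM Password Max Period": 90,
        "Set OAM Connection SSL Mode": "ONLY_SSL",
        "Set OAM Connection SSL Authentication Mode": "PEER",
        "Set FTP SSL Mode": "Encrypted",
        "ARP Learning Strict Switch": "ENABLE",
    },
    "BSC6910-B": {
        "OAM Password Complicacy": "LOWERCASE-1&DIGIT-1",
        "OAM Password Max Period": 120,
        "Set OAM Connection SSL Mode": "ALL",
        "Set OAM Connection SSL Authentication Mode": "NONE",
        "Set FTP SSL Mode": "Auto",
        "ARP Learning Strict Switch": "DISABLE",
    },
}

if __name__ == "__main__":
    for ne, deviations in check_network(NETWORK, level=2).items():
        print(ne, "compliant with Level 2" if not deviations else deviations)
```

Because the report carries the expected value next to the current one, it maps directly onto the batch correction the page describes in Step 3 of 4.2.2.2.2; the same report run before and after the batch is the activation observation the page leaves as N/A.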

4 Engineering Guidelines

4.1 OMCH Security


OMCHs are secured using SSL. For details, see SSL Feature Parameter Description.

4.2 Web Security


4.2.1 When to Use Web Security
Web applications are vulnerable to attacks. It is good practice to configure the following:
- Password security policy
- WebLMT login policy
- Rights to access File Manager on the WebLMT

4.2.2 Deployment
4.2.2.1 Requirements
None

4.2.2.2 Activation
4.2.2.2.1 Using MML Commands
To set the password security policy, perform the following step:
Step 1 Run the SET PWDPOLICY command to set the password security policy for local WebLMT
users.
----End
To set the WebLMT login policy, perform the following step:

Step 1 Run the SET WEBLOGINPOLICY command to set the policy for logging in to the WebLMT. In this step, set Policy for login to LMT and transmission to an appropriate value.
Step 2 Run the RST OMUMODULE command to restart the WebLMT server for the configured WebLMT login policy to take effect. In this step, set Target OMU to ACTIVE(Active OMU) and Module Name to weblmt.
----End
NOTE

Running the RST OMUMODULE command disconnects all users from the WebLMT but does not affect
OMU services. The WebLMT server can be restarted within 5 seconds if no exception occurs during the
restart.
While the WebLMT server restarts, WebLMT clients are disconnected and therefore cannot receive the
restart command response from the WebLMT server. In addition, an error message indicating that the
command fails to be sent is displayed. Ignore this error prompt because the command was successfully
sent.
The configured WebLMT login policy takes effect only after you log out and then log back in to the
WebLMT.
You can run the LST WEBLOGINPOLICY command to query the current policy for logging in to the
WebLMT.

To configure the rights of the Custom user to access the File Manager, perform the following
steps:
Step 1 On the WebLMT GUI, click User-defined command Group to add commands and function
items to a specific command group.
Step 2 Run the ADD OP or MOD OP command with Operator Level set to Customs(Custom) and
Command Group set to the same value as that specified in Step 1.
----End
NOTE

The configured rights to access the File Manager take effect only after you log out and then log back in
to the WebLMT.

4.2.2.2.2 Using the CME


Security policy level configuration on the CME can be used to configure password security
policy and WebLMT login policy for existing base stations.
You can perform consistency check on the Current Area on the CME. If the check results need
to be delivered, create or select a planned area first.
Step 1 On the CME, choose CME > Advanced > Consistency Check > Security Policy Level (CME
client mode) to set the consistency check parameters for security policies.

NOTE

Users can define parameters for security policies as required based on the default level settings. For context-sensitive help on a current task in the client, press F1.

Step 2 Select the NEs for which consistency check is to be performed, execute the check to generate a
check report.


Step 3 Based on the check report, correct the configurations on NEs in batches in the event of
inconsistency.
----End

4.2.2.3 Activation Observation


N/A

4.3 User Management


4.3.1 When to Use User Management
User management includes the following security functions:
- Login authentication
- User rights control
- FTP user management

4.3.2 Deployment
4.3.2.1 Requirements
None

4.3.2.2 Activation
4.3.2.2.1 Using the MML Commands

Login Authentication
Currently, login authentication is performed in the following scenarios:
- The U2000 is used for connection to a base station or base station controller.
  In this scenario, the challenge-response mechanism is used for mutual authentication between the U2000 and the NE. The user name EMSCOMM is used during the authentication. The password for the user can be changed either by performing operations on the U2000 or by running the MOD OP command on the WebLMT. The passwords recorded must be the same on the U2000 and the NE to ensure a successful connection.
- A third-party tool is used for direct connection to a base station controller.
  To configure the login authentication mode in this scenario, run the SET AUTHPOLICY command with the AUTHMODE parameter set to COMPATIBLE_MODE(Compatible Mode) or ENHANCED_MODE(Enhanced Mode) based on site requirements. ENHANCED_MODE(Enhanced Mode) is preferred. If this parameter is set to COMPATIBLE_MODE(Compatible Mode), both the original and enhanced user login mechanisms are supported. If this parameter is set to ENHANCED_MODE(Enhanced Mode), only the enhanced user login mechanism is supported.

User Rights Control


You can add users in either of the following scenarios:
- To add a user of a predefined level (Administrator, Operator, User, or Guest), do not configure the user's rights to use command groups, because the system has allocated fixed command group rights to the user.
- To add a Custom user, configure the user's rights to use command groups.

To add a user of a predefined level (for example, Operator), perform the following step:
Step 1 Run the ADD OP command to add an Operator user. In this step, set User Group to OPERATOR
(Operator).
----End
NOTE

The command group lists that an Operator user has the rights to use are always
G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14 and cannot
be changed.

To add a Custom user who has the rights to use the G_22 command group including the COL
LOG command so that the user can collect log files, perform the following steps:
Step 1 Run the SET CCGN command to configure G_22 as the command group.
Step 2 Run the ADD CCG command to add commands to the G_22 command group. In this step, add
the COL LOG command to the command group.
Step 3 Add a Custom user and configure the rights to use the G_22 command group for the user.
----End

FTP User Management


To configure FTP clients to use encrypted transmission, perform the following step:
Step 1 Run the SET FTPSCLT command with The Encrypted Mode set to ENCRYPTED(SSL
Encrypted).
----End

NOTE

An FTP client refers to a module that has the FTP client function on the OMU. The SET FTPSCLT
command takes effect on all FTP clients.
After SSL encrypted transmission is configured for an FTP client, the FTP server must also be configured with SSL encrypted transmission before FTP-related MML commands are run. Otherwise, the MML commands fail to be executed.
If the Support SSL Certificate Authentication(BSC6900,BSC6910) parameter is set to YES(Yes), a
digital certificate must be configured for the connected server. Otherwise, file upload and download fail.
For instructions on how to configure digital certificates when the U2000 functions as the FTP server, choose
Security Management > Data Management > Configuring Digital Certificates > Importing Cross
Digital Certificates > Installing a Device Digital Certificate > Activating a Device Digital
Certificate > Follow-up Procedure in the U2000 online help.
You can run the LST FTPSCLT command to query the transmission encryption mode of FTP clients.

To configure the FTP server to use encrypted transmission, perform the following steps:
Step 1 Run the SET FTPSSRV command with Transport Encrypted Mode set to ENCRYPTED
(SSL Encrypted).
NOTE

If the FTP server is configured with the SSL encrypted transmission mode, the same mode must also be
configured for all FTP clients that access the FTP server. The detailed configuration method varies
depending on the third-party FTP client software.

Step 2 Reset the ftp_server module for the encrypted transmission mode to take effect.
1. Run the DSP OMU command to query the OMU mode. If only one result for Operational state is displayed, the OMU works in standalone mode. If two results for Operational state are displayed, the OMUs work in active/standby mode.
2. Run the RST OMUMODULE command to reset the ftp_server module on the active OMU. In this step, set Module Name to ftp_server. If the OMU works in standalone mode, the encrypted transmission mode takes effect after you perform this step. If the OMU works in active/standby mode, go to 3.
3. Run the RST OMUMODULE command to reset the ftp_server module on the standby OMU. In this step, set Module Name to ftp_server.
----End
To configure the port range for transmitting data over FTP, perform the following step:
Step 1 Run the SET FTPSSRV command to set the value range of ports for transmitting data over FTP. In this step, set Passive mode data port lower limit and Passive mode data port upper limit to appropriate values.
----End
NOTE

You can run the LST FTPSSRV command to query the encryption mode of the FTP server and the value
range of ports for transmitting data over FTP.

4.3.2.2.2 Using the CME


The transmission encryption mode for FTP clients can be configured using security policy level configuration on the CME. For details, see 4.2 Web Security.
4.3.2.3 Activation Observation


N/A

4.4 User Data Anonymization


Wireless networks use a hash algorithm to make individual identification fields anonymous in maintenance and commissioning data to protect individual privacy. For details, see User Data Anonymization Feature Parameter Description.

4.5 Digital Signature-based Software Integrity Protection


This function is always enabled and is not configurable.

4.6 Time Security


Correct time synchronization guarantees normal operation of O&M systems. A standalone NTP
server needs to be configured and wireless NEs function as NTP clients. NTP security ensures
correct time synchronization. The NTP server is generally configured by operators and therefore
the NTP security policies on wireless NEs are configured based on the interworking requirements
of the NTP server.

4.6.1 Deployment of SNTP Security for Base Station Controllers


4.6.1.1 Requirements
Parameters related to time synchronization are configured on the NTP server.

4.6.1.2 Activation
To configure the SNTP security for a base station controller, perform the following step:
Step 1 Run the ADD SNTPSRVINFO command to add the IP address and port number for the SNTP
server on the base station controller and set the SNTP time synchronization security policy.
----End
NOTE

Set Key ID, Encryption Algorithm, and Key if SNTP security is used. Based on the values of these parameters, the base station controller sends authenticated time synchronization requests to the SNTP server and authenticates the time synchronization responses from the SNTP server. The key protects the integrity and origin of the exchange; the time data itself is not encrypted.
You can run the LST SNTPCLTPARA command to query information about the SNTP server.

4.6.1.3 Activation Observation


NTP security is activated if the NTP parameters are correctly configured and NTP link status is
normal.
4.6.2 Deployment of NTP Security Authentication for Base Stations


4.6.2.1 Requirements
Parameters related to time synchronization are configured on the NTP server.

4.6.2.2 Data Preparation


Table 4-1 describes key parameters that must be set in the NTPCP MO to activate NTP security authentication.
Table 4-1 Data to prepare before activating NTP security authentication
MO    | Parameter Name             | Parameter ID | Setting Notes                                                                                                                                            | Data Source
NTPCP | IPv4 Address of NTP Server | IP           | This parameter specifies the IPv4 address of the NTP server.                                                                                             | Network plan (negotiation not required)
NTPCP | Port Number                | PORT         | This parameter specifies the number of the time synchronization port on the NTP server. The NTP client synchronizes with the NTP server through the specified port. | Network plan (negotiation not required)
NTPCP | Synchronization Period     | SYNCCYCLE    | This parameter specifies the NTP time synchronization interval.                                                                                          | Network plan (negotiation not required)
NTPCP | Authentication Mode        | AUTHMODEP    | This parameter specifies the NTP authentication mode.                                                                                                    | Network plan (negotiation not required)
NTPCP | Authentication Key         | KEY          | This parameter specifies the key used for NTP authentication.                                                                                            | Network plan (negotiation not required)
NTPCP | Authentication Key Index   | KEYID        | This parameter specifies the index of the authentication key on the NTP server. The local index must be the same as that on the NTP server.             | Network plan (negotiation not required)

4.6.2.3 Activation

4.6.2.3.1 Using MML Commands


Step 1 Run the ADD NTPC command to configure an NTP client on a base station.
----End

4.6.2.3.2 MML Command Examples


//Configuring an NTP client
ADD NTPC: MODE=IPV4, IP="192.168.88.168", PORT=123, SYNCCYCLE=10, AUTHMODE=PLAIN;
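The MML example above configures the client in PLAIN mode, that is, without a key. What the KEYID/KEY parameters in Table 4-1 add is shown by the following added example, which is not code from the page or from Huawei: it builds an NTPv4 client request and server response carrying the classic symmetric-key MAC (key ID followed by MD5 or SHA-1 over the shared key concatenated with the 48-byte NTP header, as described in RFC 5905), verifies a genuine response, and rejects a tampered timestamp, an unknown key index, and a key-index mismatch. Whether the NE implements exactly this construction, the key table, the timestamps and the key material are all assumptions or constructed values. The scheme authenticates the packet; it does not encrypt it.

```python
"""NTPv4 symmetric-key authentication, RFC 5905 Appendix A style.

Added example, not Huawei code. MAC = key ID (4 bytes) + digest(key || 48-byte
NTP header); MD5 gives a 16-byte digest, SHA-1 a 20-byte one. The trusted-key
table, the timestamps and the key material are constructed. Whether the NE's
"Encryption Algorithm" options map onto exactly these digests is an assumption.
"""
import hashlib
import hmac
import struct
import time

NTP_HEADER = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Constructed trusted-key table: key index -> (digest algorithm, key bytes).
# NE and NTP server must hold the same index/key pair (KEYID / KEY in Table 4-1).
KEYS = {
    10: ("md5", b"constructed-shared-secret-10"),
    11: ("sha1", b"constructed-shared-secret-11"),
}


def to_ntp_timestamp(unix_seconds):
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs, frac)


def build_header(mode, stratum, poll, transmit_unix):
    """48-byte NTPv4 header; mode 3 = client, mode 4 = server; LI=0, VN=4."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, -20)
            + struct.pack("!II", 0, 0)          # root delay, root dispersion
            + b"LOCL"                            # reference ID
            + to_ntp_timestamp(transmit_unix)    # reference timestamp
            + b"\x00" * 8                        # origin timestamp
            + b"\x00" * 8                        # receive timestamp
            + to_ntp_timestamp(transmit_unix))   # transmit timestamp (bytes 40-47)


def compute_mac(key_id, header):
    algo, key = KEYS[key_id]
    digest = hashlib.new(algo, key + header).digest()   # digest(key || header)
    return struct.pack("!I", key_id) + digest


def authenticate(header, key_id):
    return header + compute_mac(key_id, header)


def verify(packet):
    """Return (ok, reason). Accept only a packet whose MAC recomputes under the
    key we hold at the key index the sender claims."""
    if len(packet) < NTP_HEADER + 4:
        return False, "no MAC present"
    header = packet[:NTP_HEADER]
    key_id = struct.unpack("!I", packet[NTP_HEADER:NTP_HEADER + 4])[0]
    if key_id not in KEYS:
        return False, "unknown key id %d" % key_id
    expected = compute_mac(key_id, header)
    if len(packet) != NTP_HEADER + len(expected):
        return False, "MAC length mismatch"
    if not hmac.compare_digest(packet[NTP_HEADER:], expected):   # constant time
        return False, "bad MAC"
    return True, "ok"


def exchange(key_id, now):
    """One authenticated request/response pair; the server side checks the
    request before answering, as a keyed NTP server does."""
    request = authenticate(build_header(3, 0, 10, now), key_id)
    ok, reason = verify(request)
    if not ok:
        raise ValueError("server would discard request: " + reason)
    response = authenticate(build_header(4, 2, 10, now + 0.05), key_id)
    return request, response


def tamper_transmit_timestamp(packet):
    """On-path change of the server's transmit timestamp; the MAC must fail."""
    pos = 40
    return packet[:pos] + bytes([packet[pos] ^ 0xFF]) + packet[pos + 1:]


def relabel_key_id(packet, key_id):
    """Keep the digest but claim a different key index."""
    return packet[:NTP_HEADER] + struct.pack("!I", key_id) + packet[NTP_HEADER + 4:]


if __name__ == "__main__":
    req, resp = exchange(10, time.time())
    print(len(req), verify(resp))
    print(verify(tamper_transmit_timestamp(resp)))
```

The key-index check is why Table 4-1 insists that the local KEYID equal the one on the server: the index is sent in clear and selects the key, so a mismatch is rejected before the digest is even compared. This is also why the Activation Observation below checks DSP NTPC link state rather than just LST NTPC: a wrong key leaves the configuration looking correct while every response is discarded.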

4.6.2.3.3 Using the CME

Using the CME to Perform Single Configuration


On the CME, set the parameters listed in the "Data Preparation" section for a single base station.
For detailed instructions, see CME Single Configuration Operation Guide.

Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 4-2 in a summary data file, which also contains
other data for the new base stations to be deployed. Then, import the summary data file into the
CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:
- The MO in Table 4-2 is contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
- The MO in Table 4-2 is not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MO before you can set the parameters.
Table 4-2 MO related to NTP security
MO  | Sheet in the Summary Data File | Parameter Group                                                                                                               | Remarks
NTP | Common Data                    | NTP IP, NTP IP Mask, Port, SyncCycle, Authentication Mode, Authentication Key, Authentication Key Index, MasterFlag, IpMode   |
For instructions about how to perform batch configuration for each type of base station, see the following sections in 3900 Series Base Station Initial Configuration Guide:
- For a NodeB, see "Creating NodeBs in Batches."
- For an eNodeB, see "Creating eNodeBs in Batches."
- For a separate-MPT multimode base station, see "Creating Separate-MPT Multimode Base Stations in Batches."
- For an eGBTS and a co-MPT multimode base station, see "Creating Co-MPT Base Stations in Batches."

Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple base stations in a single procedure. The procedure is as follows:
Step 1 After creating a planned data area, choose CME > Advanced > Customize Summary Data
File (U2000 client mode), or choose Advanced > Customize Summary Data File (CME client
mode), to customize a summary data file for batch reconfiguration.
NOTE

For context-sensitive help on a current task in the client, press F1.

Step 2 Export the base station data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > Export eGBTS Bulk Configuration Data (U2000 client mode), or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data (CME client mode).
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
Step 3 In the summary data file, set the parameters in the MOs listed in Table 4-2 and close the file.
Step 4 Import the summary data file into the CME.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data (U2000 client mode), or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data (CME client mode).
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
----End

4.6.2.4 Activation Observation


To verify that NTP security authentication is activated on a base station, perform the following
steps:
Step 1 Run the LST NTPC command to query the NTP configuration information. Verify that the
parameter settings in the command output are consistent with that configured in the activation
procedure.
Step 2 Run the DSP NTPC command to query the time synchronization information of the base station.
Verify that the value of Link State of Current NTP Server is Available in the command output.
Step 3 Run the LST LATESTSUCCDATE command to query the latest successful time
synchronization of the base station. Verify that the value of Latest Successful Synchronization
Time is the same as the time that time synchronization was recently performed.
----End
If all the preceding verifications are true, NTP security authentication is activated.

4.6.2.5 Reconfiguration
To change the authentication mode for a base station, run the MOD NTPC command, and change the encryption algorithm configured on the NTP server so that it is consistent with that on the base station.

4.6.2.6 Deactivation
N/A

4.7 Security Alarms, Events, and Logs


Security alarms, events, and logs are always enabled and do not involve engineering guidelines.

4.8 OMU Anti-attack


4.8.1 When to Use OMU Anti-Attack
OMU anti-attack is supported by base station controllers but not base stations. The iptables function of the OS is used to implement OMU anti-attack.
Configuring the whitelist and blacklist with iptables carries high risk. To ensure the normal operation of a base station controller, do not configure the whitelist or blacklist if the network runs properly.
4.8.2 Required Information


Collect the IP address and port data of the OMU and any peer NE that exchanges service data
with the OMU.

4.8.3 Deployment
4.8.3.1 Requirements
None

4.8.3.2 Activation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -A INPUT -s restricted IP -i Ethernet adapter -p transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
- Set restricted IP to an IP address to be denied or allowed access. The IP address can be a single IP address or IP addresses in a network segment.
- Set Ethernet adapter to the external network adapter of the OMU.
- Set transport protocol to TCP or UDP. This parameter is used with restricted port.
- Set restricted port to the port over which access is denied.
If you do not specify the -p transport protocol and --dport restricted port parameters, access over all ports is denied.
----End
The following is a command example used to allow only users in the 10.141.148.0 network segment to access the WebLMT:
iptables -A INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
NOTE

"!" is a logical negation operator. The rule therefore matches, and drops, packets whose source address is not in the listed segment; this is how a whitelist is expressed with a DROP rule. Because -A appends to the INPUT chain, the rule is evaluated after any rules already present. Rules added this way take effect immediately but are held in kernel memory; after an OMU restart, check with iptables -L whether they are still present and re-apply them if they are not.
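The whitelist and blacklist semantics described in 3.8 and the iptables rule form used in this section can be checked before anything is typed on the OMU. The following added example, not code from the page or from Huawei and not a substitute for iptables, renders rules in exactly the form the page uses ("-s ! segment" for a whitelist, plain "-s segment" for a blacklist, DROP target), evaluates constructed packets against them with iptables' first-match semantics and the default ACCEPT policy the page implies, and flags the lockout the NOTE in 4.8.3.3 warns about: a whitelist that covers port 22 while the operator's own workstation sits outside the segment. The interface name bond1 and the 10.141.148.0/24 segment come from the page's example; the other addresses are constructed.

```python
"""Model of the OMU INPUT-chain filtering described in 3.8 and 4.8.

Added example, not Huawei code and not a replacement for iptables. Rules are
rendered in the page's own form and evaluated with first-match semantics and
an ACCEPT default policy (the page: the controller does not restrict access
unless a whitelist or blacklist is configured). Sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    negate_source: bool            # True renders "-s ! net": match every other source
    iface: str
    proto: Optional[str] = None    # "tcp" / "udp"; None = any protocol
    dport: Optional[int] = None    # None = all ports (page: -p/--dport omitted)
    target: str = "DROP"

    def command(self, action="-A"):
        """Render as the DOPRA Linux command line; "-D" gives the deactivation form."""
        parts = ["iptables", action, "INPUT", "-s"]
        if self.negate_source:
            parts.append("!")
        parts += [self.source.with_netmask, "-i", self.iface]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)

    def matches(self, pkt):
        in_net = ipaddress.IPv4Address(pkt["src"]) in self.source
        if in_net == self.negate_source:      # "!" flips the source test
            return False
        if pkt["iface"] != self.iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def whitelist(segment, iface, ports, proto="tcp"):
    """Only `segment` may reach `ports`: one negated DROP rule per port
    (page: once some addresses are whitelisted, all others are blacklisted)."""
    net = ipaddress.IPv4Network(segment)
    return [Rule(net, True, iface, proto, p) for p in ports]


def blacklist(segment, iface, port=None, proto=None):
    """`segment` may not reach `port` (all ports and protocols when omitted)."""
    return [Rule(ipaddress.IPv4Network(segment), False, iface, proto, port)]


def evaluate(rules, pkt, policy="ACCEPT"):
    for rule in rules:                       # iptables: first matching rule decides
        if rule.matches(pkt):
            return rule.target
    return policy


def lockout_risk(rules, admin_src, iface, ssh_port=22):
    """True if the operator's own workstation would lose SSH access to the OMU."""
    pkt = {"src": admin_src, "iface": iface, "proto": "tcp", "dport": ssh_port}
    return evaluate(rules, pkt) == "DROP"


if __name__ == "__main__":
    rules = whitelist("10.141.148.0/24", "bond1", [80])
    print(rules[0].command())        # identical to the page's example command
    print(rules[0].command("-D"))    # the matching deactivation command
    for src in ("10.141.148.55", "10.20.30.40"):
        print(src, evaluate(rules, {"src": src, "iface": "bond1", "proto": "tcp", "dport": 80}))
    print("ssh lockout:", lockout_risk(whitelist("10.141.148.0/24", "bond1", [22, 80]), "10.20.30.40", "bond1"))
```

Running lockout_risk with the address you are actually connected from, before issuing the real command over that same SSH session, is the cheap check that prevents the self-inflicted outage the page's NOTE describes.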

4.8.3.3 Activation Observation

Step 1 On the OMU, run the DOPRA Linux command iptables -L to list all filtering criteria. Verify that the new criteria have been added successfully.
Step 2 Log in to the PC whose IP address has been restricted and check that access over the restricted port is refused:
- If access over port 80 is denied, you cannot access the WebLMT. In this situation, check whether you can access the WebLMT on the PC.
- If access over port 22 is denied, you cannot log in to the OMU remotely. In this situation, check whether you can log in to the OMU using PuTTY on the PC.
NOTE

Exercise caution when disabling port 22, because this operation prohibits users from remotely logging in to the OMU.

l If access over port 21 is denied, you cannot access the ftp_server module on the OMU. In
this situation, check whether you can access the ftp_server module on the OMU using an
FTP client on the PC.
----End

4.8.3.4 Deactivation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -D INPUT -s restricted IP -i Ethernet adapter -p
transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
l Set restricted IP to the IP address to be denied or allowed access. The IP address can be a
single IP address or the IP addresses in a network segment.
l Set Ethernet adapter to the external network adapter of the OMU.
l Set transport protocol to TCP or UDP. This parameter is used together with restricted port.
l Set restricted port to the port over which access is denied.
If you do not specify the -p transport protocol and --dport restricted port parameters, access
over all ports is denied. The parameters must match the rule that was added during activation;
otherwise iptables reports that the rule does not exist and nothing is removed.
Step 3 Run the DOPRA Linux command iptables -L to query all filtering criteria on the OMU. Verify
that the criteria have been removed successfully.
----End
The following command example is used to deactivate OMU anti-attack:
iptables -D INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
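The activation, observation and deactivation steps above, as an added example that is not part of the Huawei document or of DOPRA Linux: a POSIX shell helper that validates the restricted IP, Ethernet adapter, transport protocol and port before assembling the iptables command (it prints the command instead of running it), and a check that searches a captured iptables -L INPUT -n listing for the resulting DROP rule. The helper emits the "! -s" negation form that current iptables releases expect (the document's older "-s !" form is only accepted by old builds); bond1 and 10.141.148.0/24 are the document's own example values, and the listing is constructed.

```shell
#!/bin/sh
# Added example, not from the Huawei document or DOPRA Linux: builds the OMU
# anti-attack rule of 4.8.3.2/4.8.3.4 after validating its inputs, and checks
# a captured "iptables -L INPUT -n" listing for the rule (4.8.3.3). iptables is
# never executed here; the listing below is a constructed sample.

# Return 0 if $1 is an IPv4 address or network in dotted-quad[/prefix] form.
valid_ipv4_cidr() {
    _addr=${1%%/*}
    case "$1" in */*) _prefix=${1#*/} ;; *) _prefix=32 ;; esac
    case "$_prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    # Reject empty octets, stray characters and anything that could glob.
    case "$_addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    _n=0; _oldifs=$IFS; IFS=.
    for _o in $_addr; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || { IFS=$_oldifs; return 1; }
        _n=$((_n + 1))
    done
    IFS=$_oldifs
    [ "$_n" -eq 4 ]
}

# Print the iptables command line for one OMU anti-attack rule.
# Usage: build_omu_rule A|D deny|allow-only <ip[/prefix]> <adapter> [tcp|udp <port>]
# "allow-only" negates the source (the document's "!"): every source outside
# the segment is dropped. This prints the "! -s" form that current iptables
# expects; the document's older "-s !" form is accepted only by old releases.
build_omu_rule() {
    _act=$1; _mode=$2; _ip=$3; _if=$4; _proto=$5; _port=$6
    case "$_act" in A|D) ;; *) echo "action must be A or D" >&2; return 1 ;; esac
    valid_ipv4_cidr "$_ip" || { echo "bad IP/segment: $_ip" >&2; return 1; }
    case "$_if" in ''|*[!A-Za-z0-9_.:-]*) echo "bad adapter" >&2; return 1 ;; esac
    case "$_mode" in
        deny)       _src="-s $_ip" ;;
        allow-only) _src="! -s $_ip" ;;
        *) echo "mode must be deny or allow-only" >&2; return 1 ;;
    esac
    _l4=""   # omitted protocol/port means every port is dropped (4.8.3.2)
    if [ -n "$_proto" ] || [ -n "$_port" ]; then
        case "$_proto" in tcp|udp) ;; *) echo "bad protocol" >&2; return 1 ;; esac
        case "$_port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
        [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "bad port" >&2; return 1; }
        _l4=" -p $_proto --dport $_port"
    fi
    echo "iptables -$_act INPUT $_src -i $_if$_l4 -j DROP"
}

# Return 0 if the listing in $1 has a DROP rule whose source column is $2
# (a leading "!" marks a negated source) and whose match column contains $3.
rule_present() {
    printf '%s\n' "$1" | grep -F -- " $2 " | grep -F -- "DROP" | grep -qF -- "${3:-DROP}"
}

# Constructed sample of "iptables -L INPUT -n" after the document's rule.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  !10.141.148.0/24     0.0.0.0/0            tcp dpt:80'

rule=$(build_omu_rule A allow-only 10.141.148.0/24 bond1 tcp 80) && echo "$rule"
if rule_present "$SAMPLE_LISTING" '!10.141.148.0/24' 'tcp dpt:80'; then
    echo "WebLMT restriction is in place"
fi
```

Running the printed command on the OMU still requires root; the rule is not saved across a restart unless the platform persists its iptables configuration, which is an assumption to verify on the OMU rather than something the document states.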

4.9 Security Policy Level Configuration


This function is configured using batch configuration management of common security policies
on the CME. Therefore, no engineering guidelines are involved.


5 Parameters

Table 5-1 Parameter description

Columns: Parameter ID | NE | MML Command | Feature ID | Feature Name | Description (Meaning, GUI Value Range, Unit, Actual Value Range, Default Value). Rows that are identical for BSC6900 and BSC6910 are listed once.

Parameter ID: MaxMissTimes
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Maximum number of password retries when a user logs in. When password retries by a user exceed this number, this user is locked.
GUI Value Range: 1~255
Unit: None
Actual Value Range: 1~255
Default Value: 3

Parameter ID: MAXMISSTIMES
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: SET PWDPOLICY, LST PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Indicates the maximum times of attempts with incorrectly entered passwords. If the times of attempts with incorrectly entered passwords exceed this parameter, the NE will lock the operator account.
GUI Value Range: 1~255
Unit: None
Actual Value Range: 1~255
Default Value: 3

Parameter ID: AutoUnlockTime
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Duration after which a locked user is unlocked automatically.
GUI Value Range: 1~65535
Unit: min
Actual Value Range: 1~65535
Default Value: 30

Parameter ID: AUTOUNLOCKTIME
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: SET PWDPOLICY, LST PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Indicates the unlocking time after the account is locked because of incorrect password inputs.
GUI Value Range: 1~65535
Unit: min
Actual Value Range: 1~65535
Default Value: 30

Parameter ID: PwdMinLen
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Minimum length of an LMT login password. When a password is shorter than this length, the password is invalid.
GUI Value Range: 6~32
Unit: None
Actual Value Range: 6~32
Default Value: 8

Parameter ID: Complicacy
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Complexity of a password. LOWERCASE (Lowercase) indicates that the password must include lowercase letters. UPPERCASE (Uppercase) indicates that the password must include uppercase letters. DIGIT (Digit) indicates that the password must include digits. SPECHAR (Special character) indicates that the password must include special characters. Special characters are ~!@#$%^&*()_+{}|[]:<>?./.
GUI Value Range: LOWERCASE (Lowercase), UPPERCASE (Uppercase), DIGIT (Digit), SPECHAR (Special character)
Unit: None
Actual Value Range: LOWERCASE, UPPERCASE, DIGIT, SPECHAR
Default Value: LOWERCASE:1, UPPERCASE:1, DIGIT:1, SPECHAR:0

Parameter ID: MaxRepeatCharTimes
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Maximum number of single character repeats allowed in an LMT login password. When a single character in a password repeats more times than this number, the password is invalid.
GUI Value Range: 2~32
Unit: None
Actual Value Range: 2~32
Default Value: 2

Parameter ID: MAXVALIDDATES
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Days between the day when a password takes effect and the day when the password expires. The password becomes invalid after being valid for this number of days.
GUI Value Range: 1~999
Unit: day
Actual Value Range: 1~999
Default Value: 90

Parameter ID: MAXPROMPTDATES
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Longest number of days in advance for which users are prompted that the password is going to expire. When this day arrives, users will be prompted with the remaining days.
GUI Value Range: 1~255
Unit: day
Actual Value Range: 1~255
Default Value: 5

Parameter ID: HISTORYPWDNUM
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Maximum number of historical passwords that can be saved. When this number is reached, the earliest historical password will be deleted at the arrival of a new one.
GUI Value Range: 1~10
Unit: None
Actual Value Range: 1~10
Default Value: 5

Parameter ID: FirstLoginMustModPWD
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Switch for forcing users to change the password upon their first login to the LMT.
GUI Value Range: OFF (Close), ON (Open)
Unit: None
Actual Value Range: ON, OFF
Default Value: OFF (Close)

Parameter ID: DICTCHKSW
NE: BSC6900, BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Meaning: Switch for checking whether the password is in the weak password dictionary when users add or modify a user's password. Weak passwords are included in the weak password dictionary. After this switch is turned on, you must not use common words or combinations of simple letters and digits as passwords, such as 111111, aaaaaa, abc123, linda, and snoopy.
GUI Value Range: OFF (Close), ON (Open)
Unit: None
Actual Value Range: ON, OFF
Default Value: OFF (Close)

Parameter ID: AUTHMODE
NE: BSC6900, BSC6910
MML Command: ADD SNTPSRVINFO
Feature ID: None
Feature Name: None
Meaning: Authentication mode used when the active OMU (NTP client) synchronizes with the NTP server.
GUI Value Range: PLAIN (PLAIN), NTPV3 (NTPV3)
Unit: None
Actual Value Range: PLAIN, NTPV3
Default Value: PLAIN (PLAIN)

Parameter ID: AUTHMODE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Meaning: Indicates the encryption mode. If this parameter is set to PLAIN, data is transmitted in plaintext.
GUI Value Range: PLAIN (Plain), DES_S (DES_S), DES_N (DES_N), DES_A (DES_A), MD5 (MD5)
Unit: None
Actual Value Range: PLAIN, DES_S, DES_N, DES_A, MD5
Default Value: PLAIN (Plain)

Parameter ID: KEY
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Meaning: Indicates the key used for NTP authentication. The key used in the DES_S algorithm is a hexadecimal number whose length is 64 bits in binary format. The seven least significant bits of each byte are used to construct 56-bit key data, and the eighth bit is the odd parity bit for each byte. Any empty bit is filled with 0 to ensure that the key data is composed of 16 hexadecimal digits and has an odd number for parity check. The key used in the DES_N algorithm is similar to the key used in the DES_S algorithm. The only difference is that in the key used in the DES_N algorithm, the most significant bit of each byte is used for parity check. The key used in the DES_A algorithm is an ASCII string of one to eight characters. The seven least significant bits of the ASCII value corresponding to each character are used to construct 56-bit key data. For any ASCII string of less than eight characters, 0s are appended to the string to ensure that the key data is composed of 56 bits. The key used in the MD5 algorithm is an encrypted ASCII string of one to eight characters.
GUI Value Range: 1~16 characters
Unit: None
Actual Value Range: 1~16 characters
Default Value: None

Parameter ID: KEYID
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Meaning: Indicates the server-side index of the NTP authentication key. The index must be the same as the setting on the server.
GUI Value Range: 1~4294967295
Unit: None
Actual Value Range: 1~4294967295
Default Value: None

Parameter ID: IP
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, RMV NTPC, SET MASTERNTPS
Feature ID: None
Feature Name: None
Meaning: Indicates the IPv4 address of the NTP server.
GUI Value Range: Valid IP address
Unit: None
Actual Value Range: Valid IP address
Default Value: 0.0.0.0

Parameter ID: PORT
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Meaning: Indicates the port number of the NTP server. An NTP client performs time calibration with the NTP server through the port specified by this parameter.
GUI Value Range: 123~5999, 6100~65534
Unit: None
Actual Value Range: 123~5999, 6100~65534
Default Value: 123

Parameter ID: SYNCCYCLE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Meaning: Indicates the period based on which NTP time synchronization is performed periodically. The switch for periodic NTP time synchronization is turned on automatically. The time of a base station may differ from the standard time, and a large difference affects the accuracy of KPIs. Therefore, a period must be configured for the base station to perform time synchronization with the NTP server periodically to ensure accurate time. The period for periodic NTP time synchronization must be configured based on the NTP server performance, transport network quality, and base station quantity. A smaller period for periodic NTP time synchronization leads to higher loads for the NTP server and transport network. A larger period leads to lower loads.
GUI Value Range: 1~525600
Unit: min
Actual Value Range: 1~525600
Default Value: None

6 Counters

There are no specific counters associated with this feature.

7 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.

8 Reference Documents

1. GBSS Security Overview Feature Parameter Description for GSM BSS
2. SSL Feature Parameter Description for SingleRAN
3. User Data Anonymization Feature Parameter Description for SingleRAN
