Introduction to the BSC6900 V900R014 Security Features
www.huawei.com
RAN14 Security Design Team
Put simply, product security problems are online product problems directly or indirectly caused by
malicious behaviors, including virus infection, hacker attack, information disclosure, information
tampering, and defects in product security functions.
For example, a breakdown caused by product defects is a reliability problem, whereas a breakdown
caused by malicious behaviors such as a DoS attack, a hacker attack, or intentional damage to the
system is a security problem.
[Figure: threat map of the GU network. Elements: BTS/NodeB, MBSC, MSC, SGSN, OSS, DHCP/SNTP/IPCLK servers, LMT/WebLMT and the Internet, linked by the Uu/Um, Iub/Abis and A/IuCS/IuPS interfaces. Threats labelled on the figure: file/software corruption, network attack, interception, tampering, virus infection, illegal local access, port scanning, traffic attack and replay attack, time synchronization information tampering, virus from a USB flash drive, illegal access, base station forgery and interference.]
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 6
Security Solution
[Figure: countermeasures mapped onto the same GU network. Labelled items: antivirus software (Windows OS); OS patch and OS hardening; customized system (Dopra Linux); account/password management; user privacy protection; emergency call/user location; air interface ciphering and integrity algorithms UEA1/UEA0, UIA1, SNOW3G, A5/1, A5/2, A5/3, GEA1, GEA2, GEA3, GEA4; SSL; FTPS (FTP over SSL); HTTPS; IP clock synchronization security; time synchronization security; PKI (CMPv2); ACL and ACL enhancement; flow control; VLAN/VPN; closing of the local maintenance window; software integrity protection; IPSec (PKI or PSK); DHCP authentication; USB flash drive encryption; 802.1X authentication; security alarm/log.]
General Layout of Security Technologies for GU Products
[Figure: matrix of security technologies by domain, each marked with a status (Met, Under development, Not met, To be enhanced, To be planned); the status marks cannot be recovered from the extracted text. Labelled items:
Operation & maintenance security: centralized user management; account and password policy; user rights management; log and audit management; user operation monitoring; data backup and restoration; OM transmission security (FTPS/SSL/HTTPS); security alarm; web security; disabling insecure services; DHCP security; database security hardening; SNTP security; digital certificate application; PKI deployment; ACL/firewall; clock synchronization security; NE security status monitoring; strong authentication (dual factors); LDAP centralized user management; centralized authentication of products; USB flash drive security; OSS security; remote maintenance security; remote disabling of maintenance ports; banner information security; security documents (user manuals and pre-sales and maintenance documents).
End user security: user privacy protection (identity information, activity status, and communication contents); trace data privacy protection; trace function rights control; terminal location; attack defense of terminals.
Communication security: isolation of three planes; signaling plane encryption; user plane encryption; signaling protocol robustness; network layer robustness; IPv6 security; attack defense of devices; terminal junk traffic filtering; equipment identity authentication; air interface security (A5/4 and Snow3G); charging anti-spoofing; jamming detection.
Equipment platform security: Windows hardening; Solaris hardening; Windows/Linux hardening; OS log management; OS security patch; Windows antivirus; OS remote patching/upgrade; software integrity protection; Femto/Pico security.]
Technical features
RAN13 protects software integrity by using a digital signature and can effectively detect
whether a software package has been tampered with.
You can choose whether to enable the digital signature function.
[Figure: software signature verification flow. The receiver (the signature verification module on the NE) decrypts the digital signature that accompanies the software using the public key to obtain the signed message digest, calculates the message digest of the received software package, and compares the two.]
... the reliability of the whole software package.
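The digest, decrypt-with-public-key and compare flow from the figure, as an added example that is not Huawei's code: textbook RSA without padding over a SHA-256 digest, with demo keys generated inline, chosen only so the block runs on the Python standard library; the page does not specify the NE's actual signature scheme, key sizes or key provisioning. The names keygen, sign and verify and the sample package are assumptions.

```python
import hashlib
import random

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, used only to build the demo keys."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=160):
    """(public, private); n > 2**256 so a SHA-256 digest fits without reduction."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(package: bytes) -> int:
    """Message digest of the software package, as an integer."""
    return int.from_bytes(hashlib.sha256(package).digest(), "big")

def sign(package: bytes, priv) -> int:
    """Vendor side: signature = digest^d mod n (textbook RSA, demo only)."""
    d, n = priv
    return pow(digest(package), d, n)

def verify(package: bytes, signature: int, pub) -> bool:
    """Receiving NE: recover the signed digest as signature^e mod n and compare it with the digest computed over the received package."""
    e, n = pub
    return pow(signature, e, n) == digest(package)
```

A package altered by even one byte, or a signature that does not match, fails the comparison and is rejected.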
Solution: encrypt the data in a USB flash drive to protect the data integrity. USB data integrity protection is similar to software integrity protection.
[Figure: USB flash drive data protection. The NE's file encryption and decryption and integrity check module, driven by security policy information, handles the export files, configuration data, data packages, software packages and other files exchanged with the USB flash drive.]
[Figure: Huawei Linux security solution in two stages: 1. security design; 2. security implementation. Components: Linux security check tool, Linux patch management solution, Linux system service description.]
Dopra Linux is a minimal system customized from the SUSE kernel. It performs excellently in
attack defense tests.
Dopra Linux is a thoroughly tailored SUSE system and does not support antivirus software. As a
result, customers have doubts about the system.
To remove customers' doubts, a Dopra system that is immune to viruses must be developed.
The MBSC, based on iptables in Dopra Linux, supports ACL blacklist and whitelist
configuration.
The logs of operations performed by domain users on the BSC must record the real user
names and IP addresses.
At present, when an M2000 user performs a BSC operation from the M2000 client, the BSC cannot
distinguish the NM user or the IP address of the client. The BSC records EMSCOMM as the
operator and the IP address of the M2000 server as the client IP address. EMSCOMM is a virtual
user name that represents the M2000 server. As a result, you cannot determine or trace which
M2000 user performed a BSC operation by querying the BSC logs. The user experience is poor.
This applies to the following command paths:
MML or binary commands sent to the BSC through the M2000 client
MML or binary commands sent over third-party interfaces (such as the northbound interface,
Nastar, NIC, and NodeB Proxy) provided by the M2000 to the BSC
Machine-machine interface commands sent by the M2000 server and the NetEco to the BSC
Events related to account management:
| Event | Audit | Interface | Status | Severity |
| A domain user or a local user who has logged in to the BSC is forced to log out. | Audit success or failure | EMS/LMT | Recorded | Major |
| A local BSC user is added, deleted, or modified. | Audit success or failure | LMT | Recorded | Minor |
| The group local users belong to is changed. | Audit success or failure | LMT | Recorded | Minor |
| The commands in the command group are adjusted. | Audit success or failure | LMT | Enhanced | Major |
| The rights of local BSC users are changed. | Audit success or failure | LMT | Recorded | Major |
| A local BSC user changes his/her password. | Audit success or failure | LMT | Recorded | Minor |
| A local BSC user changes the password of another user. | Audit success or failure | LMT | Recorded | Major |
| The account or password policy is modified. | Audit success or failure | LMT | Recorded | Major |
The network information collector (NIC) server on the operator's network can collect
security data from all NEs. The NIC server can also be embedded in the M2000 server.
A shell script in the M2000 collects the security data of the M2000 itself.
The SAT server imports the security data files and exports security analysis reports.
When this function is enabled, the password entered by a user cannot be the same as any
password in the weak password dictionary.
To query whether the weak password check is enabled, run the LST PWDPOLICY command.
Note:
Related configuration
To set and query the FTPS server, run the SET FTPSSRV and LST FTPSSRV commands.
To add, modify, and query the destination port of an FTP client, run the ADD FTPSCLTDPORT,
MOD FTPSCLTDPORT, and LST FTPSCLTDPORT commands.
Note: If the login policy was set in a file in RAN13.0, you must set the login policy again in
RAN14.0, as described in the upgrade guide.
Certain weak algorithm controllers are not available in SSL but are available on the web LMT.
The web server uses the certificates delivered with the controllers. (Run the SET CERTFILE
command to replace a certificate.)
The web LMT and SSL use the same weak algorithm controllers.