Internet Router
Uninor Internal
Copyright
All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information
contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or
disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd.
Trademarks
Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies
and are hereby acknowledged.
Table of Contents
Introduction ... 4
Use of the Document ... 4
Warning ... 4
Purpose ... 5
General Security Controls ... 6
Control Categories ... 7
Detailed security controls ... 8
Introduction
This document is intended to assist the operations team in deploying a minimum baseline security configuration on the node. These configuration standards detail many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, due to the constant changes and variations in operating system security issues and configurations, this document should be considered a general guideline and starting point.
Warning
This MBSS document and the accompanying guidance material is technically complex and is designed for use by trained security
specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these
services performed for an organization should contact the designated security support staff within their office or territory. Partners or
managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate
technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.
Purpose
This MBSS document relates to the Huawei NE 40 Internet Router. It is intended for use by technical security practitioners for the implementation of minimum General Security Controls.
A technical environment is comprised of a number of inter-related elements that include:
- Applications;
- Databases;
- Communications infrastructure elements; and
- Hardware.
The primary focus of this technical practice aid is to provide a minimum baseline security standard for the Internet Router, covering the properties, features and operating system of the respective product.
General Security Controls
General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use.
Often, it is a combination of these two types of controls that provides the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective.
To complete a comprehensive set of general security controls, in addition to the MBSS document, the operations team will require an understanding of the following platform-independent areas:
Control Categories
The following control categories are included in the MBSS document.

Control Category 1: User Accounts and Groups
A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items.

Control Category 2: Password Management
A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system. This includes password complexity, aging, account locking and similar parameters.

Control Category 3:

Control Category 4: System Updates
A control that must be performed either manually or automatically on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.

Control Category 5: File Access Control

Control Category 6: Audit Logging and Monitoring

Control Category 7: Node properties and feature configurations
A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level. This includes enabling/disabling network services, boot sequence parameters, system interfaces, etc.
Detailed security controls
Each control is listed with its SN, control area, control description, control objective/rationale, implementation guidance, mitigating control (if any) and implementation status, where the original table gives them.

1. User Accounts and Groups

1.2 Privileged accounts
  Implementation status: Implemented, but we are also using a common read-only user ID for monitoring purposes. Exceptions to be approved by the Uninor IS team.

1.3 Default accounts
  Control description: Factory default user accounts and guest user accounts on routers such as Huawei, etc. must be removed.
  Implementation status: Implemented.

1.4 Dormant accounts
  Control description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.
  Implementation status: Implemented, but the router does not enforce any restriction; the period is defined by the administrator.

2. Password Management

2.1 Complexity
  Control description: The Internet router should enforce that passwords meet the complexity requirements of the Uninor Information Security Policy.
  Implementation status: Implemented.

2.2 Default passwords
  Control description: Strong system passwords should be used for the EXEC and PRIV EXEC levels.
  Implementation guidance: Assign system passwords that are in accordance with the Uninor Information Security Policy for the EXEC and PRIV EXEC levels.
  Implementation status: Implemented.

2.3 Password encryption
  Control description: Encrypt all passwords for login access (i.e., CON, VTY).
  Implementation guidance:
    #local-user user-name password { simple | cipher } password
  Implementation status: Implemented.

2.4 Administrator password encryption
  Control description: The administrative password should be protected using an encryption algorithm in accordance with the Uninor Information Security Policy.
  Control objective/rationale: If the digit following the super password level command is a 0, the password has been encrypted using a weak algorithm. If the digit is a 15, the password has been hashed using the stronger MD5 algorithm.
  Implementation guidance: Encrypt the administrative password using hashing algorithms such as MD5 (example cipher text: ,10,YB,.\#C3YB91!!).
  Implementation status: Implemented.

2.5 Account lock
  Control description: The account lockout feature, which disables an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines.
  Control objective/rationale: Unauthorized users may gain access to a system by running a program which guesses user passwords through brute-force attacks. Without the lockout feature enabled, the chance of successful compromise of system resources through brute-force password guessing attacks increases.
  Mitigating control: Exceptions to be approved by the Uninor IS team.
  Implementation status: Not supported.

2.6 Default passwords
  Control description: Default passwords on the router should be changed upon installation. In addition, these passwords should be complex and conform to the Uninor Information Security Policy.
  Implementation status: Implemented.

Securing VTY
  Control description: The CON port is a physical port located on the router.
  Implementation guidance:
    #system-view
    #user-interface vty first-ui-number [ last-ui-number ]
    #shell
    #idle-timeout minutes [ seconds ]
  Implementation status: Implemented.

3.2 System services
  Control description: Disable unauthorized services/daemons on the router based on the Uninor Information Security Policy.
  Control objective/rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, manipulate the functioning of the system, etc. A system with services such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with the Telnet service enabled can be used to run a spurious process in the system, leading to dead weight on processor load.
  Implementation guidance: Identify authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.
  Implementation status: Implemented.

4. System Updates

4.1 Patch upgrade
  Control description: Upgrade the router patch to a supported stable version recommended by the OEM after proper testing has been performed.
  Implementation guidance: Follow the router's firmware upgrade procedures for the model being upgraded. It must be updated with the latest stable patches (bug fixes) specifically related to security.
  Implementation status: Implemented.

5. File Access Control

5.1 Restrict accesses
  Control description: File access (read/write/modify) to sensitive router configuration files should be restricted from unauthorized personnel.
  Implementation status: Implemented.

5.2 Configuration backup
  Control description: Perform backups of the running configuration to the router's Flash/NVRAM memory. Fault tolerance, backup, and recovery procedures should be documented in accordance with the Uninor Information Security Policy.
  Implementation status: Implemented.

5.3 Configuration backup
  Control description: Network file servers containing router configuration files should be properly restricted from unauthorized personnel.
  Implementation guidance: Restrict network file servers so that only authorized personnel can access router configuration files.
  Implementation status: Implemented.

5.4 Legal notice banner
  Control description: ... awareness of legal issues. Configure the Uninor authorized login banner on the router as specified in the Uninor Information Security Policy.
  Implementation status: Implemented.

6. Audit Logging and Monitoring

6.1 Audit logging
  Control description: Enable system logging in accordance with the Uninor Information Security Policy to capture O&M activities, system failures, policy violations, unauthorized access attempts, system events, faults, etc.
  Implementation status: Implemented.
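Control 2.5 records that account lockout is not supported on the node, while 6.1 requires unauthorized access attempts to be logged and 6.3 requires router logs to be forwarded to a central syslog server. The Python script below is an added example, not part of the MBSS document or of any Huawei tooling, of a compensating detection that can run on that syslog server: it counts failed logins per source address in a sliding time window and raises an alert once a threshold is reached, so a brute-force attempt that the router itself will not lock out is still noticed. The log line layout, hostname, addresses and usernames are constructed for the example and are not the router's real syslog format; the field names would need to be mapped to the actual log fields.

```python
"""Compensating detection for control 2.5 (account lockout not supported on the
node): count failed logins per source address in a sliding window over the
central syslog feed (control 6.3) and alert when a threshold is reached.
Added example, not part of the Uninor MBSS document; the log layout below is a
constructed, simplified syslog line, not the router's exact output."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified layout:
#   "<timestamp> <host> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip> vty=<n>"
SAMPLE_LOG = """\
2011-03-01 10:00:01 ne40-core1 LOGIN_FAIL user=admin src=10.1.1.50 vty=0
2011-03-01 10:00:03 ne40-core1 LOGIN_FAIL user=admin src=10.1.1.50 vty=0
2011-03-01 10:00:05 ne40-core1 LOGIN_OK user=noc-ro src=10.1.1.20 vty=1
2011-03-01 10:00:07 ne40-core1 LOGIN_FAIL user=root src=10.1.1.50 vty=0
2011-03-01 10:00:09 ne40-core1 LOGIN_FAIL user=huawei src=10.1.1.50 vty=0
2011-03-01 10:00:12 ne40-core1 LOGIN_FAIL user=admin src=10.1.1.50 vty=0
2011-03-01 10:20:00 ne40-core1 LOGIN_FAIL user=admin src=10.1.1.20 vty=1
2011-03-01 10:40:00 ne40-core1 LOGIN_FAIL user=admin src=10.1.1.20 vty=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_events(text):
    """Return (timestamp, host, event, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["host"], m["event"], m["user"], m["src"]))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (count, first_ts, last_ts, usernames)} for every source
    whose failed logins reach `threshold` within any span of length `window`.
    `usernames` lists all names tried from that source (not windowed)."""
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    users = defaultdict(set)      # src -> usernames seen in failures
    alerts = {}
    for ts, _host, event, user, src in sorted(parse_events(text)):
        if event != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (len(q), q[0], q[-1], sorted(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (n, first, last, names) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logins between {first} and {last}; "
              f"usernames tried: {', '.join(names)}")
```

Successful logins are ignored, so a legitimate administrator with one mistyped password does not trip the alert; the two isolated failures from 10.1.1.20, twenty minutes apart, stay below the threshold, while the burst from 10.1.1.50 is reported once. The threshold and window should be set from the same policy values that 2.5 would otherwise have applied on the router.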
6.2 Command logging
  Control description: Configuration file changes should be monitored and logged in accordance with the Uninor Information Security Policy. Sensitive files such as configuration parameters and logs should not be allowed to be modified or deleted.
  Control objective/rationale: Any authorized/unauthorized or known/unknown access to critical commands used to change either the database or the configuration parameters should be logged so that no access to these sensitive files goes unnoticed. It also ensures that all the evidence is available for tracing the source of a change. Rolling back from an unstable network caused by an improper command is then possible.
  Implementation status: Implemented.

6.3 Logs archive
  Control description: Router logs should be sent to a central syslog server. Archive all security-relevant logs for the period stipulated by applicable laws and regulations. The activity logs need to be retained online for 12 months and offline for 24 months.
  Implementation status: Implemented.

6.4 Monitoring
  Control description: SNMP configured on routers connected to networks should be configured in a secure manner that is consistent with the Uninor Information Security Policy.
  Implementation status: Implemented.

6.5 Hardware support
  Control description: Mission-critical routers should utilize hardware support programs.
  Implementation status: Implemented.

6.6 Review of security and audit logs
  Implementation status: Implemented.

7. Node Properties and Feature Configurations

7.2
  Control description: Routers should be configured to abort VTY interactive sessions that were terminated in an abnormal way.
  Implementation status: Implemented.

7.3 Idle timeout
  Implementation status: Implemented.

7.4 Encryption
  Control description: IPSec should be implemented where sensitive data traverses untrusted or semi-trusted internal networks, in accordance with the Uninor Information Security Policy.
  Implementation status: Not required. The Uninor IS team is to decide whether it is required.

7.5 Privileged password
  Control description: Different levels of PRIV EXEC access should be defined to restrict administrators with varying responsibilities, in accordance with the Uninor Information Security Policy.
  Implementation status: Implemented.

7.6 Encryption
  Control description: SSH should be used to remotely access a router. If Telnet access is required, it should be allowed only via a secure IPSec tunnel between the remote system and the module.
  Implementation guidance: For devices that support the SSH feature, enable the SSH protocol and remove Telnet access to the router.
  Implementation status: Implemented.

7.7 TCP SYN attacks
  Control description: Routers should be configured to reduce the likelihood of TCP SYN attacks.
  Implementation status: To be checked.

7.8 Port description
  Control description: Interfaces should have an appropriate description assigned to them.
  Control objective/rationale: Detailed descriptions of connections will make it easier for administrators to review what types of connections are being made to the router.
  Implementation guidance: Assign a description to each interface. Example:
    interface { interface-type interface-number | interface-name }
  Implementation status: Implemented.

7.9 Auto load configuration
  Control description: Routers should load configuration information from local memory only.
  Implementation guidance: Disable auto-loading, thereby requiring that the router configuration is loaded from local memory and not from the network.
  Implementation status: Implemented.

7.10 ICMP restriction
  Control description: Routers should not respond to ICMP mask requests on interfaces connected to untrusted networks.
  Implementation status: To be checked.

7.11 Disable HTTP
  Control description: Web-based router administration (HTTP) should not be allowed. Disable the HTTP service on the router. If remote administration is required, it should only be allowed from approved IP addresses.
  Implementation status: Implemented.

7.12 Static route
  Control description: Routers should not perform route caching. Disable the router's ability to cache routes.
  Implementation status: Not relevant, as static routing is required.

7.13 Idle timeout
  Control description: ... environment should have appropriate session timeout values assigned.
  Implementation status: Implemented.

7.14 IP spoofing
  Control description: Routers should be configured to prevent IP spoofing.
  Control objective/rationale: If IP spoofing is allowed, it is possible that unauthorized traffic may bypass access control lists on the router by claiming that the traffic came from the internal network.
  Implementation guidance: Create an access list that drops incoming traffic with a source address of the internal network to prevent IP spoofing. ... interfaces.
  Implementation status: To be checked.

7.15 Remote terminals access
  Control description: Routers should restrict which hosts can access remote terminal sessions. Assign an appropriate access list that restricts access to all VTY sessions.
  Implementation status: Implemented.

7.16 Time synchronization
  Control description: Synchronize the router's time with a central time server.
  Implementation guidance: Enable Network Time Protocol (NTP) with authentication on the router and ... host by issuing:
    clock manual source sourcevalue
  Disable NTP on external interfaces through which NTP information does not flow. This will help prevent attacks directed at the Network Time Protocol. NTP can be disabled on an interface using the following command:
    ntp disable
  Implementation status: Implemented.

7.17 Source routing
  Control description: Routers should discard any IP datagram containing a source-route option.
  Implementation guidance: Prevent IP source routing options from being used to spoof traffic.
  Implementation status: Implemented.

7.18 Unused port
  Control description: Interfaces not being used should be disabled.
  Implementation guidance: Shut down unused interfaces. Example:
    system-view
    interface serial 1/1
    shutdown
  Implementation status: Implemented.
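Several of the controls above (2.3 password cipher, the Securing VTY idle-timeout, 7.6 SSH rather than Telnet, 7.8 interface descriptions, 7.15 VTY access list, 7.16 NTP authentication and 7.18 unused interfaces) can be verified against a saved configuration instead of by hand on the console. The Python script below is an added example, not the document's own procedure and not Huawei tooling: it parses a VRP-style configuration text into blocks and reports deviations from those controls. The configuration sample, the cipher-text marker and the interface names are constructed for the example, and the command keywords it matches (local-user ... password cipher, idle-timeout, acl ... inbound, protocol inbound ssh, ntp-service authentication enable) are assumed to follow the device's syntax; adjust the patterns to the exact VRP release in use.

```python
"""Offline audit of a Huawei VRP-style configuration against controls 2.3,
Securing VTY (idle-timeout), 7.6, 7.8, 7.15, 7.16 and 7.18 of the baseline.
Added example, not part of the MBSS document or of Huawei tooling; the
configuration text and all names in it are constructed, and the command
keywords matched below are assumed to follow the device's VRP syntax."""
import re

# Constructed sample in VRP layout: block header at column 0, sub-commands
# indented one space, blocks terminated by "#". It deliberately contains
# deviations so the audit has something to report.
SAMPLE_CONFIG = """\
#
local-user admin password cipher %$%$EXAMPLE-CIPHER-TEXT%$%$
local-user admin service-type ssh
local-user noc-ro password simple noc123
local-user noc-ro service-type telnet
#
ntp-service unicast-server 10.0.0.5
#
interface GigabitEthernet1/0/0
 description UPLINK-TO-INTERNET-PEER
 ip address 203.0.113.2 255.255.255.252
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 shutdown
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""


def parse_blocks(text):
    """Split a VRP-style config into (header, [sub-commands]) pairs; a
    top-level one-liner becomes a block with an empty sub-command list."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if raw.strip() in ("#", ""):           # block terminator
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif raw.startswith(" ") and header is not None:
            body.append(raw.strip())            # sub-command of the open block
        else:
            if header is not None:
                blocks.append((header, body))   # close the previous one-liner
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(text):
    """Return a sorted list of baseline deviations found in the config text."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = []
    for h in headers:
        m = re.match(r"local-user (\S+) password (simple|cipher)", h)
        if m and m.group(2) == "simple":       # 2.3: never store clear-text passwords
            findings.append(f"2.3 local-user {m.group(1)}: password stored in clear text (simple)")
        m = re.match(r"local-user (\S+) service-type (\S+)", h)
        if m and m.group(2) == "telnet":       # 7.6: SSH, not Telnet, for remote access
            findings.append(f"7.6 local-user {m.group(1)}: Telnet service type permitted")
    if any(h.startswith("ntp-service unicast-server") for h in headers) and \
            "ntp-service authentication enable" not in headers:
        findings.append("7.16 NTP configured without authentication")
    for h, body in blocks:
        if h.startswith("interface "):
            name = h.split(" ", 1)[1]
            if "shutdown" in body:
                continue                        # 7.18 satisfied for this interface
            if not any(b.startswith("description ") for b in body):
                findings.append(f"7.8 {name}: no description")
            if not any(b.startswith("ip address ") for b in body):
                findings.append(f"7.18 {name}: unused (no address) but not shut down")
        elif h.startswith("user-interface vty"):
            if not any(b.startswith("idle-timeout ") for b in body):
                findings.append(f"Securing VTY {h}: no idle-timeout")
            if not any(re.match(r"acl \d+ inbound", b) for b in body):
                findings.append(f"7.15 {h}: no inbound ACL restricting VTY access")
            proto = [b for b in body if b.startswith("protocol inbound ")]
            if proto != ["protocol inbound ssh"]:
                findings.append(f"7.6 {h}: inbound protocol is not restricted to SSH")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports eight deviations: the clear-text password and Telnet service type of noc-ro, the unauthenticated NTP server, the undescribed and unshut GigabitEthernet1/0/1, and the VTY block that lacks an idle-timeout, an inbound ACL and an SSH-only inbound protocol; the shut-down GigabitEthernet1/0/2 and the fully configured uplink produce no findings. Running the same check over every router's saved configuration before each change window turns the "To be checked" and "Implemented" status cells of the table into evidence rather than assertions.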
Author & Reviewer
Approvals
Head - Operations
Head NOC
Date
Date
Date