Академический Документы
Профессиональный Документы
Культура Документы
Make: NSN Platform: DX-200 O&M unit: OMU (Operation and Maintenance Unit) Unitech Wireless Tamilnadu (P) Ltd.
Uninor Internal
_______________________________________________________________________________________________________
Copyright All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd. Trademarks Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Uninor Internal
_______________________________________________________________________________________________________
Table of Contents
Introduction .........................................................................................................................................................................................4 Use of the Document ...........................................................................................................................................................................4 Warning .................................................................................................................................................................................................4 Purpose ..................................................................................................................................................................................................5 General Security Controls..................................................................................................................................................................6 Control Categories ...............................................................................................................................................................................7 Detailed security controls:.................................................................................................................................................................8
Uninor Internal
_______________________________________________________________________________________________________
Introduction This document is to assist operations team to deploy minimum baseline security configuration on the node. These configuration standard, detail many important items such as user account management, password management, interfaces, ports, audit logging, monitoring or node specific security configuration etc. However, due to the constant changes and variations in operating system security issues and configurations, this document should be considered a general guideline and starting point.
Use of the Document The MBSS document is for INTERNAL USE ONLY. They should be kept within the organizations and to be treated as Uninor Internal as per the Information Classification Guidelines mentioned in Uninor Information Security Policy ver 3.0. Not to be distributed to the Original Equipment Manufacturers and/or to Managed Service Partners.
Warning This MBSS document and the accompanying guidance material is technically complex and is designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.
Uninor Internal
_______________________________________________________________________________________________________
Purpose This MBSS document relates to the Base Station Subsyatem (BSS) of Nokia Siemens Network. It is intended for use by technical security practitioners for implementation of minimum General Security Controls. A technical environment is comprised of a number of inter-related elements that include: Applications; Databases; Communications infrastructure elements; and Hardware.
The primary focus of this technical practice aid is to provide minimum baseline security standard for Base Station Subsystem (BSS) that includes properties, features and operating system of the respective product.
Uninor Internal
_______________________________________________________________________________________________________
General Security Controls General Security Controls work requires the examination of both technology-specific and technology independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas, security process review controls will largely be independent of the technical environment in use. Often, it is a combination of these two types of controls that provide the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective. To complete a comprehensive general security controls, in addition to the MBSS document, the operations team will require an understanding of the following platform independent areas: Uninor Information security policy and procedures; Change and Problem Management; Incident Management; System Development; Disaster Recovery and Contingency Planning; and Physical Security.
Uninor Internal
_______________________________________________________________________________________________________
Control Categories The following control categories are included in the MBSS document. Control Category 1: User Accounts and Groups A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items. Control Category 2: Password Management A control that must be enabled/implemented to ensure true and authorized users to gain access on a system. This includes password complexity, aging, account locking, etc. parameters. Interface, Ports and Services A control that must be performed either manually or automated on a regular basis to disable or delete unused ports and services and restrict services that transfer data in clear text. System Updates A control that must be performed either manually or automated on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform such as installation of hot fixes, security patches, etc. File Access Control A control that restricts access to critical configuration files, operating systems, etc. Audit logging and Monitoring Any control that logs user, administrative or system activity. Any control that assists in, or performs, system event logging or the monitoring of the security of the system. Node properties and feature configurationsA control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device that affects the technology at an overall system level. This includes network services enabling/disabling, boot sequence parameters, system interface, etc.
Control Category 3:
Control Category 4:
Control Category 5:
Control Category 6:
Control Category 7:
Uninor Internal
_______________________________________________________________________________________________________
Detailed security controls: SN Control Area Control Description Control Objective/Rationale Implementation Guidance Mitigating Control, If any Implementation Status
1. User Accounts and Groups 1.1 Unique Individual users User ID should be assigned with a separate user-id for BSC authentication in accordance with Uninor Security policy. 1.2 Privileged User IDs which accounts disclose the privileges associated with it, should not be created.(For e.g. ADMINISTRATOR, monitor, config, etc.) 1.3 Account expiry Third party user accounts created to access the BSC must have an associated expiry date.
The audit trail is of limited or no use if there are shared accounts. The use of individual accounts creates accountability for each individual.
Assign unique IDs for all users having access to the system
Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to the accounts such as ADMINISTRATOR, monitor, config, etc. and ultimately the system. Attributing expiry date to a third party user account with respect to the duration of the service contract will ensure automatic disabling of such accounts and hence strengthen the user access management.
Delete all the privileged IDs from the system and review the system ID periodically. Instead, another user account with equal administrator privileges to be created so that ADMINISTRATOR, etc user account can be deleted. Identify and review third party user ID created on system. Keep documented evidence in a separate file for the expiry date of third party user ID with administrator.
Implemented
Uninor Internal
_______________________________________________________________________________________________________
1.5
Dormant Accounts
1.6
Dormant user accounts should be deactivated after the number of days that is specified in the Uninor Information Security Policy guidelines for inactive accounts. System error message should not disclose any details on logon failures.
Delete all the system/default IDs from the system and review the system ID periodically.
Logon failure message may act as a source of information for an unauthorized user to access the system. Information such as invalid user ID or invalid password would help an unauthorized user to understand his mistakes while accessing the system. Logon
Incorrect login shows: user authorization failure and after three consecutive failure time delay is applicable.
Uninor Internal
_______________________________________________________________________________________________________
failure messages may further let an attacker to guess the invalid input. 1.7 Password Unattended Unattended workstations where prompt terminals must users have left themselves automatically blank logged in present a special the screen and attraction for vandals. A vandal suspend the session can access the person's files after the amount of with impunity. Alternatively, time specified in the the vandal can use the person's Uninor Information account as a starting point for Security Policy. Re- launching an attack against the establishment of system or the entire network: the session must any tracing of the attack will take place only after usually point fingers back the user has toward the account's owner, not provided a valid to the vandal. password. 2. Password Management 2.1 Complexit y BSC should enforce that passwords must meet the complexity requirements in accordance to Uninor information security policy. Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user account easy to access. Once an intruder gains access to a user account, they can modify or delete files or
This control can be mitigated by using windows screensaver lockout feature on local workstations.
NSN system has auto logout after 15 minute; Local workstation window screen saver lockout is also activated.
Implemented
Uninor Internal
10
_______________________________________________________________________________________________________
2.2
Default passwords
Default temporary passwords assigned to the users must be changed after first login.
2.3
Password Age
Password should be changed regularly in accordance with the Uninor Information Security Policy.
Requiring new users to change their password upon first login ensures that the temporary password (recorded in written) will not be in use. Additionally, by having users create their own passwords the chance of them remembering their password is significantly increased. A passwords lifetime should be short enough to reduce the risk that the passwords will be compromised and long enough that users will not need to keep a written record of the password. The risk that passwords will be compromised is reduced by frequently changing the password of all the user accounts created to access the BSC.
Implemented
Strong Password shall -Be at least 10 characters in length -Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z) -Have at least one numerical character (e.g. 0-9) -Have at least one special character (e.g. ~! @#$%^&*()_+=) -Last three passwords will not be used again. -Dates of birth, names of family members, and other
Implemented.
Uninor Internal
11
_______________________________________________________________________________________________________
2.4
Account Lock
2.5
The account lockout feature, disabling an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines. The Administrative password should be protected using an encryption algorithm in accordance with Uninor Security policy. Encrypt the administrative password using hashing algorithms such as MD5
Unauthorized users may gain access to a system by running a program which guesses user passwords through brute force attacks. Without the lockout feature enabled the chance of successful compromise of system resources through brute force password guessing attacks increases. Administrator account is privileged with highest access rights. Availability of Administrator's password in clear text from system configuration files would let an unauthorized user gain the access of Administrator account. Impersonification of Administrator can be avoided by encrypting the Administrator password.
Account lock out functionality is not available in NSN system, but time duration delay for next attempt keep increasing after three consecutive failed login.
Implemented
Uninor Internal
12
_______________________________________________________________________________________________________
Default Default passwords Passwords on the BSC should be changed upon installation. In addition these passwords should be complex and conform to Uninor Security Policy. 3. Interfaces, Ports and Services 3.1 Physical Disable console interfaces login used to access physically at BSC Site. Only ethernet port should be allowed. 3.2 AbisBSC should contain interface the configuration (DPC, Signaling links, TGs) for only authorized BTS's in the network. 3.3 STP interface BSC should contain the configuration (point codes and signaling links) for authorized STPs only in the network.
If this type of control is not implemented then an unauthorized user may get an opportunity to login physically on the BSC. In absence of this enforcement, an unused BTS configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC. In absence of this enforcement, an unused STP configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.
Ensure that BSC contain the configuration for only approved and authorized DPC, Signalling links and TGs. Maintain an approval copy of change management form with administrator. Ensure that BSC contain the configuration for only approved and authorized Point codes and for identified authorized STPs. Maintain an approval copy of change management form with administrator.
Implemented
Uninor Internal
13
_______________________________________________________________________________________________________
3.5
O&M interface
Enforcing this security control will ensure that only legitimate and authorized O&M terminals can be used to access the BSC.
Implemented
3.6
System Services
Unauthorized services/daemon allows unauthenticated access to a system and lets users to transfer files, manipulate with the system functioning, etc. A system with services such as ftp enabled can be used as a depot for the unauthorized transfer of information. A system with Telnet service enabled can be used to run a spurious process (e.g.) in the system leading to dead weight on processor load.
Uninor Internal
14
_______________________________________________________________________________________________________
Operating system security vulnerabilities are found on a regular basis. These security holes may pose a significant risk to the internal network. Enforcing this security control will help ensure the system always has the most recent critical operating system updates and service packs installed.
No such patches required for NSN system, time to time network related update are being implemented
Uninor Internal
15
_______________________________________________________________________________________________________
Windows based servers/clients and O&M terminals which are used to manage BSC nodes shall be installed with latest Antivirus software and must regularly be updated. 5. File Access Control 5.1 Restrict Accesses file access (Read/Write/Modif y) to sensitive BSC system and configuration files should be restricted from unauthorized personnel. 5.2 Restrict file access Configuration backup servers containing BSC configuration files such as M2000 should be properly restricted from unauthorized personnel. Review the security and
An unrestricted access may let the unauthorized users to modify/delete the sensitive system and configuration files which may further lead to an unstable performance of the BSC. An unrestricted access to the backup servers may let the unauthorized users to gain the critical information from configuration files which may be further used to gain an unauthorized access to the BSC, impersonify the BSC, etc.
Implemented. No such files are available in NSN system configuration. It is stored in System specific data file and cannot be decoded. Implemented. OSS is accessible via restricted users only
Uninor Internal
16
_______________________________________________________________________________________________________
access requirements in accordance with the Uninor information security policy. 5.3 Legal A legal notice and notice warning should be banner implemented in order to provide adequate protection and awareness of legal issues. Configure Uninor authorized login banner on the BSC as specified in the Uninor Information Security Policy. 6. Audit Logging and Monitoring 6.1 Audit Enable system logging logging in accordance with Uninor Information Security Policy to capture O&M activities, system failures, policy violation, unauthorized access attempts, system
Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
No such banner is available in NSN system. Uninor IS team to take up with NSN.
Enforcing audit logging allows security incidents to be detected and enough evidence to be available for analysis of those incidents. Insufficient logging will result in a lack of an audit trail in the event of an unauthorized access. With good logging and monitoring, administrators are often given early warnings for
Enable recording audit logs for O&M activities, system failures, unauthorized access attempts, etc.
Implemented
Uninor Internal
17
_______________________________________________________________________________________________________
6.3
Logs Archive
System restriction : all activity logs are stored at specific Uninor IT server
Uninor Internal
18
_______________________________________________________________________________________________________
The BSC should be rebooted only by authorized personnel at scheduled times and when users can be properly notified. Unplanned or unscheduled system rebooting will deny users access to the system and could allow unauthorized users access to the system. 6.5 Software Maintain all the Any changes to the systems updates software and patch firmware needs to be logged to logs updates logs since ensure availability of complete inception. list of changes made to the firmware. Also this audit log helps identify any unknown and unauthorized change made to the system. 7. BSC Properties and Features Configuration 7.1 Encryptio Cipher must be Cipher is used to ensure the n enabled to ensure confidentiality of data, thus that the signaling sensitive signaling information and user data and data are protected against cannot be eavesdropping attacks overheard on the radio interfaces 7.2 Ciphering Changing of No change in ciphering while ciphering algorithm algorithm during handover handover should not be ensures same level of allowed at encryption during a call. If the handover. target BTS is configured with
Implemented
Implemented
Uninor Internal
19
_______________________________________________________________________________________________________
7.3
Clock sync Clock synchronization to be configured using the Network Time Protocol (NTP).
Implemented
Uninor Internal
20
Approvals
Head - Operations
Date
Head NOC
Date
Uninor Internal
21