Node Name BSS __________________________________________________________________________________________________________________

Minimum Baseline Security Standard Base Station Subsystem

Make: NSN Platform: DX-200 O&M unit: OMU (Operation and Maintenance Unit) Unitech Wireless Tamilnadu (P) Ltd.

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Copyright All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd. Trademarks Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Table of Contents

Introduction .........................................................................................................................................................................................4 Use of the Document ...........................................................................................................................................................................4 Warning .................................................................................................................................................................................................4 Purpose ..................................................................................................................................................................................................5 General Security Controls..................................................................................................................................................................6 Control Categories ...............................................................................................................................................................................7 Detailed security controls:.................................................................................................................................................................8

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Introduction This document is to assist operations team to deploy minimum baseline security configuration on the node. These configuration standard, detail many important items such as user account management, password management, interfaces, ports, audit logging, monitoring or node specific security configuration etc. However, due to the constant changes and variations in operating system security issues and configurations, this document should be considered a general guideline and starting point.

Use of the Document The MBSS document is for INTERNAL USE ONLY. They should be kept within the organizations and to be treated as Uninor Internal as per the Information Classification Guidelines mentioned in Uninor Information Security Policy ver 3.0. Not to be distributed to the Original Equipment Manufacturers and/or to Managed Service Partners.

Warning This MBSS document and the accompanying guidance material is technically complex and is designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Purpose This MBSS document relates to the Base Station Subsyatem (BSS) of Nokia Siemens Network. It is intended for use by technical security practitioners for implementation of minimum General Security Controls. A technical environment is comprised of a number of inter-related elements that include: Applications; Databases; Communications infrastructure elements; and Hardware.

The primary focus of this technical practice aid is to provide minimum baseline security standard for Base Station Subsystem (BSS) that includes properties, features and operating system of the respective product.

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
General Security Controls General Security Controls work requires the examination of both technology-specific and technology independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas, security process review controls will largely be independent of the technical environment in use. Often, it is a combination of these two types of controls that provide the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective. To complete a comprehensive general security controls, in addition to the MBSS document, the operations team will require an understanding of the following platform independent areas: Uninor Information security policy and procedures; Change and Problem Management; Incident Management; System Development; Disaster Recovery and Contingency Planning; and Physical Security.

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Control Categories The following control categories are included in the MBSS document. Control Category 1: User Accounts and Groups A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items. Control Category 2: Password Management A control that must be enabled/implemented to ensure true and authorized users to gain access on a system. This includes password complexity, aging, account locking, etc. parameters. Interface, Ports and Services A control that must be performed either manually or automated on a regular basis to disable or delete unused ports and services and restrict services that transfer data in clear text. System Updates A control that must be performed either manually or automated on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform such as installation of hot fixes, security patches, etc. File Access Control A control that restricts access to critical configuration files, operating systems, etc. Audit logging and Monitoring Any control that logs user, administrative or system activity. Any control that assists in, or performs, system event logging or the monitoring of the security of the system. Node properties and feature configurationsA control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device that affects the technology at an overall system level. This includes network services enabling/disabling, boot sequence parameters, system interface, etc.

Control Category 3:

Control Category 4:

Control Category 5:

Control Category 6:

Control Category 7:

Uninor Internal

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
Detailed security controls: SN Control Area Control Description Control Objective/Rationale Implementation Guidance Mitigating Control, If any Implementation Status

1. User Accounts and Groups 1.1 Unique Individual users User ID should be assigned with a separate user-id for BSC authentication in accordance with Uninor Security policy. 1.2 Privileged User IDs which accounts disclose the privileges associated with it, should not be created.(For e.g. ADMINISTRATOR, monitor, config, etc.) 1.3 Account expiry Third party user accounts created to access the BSC must have an associated expiry date.

The audit trail is of limited or no use if there are shared accounts. The use of individual accounts creates accountability for each individual.

Assign unique IDs for all users having access to the system

Implemented. All users have unique user id.

Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to the accounts such as ADMINISTRATOR, monitor, config, etc. and ultimately the system. Attributing expiry date to a third party user account with respect to the duration of the service contract will ensure automatic disabling of such accounts and hence strengthen the user access management.

Delete all the privileged IDs from the system and review the system ID periodically. Instead, another user account with equal administrator privileges to be created so that ADMINISTRATOR, etc user account can be deleted. Identify and review third party user ID created on system. Keep documented evidence in a separate file for the expiry date of third party user ID with administrator.

Implemented

Implemented (same is validated by Uninor password authorization form)

Uninor Internal

Node Name: BSS

SN 1.4 Control Area Default Accounts Control Description Factory default user accounts and guest user accounts on BSCs such as ROOT, SYS, ericsson, zte, etc. must be removed from the systems. Control Objective/Rationale Disabling the factory default user accounts will prevent unknown users being authenticated as ericsson, zte, SYS, etc. Disabling these accounts will reduce the system's remote unauthenticated attack surface and ensure that only specific security principals can access resources on the system. Dormant user accounts increase the risk that unauthorized users could potentially use these accounts to gain access to the system.

Minimum Baseline Security Standard

Implementation Guidance Delete all the privileged IDs from the system and review the system ID periodically. In case any of the factory account is required then a different user account with equal privileges can be created so that factory default accounts can be deleted. Mitigating Control, If any Implementation Status Implemented (some of the profile in NSN system cannot be removed due to system limitation as those are fix for OSS usage and critical for KPIs ). Exceptions to be approved by Uninor IS team. Implemented, validation, signoff is done quarterly.

_______________________________________________________________________________________________________

1.5

Dormant Accounts

1.6

Log ON error message

Dormant user accounts should be deactivated after the number of days that is specified in the Uninor Information Security Policy guidelines for inactive accounts. System error message should not disclose any details on logon failures.

Delete all the system/default IDs from the system and review the system ID periodically.

Logon failure message may act as a source of information for an unauthorized user to access the system. Information such as invalid user ID or invalid password would help an unauthorized user to understand his mistakes while accessing the system. Logon

Configure logon banner on the system

Incorrect login shows: user authorization failure and after three consecutive failure time delay is applicable.

Uninor Internal

Node Name: BSS

SN Control Area Control Description Control Objective/Rationale

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

failure messages may further let an attacker to guess the invalid input. 1.7 Password Unattended Unattended workstations where prompt terminals must users have left themselves automatically blank logged in present a special the screen and attraction for vandals. A vandal suspend the session can access the person's files after the amount of with impunity. Alternatively, time specified in the the vandal can use the person's Uninor Information account as a starting point for Security Policy. Re- launching an attack against the establishment of system or the entire network: the session must any tracing of the attack will take place only after usually point fingers back the user has toward the account's owner, not provided a valid to the vandal. password. 2. Password Management 2.1 Complexit y BSC should enforce that passwords must meet the complexity requirements in accordance to Uninor information security policy. Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user account easy to access. Once an intruder gains access to a user account, they can modify or delete files or

This control can be mitigated by using windows screensaver lockout feature on local workstations.

NSN system has auto logout after 15 minute; Local workstation window screen saver lockout is also activated.

Implemented

Uninor Internal

10

Node Name: BSS

SN Control Area Control Description Control Objective/Rationale processes owned by that user.

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

2.2

Default passwords

Default temporary passwords assigned to the users must be changed after first login.

2.3

Password Age

Password should be changed regularly in accordance with the Uninor Information Security Policy.

Requiring new users to change their password upon first login ensures that the temporary password (recorded in written) will not be in use. Additionally, by having users create their own passwords the chance of them remembering their password is significantly increased. A passwords lifetime should be short enough to reduce the risk that the passwords will be compromised and long enough that users will not need to keep a written record of the password. The risk that passwords will be compromised is reduced by frequently changing the password of all the user accounts created to access the BSC.

Implemented

Strong Password shall -Be at least 10 characters in length -Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z) -Have at least one numerical character (e.g. 0-9) -Have at least one special character (e.g. ~! @#$%^&*()_+=) -Last three passwords will not be used again. -Dates of birth, names of family members, and other

Implemented.

Uninor Internal

11

Node Name: BSS

SN Control Area Control Description Control Objective/Rationale

Minimum Baseline Security Standard

Implementation Guidance combinations of such personal details which can be connected to the individual or can be easily be guessed should not be used. -Words found in dictionaries should not be used. Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

2.4

Account Lock

2.5

System password storage

The account lockout feature, disabling an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines. The Administrative password should be protected using an encryption algorithm in accordance with Uninor Security policy. Encrypt the administrative password using hashing algorithms such as MD5

Unauthorized users may gain access to a system by running a program which guesses user passwords through brute force attacks. Without the lockout feature enabled the chance of successful compromise of system resources through brute force password guessing attacks increases. Administrator account is privileged with highest access rights. Availability of Administrator's password in clear text from system configuration files would let an unauthorized user gain the access of Administrator account. Impersonification of Administrator can be avoided by encrypting the Administrator password.

Account lock out functionality is not available in NSN system, but time duration delay for next attempt keep increasing after three consecutive failed login.

Implemented

Uninor Internal

12

Node Name: BSS

SN 2.6 Control Area Control Description Control Objective/Rationale Application default passwords are widely known and typically initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status Implemented

_______________________________________________________________________________________________________

Default Default passwords Passwords on the BSC should be changed upon installation. In addition these passwords should be complex and conform to Uninor Security Policy. 3. Interfaces, Ports and Services 3.1 Physical Disable console interfaces login used to access physically at BSC Site. Only ethernet port should be allowed. 3.2 AbisBSC should contain interface the configuration (DPC, Signaling links, TGs) for only authorized BTS's in the network. 3.3 STP interface BSC should contain the configuration (point codes and signaling links) for authorized STPs only in the network.

If this type of control is not implemented then an unauthorized user may get an opportunity to login physically on the BSC. In absence of this enforcement, an unused BTS configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC. In absence of this enforcement, an unused STP configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.

Console login to be restricted to minimum (for emergency use only).

Implemented. Allowed for emergency cases only. Implemented

Ensure that BSC contain the configuration for only approved and authorized DPC, Signalling links and TGs. Maintain an approval copy of change management form with administrator. Ensure that BSC contain the configuration for only approved and authorized Point codes and for identified authorized STPs. Maintain an approval copy of change management form with administrator.

Implemented

Uninor Internal

13

Node Name: BSS

SN 3.4 Control Area MAP E interface Control Description BSC should contain the Trunk Groups configuration for only authorized BSCs/GBSCs and LI systems in the network. BSC should restrict only authorized O&M devices. Node must be configured to identify authorized devices using which O&M activities can be performed. Disable unauthorized services/daemon from the nodes based on Uninor Information security policy. Identify authorized services running on the device via vulnerability assessment and disable unauthorized Control Objective/Rationale In absence of this enforcement, an unused TG configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.

Minimum Baseline Security Standard

Implementation Guidance Ensure that BSC contain the configuration for only approved and authorized TG for authorized BSCs and GBSC or LI system. Maintain an approval copy of change management form with administrator. Ensure that BSC is accessible from only authorized O&M devices, Nodes Maintain an approval copy of change management form with administrator. Disable and replace FTP and telnet by SFTP and SSH respectively. System restriction: and FTP telnet is used for CDR, license, software loading. Exceptions to be approved by Uninor IS team. Mitigating Control, If any Implementation Status Implemented

_______________________________________________________________________________________________________

3.5

O&M interface

Enforcing this security control will ensure that only legitimate and authorized O&M terminals can be used to access the BSC.

Implemented

3.6

System Services

Unauthorized services/daemon allows unauthenticated access to a system and lets users to transfer files, manipulate with the system functioning, etc. A system with services such as ftp enabled can be used as a depot for the unauthorized transfer of information. A system with Telnet service enabled can be used to run a spurious process (e.g.) in the system leading to dead weight on processor load.

Uninor Internal

14

Node Name: BSS

SN Control Area Control Description services. Only those services that serve a documented operational or business need should be listening on the node. 4. System Updates 4.1 Patch Upgrade the upgrade systems firmware to a supported stable version recommended by OEM after proper testing has been performed. Follow OEMs firmware upgrade procedures for the BSC model being upgraded. BSC must be updated with the latest stable patches (bug fixes) specifically related to security. Control Objective/Rationale

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

Operating system security vulnerabilities are found on a regular basis. These security holes may pose a significant risk to the internal network. Enforcing this security control will help ensure the system always has the most recent critical operating system updates and service packs installed.

No such patches required for NSN system, time to time network related update are being implemented

Uninor Internal

15

Node Name: BSS

SN 4.2 Control Area Antivirus Control Description Control Objective/Rationale Enabling this feature will let the systems being prevented by the execution of unauthorized codes such as viruses and Trojan horses.

Minimum Baseline Security Standard

Implementation Guidance Deploy updated antivirus on the node used to access BSC Mitigating Control, If any Implementation Status Implemented(activ ity is done by Uninor IT team)

_______________________________________________________________________________________________________

Windows based servers/clients and O&M terminals which are used to manage BSC nodes shall be installed with latest Antivirus software and must regularly be updated. 5. File Access Control 5.1 Restrict Accesses file access (Read/Write/Modif y) to sensitive BSC system and configuration files should be restricted from unauthorized personnel. 5.2 Restrict file access Configuration backup servers containing BSC configuration files such as M2000 should be properly restricted from unauthorized personnel. Review the security and

An unrestricted access may let the unauthorized users to modify/delete the sensitive system and configuration files which may further lead to an unstable performance of the BSC. An unrestricted access to the backup servers may let the unauthorized users to gain the critical information from configuration files which may be further used to gain an unauthorized access to the BSC, impersonify the BSC, etc.

Limit access to such configuration files to admin level users only.

Limit access to such backup files to admin level users only.

Implemented. No such files are available in NSN system configuration. It is stored in System specific data file and cannot be decoded. Implemented. OSS is accessible via restricted users only

Uninor Internal

16

Node Name: BSS

SN Control Area Control Description Control Objective/Rationale

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

access requirements in accordance with the Uninor information security policy. 5.3 Legal A legal notice and notice warning should be banner implemented in order to provide adequate protection and awareness of legal issues. Configure Uninor authorized login banner on the BSC as specified in the Uninor Information Security Policy. 6. Audit Logging and Monitoring 6.1 Audit Enable system logging logging in accordance with Uninor Information Security Policy to capture O&M activities, system failures, policy violation, unauthorized access attempts, system

Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.

No such banner is available in NSN system. Uninor IS team to take up with NSN.

Enforcing audit logging allows security incidents to be detected and enough evidence to be available for analysis of those incidents. Insufficient logging will result in a lack of an audit trail in the event of an unauthorized access. With good logging and monitoring, administrators are often given early warnings for

Enable recording audit logs for O&M activities, system failures, unauthorized access attempts, etc.

Implemented

Uninor Internal

17

Node Name: BSS

SN Control Area Control Description events, faults, etc. 6.2 Command logging Security configuration file changes should be monitored and logged in accordance with Uninor information security policy. Sensitive files such as configuration parameters and audit logs should not be allowed for modification or deletion. Archive all security relevant logs for a period stipulated as per applicable laws and regulations. The activity logs needs to be retained online for 12 months and offline for 24 months. Control Objective/Rationale hardware and software errors or problems. Any authorized/unauthorized or known/unknown access to critical commands used to change either the database or the configuration parameters should be logged so that none of the access to these sensitive files goes unnoticed. It also ensures that all the evidences are available for reverse tracking the source of change. Rolling back from unstable network due to improper command fire is possible. Having all audit logs archived ensures that if they are needed they will be available. At the same time it ensures compliance with the requirements of the regulator.

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

Command logs are stored at specific location

6.3

Logs Archive

System restriction : all activity logs are stored at specific Uninor IT server

Uninor Internal

18

Node Name: BSS

SN 6.4 Control Area Monitorin g Control Description BSC shutdown and restarts should be monitored. Any unauthorized shutdown and/or unexpected restarts should be investigated. Control Objective/Rationale

Minimum Baseline Security Standard

Implementation Guidance Keep records of reasons for BSC shutdown, reboot or restart with the administrator Mitigating Control, If any Implementation Status Implemented : RCA for any unplanned restart is available

_______________________________________________________________________________________________________

The BSC should be rebooted only by authorized personnel at scheduled times and when users can be properly notified. Unplanned or unscheduled system rebooting will deny users access to the system and could allow unauthorized users access to the system. 6.5 Software Maintain all the Any changes to the systems updates software and patch firmware needs to be logged to logs updates logs since ensure availability of complete inception. list of changes made to the firmware. Also this audit log helps identify any unknown and unauthorized change made to the system. 7. BSC Properties and Features Configuration 7.1 Encryptio Cipher must be Cipher is used to ensure the n enabled to ensure confidentiality of data, thus that the signaling sensitive signaling information and user data and data are protected against cannot be eavesdropping attacks overheard on the radio interfaces 7.2 Ciphering Changing of No change in ciphering while ciphering algorithm algorithm during handover handover should not be ensures same level of allowed at encryption during a call. If the handover. target BTS is configured with

Implemented :an excel sheet is maintained for records

Implemented

Implemented

Uninor Internal

19

Node Name: BSS

SN Control Area Control Description Control Objective/Rationale lower level of ciphering algorithm (for e.g. A5/0) as compared to the current serving BTS (for e.g. A5/1) then this would result in lowering the encryption level. To maintain a same level of encryption level, change of ciphering algorithm should be prohibited at handover. Configuring NTP for clock synchronization will ensure that internal clocks of all the telecom nodes in the network are in synchronization and provide Coordinated Universal Time (UTC) including scheduled leap second adjustments.

Minimum Baseline Security Standard

Implementation Guidance Mitigating Control, If any Implementation Status

_______________________________________________________________________________________________________

7.3

Clock sync Clock synchronization to be configured using the Network Time Protocol (NTP).

Implemented

Uninor Internal

20

Node Name: BSS

Minimum Baseline Security Standard

_______________________________________________________________________________________________________ Author & Reviewer

Created by Information Security Team

Date 13th Jan 2013

Reviewed by Rohit Verma

Date 15th Jan 2013

Approvals

Head - Operations
Date

Head NOC
Date

Head - Managed Services

Date

Head - Information Security: Saurabh Agarwal

Date 29th Jan 2013

Uninor Internal

21