Issue: V2.0
Date: 20140831
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Tel: 0755-28560000 4008302118
Fax: 0755-28560111
CBS Solution
Security Technical White Paper
Contents
1 Start (p. 1)
1.1 Document Scope (p. 1)
1.2 Document Structure (p. 1)
1.3 Usage Instruction (p. 2)
1.4 CBS Solution Overview (p. 2)
1.4.1 Software Architecture (p. 2)
1.5 Security Threats (p. 7)
Start
By analyzing the security threats to the network architecture and service application of
the convergent billing system (CBS) solution, this document describes the security
architecture of the CBS solution and the security policies and measures that are adopted
to ensure the stable and secure running of the CBS solution.
This document assumes that the CBS product is deployed in an environment where the
physical security is ensured. Physical security threats (such as fire disaster, flood, and
theft) of the CBS product are not described in detail. The physical security of the CBS
product depends on carriers' equipment rooms and device deployment.
Network security of core function entities (such as operating systems, databases, and
application components)
Security threats and measures from the technical dimension (The network security is
an aggregation of the management, processes, technologies, and security
countermeasures.)
Security of carriers' internal network devices is not described in detail in this document.
The CBS is not static, so not all security problems can be resolved by fixed deployment
policies. Instead, an optimal deployment scheme must be selected based on the conditions in
the live network environment.
CBS security is ensured through a continuous process and is subject to changes in the CBS
network, customers, applications, technologies, and intrusion methods.
Functional Architecture
Figure 1-1 shows the CBS's functional architecture.
Accounts Receivable
The Accounts Receivable (AR) module provides the following transaction services in a
postpaid service solution or hybrid service solution:
Single services: recharge and payment, recharge and payment reversal, refunding,
account adjustment, account transfer, payment application, write-off, and advance
deposit.
Query services: query for invoices, account balance, outstanding fees, payment records,
deposit details, adjustment logs, and transfer logs.
Billing Configurator
The Billing Configurator module sets the following public parameters and rules for Rating &
Charging and Invoicing:
Basic system data, such as bill cycle, network layer access data, and number analysis
data.
Data synchronization.
Balance refunding
Bill Management
The Bill Management (BM) module exports formatted bills, including generating bills in a
special format, converting bill formats, and reprinting bills.
This module provides the following functions:
Bill design
Bill creation
Bill distribution
Automatic dunning.
Manual dunning. The DC provides a GUI for an operator to upload files, analyze file
content, and perform dunning on subscribers accordingly.
General Ledger
The General Ledger (GL) module provides daily transaction data, generates journals, and
sends post files to external financial systems.
Invoicing
The Invoicing module provides the core functions of bill run calculation, including real billing,
billing redo, test billing, hot billing, and CDR accumulation.
Single services: recharge and payment, recharge and payment reversal, refunding,
account adjustment, and account transfer.
Query services: query for account balance, payment records, adjustment logs, and
transfer logs.
Product Management
The Product Management (PM) module manages offerings, products, plans (such as pricing
plan and notification plan), policies, and reference data (such as brands, free resources, and
time schemes).
Rating & Charging
The Rating & Charging module provides the following functions:
Online rating, offline rating, rerating, billing undoing, error CDR recycling, recurring
charging, and bypass.
Technical Architecture
Technical Features
The technical platform of the CBS has the following features:
Extensible rules
The various extensible charging rules can meet different requirements of customers on
charging policies in different charging scenarios.
Access layer: This layer is the entry for external systems. It manages the connection with
external systems and protocol adaption capabilities and uses BSBus to invoke back-end
services. Adapters and controllers are on this layer.
Service processing layer: This layer provides containers for executing services. It
supports the distributed data access framework and allows one service to access another
service. Containers are on this layer.
Data access layer: This layer provides the distributed data access capability and shields
the data location and data source type from services. DAF, BoCache, GMDB, and PDB
are on this layer.
Table 1-1 lists the key functional modules on the technical platform.
Table 1-1 Key functional modules
Module: Adapter
Module: BatchController
Module: BSBus
Module: Container
Module: DAF
Description: Shields both the data location and access mode differences when applications
access data. DAF supports the following data source types: BoCache, GMDB, and Oracle PDB.
Module: Rule Engine
Description: The CBS GUI, such as PM and AR, allows an operator to use the CRL to define
their own rules, such as the authentication rule, rating rule, notification rule, credit control
rule, bill combination rule, and audit rule. Rule Engine encapsulates the charging virtual
machine (CVM). As the engine that executes the CRL, the CVM executes the bytecode exported
by the CRL compiler.
Module: IDE
There is a lack of security management regulations, or the regulations are not strictly
complied with.
Security patches are not installed for systems and applications in a timely manner, which
brings security vulnerability.
Input validation: buffer overflow, cross-site scripting, and structured query language (SQL)
injection
Authentication: network eavesdropping, brute force attacks, dictionary attacks, cookie replay,
and credential theft
Authorization: elevation of privilege, disclosure of confidential data, data tampering, and
luring attacks
Configuration management: unauthorized access to administration interfaces, unauthorized
access to configuration stores, retrieval of clear-text configuration data, lack of individual
accountability, and over-privileged process and service accounts
Sensitive data: access to sensitive data in storage, network eavesdropping, and data tampering
Session management: session hijacking, session replay, and man in the middle
Cryptography: poor key generation or management, and weak or custom encryption
Parameter manipulation: query string manipulation, form field manipulation, cookie
manipulation, and Hypertext Transfer Protocol (HTTP) header manipulation
Exception management
Viruses: programs that are designed to perform malicious acts and cause disruption to an
operating system or applications.
Worms: programs that are self-replicating and self-sustaining. Worms also increase traffic
and consume bandwidth by using networks to spread copies of themselves to other
computers.
Trojan horses: programs that appear to be useful but actually do damage.
In many cases, malicious code goes unnoticed until it consumes system resources and slows
down or halts the execution of other programs. For example, the Code Red worm was one of
the most notorious to afflict Internet Information Services (IIS), and it relied upon a buffer
overflow vulnerability in an Internet Server Application Programming Interface (ISAPI)
filter.
Profiling
Profiling, or host enumeration, is an exploratory process used to gather information
about your server. An attacker uses this information to attack known weak points.
DoS
DoS occurs when your server is overwhelmed by service requests. The threat is that your
Web server will be too overwhelmed to respond to legitimate client requests.
Unauthorized access
Unauthorized access occurs when a user without correct permissions gains access to
restricted information or performs a restricted operation.
Information gathering
Information gathering can reveal detailed information about network topology, system
configuration, and network devices. An attacker uses this information to mount pointed
attacks at the discovered vulnerability.
Sniffing
Sniffing, also called eavesdropping, is the act of monitoring network traffic for data,
such as clear-text passwords or configuration information. With a simple packet sniffer,
all plaintext traffic can be read easily. In addition, lightweight hashing algorithms can be
cracked and the payload that was thought to be safe can be deciphered.
Spoofing
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the
network. A fake source address is used that does not represent the actual packet
originator's address. Spoofing can be used to hide the original source of an attack or to
work around network access control lists (ACLs) that are in place to limit host access
based on source address rules.
Session hijacking
With session hijacking, also known as man in the middle attacks, an attacker uses an
application that masquerades as either a client or a server. This results in either the server
or client being tricked into thinking that the upstream host is the legitimate host.
However, the upstream host is actually the attacker's host that is manipulating the
network so that it appears to be the desired destination. Session hijacking can be used to
obtain login information that can then be used to gain access to a system or to
confidential information.
DoS
A DoS attack is the act of denying legitimate users access to a server or services.
Network-layer DoS attacks usually try to deny service by flooding the network with traffic,
which consumes the available bandwidth and resources.
If the root user of the operating system on which the Hypervisor is deployed uses a weak
password, and remote su and insecure services such as FTP are allowed, the Hypervisor is
completely exposed on an insecure network and is prone to brute force attacks and
vulnerability exploitation.
Malicious virtual machines (VMs) illegally access resources (including memory, file, and
storage resources) that belong to other VMs on the host. This will cause serious information
leakage and system faults.
MAC address spoofing, IP address spoofing, and ARP spoofing by malicious VMs
VMs communicate through virtual network devices (such as the TAP and bridge) on the host
and then through physical network devices on the host. During this process, malicious VMs
can hijack all the data packets sent to other VMs through MAC address spoofing, IP address
spoofing, and ARP spoofing. This causes leakage of confidential data and tampering with or
destruction of important data.
DoS attacks by malicious VMs are similar to network-layer DoS attacks. When launching an
attack, malicious VMs internally run processes to occupy a large number of system resources
until physical resources (such as network I/O, storage I/O, and CPU) on the host are used up.
This affects the normal running of the host and other VMs on the host.
Storage resources of VMs are stored on the host as disk images. If the host is being attacked,
the attacker may obtain, tamper with, or destroy information in a virtual machine image
(VMI). This leads to security risks such as VM running failures or confidential data leakage.
VMs may be deployed on multiple physical machines that are placed in different physical
locations, and each VM may provide services at different security levels. If VMs are not
effectively isolated on the network or the permission to access the VM network adapter is not
managed, a user who has the remote access permission on a VM at a low security level may
launch stepping-stone attacks, which will reduce the network security.
The management layer security aims to manage all security functions in all systems.
The application layer security aims to protect the applications developed by Huawei, and
it includes access security, data security, communication security, and coding security.
The system layer security aims to protect the operating systems, databases, middleware,
and services that the applications use.
The virtualization layer security aims to protect the virtualization environment, including
resources such as the hosts, VMs, and virtual network, and the operating system and
service applications that are deployed in the environment.
Security mechanisms from all layers coordinate and ensure that the CBS can provide the
carrier with secure, reliable, and stable convergent charging and billing services, and protect
the carrier's assets and telecom users appropriately.
Password Management
Password policies are configurable. Strong passwords are used to prevent password attacks.
Length limitation, composition, and weak password check are applied for passwords.
Password change policies are also applied.
A strong password has the following characteristics:
Comprises at least one uppercase letter, one lowercase letter, and one number (special
characters are allowed).
The password change form includes the old password, the new password, and a confirmation
of the new password.
A user whose password has expired must not be authenticated until the user changes the
expired password.
The administrator can set an expiration threshold for every password of a UserID.
Passwords are securely stored and access to passwords is restricted. Passwords must not be
displayed, transferred, or stored in plain text.
Encryption Algorithms
The CBS encrypts sensitive data such as operator passwords and mobile subscribers' service
passwords. The account and password in a configuration file that is used to connect to the
database or other components are encrypted before being stored, so maintenance engineers
cannot see plain-text passwords in databases or configuration files.
The encryption algorithms used for operator passwords and service passwords are
configurable. Widely used algorithms such as DES, AES, MD5, and SHA256 are supported and
can be selected through configuration.
Huawei recommends that SHA256 be used to encrypt these passwords.
Security Logs
The system writes security-related events (such as logins, user maintenance, and
authorizations), important application operation events, important running events, and
resource warning events to log files.
These security log files support subsequent audits.
Auditable Accounts
Operating system, database, and application accounts and their privileges are strictly planned
so that management accounts are separated from operating accounts, and operating accounts
are strictly differentiated from application connection accounts. This allows a flexible and
efficient audit strategy to be applied.
An application system has only its inherent super-user account; common accounts must be
created by maintenance personnel. An account cannot be shared by more than one person.
Management Layer
Prevent the risks caused by system vulnerabilities by using appropriate policies, standards,
procedures, guidelines, patch management processes, and so on.
The administrative control for all administrators is also very important. This must
include management responsibility and "soft" controls. These controls include the
development and publication of policies, standards, procedures, and guidelines, the
screening of personnel, security awareness training, the monitoring of system activity,
and change control procedures.
Application Layer
At the application layer, the security policies and services include but are not limited to the
following:
Authentication mechanism
Cryptography
Log management
Data protection
SSL/TLS
Ensure the security of applications that are based on UNIX, SUSE Linux, or Windows by
enhancing the corresponding operating system.
System Layer
Use Secure Shell (SSH) and Secure File Transfer Protocol (SFTP) to prevent insecure
network traffic.
Network Layer
Separate different network traffic and control different ACLs by using appropriate
security zones that are created based on subnet division and firewall technologies.
Virtualization Layer
At the virtualization layer, the following methods prevent the Hypervisor from being exposed
on an insecure network and protect it against brute force attacks and vulnerability exploitation:
VM resource isolation
These security methods prevent data loss of and DoS attacks on service applications in the
virtualization environment.
Security administrators: Take responsibility for system security and control important
accounts and passwords. Nobody can access devices including hosts, database servers,
and network devices without the consent of security administrators.
System operators: Perform routine system operations, for example, backing up system
data.
are generated in special scenarios, explanation of the alarms is provided. The scanning
records (including the name and version of the scanner, version of the virus library,
scanning time, and scanning results) are archived and delivered to customers with the
software package.
An integrity verification mechanism is provided for software (including software packages
and patch packages) that is based on general operating systems. The software integrity is
verified during installation and upgrade.
The following documents are delivered with the product (table columns: Document,
Description, Intended Audience, Obtain From):
Installation: software integrity check. Huawei technical support engineers.
Security Hardening Guide. Huawei technical support engineers.
Backup and restore guide. Huawei technical support engineers.
Password change guide.
Operation and maintenance. Huawei technical support engineers.
Reference: user list, process list, service list, and communication matrix.
Routine maintenance: includes the maintenance background and purpose, reference standard,
precautions, procedures, and troubleshooting.
The intended audience and source of the remaining documents are the customer and Huawei
technical support engineers.
If a new account has the same name as a deleted account, except the account name, the
new account cannot inherit other attribute information such as personal information,
authentication information, and authorization information from the deleted account.
An account cannot be written into the code, and a mechanism must be provided to make
accounts configurable.
Identity Authentication
The system provides GUIs for the login authentication and logout functions.
Strong web verification codes are used in web application account authentication and
support high-security features such as background interference and distorted characters.
For the scheme of authentication based on user name and password, the strong password
policy is forcibly used.
After authentication fails, the system provides users with only a general message rather than
the detailed and definite cause of the failure.
Before a password expires, the system displays a message indicating that the password
will expire when the user logs in.
Users must provide the old password for verification when changing their passwords.
Only an administrator can change the passwords of others.
When the initial password is the default password or set by the system administrator,
operators/users are forced to change the initial password after successfully logging in by
using the initial password and before accessing the system. They can access the system
only when they change the initial password successfully.
A password cannot be displayed on the GUI, printed on terminals, or stored in the logs in
plain text.
A password must be saved as encrypted text rather than plain text. Irreversible
algorithms are used to encrypt passwords that do not need to be restored.
Password files must be controlled for access so that common users cannot read or copy
passwords.
A user can change the password only after being successfully authenticated.
An account list and a password list must be provided with the product.
In B/S applications, the account whose password is to be changed must be obtained from
the session information on the server and cannot be specified by the client.
The default password of the built-in account must meet the password complexity
requirements. User documents must ask users to change the default password.
Authentication Failure
When consecutive login attempts fail within the given time, the account is locked.
The time segment in the policy "locking upon consecutive login failures" is configurable.
The number of allowed consecutive failures in the policy "locking upon consecutive login
failures" is configurable.
After the policy "locking upon consecutive login failures" is executed and the lock times out,
the system unlocks the account automatically. In addition, the system supports manual
unlocking by administrators.
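The lockout policy described above (configurable failure count and time segment, automatic unlock after the lock times out, manual unlock by an administrator), written out as an added example that is not CBS code; class and parameter names are hypothetical, and the caller supplies the password-check result and the current time.

```python
"""Account lockout on consecutive login failures (added example, not CBS code)."""
import time
from collections import defaultdict, deque


class LoginGuard:
    """Lock an account after too many consecutive failures inside a sliding time window."""

    # The same text is returned for a wrong password and for a locked account, so the
    # response does not reveal the failure cause (see "Identity Authentication").
    GENERIC_FAILURE = "Login failed."

    def __init__(self, max_failures=5, failure_window_s=300, lock_duration_s=900):
        self.max_failures = max_failures          # allowed consecutive failures (configurable)
        self.failure_window_s = failure_window_s  # time segment in which failures are counted
        self.lock_duration_s = lock_duration_s    # lock time before automatic unlock
        self._failures = defaultdict(deque)       # user -> timestamps of recent failures
        self._locked_until = {}                   # user -> time at which the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                          # lock timed out: automatic unlock
            self._clear(user)
            return False
        return True

    def attempt(self, user, credentials_ok, now=None):
        """Return (accepted, message). The caller has already verified the credentials."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False, self.GENERIC_FAILURE    # locked: reject even a correct password
        if credentials_ok:
            self._clear(user)                     # success resets the failure counter
            return True, "OK"
        window = self._failures[user]
        window.append(now)
        # Only failures inside the configured time segment count as consecutive.
        while window and now - window[0] > self.failure_window_s:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lock_duration_s
            window.clear()
        return False, self.GENERIC_FAILURE

    def admin_unlock(self, user):
        """Manual unlock by an administrator."""
        self._clear(user)

    def _clear(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)
```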
Rights Management
When an account is created, no role or a role with the least rights is assigned to the
account by default.
In the B/S applications, for each URL request requiring authorization, the system must
check whether the session ID of the user is valid and whether the user is authorized to
perform the operation.
Control horizontal access to prevent users from accessing the sensitive data of other users
without authorization.
The authorization and user role data must be stored on the server instead of the client.
The authentication must also be performed on the server.
Session Management
In B/S applications, after the user name and password are successfully authenticated, the
session ID must be changed to prevent session fixation.
In B/S applications, the information that cannot be modified in a session must be stored
or maintained as a part of the session status on the server.
If a user does not perform any operations within a specified period, the system
automatically deletes the user's session. The period is configurable.
All the pages that can be accessed only after login must explicitly provide the logout (or
exit) button or menu.
In B/S applications, when a user exits, the session information about the user must be
deleted.
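The session rules above (new session ID after successful authentication, state kept only on the server, configurable idle timeout, deletion on logout) and the earlier rule that the account for a password change comes from the server-side session, shown together in an added in-memory example that is not CBS code; names are hypothetical and the current time is passed in explicitly so the expiry can be tested.

```python
"""Server-side session handling (added example, not CBS code)."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout_s=900):
        self.idle_timeout_s = idle_timeout_s  # configurable inactivity period
        self._sessions = {}                   # session_id -> {"user", "last_seen", "data"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)      # 256-bit random, unguessable identifier

    def create(self, now=None):
        """Anonymous (pre-login) session, e.g. for the login page itself."""
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now, "data": {}}
        return sid

    def get(self, sid, now=None):
        """Return the session state or None; a successful lookup refreshes the idle timer."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]           # idle timeout: the server deletes the session
            return None
        s["last_seen"] = now
        return s

    def login(self, sid, user, now=None):
        """After authentication succeeds, replace the ID so a pre-set one cannot be reused."""
        now = time.time() if now is None else now
        old = self.get(sid, now)
        if old is None:
            raise KeyError("no live session")
        del self._sessions[sid]               # the pre-login ID is no longer valid
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": now, "data": dict(old["data"])}
        return new_sid

    def current_user(self, sid, now=None):
        s = self.get(sid, now)
        return None if s is None else s["user"]

    def logout(self, sid):
        """Explicit exit: delete the session information."""
        self._sessions.pop(sid, None)

    def change_password_target(self, sid, now=None):
        """The account whose password changes comes from the server session, never the client."""
        user = self.current_user(sid, now)
        if user is None:
            raise PermissionError("not authenticated")
        return user
```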
It is prohibited to store sensitive data in plain text format in the database or files.
In the B/S application, it is prohibited to store sensitive data in plain text format in
hidden domains.
In the B/S application, it is prohibited to buffer web pages containing sensitive data.
In the B/S application, sensitive data must be submitted by using the HTTP-POST
method.
Sensitive data (including passwords, bank accounts, and batch personal data) is
transmitted between untrusted networks through secure channels or transmitted after
encryption, unless otherwise specified by standard protocols.
In web applications, only the HTTPS protocol (namely, SSL with the server certificate)
can be used to transfer sensitive data between the client and the server. This function is
applicable only to local access and login but is not used in device management.
In the B/S application, it is prohibited to carry the session ID (such as JSESSIONID) in the
URL.
It is prohibited to transfer the information that should be kept secret to users to clients.
Security certificates, bank accounts, service SMS messages are either masked in logs or
not printed in any log.
Use secure protocols, such as SSH v2, TLS1.0, SSL3.0, IPSec/SFTP, and SNMPv3, rather than
insecure protocols, such as FTP and Telnet, for system management and between maintained
terminals.
Use a non-patented, secure, and public encryption algorithm instead of the patented
encryption algorithm.
The key for transmitting sensitive data cannot be fixed in the code.
Security Logs
The recorded log content can support subsequent audit. Data including user ID, time,
event type, name of the accessed resource, and access result is recorded in the logs.
The log access control mechanism is provided to prevent unauthorized persons from
accessing, modifying, or deleting logs.
All external communication connections must be necessary for system running and
maintenance. Every communication port that is used must be described in the product
communication matrix document.
All communication ports and protocols that manage the system must have the access
authentication mechanism except for the standard protocol without authentication
mechanism.
The verification code must be a single image in only JPEG, PNG, or GIF format.
The verification code must be generated randomly, and the generated random number
must be secure.
The font, size, and position of each character in the verification code must change
randomly.
The content of the verification code cannot be associated with information submitted by
the client.
The random number generated by the verification code module cannot appear in the
source code of the static page of the client.
The verification code must have background interference. The color, position, and
quantity of the background interference elements must change randomly.
The verification code becomes invalid once it is used. New verification codes must be
generated for new requests.
The verification code and information (such as the user name and password) must be
sent to the server at the same time. The information is verified only after the verification
code check succeeds.
The confidentiality of sensitive data transferred through the Web Service interface must
be ensured.
The input parameters submitted by the Web Service interface must be checked.
Input verification
o
All user input must be verified. When invalid data is found, inform the user of the
invalid input and ask the user to correct it. Note: User input is the data from text,
password, or textarea fields. All user input is deemed untrusted by default, and its
validity must be verified.
o
All input produced by servers must be verified. When invalid data is found, the session
must be invalidated and alarm logs must be generated. Note: Input produced by servers
means all input other than user input, such as URL parameters, data in hidden fields,
selection boxes, check boxes, option buttons, cookies, HTTP headers, and hot spot links
or client scripts. All input produced by servers is deemed falsified and malicious by
default, and its validity must be verified. If such input is invalid, the data has been
tampered with by a malicious user. For example, assume that the Gender field is
mandatory in the user information form and an option button (1 for male and 0 for
female) restricts the user input. If the application receives a Gender value of 2, someone
has tampered with the data.
o
Do not rely on client verification. Instead, the server code must perform the final
verification of the input data. Note: Client verification is used only as an auxiliary
measure to reduce the interactions between the client and the server.
o
Verify input that has already been verified on the client again on the server, with the
same rules. Once the data is found invalid, the session must be invalidated and alarm
logs must be generated. Note: An attack must be assumed, in which the attacker has
bypassed the input verification on the client. Therefore, the session must be invalidated
and alarm logs must be generated.
If the input can only be certain characters or character combinations, use the
whitelist for input verification. Note: For the input compliant with certain rules,
such as email address, date, and decimal fraction, use the regular expression for
whitelist verification. This method is more effective than using the blacklist for
verification.
Verify the input data length. Note: If the input data is a string, the length of the
string must be verified. The length verification increases the difficulty of attacks.
Verify the input data range. Note: If the input data is a numerical value, the range of
the value must be checked. For example, the age should be a positive integer
ranging from 0 to 150.
The input parameters used for redirection cannot contain carriage returns and
linefeeds to avoid HTTP response splitting attacks. Note: A carriage return has
several expression modes (CR = %0d = \r). A linefeed also has several expression
modes (LF = %0a = \n).
User data must be verified on the server. Data can be transmitted to the client after being
HTML encoded, which prevents the execution of malicious code and cross-site scripting
attacks. For untrusted data, HTML encoding is mandatory before the data is transmitted to
the client.
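The input verification rules above applied to a constructed form submission, as an added example that is not CBS code: whitelist regular expressions, length and range checks, the Gender option-button case (a value of 2 invalidates the session and raises an alarm log), rejection of CR/LF in a redirect parameter, and HTML encoding of data echoed to the client. Field names, patterns and limits are hypothetical.

```python
"""Server-side input verification (added example, not CBS code)."""
import html
import re
from urllib.parse import unquote

# Whitelist pattern and maximum length for fields the user types (hypothetical limits).
USER_FIELD_RULES = {
    "display_name": (re.compile(r"^[A-Za-z0-9 ]+$"), 30),
    "email": (re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"), 64),
}
# Server-produced fields (option buttons, hidden fields): only values the page can emit.
SERVER_FIELD_RULES = {"gender": {"0", "1"}}  # 1 for male, 0 for female, as in the text
AGE_RANGE = (0, 150)
CRLF = re.compile(r"[\r\n]")


class UserInputError(ValueError):
    """Invalid user input: tell the user and ask for a correction."""


class TamperingDetected(Exception):
    """Invalid server-produced input: invalidate the session and write an alarm log."""


def check_user_field(name, value):
    pattern, max_len = USER_FIELD_RULES[name]
    if len(value) > max_len:                       # length check before pattern matching
        raise UserInputError(f"{name}: too long")
    if not pattern.fullmatch(value):
        raise UserInputError(f"{name}: invalid format")
    return value


def check_age(value):
    """Numeric input: verify the range, here a positive integer from 0 to 150."""
    if not value.isdigit() or not AGE_RANGE[0] <= int(value) <= AGE_RANGE[1]:
        raise UserInputError("age: must be an integer from 0 to 150")
    return int(value)


def check_server_field(name, value):
    if value not in SERVER_FIELD_RULES[name]:
        raise TamperingDetected(f"{name}={value!r} is not a value the page can produce")
    return value


def check_redirect_target(raw):
    """Reject CR/LF in redirect parameters; %0d/%0a are caught via the decoded form."""
    if CRLF.search(raw) or CRLF.search(unquote(raw)):
        raise TamperingDetected("redirect target contains CR/LF (response splitting)")
    return raw


def render_for_client(value):
    """HTML-encode untrusted data before it is sent back to the client."""
    return html.escape(value, quote=True)


def process_form(form, session):
    """Validate a form submission; return (status, alarm_log_lines)."""
    alarms = []
    try:
        name = check_user_field("display_name", form.get("display_name", ""))
        check_user_field("email", form.get("email", ""))
        check_age(form.get("age", ""))
        check_server_field("gender", form.get("gender", ""))
        check_redirect_target(form.get("next", "/home"))
    except UserInputError as exc:
        return f"invalid input: {exc}", alarms      # user input: ask for a correction
    except TamperingDetected as exc:
        session.clear()                             # server-produced input: kill the session
        alarms.append(f"ALARM session invalidated: {exc}")
        return "rejected", alarms
    return f"welcome {render_for_client(name)}", alarms
```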
Code comment
Comments cannot contain information about the physical path, database connection,
or SQL statement.
For dynamic pages, common comments are not used, and only hidden comments are
used.
When the application is abnormal, capture the exception, filter the information and return
only the common error messages to the client (do not disclose unnecessary information
to the client), and record the detailed error information in the log.
The whitelist must be used on the server to strictly restrict the types of uploaded or
downloaded files.
The CBS provides privacy protection schemes so that carriers can meet local laws and
regulations and customer requirements on privacy protection.
Data collection
To enable subscribers to use services and receive system notifications, the CBS collects
individual data based on service information. Carriers and subscribers must sign the data
collection contract so that the system can process subscriber data to generate production
data required by the service system. Without being authorized by subscribers, the CBS
does not collect, store, or process subscriber data.
Registration
During registration, the system collects service-related data including the customer's
name, certificate number, date of birth, phone number, password for query, home address,
email address, and invoice address. The system does not collect service-irrelevant
information, such as family members and their health status. In the self-registration and
self-service scenarios, the system displays the data collection purpose and notifies the
subscriber of data to be collected. When connecting to a third-party system interface, the
CBS notifies the interface of the mandatory and optional data to be collected.
Deregistration
The CBS starts a scheduled task to automatically clear all individual data X days after
deregistration.
CDR
CDRs record the calling number, called number, communication time, location
information, and other information. The CBS can store CDR files without importing
them to a database or start a scheduled task to automatically clear CDR files a specified
time period after they are stored. The CBS does not import the location and peer number
in CDRs to the database.
NEs in the CBS use SFTP to transfer CDR files. Permission on the files is set as follows:
The owner has read, write, and delete permission, and users in the same group as the
owner have the read permission. Other non-root users have no permission on CDR files.
The CBS records an operation log each time a CDR file is queried.
CDR files in the CBS are used by the Invoicing to accumulate accounts, used by the
report system to collect and analyze statistics, used by the RA to audit and rerate CDRs,
used by the GL for accounting, and used by a third-party system (for example, PRM) to
execute settlement.
Invoice
Invoices record the customer name, invoice address, calling number, called number,
consumption information, balance, total outstanding amount, and other information. The
information can be customized by carriers, and called numbers are anonymized.
Receipt
Receipts record information such as the customer name and phone number.
Receipts are compressed before being stored in a database.
The recharge and payment log table records information related to the bank account,
such as the credit card number, card expiration time, credit card authorization code,
bank account, check number, and check data.
The CBS deducts fees based on the information related to the bank account. Therefore,
the system uses the reversible algorithm AES128 to encrypt and decrypt the information
and then stores it in the database.
Encrypted storage
The system encrypts sensitive data such as the password, bank account, cipher key, PIN1,
PIN2, PUK1, and PUK2 so that the sensitive data is not displayed in plaintext.
The system uses the irreversible algorithm HMAC-SHA256 to encrypt the login password.
The user name is used as the salt for password encryption, which ensures that different
ciphertexts are obtained for the same password. The ciphertext is stored in the CBS
database and is used for verifying the login password that a subscriber enters.
The system uses AES128 to encrypt and decrypt the authentication passwords transferred
between the client and server. The two ends use the same algorithm and cipher key to
ensure that the peer end can decrypt the received passwords. The passwords are
generally stored in configuration files in ciphertext for applications to query. Cipher keys
are generally stored in configuration files in ciphertext to protect key security.
The system generally uses AES128 to encrypt and decrypt bank accounts.
Encrypted transmission
Sensitive data is transferred in ciphertext or through an encryption channel such as
HTTPS, VPN, or SFTP. Passwords, bank accounts, and other information requiring
high-level security must be transferred through an encryption channel in ciphertext.
Data display
Sensitive data is not displayed on web pages, log files, and configuration files in
plaintext. To protect the security of sensitive data such as bank accounts, the system
saves the data in the database in ciphertext, displays the first six or last four digits of
each record on web pages for tracing services or transactions, and displays the
encryption status in log files. If the system does not display the encryption status in log
files, it displays the first six or last four digits and uses asterisks (*) to mask other digits.
Passwords are masked with asterisks (*) on web pages or text boxes and recorded in
ciphertext in log files and configuration files. Cipher keys are displayed in ciphertext in
configuration files.
Other sensitive data such as PIN1, PIN2, PUK1, and PUK2 is displayed in ciphertext.
Individual data of subscribers such as their names, phone numbers, invoices, and
transaction data is displayed in plaintext on web pages and in log files. However, individual
data exported to other systems outside the production system or imported to the
development and test system is anonymized. That is, the system performs transcoding for
individual data such as the name and mobile number to protect subscribers' privacy.
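Added example, not code from the CBS product, of the storage and display rules described in the encrypted storage and data display sections above, in Python: an HMAC-SHA256 password digest salted with the user name (assumption: the user name is used as the HMAC key, since the paper does not say how the salt is applied), masking of a bank account number to its first six and last four digits for web pages and log files, and keyed transcoding of individual data for export outside the production system. The export key and account numbers are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder; in production this would be a per-environment secret.
EXPORT_KEY = b"example-export-key-not-for-production"


def password_digest(username: str, password: str) -> str:
    """Irreversible HMAC-SHA256 digest of the login password, salted with the
    user name. Assumption: the user name is the HMAC key. The same password
    therefore yields different ciphertexts for different users."""
    return hmac.new(username.encode(), password.encode(), hashlib.sha256).hexdigest()


def verify_password(stored_digest: str, username: str, password: str) -> bool:
    """Recompute the digest for the entered password and compare in constant time."""
    return hmac.compare_digest(stored_digest, password_digest(username, password))


def mask_account(number: str, show_first: int = 6, show_last: int = 4) -> str:
    """Display form of a bank account or card number: the first six and last
    four digits stay visible, every other digit becomes '*'. Values too short
    to mask meaningfully are hidden entirely."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= show_first + show_last:
        return "*" * len(digits)
    tail = digits[len(digits) - show_last:]
    return digits[:show_first] + "*" * (len(digits) - show_first - show_last) + tail


def log_line(field: str, value: str, encrypted_in_db: bool) -> str:
    """Log entry for a sensitive field: the encryption status when the value is
    stored encrypted, otherwise the masked value. Plaintext never reaches the log."""
    if encrypted_in_db:
        return f"{field}=<encrypted>"
    return f"{field}={mask_account(value)}"


def pseudonymize(value: str) -> str:
    """Transcoding of individual data (name, mobile number) for export to test,
    development or third-party systems: a keyed, one-way token that is stable
    for equal inputs, so records still match up, but cannot be reversed."""
    return hmac.new(EXPORT_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
```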
Service-related data is backed up based on a backup policy. The backup scope, time, and
interval can be configured in the backup policy. Generally, data generated within a
specified time period is backed up as online backup data for fast restore. By default, the
CBS stores data backed up in the last month as online backup data on disks and stores
data backed up earlier as offline backup data.
Data restore tests must be performed on a regular basis to test the validity of the backup
policy and backup data.
During operating system installation, the latest security patches need to be installed. The
list of verified patches must be released regularly, and these patches must be installed on
the operating system.
After being scanned by Nessus without a user name and password, the system must not
have any high-risk security vulnerabilities.
The highest-privilege accounts, such as root and Administrator, must not be used for
running software or applications or for daily maintenance.
Files and paths used for running applications or for keeping critical data must have
restricted permissions, no more permissive than 770.
Database Security
During database installation, the latest security patches need to be installed. The list of
verified patches must be released regularly, and these patches must be installed in the
database.
After being scanned by Nessus, the database must not have any high-risk security vulnerabilities.
Do not use the default password provided by the supplier for the database account.
The password complexity must meet the requirements.
For the database with the listener function (such as listener.ora of Oracle), configure the
listener password or configure the listener to make it verified by the local operating
system.
The highest-privilege accounts, such as sys and sa, must not be used for software or
application connections or for daily maintenance.
After being scanned by AppScan, the system must not have any high-risk security vulnerabilities.
deployed. The management network can be connected only through this zone to
manage system networks.
o DMZ: The security level is 50. Applications (such as the BMP Gateway, EVC
Portal, and SLB) that directly interact with Internet users are deployed to
implement the Internet access and request distribution.
o OIT: The security level is 55. The LBI is deployed and is provided only for
customers' system administrators. The administrators can use the system
reconciliation and report audit functions.
o HA: The security level is 60. The connection heartbeat interfaces for firewalls are
deployed.
o TEST: The security level is 80. NEs for test, training, and environment
development are deployed.
o Trust: The security level is 85. Service NEs including the CBP, BMP, EVC, UVC,
and UAP are deployed to implement core system functions such as charging,
recharge, and service management.
o OM: The security level is 90. The management plane (including network
management systems, management ports of hardware devices, and service
management plane) is located in the OM zone. To access and control the
management plane, an external network management center needs to connect to the
OM zone of the firewall.
Access control between zones
Security isolation is implemented through the firewall for the connection between external
networks and different zones on the network of the CBS.
Access control inside zones
Connection between internal security zones is controlled using the ACL of switches. Also, the
connection relationship between each module needs to be described in detail in the service
communication matrix.
Remote management of and login to network devices are supported only in the
management plane. Only an IP address in the management plane can be used for remote
management and login. This effectively prevents intrusions and attacks from users.
The management plane is a common plane that involves NEs in various security zones.
Security isolation must be implemented in the management plane to prevent NEs in various
security zones from connecting to each other in the management plane.
In addition, maintenance engineers are advised to use the VPN to connect to core services and
boundary firewalls of the data domain during remote maintenance. The VPN service can be
enabled in the firewalls. The VPN type is IPSec VPN. The VPN client IP address pool can be
configured in the firewalls, and the VPN service assigns IP addresses to maintenance
engineers' clients. Also, filter policies are configured in the firewalls to enable only IP
addresses in the VPN client IP address pool to connect to servers through the firewalls.
The security hardening of the Hypervisor prevents the Hypervisor from being exposed
on an insecure network and from brute force attacks and loophole attacks. In this way,
unauthorized access to the Hypervisor is prevented.
Using the computing resource uniform allocation module, the virtualization platform
uniformly allocates computing resources and memory resources for the VMs on the host,
to prevent DoS attacks from malicious VMs.
Under VMware, the VM provides a private storage security mechanism. Using this
mechanism, the VMI cannot be obtained, tampered with, or destroyed even if the
host is attacked and the attacker has gained control over the host.
The security group management mechanism prevents malicious users from obtaining the
remote access permission on a VM of a low security level and using the VM as a
stepping stone to attack the network.
3 Security Assurance
[Figure: Security assurance mapped onto the IPD process. Phases: Concept (charter), Plan, Development, Qualify, Launch, Lifecycle; review gates TR1, TR2, TR3, TR4/TR4A, TR5, TR6 and GA; work items include HLD, LSD, Coding, BBFV, SDV, SIT, SVT, MM, PCR and offering (OR). Inputs: long-term and short-term security requirements, baseline requirements specification, legal and regulatory standard specifications, customer security requirements, security CBB (encryption algorithms library, PKI platform). Deliverables: implementation guide of security baseline, security baseline, security development standard, security test report, beta test report, penetration test report, security documents, certification, patch management, vulnerability management.]
C
CBS
CSRF
E
E2E  end-to-end
F
FTP
H
HTTP
HTTPS  Secure HTTP
N
NFS
NTP
O
OSI
Q
QoS  Quality of Service
R
RBAC
S
SNMP
SSH  Secure Shell
TFTP
TLS
V
VM  Virtual Machine
VMI
VLAN