
CBS Solution
Security Technical White Paper

Issue: V2.0
Date: 2014-08-31

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Tel: 0755-28560000 4008302118
Fax: 0755-28560111

Issue V2.0 (2014-08-31)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd


Contents
1 Start (page 1)
1.1 Document Scope (page 1)
1.2 Document Structure (page 1)
1.3 Usage Instruction (page 2)
1.4 CBS Solution Overview (page 2)
1.4.1 Software Architecture (page 2)
1.5 Security Threats (page 7)
2 CBS Security Solution (page 11)
2.1 Security Solution Overview (page 11)
2.2 Common Security Policies (page 11)
2.3 Security Architecture (page 13)
2.4 Security Features (page 15)
2.4.1 Management Layer Security (page 15)
2.4.2 Application Layer Security (page 18)
2.4.3 Privacy Protection (page 23)
2.4.4 System Layer Security (page 26)
2.4.5 Network Layer Security (page 27)
2.4.6 Virtualization Layer Security (page 29)
3 Security Assurance (page 30)
3.1 Security Statements and Qualification (page 30)
3.2 Security Assurance Procedures (page 30)


1 Start

1.1 Document Scope

By analyzing the security threats to the network architecture and service application of
the convergent billing system (CBS) solution, this document describes the security
architecture of the CBS solution and the security policies and measures that are adopted
to ensure the stable and secure running of the CBS solution.

This document assumes that the CBS product is deployed in an environment where the
physical security is ensured. Physical security threats (such as fire disaster, flood, and
theft) of the CBS product are not described in detail. The physical security of the CBS
product depends on carriers' equipment rooms and device deployment.

This document describes the following aspects:

Network security of core function entities (such as operating systems, databases, and
application components)

Security threats and measures from the technical dimension (The network security is
an aggregation of the management, processes, technologies, and security
countermeasures.)

Network security of boundary network elements (NEs), such as the firewall

Security of carriers' internal network devices is not described in detail in this document.

1.2 Document Structure


This document first introduces the mapping between the ITU-T X.805 security model and the
CBS security architecture model. Based on the security architecture model that is divided into
the management, application, system, network, and virtualization layers, this document
describes the security threats to the CBS at each layer and provides corresponding security
policies and measures. These security measures ensure that the CBS runs in a secure and
stable manner.
For details about the end-to-end (E2E) CBS security material, see the security document.


1.3 Usage Instruction


This document lists only the commonly known security threats and provides corresponding
security measures.
During the actual application process on the live network, the adopted security policies may
be different from those described in this document to comply with the international
telecommunication standards and the security regulations in the local country and region. You
need to determine or supplement the security schemes based on the specific scenario.
Important notes about the CBS security are as follows:

The CBS is not static, which means that not all security problems can be resolved by
implementing fixed deployment policies. Instead, an optimal deployment scheme needs
to be selected based on conditions in the live network environment.

The CBS security is ensured in a continuous process and is subject to the changes and
development of the CBS network, customers, applications, technologies, and intrusion
ways.

The CBS security is an aggregation of the management, processes, technologies, and security countermeasures. These parts are associated, and changes to one part affect the others.

1.4 CBS Solution Overview


This section provides an overview of the CBS solution, including the system architecture and network structure, so that readers gain a brief understanding of the target product or solution before reading the associated security description.

1.4.1 Software Architecture


This section describes the functional architecture and technical architecture of the CBS.

Functional Architecture
Figure 1-1 shows the CBS's functional architecture.


Figure 1-1 CBS's functional architecture

Yellow cells: NEs that are required by the CBS.

White cells: third-party NEs.

Gray area: the CBS's core functional modules and subsystems.

Accounts Receivable
The Accounts Receivable (AR) module provides the following transaction services in a
postpaid service solution or hybrid service solution:

Single services: recharge and payment, recharge and payment reversal, refunding,
account adjustment, account transfer, payment application, write-off, and advance
deposit.

Batch services: payment application, account adjustment, advance deposit, write-off, prepayment, and payment reversal in batches.

Query services: query for invoices, account balance, outstanding fees, payment records,
deposit details, adjustment logs, and transfer logs.

Billing Configurator
The Billing Configurator module sets the following public parameters and rules for Rating &
Charging and Invoicing:

Basic system data, such as bill cycle, network layer access data, and number analysis
data.

Rules for standard events, charging preprocessing, authentication, payment application, and call detail record (CDR) extension.

Self-service management services.

Voice, SMS message, multimedia messaging service (MMS) message, notification, recharge, bill run, and error CDR.

Data synchronization.


Convergent Balance Service


The Convergent Balance Service module is a background functional module in the CBS for
unified balance management. This module provides the following functions:

Balance adjustment and reversal

Prepayment and reversal

Balance transfer and reversal

Account settlement and query

Recharge by recharge card

Balance refunding

Bill Management
The Bill Management (BM) module exports formatted bills, including generating bills in a
special format, converting bill formats, and reprinting bills.
This module provides the following functions:

Bill design

Bill creation

Bill distribution

Currently, BM uses the purchased PrintNet Designer as an outsourced component to implement the bill design function.
Customer Care
The Customer Care module provides a GUI for customer management operations, including
operations for single services and batch services. This module also provides maintenance
functions, such as viewing operation logs and managing orders.
Customer Management
The Customer Management module performs background tasks for the Customer Care
module. The Customer Management module connects to the CRM system and provides a
reverse work order interface.
Debt Collection
The Debt Collection (DC) module collects payment from subscribers or accounts that have
not paid fees by the due date. DC obtains debt information from AR.
The collection methods include:

Automatic dunning.

Manual dunning. The DC provides a GUI for an operator to upload files, analyze file
content, and perform dunning on subscribers accordingly.

General Ledger
The General Ledger (GL) module provides daily transaction data, generates journals, and
sends post files to external financial systems.
Invoicing
The Invoicing module provides the core functions of bill run calculation, including real billing,
billing redo, test billing, hot billing, and CDR accumulation.


Recharge & Balance Handling


The Recharge & Balance Handling module provides the following transaction services in a
prepaid service solution:

Single services: recharge and payment, recharge and payment reversal, refunding,
account adjustment, and account transfer.

Query services: query for account balance, payment records, adjustment logs, and
transfer logs.

Product Management
The Product Management (PM) module manages offerings, products, plans (such as pricing
plan and notification plan), policies, and reference data (such as brands, free resources, and
time schemes).
Rating & Charging
The Rating & Charging module provides the following functions:

Online rating, offline rating, rerating, billing undoing, error CDR recycling, recurring
charging, and bypass.

Charging for voice, data, content, and messaging services.

Technical Architecture
Technical Features
The technical platform of the CBS has the following features:

Distributed service framework (DSF)
In DSF, services comply with standard specifications and can be loaded and run by containers. This framework provides the service registration, locating, routing, and distributed access functions.

Distributed data access framework (DAF)
DAF shields both the data location and access mode differences when applications access data.

Extensible rules
The various extensible charging rules can meet different requirements of customers on charging policies in different charging scenarios.

Extensible service and data structure
IDE supports the flexible extension and customization of service and data structure.

Functional Modules of the Technical Platform


Functional modules of the technical platform have the following layers:

Access layer: This layer is the entry for external systems. It manages the connection with
external systems and protocol adaption capabilities and uses BSBus to invoke back-end
services. Adapters and controllers are on this layer.

Service processing layer: This layer provides containers for executing services. It
supports the distributed data access framework and allows one service to access another
service. Containers are on this layer.


Data access layer: This layer provides the distributed data access capability and shields
the data location and data source type from services. DAF, BoCache, GMDB, and PDB
are on this layer.

Table 1-1 lists the key functional modules on the technical platform.

Table 1-1 Key functional modules

Adapter
Manages the connection with external systems, protocol adaption capabilities, and overload control. It is the entry for external systems. Processes external messages and uses BSBus to invoke back-end services. The CBS provides the following adapters:
DCCAdapter: processes external Diameter messages. For example, it processes the data communication channel (DCC) charging message sent by the online charging gateway (OCG) when connecting to the OCG.
RCOMMAdapter: processes external RCOMM messages. For example, it uses the protocol customization capability of the front end processor (FEP) to adapt to the special protocol requirements on the site.

BatchController
Receives and manages the scheduled tasks delivered by the management server, and schedules background services in batches.

BSBus
Functions as a distributed service bus that connects to multiple nodes and separates service access from service deployment. BSBus can be used to create a message channel between adapters and containers. Based on BSBus, the module that invokes a service does not need to know the physical location of the service provider or how the service is deployed.

Container
Functions as the smallest manageable physical unit used for executing services in DSF. One container instance can load one or more services. For example, balance management and credit control run in containers.

DAF
Shields both the data location and access mode differences when applications access data. DAF supports the following data source types: BoCache, GMDB, and Oracle PDB.

Rule Engine
Executes the Charging Rule Language (CRL) provided by the CBS. Improves the customization capability and flexibility of the CBS, and increases the speed of responses to customization requirements. The CBS GUI, such as PM and AR, allows an operator to use the CRL to define their own rules, such as authentication rules, rating rules, notification rules, credit control rules, bill combination rules, and audit rules. Rule Engine encapsulates the charging virtual machine (CVM). As the engine that executes the CRL, CVM executes the bytecode exported by the CRL compiler.

IDE
Extends the data model, services, and APIs.

1.5 Security Threats


This section uses the ITU-T X.805 security model to describe the security threats that the CBS solution faces, including the possible security vulnerabilities, the risks, and the severe impact that results when no associated countermeasure is taken.

Security Threats at the Management Layer

There is a lack of security management regulations, or the regulations are not strictly complied with.

Associated personnel lack security awareness.

Security patches are not installed for systems and applications in a timely manner, which leaves security vulnerabilities open.

Multiple persons share an account, so events cannot be traced back to an individual.

Incomplete security documentation fails to provide sufficient guidance for production security.

Security Threats at the Application Layer

Input validation
Buffer overflow, cross-site scripting, and structured query language (SQL) injection

Authentication
Network eavesdropping, brute force attacks, dictionary attacks, cookie replay, and
credential theft

Authorization
Elevation of privilege, disclosure of confidential data, data tampering, and luring attacks

Configuration management
Unauthorized access to administration interfaces, unauthorized access to configuration
stores, retrieval of clear text configuration data, lack of individual accountability, and
over-privileged process and service accounts

Sensitive data
Access to sensitive data in storage, network eavesdropping, and data tampering

Session management
Session hijacking, session replay, and man in the middle

Cryptography
Poor key generation or management, and weak or custom encryption

Parameter manipulation
Query string manipulation, form field manipulation, cookie manipulation, and Hypertext
Transfer Protocol (HTTP) header manipulation

Exception management
Information disclosure and denial of service (DoS)

Auditing and logging
Users denying operations, attackers exploiting applications without trace, and attackers covering their tracks

Security Threats at the System Layer

Viruses, worms, and Trojan horses
Malicious code comes in several varieties, including:

Viruses: programs that are designed to perform malicious acts and cause disruption to an operating system or applications.

Worms: programs that are self-replicating and self-sustaining. Worms also increase traffic and take up bandwidth by using networks to spread copies of themselves to other computers.

Trojan horses: programs that appear to be useful but actually do damage.

In many cases, malicious code goes unnoticed until it consumes system resources and slows down or halts the execution of other programs. For example, the Code Red worm was one of the most notorious to afflict Internet Information Services (IIS), and it relied upon a buffer overflow vulnerability in an Internet Server Application Programming Interface (ISAPI) filter.

Profiling
Profiling, or host enumeration, is an exploratory process used to gather information
about your server. An attacker uses this information to attack known weak points.

Brute force attacks
A brute force attack is the act of trying every possible account and password until the attacker finds the right one.

DoS
DoS occurs when your server is overwhelmed by service requests. The threat is that your
Web server will be too overwhelmed to respond to legitimate client requests.

Arbitrary code execution
Code execution attacks occur when an attacker runs malicious code on your server either to compromise server resources or to mount additional attacks against downstream systems.

Unauthorized access
Unauthorized access occurs when a user without correct permissions gains access to
restricted information or performs a restricted operation.

Security Threats at the Network Layer

Information gathering
Information gathering can reveal detailed information about network topology, system
configuration, and network devices. An attacker uses this information to mount pointed
attacks at the discovered vulnerability.

Sniffing
Sniffing, also called eavesdropping, is the act of monitoring network traffic for data,
such as clear-text passwords or configuration information. With a simple packet sniffer,
all plaintext traffic can be read easily. In addition, lightweight hashing algorithms can be
cracked and the payload that was thought to be safe can be deciphered.


Spoofing
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the
network. A fake source address is used that does not represent the actual packet
originator's address. Spoofing can be used to hide the original source of an attack or to
work around network access control lists (ACLs) that are in place to limit host access
based on source address rules.

Session hijacking
With session hijacking, also known as man in the middle attacks, an attacker uses an
application that masquerades as either a client or a server. This results in either the server
or client being tricked into thinking that the upstream host is the legitimate host.
However, the upstream host is actually the attacker's host that is manipulating the
network so that it appears to be the desired destination. Session hijacking can be used to
obtain login information that can then be used to gain access to a system or to
confidential information.

DoS
A DoS attack is the act of denying legitimate users access to a server or services. Network-layer DoS attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Security Threats at the Virtualization Layer

Unauthorized access to the Hypervisor

If the root user of the operating system where the Hypervisor is deployed uses a weak password, remote su is permitted, and insecure services such as FTP are allowed, the Hypervisor is completely exposed on an insecure network and is prone to brute force attacks and attacks that exploit vulnerabilities.

Unauthorized access to host resources by malicious VMs

Malicious virtual machines (VMs) illegally access resources (including memory, file, and
storage resources) that belong to other VMs on the host. This will cause serious information
leakage and system faults.

MAC address spoofing, IP address spoofing, and ARP spoofing by malicious VMs
VMs communicate through virtual network devices (such as the TAP and bridge) on the host and then through physical network devices on the host. During this process, malicious VMs can hijack all the data packets sent to other VMs through MAC address spoofing, IP address spoofing, and ARP spoofing. This causes leakage of confidential data and tampering with or destruction of important data.

DoS attacks by malicious VMs

DoS attacks by malicious VMs are similar to network-layer DoS attacks. When launching an
attack, malicious VMs internally run processes to occupy a large number of system resources
until physical resources (such as network I/O, storage I/O, and CPU) on the host are used up.
This affects the normal running of the host and other VMs on the host.

Unauthorized access to VMI storage

Storage resources of VMs are stored on the host as disk images. If the host is being attacked,
the attacker may obtain, tamper with, or destroy information in a virtual machine image
(VMI). This leads to security risks such as VM running failures or confidential data leakage.

Threats from remote access

VMs may be deployed on multiple physical machines that are placed in different physical
locations, and each VM may provide services at different security levels. If VMs are not
effectively isolated on the network or the permission to access the VM network adapter is not
managed, a user who has the remote access permission on a VM at a low security level may
launch stepping-stone attacks, which will reduce the network security.


2 CBS Security Solution

2.1 Security Solution Overview


The CBS security solution comprises five layers:

The management layer security aims to manage all security functions in all systems.

The application layer security aims to protect the applications developed by Huawei, and
it includes access security, data security, communication security, and coding security.

The system layer security aims to protect the operating systems, databases, middleware,
and services that the applications use.

The network layer security aims to protect the entire network.

The virtualization layer security aims to protect the virtualization environment, including
resources such as the hosts, VMs, and virtual network, and the operating system and
service applications that are deployed in the environment.

Security mechanisms from all layers coordinate and ensure that the CBS can provide the
carrier with secure, reliable, and stable convergent charging and billing services, and protect
the carrier's assets and telecom users appropriately.

2.2 Common Security Policies


Security hardening is performed for operating systems, databases, and network devices for the
CBS solution to keep production systems secure. Most of the basic rules are applied to
operating systems, databases, and application systems.
Common security policies include but are not limited to the following:

Password Management
Password policies are configurable. Strong passwords are enforced to resist password attacks: length limits, composition rules, and weak-password checks are applied to passwords, together with password change policies.
A strong password has the following characteristics:

Has a minimum length of eight characters.

Comprises at least one uppercase letter, one lowercase letter, and one number (special characters are allowed).


Expires after 90 days (configurable).

Is different from the previous 12 passwords used (configurable).

Can be changed by administrators at any time.

Can be changed by the associated user only once within 24 hours.

Password change policies include the following:

The applications provide a password change function.

The change form requires the old password, the new password, and a confirmation of the new password.

A password lifespan is applied:

A user whose password has expired is not authenticated until the user changes the expired password.

The administrator can set an expiration threshold for every password of a UserID.

Passwords are stored securely, and access to stored passwords is restricted. Passwords must not be displayed, transferred, or stored in plain text.
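The password policy described in this section (minimum length and composition, 90-day expiry, no reuse of the previous 12 passwords, one user-initiated change per 24 hours, administrator changes at any time, an expired password refusing authentication until it is changed, and the old/new/confirmation change form), as an added Python example; this is not Huawei code. Storing passwords as salted PBKDF2 over SHA-256, the iteration count, and the constructed timestamp helper are assumptions: the page only names SHA256.

```python
"""Password policy checks modelled on the CBS common security policies.
Constructed example, not Huawei code. Storing passwords as salted PBKDF2 over
SHA-256 and the iteration count are assumptions; the page only names SHA256."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 100_000                 # assumption, not given by the page
BASE_TIME = datetime(2014, 8, 31, 9, 0, 0)  # constructed reference time


def ts(days=0, hours=0):
    """Constructed timestamps relative to BASE_TIME, so the example needs no clock."""
    return BASE_TIME + timedelta(days=days, hours=hours)


@dataclass
class PasswordPolicy:
    min_length: int = 8                   # minimum length of eight characters
    max_age_days: int = 90                # expires after 90 days (configurable)
    history_size: int = 12                # different from the previous 12 passwords
    user_change_interval_hours: int = 24  # user may change it only once within 24 hours


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    user_id: str
    current: StoredPassword
    history: list = field(default_factory=list)  # earlier passwords, newest first


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def matches(stored, password):
    # Constant-time digest comparison; the plain text is never stored or logged.
    return hmac.compare_digest(stored.digest, hash_password(password, stored.salt))


def check_strength(password, policy):
    """Return the composition rules the password violates (empty list = strong)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems  # special characters are allowed, so they are not checked


def authenticate(account, password, policy, now):
    """'ok', 'bad-password' or 'expired': an expired password must not authenticate."""
    if not matches(account.current, password):
        return "bad-password"
    if now - account.current.set_at > timedelta(days=policy.max_age_days):
        return "expired"
    return "ok"


def change_password(account, old, new, confirm, policy, now, by_admin=False):
    """Process the change form (old, new, confirmation); return the reasons for refusal."""
    reasons = []
    if not by_admin:  # administrators may change a password at any time
        if not matches(account.current, old):
            reasons.append("old password incorrect")
        if now - account.current.set_at < timedelta(hours=policy.user_change_interval_hours):
            reasons.append("user may change the password only once within 24 hours")
    if new != confirm:
        reasons.append("confirmation does not match")
    reasons.extend(check_strength(new, policy))
    # "Previous 12 passwords" is read here as the current one plus the 11 before it.
    recent = [account.current] + account.history[: policy.history_size - 1]
    if any(matches(p, new) for p in recent):
        reasons.append(f"reused one of the previous {policy.history_size} passwords")
    if reasons:
        return reasons
    account.history.insert(0, account.current)
    del account.history[policy.history_size - 1:]
    salt = os.urandom(16)
    account.current = StoredPassword(salt, hash_password(new, salt), now)
    return []


def new_account(user_id, password, now):
    salt = os.urandom(16)
    return Account(user_id, StoredPassword(salt, hash_password(password, salt), now))
```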

Authentication and Session Control

Access to the CBS must be authenticated, and the necessary session control is applied. For sensitive transactions, the related messages must carry a corresponding authentication code. For example, when a trusted client sends a message to a CBS node, the source IP address can be used to validate a request from the SCP or MSC; an operator ID and operation ID can be used to authorize a request from the business support system.
A one-time verification code is used in addition to the password to authenticate user logins from browser-based applications.

Encryption Algorithms
The CBS protects sensitive data, such as operator passwords and mobile subscribers' service passwords, cryptographically. Accounts and passwords kept in configuration files for connecting to the database or other components are encrypted before they are stored. Maintenance engineers cannot see plain-text passwords in databases or configuration files.
The algorithms used to protect operator passwords and service passwords are configurable. Widely used algorithms such as DES, AES, MD5, and SHA256 are supported and can be selected through configuration.
Huawei recommends that SHA256 be used for these passwords.

Secure Interaction Protocols

Interactions between system components are protected by secure interaction protocols. For example, the interaction between the business support system and the CBS uses Web Services, and HTTPS is used to protect the channel.
Message-level protection is enforced for important operations. For example, the system login message is protected by encryption, while recharge messages are required to be integrity protected.
By default, interaction protocols use the stronger security protection.


Minimized Authorization Rule

Authorization for accounts, roles, and groups follows the least-privilege rule: an account or
group is assigned only the roles and privileges it needs, and a role is assigned only the
privileges it needs.
Following this rule, the system design strictly separates accounts for the operating systems,
the DBMS, and the business system, and management roles are separated from operational ones.

File Permission Management

File permissions must be set explicitly; relying on default permissions is discouraged.
Different file types are stored in different directories so that directory permissions remain
clear.

Security Logs
The system records security-related events (such as logins, user maintenance, and
authorization changes), important application operation events, important running events, and
resource warning events in log files.
These security log files support auditing.

Auditable Accounts
Operating system, database, and application accounts and their privileges are strictly
planned so that management accounts are separated from operating ones, and operating accounts
are strictly differentiated from application connection accounts, so that a flexible and
efficient audit strategy can be applied.
The application system has only one inherent super-user account; all other accounts must be
created by maintenance personnel. An account cannot be shared by more than one person.

2.3 Security Architecture

Figure 2-1 shows the CBS's security architecture.


Figure 2-1 CBS's security architecture

Management Layer

Prevent the risks caused by system vulnerabilities by using appropriate policies, standards,
procedures, guidelines, patch management processes, and so on.

The administrative control for all administrators is also very important. This must
include management responsibility and "soft" controls. These controls include the
development and publication of policies, standards, procedures, and guidelines, the
screening of personnel, security awareness training, the monitoring of system activity,
and change control procedures.

Application Layer
At the application layer, the security policies and services include but are not limited to the
following:

Authorization and identification mechanism

Authentication mechanism

Cryptography

Log management

Auditing and alarm management

Data protection

SSL/TLS

Ensure the security of applications that are based on UNIX, SUSE Linux, or Windows by
enhancing the corresponding operating system.

System Layer

Use Secure Shell (SSH) and Secure File Transfer Protocol (SFTP) to prevent insecure
network traffic.

Network Layer

Separate different network traffic and control different ACLs by using appropriate
security zones that are created based on subnet division and firewall technologies.

Separate different virtual local area networks (VLANs).

Virtualization Layer
At the virtualization layer, the following methods prevent the Hypervisor from being exposed
on an insecure network and protect it from brute-force attacks and vulnerability exploitation:

Hypervisor security hardening

VM resource isolation

Virtual network security

Security group management

Protection against DoS attacks

These security methods prevent data loss of and DoS attacks on service applications in the
virtualization environment.

2.4 Security Features


2.4.1 Management Layer Security
Regulations and Organizations
Security management organizations must be established and regulations and laws must be
developed. Proper permission must be assigned to the security management organizations to
monitor the CBS. Security management organizations must include engineers who can
maintain the system and troubleshoot emergency faults. It is recommended that the following
roles be available in security management organizations:

Security administrators: Take responsibility for system security and control important
accounts and passwords. Nobody can access devices including hosts, database servers,
and network devices without the consent of security administrators.

System administrators: Periodically perform system maintenance activities and serve as
the primary owners of system management.

System operators: Perform routine system operations, for example, backing up system
data.

Report operators: Periodically generate and check system reports.

All personnel must have the awareness of preventing external attacks.

Software Release Security

Before being released, a software package (including patch packages) is scanned by at
least one mainstream virus scanner. No alarm is generated during the scanning. If alarms
are generated in special scenarios, an explanation of the alarms is provided. The scanning
records (including the name and version of the scanner, the version of the virus library,
the scanning time, and the scanning results) are archived and delivered to customers with the
software package.
An integrity verification mechanism is provided for software (including software packages
and patch packages) that is based on general operating systems. The software integrity is
verified during installation and upgrade.

Security Technical Documents
Table 2-1 lists the reference documents for security maintenance.
Table 2-1 Reference documents for security maintenance
(Columns: Application scenario, Document, Description, Intended audience, Obtain from)

Application scenario: Installation

Document: Software integrity check
Description: This document describes how to check the integrity of software packages before
the installation or upgrade. Content about the software package integrity check can be
contained in the installation guide or upgrade guide.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Document: Security Hardening Guide
Description: This document describes how to perform security hardening on operating systems
and databases using the MainAst, including the hardening content, impact, precautions,
preparations, operations, rollback, and FAQs.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Document: Backup and restore guide
Description: This document describes the overall CBS backup and restore scheme (concepts,
implementation mechanism, and backup and restore scenarios and policies), each NE's backup
and restore operations (operation processes, NE-specific backup prerequisites and
verification, restoration processes and procedures), and common backup and restore
operations (operating system, file, and database backup).
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Operation and maintenance

Document: Password change guide
Description: This document describes the password change suggestions and policies, the
password change guide for the operating systems, databases, application systems, management
access NEs, and hardware devices, and the associated password change operations.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Document: Security maintenance guide
Description: This document describes:
- Maintenance rule: the security requirements and suggestions for maintenance engineers in
terms of accounts, passwords, permissions, patches, remote access, data backup, and script
usage.
- Routine maintenance: the maintenance background and purpose, reference standard,
precautions, procedures, and troubleshooting.
Intended audience: Customer; Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Reference

Document: User list
Description: This document describes the users of the operating systems, databases,
applications, and other devices in the CBS solution.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Document: Process list
Description: This document describes the system processes used in the CBS solution,
including processes on the operating systems and those in the databases and application
systems.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Document: Service list
Description: This document describes the system services used in the CBS solution, including
services on the operating systems and those in the databases and application systems.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Document: Communication matrix
Description: This document describes the CBS solution communication matrix.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

2.4.2 Application Layer Security


Account Management

An account must be unique in the system.

If a new account has the same name as a deleted account, except the account name, the
new account cannot inherit other attribute information such as personal information,
authentication information, and authorization information from the deleted account.

An account cannot be written into the code, and a mechanism must be provided to make
accounts configurable.

Identity Authentication

The system provides GUIs for the login authentication and logout functions.

Strong web verification codes are used in web application account authentication and
support high-security features such as background interference and distorted characters.

For the scheme of authentication based on user name and password, the strong password
policy is forcibly used.

When a user requests a restricted resource or performs an operation that requires
authentication, the user must be authenticated first. The server performs the final
authentication.

After the authentication fails, the system can provide users with only the general
message instead of detailed and definite failure causes.

In B/S applications, the "automatic login/remember me" function is forbidden.

Enhanced Password Policies

The minimum password length is configurable and is 6 characters by default.

A password must contain at least two of the following character types:
- lowercase letters
- uppercase letters
- numerals
- spaces and special characters, such as `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

The number of history passwords is configurable.

The maximum validity period of password is configurable.

Before a password expires, the system displays a message indicating that the password
will expire when the user logs in.

Users must provide the old password for verification when changing their passwords.
Only an administrator can change the passwords of others.

When the initial password is the default password or set by the system administrator,
operators/users are forced to change the initial password after successfully logging in by
using the initial password and before accessing the system. They can access the system
only when they change the initial password successfully.

A password cannot be displayed on the GUI, printed on terminals, or stored in the logs in
plain text.

Content in the password text box cannot be copied.

A password must be saved as encrypted text rather than plain text. Irreversible
algorithms are used to encrypt passwords that do not need to be restored.

Password files must be controlled for access so that common users cannot read or copy
passwords.

A user can change the password only after being successfully authenticated.

An account list and a password list must be provided with the product.

In B/S applications, the account whose password is to be changed must be obtained from
the session information on the server and cannot be specified by the client.

A password must be different from the user name.

The default password of the built-in account must meet the password complexity
requirements. User documents must ask users to change the default password.

Authentication Failure

When the consecutive login attempts fail within the given time, the account will be
locked.

The time segment used by the policy "locking upon consecutive login failures" is
configurable.

The allowed consecutive failure times in the policy "locking upon consecutive login
failures" is configurable.

The locking duration is configurable.

After the policy "locking upon consecutive login failures" is executed and the locking
times out, the system supports automatic unlocking. In addition, the system supports the
manual unlocking by the administrators.
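A worked illustration of the lockout policy described above, added here as example code that is not part of the CBS product: the time segment, failure threshold, and locking duration are the constructed defaults in LockoutPolicy, the lock expires automatically, and an administrator can unlock manually. ManualClock and the sample credential are constructed for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The three configurable values of the 'locking upon consecutive login
    failures' policy. The defaults are constructed for this example."""
    window_seconds: int = 300   # time segment in which failures are counted
    max_failures: int = 5       # allowed consecutive failures in that segment
    lock_seconds: int = 900     # locking duration before automatic unlock


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure timestamps
    locked_until: Optional[float] = None


class ManualClock:
    """Deterministic clock so the policy can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    """Per-account failure counting, automatic unlock after the locking
    duration, and manual unlock by an administrator."""

    def __init__(self, policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if self.clock() >= st.locked_until:
            # Locking duration has elapsed: automatic unlock.
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count one failed attempt; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        now = self.clock()
        st = self._state(user)
        # Only failures inside the configured time segment count as consecutive.
        st.failures = [t for t in st.failures
                       if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator."""
        self.accounts[user] = AccountState()

    def attempt(self, user: str, password: str,
                check: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'ok' or 'failed'. The caller shows the user only
        a general message, never the definite failure cause."""
        if self.is_locked(user):
            return "locked"
        if check(user, password):
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user) else "failed"


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    guard = LoginGuard(LockoutPolicy(60, 3, 120), clock)
    creds = {"alice": "Tr0ub4dor&3"}          # constructed sample credential

    def check(user: str, password: str) -> bool:
        return creds.get(user) == password

    for pw in ("x", "y", "z", "Tr0ub4dor&3"):
        print(pw, "->", guard.attempt("alice", pw, check))
    clock.now += 121                           # the lock times out
    print("after timeout ->", guard.attempt("alice", "Tr0ub4dor&3", check))
```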

Rights Management

The system uses the role-based account right management model.

When an account is created, no role or a role with the least rights is assigned to the
account by default.

In the B/S applications, for each URL request requiring authorization, the system must
check whether the session ID of the user is valid and whether the user is authorized to
perform the operation.

Control horizontal access to prevent users from accessing the sensitive data of other users
without authorization.

The authorization and user role data must be stored on the server instead of the client.
The authentication must also be performed on the server.

Session Management

In B/S applications, session cookies are used to maintain sessions.

In B/S applications, after the user name and password are successfully authenticated, the
session ID must be changed to prevent session fixation.

In B/S applications, the information that cannot be modified in a session must be stored
or maintained as a part of the session status on the server.

If a user does not perform any operations within a specified period, the system
automatically deletes the user's session. The period is configurable.

All the pages that can be accessed only after login must explicitly provide the logout (or
exit) button or menu.

In B/S applications, when a user exits, the session information about the user must be
deleted.

Sensitive Data Protection

It is prohibited to store sensitive data in plain text in code.

It is prohibited to store sensitive data in plain text format in the database or files.

It is prohibited to store sensitive data in plain text in logs.

It is prohibited to store sensitive data in plain text in alarms.

It is prohibited to store sensitive data in plain text in cookies.

In the B/S application, it is prohibited to store sensitive data in plain text format in
hidden domains.

In the B/S application, it is prohibited to buffer web pages containing sensitive data.

In the B/S application, sensitive data must be submitted by using the HTTP-POST
method.

Sensitive data (including passwords, bank accounts, and batch personal data) is
transmitted between untrusted networks through secure channels or transmitted after
encryption, unless otherwise specified by standard protocols.

In web applications, only the HTTPS protocol (namely, SSL with the server certificate)
can be used to transfer sensitive data between the client and the server. This function is
applicable only to local access and login but is not used in device management.

In the B/S application, it is prohibited to carry the session ID (such as jsessionid) in the
URL.

It is prohibited to transfer the information that should be kept secret to users to clients.

Authentication, authorization, and encryption mechanisms are established to control the
access to sensitive data, such as bank accounts.

Security certificates, bank accounts, service SMS messages are either masked in logs or
not printed in any log.

Service Running Security

Use secure protocols, such as SSH v2, TLS1.0, SSL3.0, IPSec/SFTP, and SNMPv3, rather than
insecure protocols, such as FTP and Telnet, for system management and between maintained
terminals.

In B/S applications, the CSRF must be prevented for important operations.

Encryption and Decryption

Use a non-patented, secure, and public encryption algorithm instead of a patented encryption
algorithm.

Use secure functions to generate random numbers.

The key for transmitting sensitive data cannot be fixed in the code.

All non-query operations have log recording.

Security Logs

The recorded log content can support subsequent audit. Data including user ID, time,
event type, name of the accessed resource, and access result is recorded in the logs.

The log access control mechanism is provided to prevent unauthorized persons from
accessing, modifying, or deleting logs.

Anti-attack Protection for Protocols and Interfaces

All external communication connections must be necessary for system running and
maintenance. Every communication port that is used is described in the product communication
matrix document.

All communication ports and protocols that manage the system must have the access
authentication mechanism except for the standard protocol without authentication
mechanism.

Verification Code Security

The verification code must be a single image in only JPEG, PNG, or GIF format.

The verification code must be generated randomly, and the generated random number
must be secure.

The font, size, and position of each character in the verification code must change
randomly.

Characters in the verification code are distortable and adhesive.

The content of the verification code cannot be associated with information submitted by
the client.

The random number generated by the verification code module cannot appear in the
source code of the static page of the client.

The verification code must have background interference. The color, position, and
quantity of the background interference elements must change randomly.

The verification code becomes invalid once it is used. New verification codes must be
generated for new requests.

The verification code and information (such as the user name and password) must be
sent to the server at the same time. The information is verified only after the verification
code check succeeds.

Web Service Security

The invocation of the Web Service interface must be verified.

The confidentiality of sensitive data transferred through the Web Service interface must
be ensured.

The input parameters submitted by the Web Service interface must be checked.

Web Code Security

Input verification

All user input must be verified. When any invalid data is found, inform the user of
the invalid input and ask the user to correct it. Note: User input is the data from
text, password, or textarea fields. All user input is deemed untrusted by default, and
its validity must be verified.

All input produced by servers must be verified. When any invalid data is found, the
session must be invalidated, and alarm logs must be generated. Note: Input produced by
servers means all input other than user input, such as URL parameters, data contained in
hidden fields, selection boxes, check boxes, option buttons, cookies, HTTP headers, and
hot-spot links or client scripts. All input produced by servers is deemed falsified and
malicious by default, and its validity must be verified. If the input is found invalid, the
data has been falsified by a malicious user. For example, assume that the Gender field is
mandatory in the user information form and that an option button (1 for male and 0 for
female) restricts the input. If the application receives a Gender value of 2, someone has
falsified the data maliciously.

It is prohibited to use any non-encrypted information in the HTTP headers as the basis for
security decisions. Note: The HTTP headers are sent at the beginning of the HTTP request and
HTTP response. The web application must not use any non-encrypted information in HTTP
headers as the basis for security decisions because attackers can easily manipulate the HTTP
headers. For example, the Referer field in the HTTP header contains the URL of the web page
on the requester side. Therefore, do not make any security decision based on the Referer
field (for example, checking whether the request comes from a page generated by the web
application) because this field is easily falsified.

Do not rely on the client verification. Instead, the server code must be used for final
verification of the input data. Note: The client verification is used only as an
auxiliary measure to reduce the information interactions between the client and the
server.

Verify input that has already been verified on the client again on the server, using the
same rules. Once the data is found invalid, the session must be invalidated and alarm logs
must be generated. Note: Invalid data at this point means an attack is under way and the
attacker has bypassed the input verification on the client. Therefore, the session must be
invalidated, and alarm logs must be generated.

If the input can only be certain characters or character combinations, use the
whitelist for input verification. Note: For the input compliant with certain rules,
such as email address, date, and decimal fraction, use the regular expression for
whitelist verification. This method is more effective than using the blacklist for
verification.

Verify the input data length. Note: If the input data is a string, the length of the
string must be verified. The length verification increases the difficulty of attacks.

Verify the input data range. Note: If the input data is a numerical value, the range of
the value must be checked. For example, the age should be a positive integer
ranging from 0 to 150.

The input parameters used for redirection cannot contain carriage returns and
linefeeds to avoid HTTP response splitting attacks. Note: A carriage return has
several expression modes (CR = %0d = \r). A linefeed also has several expression
modes (LF = %0a = \n).

PreparedStatement is used instead of directly executed statements to prevent SQL
injection in non-embedded web applications.

User data must be verified on the server. Data can be transmitted to the client after being
HTML encoded, which prevents the execution of malicious code and cross-site scripting
attacks. For untrusted data, HTML encoding is mandatory before the data is transmitted to
the client.
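An added example (not CBS code) of the server-side checks listed above: whitelist regular expressions for an email address and a date, length and range checks, the Gender option-button case, rejection of CR/LF in a redirect parameter, and HTML encoding before data goes to the client. The field names, patterns, and alarm logger name are assumptions made for the example.

```python
import html
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

alarm_log = logging.getLogger("security.alarm")   # assumed logger name

# Whitelist patterns for rule-based input (constructed for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATE_RE = re.compile(r"\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])")
AGE_RE = re.compile(r"[0-9]{1,3}")
# Any spelling of CR or LF (CR = %0d = \r, LF = %0a = \n) in a redirect target.
CRLF_RE = re.compile(r"\r|\n|%0d|%0a", re.IGNORECASE)
MAX_EMAIL_LEN = 254


@dataclass
class Validation:
    errors: List[str] = field(default_factory=list)  # user-correctable problems
    tampered: bool = False                           # server-produced input altered

    @property
    def ok(self) -> bool:
        return not self.errors and not self.tampered


def validate_user_form(fields: Dict[str, str]) -> Validation:
    """Server-side check of a user information form, repeated with the same
    rules as the client. Text fields get a correctable error; a field the
    server itself rendered (the Gender option button) that arrives with an
    unexpected value is treated as falsified."""
    v = Validation()

    email = fields.get("email", "")
    if len(email) > MAX_EMAIL_LEN or not EMAIL_RE.fullmatch(email):
        v.errors.append("email: invalid format")

    if not DATE_RE.fullmatch(fields.get("birth_date", "")):
        v.errors.append("birth_date: expected YYYY-MM-DD")

    age = fields.get("age", "")
    if not AGE_RE.fullmatch(age) or not 0 <= int(age) <= 150:
        v.errors.append("age: must be an integer from 0 to 150")

    # Gender is restricted by an option button: 1 for male, 0 for female.
    if fields.get("gender") not in ("0", "1"):
        v.tampered = True
        alarm_log.warning("falsified server-produced input: gender=%r",
                          fields.get("gender"))
    return v


def handle_form(session: Dict[str, str], fields: Dict[str, str]) -> Dict[str, str]:
    """Apply the two outcomes the page requires: invalid user input is
    reported back for correction; falsified server-produced input
    invalidates the session and returns only a general message."""
    result = validate_user_form(fields)
    if result.tampered:
        session.clear()
        return {"status": "rejected", "message": "The request could not be processed."}
    if result.errors:
        return {"status": "invalid", "message": "; ".join(result.errors)}
    return {"status": "accepted", "message": ""}


def safe_redirect_target(param: str, allowed: List[str]) -> Optional[str]:
    """Accept a redirect parameter only if it carries no CR/LF and is on the
    whitelist; None tells the caller to use a fixed default page instead."""
    if CRLF_RE.search(param):
        return None
    return param if param in allowed else None


def render_untrusted(text: str) -> str:
    """HTML-encode untrusted data before it is sent to the client."""
    return html.escape(text, quote=True)
```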

Code comment

Comments cannot contain information about the physical path, database connection,
or SQL statement.

For static pages, comments cannot contain source code information.

For dynamic pages, common comments are not used, and only hidden comments are
used.

When the application is abnormal, capture the exception, filter the information and return
only the common error messages to the client (do not disclose unnecessary information
to the client), and record the detailed error information in the log.

The whitelist must be used on the server to strictly restrict the types of uploaded or
downloaded files.

The CBS provides privacy protection schemes so that carriers can meet local laws and
regulations and customer requirements on privacy protection.

2.4.3 Privacy Protection


I. Overview
Privacy refers to individuals' identifiable information, including information that is
directly or indirectly related to individuals. Privacy protection is to protect individuals'
identifiable information.
The CBS provides privacy protection for personal data, including but not limited to the
following:
- Basic customer information, such as the customer name, customer code, certificate type,
certificate ID, home address, gender, date of birth, customer level, fax number, and email
address.
- Account information, such as the account name, account address, account record, and bank
account.
- Subscriber information, such as contract signing information, subscription information,
service use records, and subscriber invoices.
- Accounting information, such as customer invoices and receipts, payment records, overdue
payment records, and dunning records.
The CBS takes the following measures to protect customer privacy:
- Process customers' sensitive information (such as numbers, ages, genders, and account
balances) in an anonymous manner.
- Provide a security protection mechanism (such as authentication, permission control, and
log recording) during collection and processing of individual data and make the mechanism
open to customers using product information.

II. Data Protection


The CBS protects sensitive data, which includes but is not limited to the password,
cipher key, bank account, important service data, financial data, enterprise data, and
individual data.
Individual data includes the subscriber name, account, calling and called numbers, CDRs,
and call duration. This type of data can identify or works with other information to
identify a natural person.
The CBS uses different modes to process different types of sensitive data, including data
collection, encrypted storage, encrypted transmission, data display, and backup and
restore.

Data collection
To enable subscribers to use services and receive system notifications, the CBS collects
individual data based on service information. Carriers and subscribers must sign the data
collection contract so that the system can process subscriber data to generate the production
data required by the service system. Without authorization from subscribers, the CBS does
not collect, store, or process subscriber data.
Registration
During registration, the system collects service-related data including the customer's
name, certificate number, date of birth, phone number, password for query, home address,
email address, and invoice address. The system does not collect service-irrelevant
information, such as family members and their health status. In the self-registration and
self-service scenarios, the system displays the data collection purpose and notifies the
subscriber of the data to be collected. When connecting to a third-party system interface,
the CBS notifies the interface of the mandatory and optional data to be collected.

Deregistration
The CBS starts a scheduled task to automatically clear all individual data X days after
deregistration.
NOTE: The value of X is configurable and is 30 by default.

CDR
CDRs record the calling number, called number, communication time, location
information, and other information. The CBS can store CDR files without importing
them to a database or start a scheduled task to automatically clear CDR files a specified
time period after they are stored. The CBS does not import the location and peer number
in CDRs to the database.
NEs in the CBS use SFTP to transfer CDR files. Permission on the files is set as follows:
The owner has read, write, and delete permission, and users in the same group as the
owner has the read permission. Other non-root users have no permission on CDR files.
The CBS records an operation log each time a CDR file is queried.
CDR files in the CBS are used by the Invoicing to accumulate accounts, used by the
report system to collect and analyze statistics, used by the RA to audit and rerate CDRs,
used by the GL for accounting, and used by a third-party system (for example, PRM) to
execute settlement.

Invoice
Invoices record the customer name, invoice address, calling number, called number,
consumption information, balance, total outstanding amount, and other information. The
information can be customized by carriers, and called numbers are anonymized.

Receipt
Receipts record information such as the customer name and phone number.
Receipts are compressed before being stored in a database.

Recharge and payment
The recharge and payment log table records information related to the bank account,
such as, the credit card number, card expiration time, credit card authorization code,
bank account, check number, and check data.
The CBS deducts fees based on the information related to the bank account. Therefore,
the system uses the reversible algorithm AES128 to encrypt and decrypt the information
and then stores it in the database.

Encrypted storage
The system encrypts sensitive data such as the password, bank account, cipher key, PIN1,
PIN2, PUK1, and PUK2 so that the sensitive data is not displayed in plaintext.
The system uses the irreversible algorithm Hmac-SHA256 to encrypt the login password.
The user name is used as the salt for password encryption, which ensures that different
ciphertexts are obtained for the same password. The ciphertext is stored in the CBS
database and is used for verifying the login password that a subscriber enters.
The system uses AES128 to encrypt and decrypt the authentication passwords transferred
between the client and server. The two ends use the same algorithm and cipher key to
ensure that the peer end can decrypt the received passwords. The passwords are
generally stored in configuration files in ciphertext for applications to query. Cipher keys
are generally stored in configuration files in ciphertext to protect key security.
The system generally uses AES128 to encrypt and decrypt bank accounts.

Encrypted transmission
Sensitive data is transferred in ciphertext or through an encryption channel such as
HTTPS, VPN, or SFTP. Passwords, bank accounts, and other information requiring
high-level security must be transferred through an encryption channel in ciphertext.

Data display
Sensitive data is not displayed on web pages, log files, and configuration files in
plaintext. To protect the security of sensitive data such as bank accounts, the system
saves the data in the database in ciphertext, displays the first six or last four digits of
each record on web pages for tracing services or transactions, and displays the
encryption status in log files. If the system does not display the encryption status in log
files, it displays the first six or last four digits and uses asterisks (*) to mask other digits.
Passwords are masked with asterisks (*) on web pages or text boxes and recorded in
ciphertext in log files and configuration files. Cipher keys are displayed in ciphertext in
configuration files.
Other sensitive data such as PIN1, PIN2, PUK1, and PUK2 is displayed in ciphertext.
Individual data of subscribers such as their names, phone numbers, invoices, and
transaction data is displayed in plaintext on web pages and log files. However, individual
data exported to other systems out of the production system or imported to the
development and test system is anonymized. That is, the system performs transcoding for
individual data such as the name and mobile number to protect subscribers' privacy.
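An added example, not the CBS implementation, covering both the encrypted-storage and data-display rules above: an HMAC-SHA256 password digest salted with the user name, constant-time verification, and the first-six/last-four masking of a bank account number for web pages and log files. The HMAC key and the salt layout are assumptions; the AES128 storage of bank accounts is not shown.

```python
import hashlib
import hmac

# Per-system HMAC key. Assumption: the page does not say what keys the HMAC;
# this example keys it with a secret held in the encrypted configuration
# file. The value is constructed for the example and must never be reused.
SYSTEM_KEY = b"constructed-example-key-do-not-reuse"


def hash_login_password(username: str, password: str,
                        key: bytes = SYSTEM_KEY) -> str:
    """Irreversible HMAC-SHA256 digest of a login password with the user
    name as salt, so the same password yields different ciphertexts for
    different users. The salt/password layout is an assumption."""
    msg = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_login_password(username: str, password: str, stored: str,
                          key: bytes = SYSTEM_KEY) -> bool:
    """Recompute the digest for the entered password and compare it in
    constant time with the ciphertext stored in the database."""
    return hmac.compare_digest(hash_login_password(username, password, key), stored)


def mask_account_number(number: str, show: str = "last4") -> str:
    """Display form of a bank account or card number: either the first six
    or the last four digits stay visible and the rest become asterisks.
    Numbers too short to reveal partially are masked completely (a rule
    constructed for this example)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 8:
        return "*" * len(digits)
    if show == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    if show == "last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    raise ValueError("show must be 'first6' or 'last4'")


def log_line(event: str, account_number: str, show_status: bool) -> str:
    """Log record for a transaction: the account number appears either as
    its encryption status or as the masked digits, never in plaintext."""
    shown = "<encrypted>" if show_status else mask_account_number(account_number)
    return f"{event} account={shown}"


if __name__ == "__main__":
    stored = hash_login_password("alice", "Pa55w0rd!")     # constructed sample
    print("stored digest:", stored)
    print("login ok:", verify_login_password("alice", "Pa55w0rd!", stored))
    print("web page:", mask_account_number("1234 5678 9012 3456", "first6"))
    print(log_line("recharge", "1234567890123456", show_status=False))
```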

Backup and restore
Service-related data is backed up based on a backup policy. The backup scope, time, and
interval can be configured in the backup policy. Generally, data generated within a
specified time period is backed up as online backup data for fast restore. By default, the
CBS stores data backed up in the last month as online backup data on disks and stores
data backed up earlier as offline backup data.
Data restore tests must be performed on a regular basis to verify the validity of the backup
policy and the backup data.

2.4.4 System Layer Security


Operating System Security

Security hardening will be performed for all operating systems.

During operating system installation, the latest security patches need to be installed. The
list of verified patches must be released regularly, and these patches must be installed on
the operating system.

After an unauthenticated Nessus scan (no user name or password supplied), there must not be
any high-risk security vulnerabilities.

Remote login supports the SSH protocol.

An antivirus solution will be deployed on Windows-based servers.

Highest-privilege accounts such as 'root' and 'Administrator' shall not be used for
software/application operation or daily maintenance.

The software/application operating account shall not be used for daily maintenance. A
separate maintenance account will be used for daily maintenance.

Files and paths used for application operation or for keeping related critical data shall
have their permissions limited to 770 at most.

Database Security

Security hardening will be performed for all DBs.

During database installation, the latest security patches need to be installed. The list of
verified patches must be released regularly, and these patches must be installed in the
database.

After a Nessus scan, there must not be any high-risk security vulnerabilities.

Do not use the default password provided by the supplier for the database account. The
password complexity must meet the requirements.

If multiple accounts exist in the database, disable or delete idle accounts.

Use a single operating system account to run the database.

For a database with a listener function (such as the listener.ora of Oracle), configure the
listener password or configure the listener so that it is authenticated by the local
operating system.

Highest-privilege accounts such as 'sys' and 'sa' shall not be used for software/application
connections or daily maintenance.

The software/application connecting account shall not be used for daily maintenance. A
separate maintenance account will be used for daily maintenance.

Administrative privileges shall not be granted to the software/application connecting account.
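
The operating system and database checklists above are the kind of items an audit script can
verify mechanically. The following is an added example, not part of the CBS product or its
hardening tools: it encodes several of the rules (no root/Administrator or sys/sa for
application use, a separate maintenance account, file modes no wider than 770, no plaintext
remote protocols, no supplier default passwords, no idle accounts, no administrative privileges
on the application's database account) over an inventory that a deployment tool would collect.
The inventory layout, the 90-day idle threshold, the file paths and all sample values are
assumptions.

```python
"""Machine-checkable hardening baseline for the OS and database rules.

Added example, not CBS code. Inventory layout, thresholds, paths and
sample values are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

PRIVILEGED_OS_ACCOUNTS = {"root", "administrator"}
PRIVILEGED_DB_ACCOUNTS = {"sys", "sa"}
PLAINTEXT_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
MAX_MODE = 0o770        # no permission bits at all for "other"
IDLE_DAYS = 90          # assumed threshold for an unused database account


@dataclass
class DbAccount:
    name: str
    default_password: bool   # still carries the supplier default
    last_login_days: int     # days since last use
    admin_role: bool
    used_by_application: bool


@dataclass
class HostInventory:
    app_run_account: str
    maintenance_account: str
    app_file_modes: Dict[str, int]   # path -> permission bits
    remote_protocols: Set[str]
    db_run_account: str
    db_accounts: List[DbAccount]


def mode_violates(mode: int, limit: int = MAX_MODE) -> bool:
    """True when `mode` grants a permission bit that `limit` does not."""
    return (mode & 0o777) & ~limit != 0


def check_baseline(inv: HostInventory) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    f: List[str] = []
    if inv.app_run_account.lower() in PRIVILEGED_OS_ACCOUNTS:
        f.append(f"OS: application runs as privileged account '{inv.app_run_account}'")
    if inv.maintenance_account.lower() in PRIVILEGED_OS_ACCOUNTS:
        f.append(f"OS: daily maintenance uses privileged account '{inv.maintenance_account}'")
    if inv.maintenance_account == inv.app_run_account:
        f.append("OS: maintenance and application share one account; use a separate maintenance account")
    for path, mode in inv.app_file_modes.items():
        if mode_violates(mode):
            f.append(f"OS: {path} mode {mode:o} is wider than {MAX_MODE:o}")
    for proto in sorted(p.lower() for p in inv.remote_protocols):
        if proto in PLAINTEXT_PROTOCOLS:
            f.append(f"NET: plaintext protocol '{proto}' enabled; use its encrypted replacement")
    if inv.db_run_account.lower() in PRIVILEGED_OS_ACCOUNTS:
        f.append(f"DB: database runs as privileged OS account '{inv.db_run_account}'")
    for acct in inv.db_accounts:
        if acct.default_password:
            f.append(f"DB: account '{acct.name}' still uses the supplier default password")
        if acct.used_by_application and acct.name.lower() in PRIVILEGED_DB_ACCOUNTS:
            f.append(f"DB: application connects as privileged account '{acct.name}'")
        if acct.used_by_application and acct.admin_role:
            f.append(f"DB: administrative privileges granted to application account '{acct.name}'")
        if not acct.used_by_application and acct.last_login_days >= IDLE_DAYS:
            f.append(f"DB: account '{acct.name}' idle for {acct.last_login_days} days; disable or delete it")
    return f


# Constructed inventories: a typical unhardened host and one that meets the baseline.
WEAK_HOST = HostInventory(
    app_run_account="root",
    maintenance_account="root",
    app_file_modes={"/opt/cbs/bin": 0o755, "/opt/cbs/etc/app.conf": 0o640},
    remote_protocols={"ssh", "telnet", "ftp"},
    db_run_account="root",
    db_accounts=[
        DbAccount("sys", default_password=True, last_login_days=1, admin_role=True, used_by_application=True),
        DbAccount("old_report", default_password=False, last_login_days=200, admin_role=False, used_by_application=False),
    ],
)

HARDENED_HOST = HostInventory(
    app_run_account="cbsapp",
    maintenance_account="cbsmnt",
    app_file_modes={"/opt/cbs/bin": 0o750, "/opt/cbs/etc/app.conf": 0o640},
    remote_protocols={"ssh", "sftp", "https", "snmpv3"},
    db_run_account="oracle",
    db_accounts=[
        DbAccount("cbs_app", default_password=False, last_login_days=0, admin_role=False, used_by_application=True),
        DbAccount("dbmaint", default_password=False, last_login_days=7, admin_role=True, used_by_application=False),
    ],
)

if __name__ == "__main__":
    for line in check_baseline(WEAK_HOST):
        print(line)
```

Each finding names the rule it came from, so the output can be attached to the hardening record
for the host and re-run after the fix; the Nessus and AppScan requirements above are left to the
scanners themselves.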

Web Container Security

Security configuration must be performed on web containers by deleting unnecessary
resources, disabling unnecessary connectors, preventing the leakage of web container
information, minimizing file and directory permissions, protecting the shutdown function,
and disabling directory listing. In this way, web containers reach the optimal security
status.

After an AppScan scan, there must not be any high-risk security vulnerabilities.

2.4.5 Network Layer Security


Virtual Network Security Isolation
The core of the virtual network security isolation design lies in the port group and VLAN
configurations. VM ports are classified so that the various types of service traffic are
isolated from each other: VM ports are assigned to port groups according to the traffic type,
and VLAN IDs are configured to implement layer-two isolation between the traffic types in the
VMs. In addition, VMs bound to different physical network adapters can access different planes.

Physical Security Isolation


Based on the communication features of the CBS services, the networks in the standardized
network scheme are divided into the service plane, management plane, and storage plane. All
NEs on the service plane use independent physical ports. On ATAE servers, Fabric network
adapters are used for services, Base network adapters for management, and FC network adapters
for storage. These independent physical ports are isolated from the physical ports of other
planes. However, the physical ports are publicly available on devices.

Logical Security Isolation


The CBS adopts various technologies to implement security isolation at various logical levels
to ensure network security.
Plane division
Based on the communication features of the CBS services, networks are divided into the
service plane, management plane, and storage plane.
VLAN isolation
Service servers are assigned to VLANs according to the service server type. Through the VLAN
plan, broadcast domains are reduced and layer-two access between VLANs is effectively
isolated.
Security zone division
Based on the CBS service security features, the system is divided into the following security
zones:

o Untrust: The security level is 5. The network adapters connected to external
systems are deployed. Multiple security domains of this type can be created based
on the connected system.
o MT: The security level is 40. Maintenance terminals (such as the I2000 client) are
deployed. The management network can be connected only through this zone to
manage system networks.
o DMZ: The security level is 50. Applications (such as the BMP Gateway, EVC
Portal, and SLB) that directly interact with Internet users are deployed to
implement the Internet access and request distribution.
o OIT: The security level is 55. The LBI is deployed and is provided only for
customers' system administrators. The administrators can use the system
reconciliation and report audit functions.
o HA: The security level is 60. The connection heartbeat interfaces for firewalls are
deployed.
o TEST: The security level is 80. NEs for test, training, and environment
development are deployed.
o Trust: The security level is 85. Service NEs including the CBP, BMP, EVC, UVC,
and UAP are deployed to implement core system functions such as charging,
recharge, and service management.
o OM: The security level is 90. The management plane (including network
management systems, management ports of hardware devices, and service
management plane) is located in the OM zone. To access and control the
management plane, an external network management center needs to connect to the
OM zone of the firewall.
Access control between zones
Security isolation is implemented through the firewall for the connection between external
networks and different zones on the network of the CBS.
Access control inside zones
Connection between internal security zones is controlled using the ACL of switches. Also, the
connection relationship between each module needs to be described in detail in the service
communication matrix.

Management Channel Control


The network and devices are maintained and managed on the management plane. Therefore,
strict isolation of the management plane is very important. The following measures are
adopted in the CBS:

Remote management of and login to network devices are supported only on the management
plane. Only a management-plane IP address can be used for remote management and login. This
effectively prevents intrusion and attacks from users.

If network devices need to be managed remotely on the management plane, the source IP
addresses permitted to operate SNMP need to be restricted on the devices.

Network devices access the management network through out-of-band management ports. SSH is
used for remote maintenance and management of devices.

The management plane is a common plane that involves NEs in various security zones.
Security isolation must be implemented in the management plane to prevent NEs in various
security zones from connecting to each other in the management plane.

Network Device Security Hardening


Before service deployment, security hardening is required for network devices based on the
corresponding security hardening guide.

Network Protocol Security


Maintenance engineers can operate servers and databases through remote connections.
Encrypted protocols are used for remote logins in place of plaintext protocols. The
recommended replacements are as follows:

SSH replaces Telnet

SFTP replaces FTP

HTTPS replaces HTTP

SNMPv3 replaces SNMPv1/v2

In addition, maintenance engineers are advised to use the VPN to connect to core services and
boundary firewalls of the data domain during remote maintenance. The VPN service can be
enabled in the firewalls. The VPN type is IPSec VPN. The VPN client IP address pool can be
configured in the firewalls, and the VPN service assigns IP addresses to maintenance
engineers' clients. Also, filter policies are configured in the firewalls to enable only IP
addresses in the VPN client IP address pool to connect to servers through the firewalls.
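
The zone model, the communication-matrix rule for connections between zones, and the
management-channel restrictions described in this section can be expressed as a small policy
evaluator, useful when reviewing a firewall change before it is applied. The following is an
added example and not the CBS firewall configuration: it uses the zone levels listed above,
treats an explicit allow-list as the service communication matrix with default deny, and admits
SSH and SNMP towards the OM zone only from the VPN client address pool. The matrix entries,
ports, the address pool and the sample flows are constructed assumptions.

```python
"""Inter-zone access check driven by a service communication matrix.

Added example, not CBS firewall configuration. Matrix entries, ports,
address ranges and sample flows are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Zone security levels as given in the section above.
ZONE_LEVEL = {"Untrust": 5, "MT": 40, "DMZ": 50, "OIT": 55,
              "HA": 60, "TEST": 80, "Trust": 85, "OM": 90}

# Assumed VPN client pool configured on the boundary firewall.
VPN_CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")

# Explicit allow-list (src zone, dst zone, protocol, dst port); all entries assumed.
COMM_MATRIX: Set[Tuple[str, str, str, int]] = {
    ("Untrust", "DMZ", "tcp", 443),   # Internet users -> SLB / EVC Portal
    ("DMZ", "Trust", "tcp", 8080),    # portal tier -> BMP
    ("OIT", "Trust", "tcp", 1521),    # LBI reconciliation -> core database
    ("MT", "OM", "tcp", 22),          # maintenance terminals -> SSH
    ("MT", "OM", "udp", 161),         # maintenance terminals -> SNMPv3
}

# Management services that must originate from the VPN client pool.
MANAGEMENT_SERVICES = {("tcp", 22), ("udp", 161)}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide a flow and give the reason, as a firewall rule review would."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return False, "unknown zone"
    if flow.src_zone == flow.dst_zone:
        # Traffic inside a zone is not the firewall's decision; switch ACLs apply.
        return True, "intra-zone; governed by switch ACL"
    key = (flow.src_zone, flow.dst_zone, flow.proto.lower(), flow.dst_port)
    if key not in COMM_MATRIX:
        return False, "not in communication matrix (default deny)"
    if flow.dst_zone == "OM" and (key[2], key[3]) in MANAGEMENT_SERVICES:
        if ipaddress.ip_address(flow.src_ip) not in VPN_CLIENT_POOL:
            return False, "management access permitted only from the VPN client pool"
    direction = ("towards higher security level"
                 if ZONE_LEVEL[flow.src_zone] < ZONE_LEVEL[flow.dst_zone]
                 else "towards lower security level")
    return True, f"permitted by matrix ({direction})"


def denied(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that would be blocked, with the reason, for review."""
    out = []
    for flow in flows:
        ok, why = evaluate(flow)
        if not ok:
            out.append((flow, why))
    return out


# Constructed sample flows: one legitimate path per zone pair plus two that must fail.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "Untrust", "DMZ", "tcp", 443),
    Flow("203.0.113.7", "Untrust", "Trust", "tcp", 8080),   # bypasses the DMZ
    Flow("10.200.0.15", "MT", "OM", "tcp", 22),
    Flow("192.168.5.9", "MT", "OM", "tcp", 22),             # not from the VPN pool
]

if __name__ == "__main__":
    for flow, why in denied(SAMPLE_FLOWS):
        print(f"DENY {flow.src_ip} {flow.src_zone}->{flow.dst_zone} "
              f"{flow.proto}/{flow.dst_port}: {why}")
```

Keeping the matrix as data rather than as firewall syntax lets the same table be diffed in
change control and used to generate the vendor-specific rules, which is the practical value of
writing the communication matrix down in detail.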

2.4.6 Virtualization Layer Security

Security hardening of the Hypervisor prevents the Hypervisor from being exposed on an
insecure network and protects it from brute-force attacks and vulnerability exploitation.
In this way, unauthorized access to the Hypervisor is prevented.

VMs' access to resources on the host is restricted to prevent a VM from accessing
resources that belong to other VMs on the host.

On the virtualization platform, a layer-two packet filtering scheme is configured to
prevent MAC address spoofing by malicious users.

Using the computing resource uniform allocation module, the virtualization platform
uniformly allocates computing resources and memory resources to the VMs on the host,
to prevent DoS attacks from malicious VMs.

On the virtualization platform, a layer-three packet filtering scheme is configured to
prevent IP address spoofing and ARP spoofing by malicious users.

Under VMware, the VM provides a private storage security mechanism. Using this
mechanism, the VMI cannot be obtained, tampered with, or destroyed even if the host is
attacked and the attacker has gained control over the host.

The security group management mechanism prevents malicious users from obtaining remote
access permission on a VM of a low security level and using the VM as a stepping stone
to attack the network.
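
The layer-two and layer-three packet filtering described above amounts to one check per VM
port: a frame may leave a VM only if its source MAC, its source IP and, for ARP, its sender
addresses are the ones assigned to that port. The following is an added example of that check,
not VMware or CBS platform code; the port bindings, the frame representation and the sample
frames are constructed assumptions.

```python
"""Per-port anti-spoofing filter for VM egress traffic (L2, L3 and ARP).

Added example, not hypervisor code. Port bindings, the frame model and
sample frames are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PortBinding:
    mac: str
    ips: FrozenSet[str]   # IPv4 addresses assigned to the VM port


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: str                       # "ipv4" or "arp"
    src_ip: Optional[str] = None         # IPv4 header source (ipv4 frames)
    arp_sender_mac: Optional[str] = None # ARP sender hardware address
    arp_sender_ip: Optional[str] = None  # ARP sender protocol address


# Constructed port table: what the platform assigned when each VM was created.
PORTS: Dict[str, PortBinding] = {
    "vm-web-01": PortBinding("52:54:00:aa:bb:01", frozenset({"10.10.1.11"})),
    "vm-db-01": PortBinding("52:54:00:aa:bb:02", frozenset({"10.10.2.21"})),
}


def filter_egress(port_id: str, frame: Frame) -> Tuple[bool, str]:
    """Allow the frame only if every source address belongs to this port."""
    binding = PORTS.get(port_id)
    if binding is None:
        return False, "unknown port"
    if frame.src_mac.lower() != binding.mac.lower():
        return False, "L2: source MAC does not match the port binding"
    if frame.ethertype == "ipv4":
        if frame.src_ip not in binding.ips:
            return False, "L3: source IP is not assigned to this port"
        return True, "pass"
    if frame.ethertype == "arp":
        sender_mac = (frame.arp_sender_mac or "").lower()
        if sender_mac != binding.mac.lower() or frame.arp_sender_ip not in binding.ips:
            return False, "ARP: sender address is not assigned to this port"
        return True, "pass"
    return False, "unsupported ethertype"


def filter_batch(events: List[Tuple[str, Frame]]) -> Dict[str, int]:
    """Count dropped frames per port; a rising count on one port is a spoofing signal."""
    drops: Dict[str, int] = {}
    for port_id, frame in events:
        ok, _ = filter_egress(port_id, frame)
        if not ok:
            drops[port_id] = drops.get(port_id, 0) + 1
    return drops


# Constructed sample traffic: two legitimate frames and two spoofing attempts.
SAMPLE_EVENTS: List[Tuple[str, Frame]] = [
    ("vm-web-01", Frame("52:54:00:aa:bb:01", "ipv4", src_ip="10.10.1.11")),
    ("vm-web-01", Frame("52:54:00:aa:bb:02", "ipv4", src_ip="10.10.1.11")),   # borrowed MAC
    ("vm-web-01", Frame("52:54:00:aa:bb:01", "arp",
                        arp_sender_mac="52:54:00:aa:bb:01", arp_sender_ip="10.10.2.21")),  # ARP spoof
    ("vm-db-01", Frame("52:54:00:aa:bb:02", "arp",
                       arp_sender_mac="52:54:00:aa:bb:02", arp_sender_ip="10.10.2.21")),
]

if __name__ == "__main__":
    print(filter_batch(SAMPLE_EVENTS))
```

The drop counter is the detection side of the same control: a VM that repeatedly fails the
check is either misconfigured or compromised, and either way deserves a ticket.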

3 Security Assurance

3.1 Security Statements and Qualification


Huawei has recognized that security issues are important to our customers and products, and
continuously researches and develops better security functionality and quality.
Huawei obtained BS 7799 certification in July 2004, and the certification was renewed as
ISO/IEC 27001 in August 2007.
Product security assurance procedures have been integrated into Huawei's product
development process, that is, integrated product development (IPD). Security-related issues
including functionality and quality are considered at each phase such as conception, design
and verification, and security-related procedures are applied to installation and onsite support.
The Security Technical Management Group (TMG) has been set up to supervise and guide
security activities during the product development process, and to provide consultancy,
development, and assessment of product security solutions.
Huawei and its development teams and products strictly follow industry standards, laws and
regulations, and respect carriers' and their customers' business and technology secrecy and
privacy. We respect and understand carriers' security policies, and we are ready to help
carriers enforce their security policies.

3.2 Security Assurance Procedures


Product security has become an important topic for telecom carriers. Even a security incident
rate of 0.01% implies a complete failure. The most efficient way of ensuring product security
is to follow a sound methodology.
Figure 3-1 shows the security assurance procedures in Huawei's IPD.

Figure 3-1 Security assurance procedures in Huawei's IPD

[Figure: the IPD flow from business plan and charter through the Concept, Plan, Development,
Qualify, Launch and Lifecycle phases, with technical reviews TR1 to TR6, PCR and GA. Security
inputs per phase: long-term, short-term and customer security requirements, legal and
regulatory standard specifications, the security baseline and its implementation guide, the
security development standard, and the security CBB (encryption algorithms library, PKI
platform). Activities: HLD, LSD, coding, BBFV, SDV, SIT and SVT. Outputs: security test
report, beta test report, penetration test report, security documents, certification, patch
management and vulnerability management, all under the corporate information security policy
and standard.]

OR: offering requirement
MM: market management
IPD: integrated product development
PCR: product change request
CBB: common building block
PKI: Public Key Infrastructure
IPMT: Integrated Portfolio Management Team
PDT: Product Development Team
DCP: decision checkpoint
TR: technical review
EOM: end of marketing
EOP: end of production
EOS: end of support and service
BBFV: build block functional verification
SIT: system integrated test
SVT: system verification test
GA: general availability
UCD: user centered design

Huawei has established a professional security solution department to provide advanced
security solutions for telecom carriers, and to support, guide, and monitor security issues
across all products and solutions. Product line teams and product development teams have
created special teams or roles to take charge of security issues and to ensure security quality
during product development. Each product line team adjusts its short-term and long-term
security plans every year after reviewing recent advances in technology and business
evolution. The quality assurance (QA) department has set up a special team to monitor and
audit product security plans and progress.
An appropriate organization together with strict and efficient process assurance builds
security quality into products, satisfies carriers' security requirements, and provides
carriers with high-quality service assurance on a long-term basis.

Acronyms and Abbreviations

C
CBS      convergent billing system
CSRF     cross-site request forgery

E
E2E      end-to-end

F
FTP      File Transfer Protocol

H
HTTP     Hypertext Transport Protocol
HTTPS    Secure HTTP

N
NFS      Network File System
NTP      Network Time Protocol

O
OSI      open systems interconnection

Q
QoS      Quality of Service

R
RBAC     Role-Based Access Control

S
SNMP     Simple Network Management Protocol
SSH      Secure Shell

T
TFTP     Trivial File Transfer Protocol
TLS      Transport Layer Security

V
VM       Virtual Machine
VMI      Virtual Machine Image
VLAN     Virtual Local Area Network
