Issue: Draft A
Date: 2014-01-20
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
SingleRAN
OM Security Feature Parameter Description
Contents
1 About This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History
2 Overview
3 Technical Description
3.1 OMCH Security
3.2 Web Security
3.2.1 Overview
3.2.2 User Authentication
3.2.3 HTTPS-based Data Transmission
3.2.4 Anti-attack
3.2.5 Rights Control
3.3 User Management
3.3.1 Overview
3.3.2 Login Authentication
3.3.3 User Rights Control
3.3.4 Login Password Policy
3.3.5 FTP User Management
3.4 User Data Anonymization
3.5 Digital Signature-based Software Integrity Protection
3.5.1 Definition
3.5.2 Application Scenarios
3.5.3 Digital Signature
3.6 Time Security
3.6.1 SNTP Security for Base Station Controllers
3.6.2 NTP Security Authentication for Base Stations
3.7 Security Alarms, Events, and Logs
3.7.1 Overview
3.7.2 Security Alarms and Events
3.7.3 Security Logs and Security Audit
3.7.3.1 O&M Event Recording
4 Engineering Guidelines
4.1 OMCH Security
4.2 Web Security
4.2.1 When to Use Web Security
4.2.2 Deployment
4.2.2.1 Requirements
4.2.2.2 Activation
4.2.2.2.1 Using MML Commands
4.2.2.2.2 Using the CME
4.2.2.3 Activation Observation
4.3 User Management
4.3.1 When to Use User Management
4.3.2 Deployment
4.3.2.1 Requirements
4.3.2.2 Activation
4.3.2.2.1 Using the MML Commands
4.3.2.2.2 Using the CME
4.3.2.3 Activation Observation
4.4 User Data Anonymization
4.5 Digital Signature-based Software Integrity Protection
4.6 Time Security
4.6.1 Deployment of SNTP Security for Base Station Controllers
4.6.1.1 Requirements
4.6.1.2 Activation
4.6.1.3 Activation Observation
4.6.2 Deployment of NTP Security Authentication for Base Stations
4.6.2.1 Requirements
4.6.2.2 Data Preparation
4.6.2.3 Activation
4.6.2.3.1 Using MML Commands
4.6.2.3.2 MML Command Examples
4.6.2.3.3 Using the CME
4.6.2.4 Activation Observation
4.6.2.5 Reconfiguration
4.6.2.6 Deactivation
4.7 Security Alarms, Events, and Logs
4.8 OMU Anti-attack
5 Parameters
6 Counters
7 Glossary
8 Reference Documents
1.1 Scope
This document describes operation and maintenance (O&M) security, including its technical
descriptions, engineering guidelines, and parameters.
This document covers the following features:

1.3 Change History
Feature change: changes in features of a specific product version.
Editorial change: changes in wording or addition of information that was not described in the earlier version.
Draft A (2014-01-20)
This document is created for SRAN9.0.
This document originates from Base Station and OM Security Feature Parameter Description
and Base Station Controller and OM Security Feature Parameter Description of SRAN8.0.
Compared with SRAN8.0, SRAN9.0 adds security policy level configuration described in 3.9
Security Policy Level Configuration. For details about the engineering guidelines, see 4.2 Web
Security.
2 Overview
Table 2-1 lists the O&M security measures supported by Huawei network elements (NEs) in SRAN9.0.
Table 2-1 Supported security measures
NEs (columns): MBSC, eGBTS, NodeB, eNodeB, MBTS
Security measures (rows): Web security; User management; Digital signature-based software integrity protection; Time security; OMU anti-attack
NOTE
A check mark indicates that the NE supports this security measure.
- indicates that the NE does not support this security measure.
NOTE
In this document, MBSC is called the base station controller, and eGBTS, NodeB, eNodeB and MBTS are collectively referred to as the base station. For details about O&M security measures for the GBTS, see GBSS Security Overview Feature Parameter Description.
3 Technical Description
3.1 OMCH Security
SSL protects transmitted data against eavesdropping, tampering, and forging using encryption,
integrity protection, and identity authentication.
- Encryption: With SSL, the sender encrypts data at the application layer before transmission and the receiver decrypts the received data. In this manner, data is transmitted as ciphertext, preventing eavesdropping.
SSL supports multiple standard encryption algorithms, such as Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4). Of these, only AES should be relied on today: RC4 has exploitable keystream biases and 3DES uses a 64-bit block, and both are deprecated for TLS.
- Integrity protection: SSL protects each record with a message authentication code (MAC), a keyed hash that the sender computes over the data and the receiver recomputes; a record whose MAC does not match is rejected as tampered with. (The MAC key is a shared secret negotiated during the handshake; this is not a digital signature in the public-key sense used in 3.5.) SSL supports multiple standard Hash algorithms, such as Secure Hash Algorithm 1 (SHA-1).
- Identity authentication: SSL supports certificate-based authentication. The communicating parties authenticate each other's digital certificates before establishing an SSL connection.
Huawei equipment supports SSL3.0, TLS1.0, TLS1.1, and TLS1.2. The version is negotiated with the peer: during SSL negotiation, the NE selects a version it supports from the list offered by the U2000. With SRAN8.0 or later the negotiated version is TLS1.2; with SRAN7.0 or earlier it is TLS1.1. SSL3.0 and TLS1.0 remain available only for compatibility with older peers and should not be relied on; SSL3.0 in particular has known protocol weaknesses.
For details about SSL, see SSL Feature Parameter Description.
The FTP connection between a base station or base station controller and the U2000 is based on
SSL. FTP files on the U2000 can be encrypted using SSL and then transmitted in ciphertext
format. For details about SSL application to FTP, see SSL Feature Parameter Description.
NOTE
SSL 2.0 cannot be used. In addition, cipher suites with key lengths shorter than 64 bits, and NULL (plaintext) cipher suites, cannot be used.
3.2 Web Security
3.2.1 Overview
Web security for the WebLMT comprises the following measures:
- User authentication
- Anti-attack
- Rights control
3.2.2 User Authentication
The WebLMT authenticates two kinds of users:
- Local users: user information is stored and authenticated on the base station controller.
- Domain users: managed by the U2000; user information is stored and authenticated on the U2000.
A user must input a verification code after inputting the user name and password. The verification code is an image randomly generated by the web server.
If a user fails to log in to the WebLMT after several consecutive attempts, the account is locked and then automatically unlocked after a certain period of time. The MaxMissTimes(BSC6900,BSC6910,NodeB) parameter specifies the maximum number of login attempts allowed, and the AutoUnlockTime(BSC6900,BSC6910,NodeB) parameter specifies the duration for which the account stays locked. Both parameters are configured using the SET PWDPOLICY command. If no operation is performed within a specified period of time, the WebLMT GUI is locked automatically. GUI unlock authentication is implemented on the base station controller; if the user cannot unlock the GUI after multiple attempts, the current session is locked for another 30 minutes.
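The lock rules above, as an added example that is not Huawei's code: a minimal login handler applying MaxMissTimes, AutoUnlockTime and the lock-counter reset interval from the security policy level table in 3.3.4. The parameter values (3 attempts, 30 minutes, 10 minutes), the account name and the passwords are constructed for the example; the clock is injected so the time-based rules can be exercised without waiting.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// PwdPolicy carries the two SET PWDPOLICY parameters named in the text
// (MaxMissTimes, AutoUnlockTime) plus the "Resetting Interval of Account Lock
// Counter" from the security policy level table.
type PwdPolicy struct {
	MaxMissTimes   int           // consecutive failures that trigger a lock
	AutoUnlockTime time.Duration // how long a locked account stays locked
	ResetInterval  time.Duration // quiet time after which the failure counter is cleared
}

// accountState is the lock bookkeeping kept per account.
type accountState struct {
	secret      []byte // for illustration only; a real system stores a salted hash
	failures    int
	lastFailure time.Time
	lockedUntil time.Time
}

// Authenticator is a constructed example, not Huawei code. The clock is
// injected so the time-based rules can be exercised deterministically.
type Authenticator struct {
	Policy   PwdPolicy
	Now      func() time.Time
	accounts map[string]*accountState
}

func NewAuthenticator(p PwdPolicy, now func() time.Time) *Authenticator {
	return &Authenticator{Policy: p, Now: now, accounts: map[string]*accountState{}}
}

func (a *Authenticator) AddUser(name, password string) {
	a.accounts[name] = &accountState{secret: []byte(password)}
}

// Login applies the rules in the order a controller would:
// locked? -> stale counter reset -> credential check -> count / lock.
// The reason string is for the caller's log; the user sees only success or failure.
func (a *Authenticator) Login(name, password string) (bool, string) {
	st, ok := a.accounts[name]
	if !ok {
		return false, "unknown user"
	}
	now := a.Now()
	if now.Before(st.lockedUntil) {
		return false, "account locked"
	}
	if st.failures > 0 && now.Sub(st.lastFailure) >= a.Policy.ResetInterval {
		st.failures = 0 // counter reset after the configured quiet interval
	}
	if subtle.ConstantTimeCompare(st.secret, []byte(password)) == 1 {
		st.failures = 0
		return true, "ok"
	}
	st.failures++
	st.lastFailure = now
	if st.failures >= a.Policy.MaxMissTimes {
		st.lockedUntil = now.Add(a.Policy.AutoUnlockTime)
		st.failures = 0
		return false, "account locked"
	}
	return false, "invalid credentials"
}

func main() {
	clock := time.Date(2014, 1, 20, 9, 0, 0, 0, time.UTC)
	policy := PwdPolicy{MaxMissTimes: 3, AutoUnlockTime: 30 * time.Minute, ResetInterval: 10 * time.Minute}
	auth := NewAuthenticator(policy, func() time.Time { return clock })
	auth.AddUser("admin", "Correct-Pw1!") // constructed account
	for i := 0; i < 3; i++ {
		_, why := auth.Login("admin", "wrong")
		fmt.Println("attempt", i+1, why)
	}
	clock = clock.Add(31 * time.Minute)
	ok, why := auth.Login("admin", "Correct-Pw1!")
	fmt.Println("after auto-unlock:", ok, why)
}
```

The counter is cleared both when the lock is applied and when the reset interval passes, so an attacker pacing attempts slower than the reset interval never triggers the lock; that is the trade-off the "Resetting Interval" row of the policy table encodes, and a shorter interval favours availability over brute-force resistance.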
3.2.3 HTTPS-based Data Transmission
The protocol used for the login web page and for the WebLMT GUI depends on the configured policy and on the protocol entered in the Internet Explorer address box:

Scenario   | Protocol in IE address box | Protocol on login web page | Protocol in WebLMT GUI | Policy
Scenario 1 | HTTP                       | HTTPS                      | HTTPS                  | Forcible HTTPS
Scenario 2 | HTTPS                      | HTTPS                      | HTTPS                  | Forcible HTTPS
Scenario 3 | HTTP                       | HTTPS                      | HTTP                   | HTTPS for login only
Scenario 4 | HTTPS                      | HTTPS                      | HTTP                   | HTTPS for login only
Scenario 5 | HTTP                       | HTTP                       | HTTP                   | Compatibility mode
Scenario 6 | HTTPS                      | HTTPS                      | HTTPS                  | Compatibility mode

Policy descriptions:
- Forcible HTTPS: an HTTPS connection must be used for both the login web page and the WebLMT GUI.
- HTTPS for login only: an HTTPS connection must be used for the login web page.
- Compatibility mode: either HTTP or HTTPS is used.
Only forcible HTTPS protects the whole session: under "HTTPS for login only" the credentials are protected but every subsequent MML command and its output travel over plain HTTP, and in compatibility mode a user who types http:// gets no protection at all.
NOTE
As of SRAN8.0, the default policy for logging in to the WebLMT changed from compatibility mode to
forcible HTTPS mode.
In compatibility mode, the policy for logging in to the WebLMT is determined by the protocol (HTTP or
HTTPS) entered in the Internet Explorer address box.
3.2.4 Anti-attack
The web server has been reinforced against a range of attack types, which were taken into consideration before delivery.
3.3 User Management
3.3.1 Overview
Function: Login management
NOTE
- Local users perform O&M in the event of site deployment and transmission faults.
- Domain users perform routine O&M and are managed by the U2000 in centralized mode. The centralized mode indicates that all the domain user accounts are created, modified, authenticated, and authorized by the U2000.
- In addition to local and domain users, the base station controller provides the default OS root account for logging in to the OMU to perform O&M.
- U2000 users can run the MOD OP command to remotely change the password for the admin account.
A domain user can also log in to the WebLMT to access an NE. In this case, the NE forwards
login authentication information to the U2000, which then authenticates the user.
As of SRAN8.0, user login security is enhanced through challenge-response authentication.
However, in versions earlier than SRAN8.0, user names and passwords are transmitted in
symmetric encryption mode, which is incompatible with the enhanced user login mechanism.
Therefore, a new MML command SET AUTHPOLICY is added and the AUTHPOLICY
(BSC6900,BSC6910,NodeB) parameter in this command is used to control the login mode. By
default, this parameter is set to COMPATIBLE_MODE(Compatible Mode), to allow both
the original and enhanced user login mechanisms. This parameter can be set to
ENHANCED_MODE(Enhanced Mode) only if no tool (or service) is directly connected to
the base station controller on the live network or if such a tool (or service) uses the enhanced
user login mechanism. Value ENHANCED_MODE(Enhanced Mode) is preferred, depending
on actual site requirements.
The machine-machine interface between the base station controller and the U2000 uses user
name EMSCOMM by default for mutual authentication. As of SRAN8.0, the password for the
default user can be changed either by performing operations on the U2000 or by running the
MOD OP command on the WebLMT.
NOTE
If both the U2000 and NEs support the enhanced user login mechanism, it is good practice to set
AUTHPOLICY(BSC6900,BSC6910,NodeB) to ENHANCED_MODE(Enhanced Mode) for security
purposes.
In challenge-response authentication mode, the authentication server sends a fresh, different question ("challenge") for each login attempt, and the client must provide a valid answer ("response") derived from the challenge and the user's secret. The password itself is never sent, and a captured response is useless for a later login because the next challenge differs.
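A worked challenge-response exchange covering both sides, added here as an example and not Huawei's implementation. It uses HMAC-SHA256 keyed with a password-derived verifier and discards each challenge after one use, so a replayed response is rejected. The message format, the 16-byte nonce and the use of a single SHA-256 (rather than a slow KDF) for the verifier are assumptions of the example; the user names and passwords are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveVerifier turns a password into the secret both sides key the HMAC with.
// Constructed example: a real deployment would use a slow, salted KDF here
// (e.g. PBKDF2) rather than a single SHA-256.
func deriveVerifier(user, password string) []byte {
	h := sha256.New()
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write([]byte(password))
	return h.Sum(nil)
}

// computeResponse is the step shared by both sides: HMAC-SHA256 over the
// challenge, keyed with the verifier.
func computeResponse(verifier, challenge []byte) []byte {
	m := hmac.New(sha256.New, verifier)
	m.Write(challenge)
	return m.Sum(nil)
}

// AuthServer models the authenticating side (the NE, or the U2000 for domain
// users). It stores verifiers, never passwords, and one outstanding challenge per user.
type AuthServer struct {
	verifiers  map[string][]byte
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{verifiers: map[string][]byte{}, challenges: map[string][]byte{}}
}

func (s *AuthServer) Register(user, password string) {
	s.verifiers[user] = deriveVerifier(user, password)
}

// Challenge issues a fresh random nonce for this login attempt.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	if _, ok := s.verifiers[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify consumes the outstanding challenge, so a captured response cannot be replayed.
func (s *AuthServer) Verify(user string, response []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return hmac.Equal(computeResponse(s.verifiers[user], nonce), response)
}

// ClientResponse is the client side: it sends the HMAC, never the password.
func ClientResponse(user, password string, challenge []byte) []byte {
	return computeResponse(deriveVerifier(user, password), challenge)
}

// Login runs one complete exchange and returns the outcome.
func Login(s *AuthServer, user, password string) (bool, error) {
	challenge, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, ClientResponse(user, password, challenge)), nil
}

func main() {
	s := NewAuthServer()
	s.Register("admin", "Correct-Pw1!") // constructed account
	c, _ := s.Challenge("admin")
	fmt.Println("challenge:", hex.EncodeToString(c))
	r := ClientResponse("admin", "Correct-Pw1!", c)
	fmt.Println("response: ", hex.EncodeToString(r))
	fmt.Println("accepted: ", s.Verify("admin", r))
	fmt.Println("replayed: ", s.Verify("admin", r))
}
```

Contrast this with the pre-SRAN8.0 mechanism described above, where the password ciphertext itself is transmitted: without a per-attempt challenge, the same ciphertext is valid every time, so anyone who can capture the login exchange can replay it without ever recovering the password.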
NOTE
When deployed or upgraded using USB flash drives, base stations verify the validity of the software
packages in USB flash drives by the digital signatures.
- A validity period can be set for a user account. After the period elapses, login using the account is not allowed. Administrators can modify validity periods of accounts.
- Permissible access time ranges can be set for a user account. The ranges include validity date ranges, time ranges, and week restrictions. Login is not allowed beyond the permissible access time ranges.
- Login success information includes information about the last login success.
Monitoring Users
The U2000 allows users to query information about online local and domain users and monitor their status (login or logout). The U2000 can monitor all operations of specified online users. When a user is forcibly logged out, the U2000 disconnects that user's management connections.
Base stations and base station controllers determine the users to be monitored according to the commands from the U2000 and report the results to the U2000.
3.3.3 User Rights Control
- The rights of Administrators, Operators, Users, and Guests to use command groups are fixed.
- The rights of Custom users to use command groups are defined depending on actual requirements.
A command group is a group of commands that have the same attributes. For example, the G_8 command group consists of commands used to query equipment data, including the DSP DSPUSAGE and DSP E1T1 commands. The LST CCG command can be used to query the specific commands in a command group.
Table 3-3 lists the mapping between user levels and command groups.
Table 3-3 Mapping between user levels and command groups

User Level    | Command Groups
Administrator | G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Operator      | G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
User          | G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14
Guest         | G_0&G_2&G_4&G_6&G_8&G_13
Custom        | Defined depending on actual requirements
Users can perform operations only after a successful login. All user operations are monitored
and operation permission is controlled. All operations must be classified according to permission
levels.
User operation permission is controlled by using MML commands or performing WebLMT
menu operations. Each MML command or menu can be associated with a command group. Base
station controllers support authorizing users to use command groups. If a user is authorized for
a command group, the user can run all commands in the command group.
After a user logs in to the WebLMT, the WebLMT hides the controls (such as menus and buttons) that the user is not authorized to operate. Hiding controls is a convenience for the user, not the security boundary: the authoritative check is the one the system performs on each operation, described next.
Before users operate NEs and objects, or run commands, the system checks their operation permission levels to determine whether the operations are allowed.
When users attempt to perform operations for which they have no permission, the system displays a message indicating that the operations are not allowed.
User permission information is stored on servers. After a user successfully logs in to a client, the server sends the user's permission list to the client, which retains it until the user logs out.
The system does not allow users to run any commands beyond the permissible time ranges. If required, administrators can grant permission to a specific user. If a user attempts to access a base station controller beyond the permissible time range, the base station controller refuses to perform user authentication. If a user logs in with an expired password, the system forces the user to change it. Administrators can cancel password expiration policies.
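The command-group and access-time checks of this section, as an added example that is not Huawei's code. Table 3-3 is reproduced as data; DSP DSPUSAGE and DSP E1T1 in G_8 come from the text, while the other command-to-group assignments, the access window and the account names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// levelGroups is Table 3-3: the fixed command groups of each built-in user level.
var levelGroups = map[string][]string{
	"Administrator": {"G_0", "G_1", "G_2", "G_3", "G_4", "G_5", "G_6", "G_7", "G_8", "G_9", "G_10", "G_11", "G_12", "G_13", "G_14"},
	"Operator":      {"G_0", "G_2", "G_3", "G_4", "G_5", "G_6", "G_7", "G_8", "G_9", "G_10", "G_11", "G_12", "G_13", "G_14"},
	"User":          {"G_0", "G_2", "G_4", "G_6", "G_7", "G_8", "G_9", "G_10", "G_11", "G_12", "G_13", "G_14"},
	"Guest":         {"G_0", "G_2", "G_4", "G_6", "G_8", "G_13"},
}

// commandGroup maps an MML command to its group. DSP DSPUSAGE and DSP E1T1 in
// G_8 are from the text; the remaining assignments are constructed for this example.
var commandGroup = map[string]string{
	"DSP DSPUSAGE":  "G_8",
	"DSP E1T1":      "G_8",
	"LST CCG":       "G_0", // assumed
	"SET PWDPOLICY": "G_1", // assumed: G_1 is held only by Administrators in Table 3-3
}

// AccessWindow is an account's permissible access time range: a validity date
// range, the allowed weekdays and a daily hour range (Start inclusive, End exclusive).
type AccessWindow struct {
	ValidFrom, ValidTo time.Time
	Weekdays           map[time.Weekday]bool
	StartHour, EndHour int
}

func (w AccessWindow) Allows(now time.Time) bool {
	if now.Before(w.ValidFrom) || !now.Before(w.ValidTo) {
		return false
	}
	if !w.Weekdays[now.Weekday()] {
		return false
	}
	return now.Hour() >= w.StartHour && now.Hour() < w.EndHour
}

type Account struct {
	Name, Level  string
	CustomGroups []string // used only when Level == "Custom"
	Window       AccessWindow
}

func (acc Account) groups() map[string]bool {
	src := levelGroups[acc.Level]
	if acc.Level == "Custom" {
		src = acc.CustomGroups
	}
	set := make(map[string]bool, len(src))
	for _, g := range src {
		set[g] = true
	}
	return set
}

// Authorize performs the checks in the order the text describes: access time
// first (outside it the controller does not even authenticate), then command group.
func Authorize(acc Account, cmd string, now time.Time) (bool, string) {
	if !acc.Window.Allows(now) {
		return false, "outside permissible access time range"
	}
	cmd = strings.ToUpper(strings.Join(strings.Fields(cmd), " "))
	group, ok := commandGroup[cmd]
	if !ok {
		return false, "unknown command"
	}
	if !acc.groups()[group] {
		return false, fmt.Sprintf("command group %s not authorized for level %s", group, acc.Level)
	}
	return true, "ok"
}

// officeHours is a constructed window: weekdays 08:00-18:00 during 2014.
func officeHours() AccessWindow {
	return AccessWindow{
		ValidFrom: time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC),
		ValidTo:   time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC),
		Weekdays:  map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true},
		StartHour: 8, EndHour: 18,
	}
}

func main() {
	guest := Account{Name: "guest1", Level: "Guest", Window: officeHours()}
	now := time.Date(2014, 1, 21, 10, 0, 0, 0, time.UTC) // a Tuesday
	fmt.Println(Authorize(guest, "dsp dspusage", now))
	fmt.Println(Authorize(guest, "SET PWDPOLICY", now))
}
```

Because authorization is by group rather than by command, the security review question for any deployment is the membership of each group (LST CCG answers it), not the user level names: a query command mis-filed into a group held by Guests is reachable by every account.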
3.3.4 Login Password Policy
Password policy by security policy level (High Priority | Medium Priority | Low Priority):
- Resetting Interval of Account Lock Counter: 10 minutes | 5 minutes | 2 minutes
- Maximum Valid Days: 30 days | 60 days | 90 days
- Weak Password Dictionary Checking Switch: ON(Open) | ON(Open) | OFF(Close)
Remaining rows of the table, with labels and values listed separately as they appear:
- labels: password minimal length (6 to 32 characters); password complicacy (uppercase letter, lowercase letter, digit, special character); Password History Records Number; Maximum Single Char Repeat Times
- values: 30 minutes | 30 minutes | 10 minutes; 5 days | 5 days | 5 days; ON(Open) | ON(Open) | OFF(Close)
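A password policy checker, added here as an example and not Huawei's implementation, built around the rows of the table: length, character classes, single-character repeat limit, history, weak dictionary switch and maximum valid days. Only Maximum Valid Days (30/60/90) and the dictionary switch (ON/ON/OFF) are taken from the table; the other per-level values, the interpretation of "Maximum Single Char Repeat Times" as the longest run of one character, the weak-password dictionary and the test passwords are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// PasswordPolicy is one column of the security policy level table. Only
// MaxValidDays and WeakDictionaryCheck are taken from the table; the other
// values are assumptions for this constructed example.
type PasswordPolicy struct {
	MinLength, MaxLength int
	MinCharClasses       int  // of: uppercase, lowercase, digit, special
	MaxSingleCharRepeat  int  // longest run of one repeated character allowed (0 = unlimited)
	HistoryRecords       int  // previous passwords that may not be reused
	MaxValidDays         int  // from the table
	WeakDictionaryCheck  bool // from the table
}

var policyByLevel = map[string]PasswordPolicy{
	"High":   {MinLength: 8, MaxLength: 32, MinCharClasses: 3, MaxSingleCharRepeat: 3, HistoryRecords: 5, MaxValidDays: 30, WeakDictionaryCheck: true},
	"Medium": {MinLength: 8, MaxLength: 32, MinCharClasses: 3, MaxSingleCharRepeat: 3, HistoryRecords: 5, MaxValidDays: 60, WeakDictionaryCheck: true},
	"Low":    {MinLength: 6, MaxLength: 32, MinCharClasses: 2, MaxSingleCharRepeat: 0, HistoryRecords: 3, MaxValidDays: 90, WeakDictionaryCheck: false},
}

// weakDictionary is a constructed stand-in for the weak password dictionary.
var weakDictionary = map[string]bool{"password": true, "admin123": true, "changeme": true, "huawei123": true}

// PasswordRecord is what the server keeps per user: hashes of past passwords
// (never the passwords) and the time of the last change.
type PasswordRecord struct {
	History   []string
	ChangedAt time.Time
}

func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

func charClasses(pw string) int {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	n := 0
	for _, b := range []bool{upper, lower, digit, special} {
		if b {
			n++
		}
	}
	return n
}

// longestRun returns the length of the longest run of one repeated character.
func longestRun(pw string) int {
	best, run := 0, 0
	var prev rune = -1
	for _, r := range pw {
		if r == prev {
			run++
		} else {
			run, prev = 1, r
		}
		if run > best {
			best = run
		}
	}
	return best
}

// Check returns every rule the candidate password violates; an empty result means it is acceptable.
func (p PasswordPolicy) Check(pw string, rec PasswordRecord) []string {
	var v []string
	if n := len([]rune(pw)); n < p.MinLength || n > p.MaxLength {
		v = append(v, fmt.Sprintf("length must be %d to %d characters", p.MinLength, p.MaxLength))
	}
	if charClasses(pw) < p.MinCharClasses {
		v = append(v, fmt.Sprintf("needs at least %d of uppercase, lowercase, digit, special", p.MinCharClasses))
	}
	if p.MaxSingleCharRepeat > 0 && longestRun(pw) > p.MaxSingleCharRepeat {
		v = append(v, fmt.Sprintf("a character repeats more than %d times in a row", p.MaxSingleCharRepeat))
	}
	if p.WeakDictionaryCheck && weakDictionary[strings.ToLower(pw)] {
		v = append(v, "password is in the weak password dictionary")
	}
	h := hashPassword(pw)
	start := 0
	if len(rec.History) > p.HistoryRecords {
		start = len(rec.History) - p.HistoryRecords
	}
	for _, old := range rec.History[start:] {
		if old == h {
			v = append(v, fmt.Sprintf("reuses one of the last %d passwords", p.HistoryRecords))
			break
		}
	}
	return v
}

// Expired reports whether the current password is older than MaxValidDays.
func (p PasswordPolicy) Expired(rec PasswordRecord, now time.Time) bool {
	return now.Sub(rec.ChangedAt) > time.Duration(p.MaxValidDays)*24*time.Hour
}

func main() {
	high := policyByLevel["High"]
	rec := PasswordRecord{History: []string{hashPassword("OldPass-9")}, ChangedAt: time.Date(2014, 1, 20, 0, 0, 0, 0, time.UTC)}
	for _, pw := range []string{"Passw0rd!", "password", "Aaaaa1!b", "OldPass-9"} { // constructed candidates
		fmt.Printf("%-10s -> %v\n", pw, high.Check(pw, rec))
	}
}
```

The history check compares hashes, which is all the server is allowed to keep (the text states administrators cannot retrieve or view passwords); the dictionary check lower-cases the candidate so that trivial case changes of a dictionary word do not pass.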
- Users must enter passwords twice when creating passwords, and the passwords entered cannot be copied.
- Users can change their passwords. The old password must be verified during a password change.
- Administrators can change their own passwords or other users' passwords. However, administrators can only reset (not view) other users' passwords during a password change.
- User accounts are locked when the number of consecutive failed password attempts reaches a specified threshold.
- Administrators cannot retrieve passwords in the form of plaintext or query other users' passwords.
- The system forces users to change their passwords when passwords expire.
- When users first use default or factory passwords, which are automatically allocated by the system, the system forces users to change the passwords.
- The system prompts users to change their passwords before the passwords expire. If passwords are not changed after expiration, users cannot log in to the system, but the passwords can be modified or changed on the U2000. Administrators can disable password expiration policies on the U2000.
3.3.5 FTP User Management
The base station controller has two kinds of FTP users:
- FtpUsr: uses a third-party FTP client to log in to the FTP server on the base station controller and then upload or download information about the base station controller. The MOD FTPPWD command can be used to change the password, but the password policy does not take effect on this user.
- U2000 user: uploads or downloads data between the base station controller and the U2000. The password can be changed on the U2000 GUI, but the password policy does not take effect on this user.
SRAN8.0 and later versions have the following enhancements to FTP user management:
- When an FtpUsr changes the password, the base station controller checks the password complexity according to the configured password policy. The base station controller does not check the complexity of the password entered during software installation; instead, when the FtpUsr next logs in to the FTP server, a message indicates that the password complexity is lower than the current configuration and that the password must be changed. The user can still log in with that password and the current FTP connection is not interrupted, but the password must be changed to meet the complexity requirements within a specified period of time.
- When a U2000 user changes the password, the base station controller checks the password complexity according to the configured password policy. If a U2000 user fails to log in to the FTP server, however, the base station controller does not lock the account but reports a security alarm, because this account secures data transmission over the southbound interface between the U2000 and the base station controller. An account that never locks is a natural brute-force target, so that security alarm is the only signal of an attack on it and must be watched.
3.5 Digital Signature-based Software Integrity Protection
3.5.2 Application Scenarios
Digital signature-based software integrity protection applies in the following scenarios:
- Software installation
- Software upgrade
3.5.3 Digital Signature
Hash algorithm: a one-way hash function that converts an arbitrary data block into a fixed-size bit string. Historically the most commonly used hash algorithms were Message-Digest Algorithm 5 (MD5) and SHA-1; both are now known to be collision-prone and are not suitable for new signature schemes, which is why the package check described below uses SHA256.
Public key cryptography: a pair of public and private keys is used for signing and verification (or encryption and decryption). The two keys relate to each other and belong to the same holder. The public key is published for use, whereas the private key is kept confidential.
Principles
Figure 3-2 illustrates the principles of digital signatures.
Figure 3-2 Digital signature principles
The procedure for generating the digital signature is as follows:
1. A Hash algorithm calculates the message digest for the files to be signed in the software package.
2. The private key is used to sign (encrypt) the message digest, producing the digitally signed file.
3. The digitally signed file is then released with the software package.
After an NE or a U2000 receives the software package, it verifies the contained digital signature. The procedure for verifying the digital signature is as follows:
1. The same Hash algorithm calculates the message digest for the files to be verified in the software package.
2. The public key is used to decrypt the digitally signed file to restore the message digest.
3. The restored message digest is compared with the digest calculated in step 1.
- If they are identical, the software was not tampered with.
- If they are different, the software was tampered with.
1. In the software package generation phase, SHA256 check codes are calculated for each software component in the software package and saved to check code files. The check code files are then digitally signed with the private key. A check code file records the check code of each component and the algorithm used to compute it; the signature is attached to this file, so the components are covered by the signature through their check codes.
2. In the software version release phase, all software files and digitally signed files are packaged and then uploaded to a version server, for example, http://support.huawei.com.
3. In the software version upgrade phase, when the U2000, WebLMT, or upgrade tool downloads the software package from the version server, it authenticates the software package by using the public key, to verify the software package's authenticity.
4. Also in the upgrade phase, when the NE downloads the software package from the U2000, WebLMT, or upgrade tool, the NE authenticates the software package by using the public key, to verify that the software has not been maliciously tampered with.
External attackers or unauthorized internal users may tamper with the software after the OMU software is installed. Therefore, the base station controller checks the integrity of the software on the OMU and reports only one ALM-20723 File Loss or Damage if one or more files are damaged or lost. This alarm is cleared after all the damaged or lost files are restored.
For an OS upgrade, the U2000 or upgrade tool checks the integrity of the OS upgrade package. For an OS driver upgrade, the driver upgrade tool checks the integrity of the OS drive package.
The base station controller supports the SNTP V3 protocol and is compatible with the SNTP server and NTP server. However, the time synchronization precision of the base station controller is the same as that supported by SNTP.
If the AUTHMODE parameter in the NTPCP MO is not set to PLAIN(Plain), NTP security authentication is performed in encryption mode. The authentication procedure is as follows:
1. After calculating the checksum of NTP packets, the NTP server sends the checksum and NTP packets to the base station.
2. The base station calculates the checksum of the received NTP packets, and compares the calculated checksum with that in the NTP packets.
   - If the checksums are identical, the NTP packets were not tampered with during transmission and pass the NTP security authentication.
   - If the checksums are different, the NTP packets were tampered with and fail the NTP security authentication.
If the AUTHMODE parameter in the NTPCP MO is set to PLAIN(Plain), the NTP server sends NTP packets directly to the base station without encryption, and therefore the base station does not need to decrypt the received NTP packets.
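An added example (not Huawei's code) of the authenticated exchange described above: the server appends a Key ID and a keyed digest to the NTP packet, and the base station recomputes the digest over what it received and compares the two, with PLAIN mode bypassing the check. The MAC layout follows RFC 5905 symmetric-key authentication; the key, the Key ID and the MD5/SHA1 choice standing in for Encryption Algorithm are assumptions, since the page does not name the algorithm.

```python
import hashlib
import hmac
import struct
from typing import Dict

NTP_HEADER_LEN = 48                                   # LI/VN/Mode through Transmit Timestamp
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}  # stand-ins for "Encryption Algorithm"


def build_ntp_header(stratum: int = 2, transmit_ts: int = 0xD6B4F2A100000000) -> bytes:
    """Constructed NTP v3 server reply: LI=0, VN=3, Mode=4, poll 6, precision -20."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    ref_id = 0x47505300                               # "GPS\0", chosen for the example
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, ref_id, 0, 0, 0, transmit_ts)


def authenticate(header: bytes, key_id: int, key: bytes, algorithm: str) -> bytes:
    """Server side when AUTHMODE is not PLAIN: append the Key ID and the digest
    of key || header (the symmetric-key MAC layout of RFC 5905)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    mac = DIGESTS[algorithm](key + header).digest()
    return header + struct.pack("!I", key_id) + mac


def verify(packet: bytes, keys: Dict[int, bytes], algorithm: str,
           authmode: str = "ENCRYPTED") -> bool:
    """Base station side: recompute the digest over the received header and
    compare it with the one carried in the packet. PLAIN skips the check."""
    if authmode == "PLAIN":
        return len(packet) >= NTP_HEADER_LEN
    if len(packet) < NTP_HEADER_LEN + 4:
        return False                                  # no Key ID / digest present at all
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False                                  # unknown Key ID: cannot authenticate
    expected = DIGESTS[algorithm](key + header).digest()
    received = packet[NTP_HEADER_LEN + 4:]
    return hmac.compare_digest(expected, received)    # constant-time comparison
```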
ALM-20723, EVT-22813, EVT-22814, EVT-22815, EVT-22805, ALM-20732, ALM-20850, ALM-20851, ALM-20852, ALM-20714
Table 3-6 lists the security alarms that may be reported by the base station when the related security faults occur.
Alarm ID | Alarm Name
ALM-26204 |
ALM-25670 | Water Alarm
ALM-25671 | Smoke Alarm
ALM-25672 | Burglar Alarm
ALM-26830 |
ALM-25950 |
ALM-26266 |
Recording information about its own running status, security events, and operations. The information can be queried and audited.
Users can audit the security logs collected by the U2000 to evaluate O&M security.
Operation Logs
When commands are sent to NEs from the WebLMT or U2000, the command execution results are saved in operation logs. The operation logs include those of the U2000 and NEs.
Operation logs record the operations to create, modify, query, load, and switch over NEs and so on. The operations can be manually performed by O&M personnel or automatically started by scheduled tasks on the WebLMT or U2000.
System Logs
System logs mainly record the system running status of NEs or the U2000. System logs help users to learn the system running status and identify causes of security faults. The system herein refers only to Huawei-developed application systems and system logs include those of the U2000 and NEs.
System logs record the following information:
- Abnormal status and actions while the system is running, such as active/standby switchovers, storage failures, and timer expiration
- Key events during system running, such as system startup and shutdown
- Running status, such as startup, exit, and suspension, of the system process
- Running status, such as startup, suspension, exit, and breakdown of key system threads
- Usage of system resources, such as central processing unit (CPU), memory, and hard disk
Security Logs
Security logs record information about security events.
Security logs of base stations record the following:
- Events related to account login, such as user login, user logout, account locking, and account unlocking
Security logs include those of the U2000 and NEs. Users can evaluate system security by auditing security logs. For details, see Security Log Auditing.
Table 3-7 describes security events recorded in security logs that a base station controller can provide.
Table 3-7 Security logs of a base station controller
Security Event Type | Security Log
- The system locks a local user account whose failed login attempts exceed the maximum number.
- The system automatically unlocks a local user account after the locking time expires.
- A local user account is manually unlocked.
- A local user account is locked by the administrator.
- An account is automatically locked when the password expires.
- Active and standby OMUs have been configured.
Table 3-8 lists security-related operation logs that a base station controller can provide.
Table 3-8 Security-related operation logs
Security Event Type | Operation Log
The LST SECLOG and LST OPTLOG commands can be used to query security logs and operation logs, respectively.
- Log collection: Users can set log collection tasks and specify task periods to enable the U2000 to periodically collect NE logs. Users can also set dumping and export of U2000 logs and NE logs.
- Log analysis: Based on U2000 logs and NE logs collected, users can analyze such information as system running status, security events, and operations.
Log Collection
Users can collect and dump all operation logs, security logs, and system logs of the U2000 as well as operation logs and security logs of NEs. NEs generate and save their own system logs and automatically report the logs to the U2000. For details, see Log Management in the U2000 product documentation.
- User login success and failure events: Including information about user names, login time, workstation (such as its IP addresses), and causes of login failures (such as incorrect passwords and invalid accounts)
- User logout success and failure events: Including information about user names, logout time, workstation (such as its IP addresses), and causes of logout failures
- All O&M and configuration events: Including information about user names, O&M time, workstation (such as its IP addresses), operations, and responses
- Operations concerning user accounts and permission levels: Including addition, deletion, and modification
Events to be recorded in security logs are configurable, and the configuration process must be recorded in security events that can be audited. For details about how to audit security logs, see Log Management in the U2000 product documentation.
NOTE
The maximum number of logs that can be saved can be configured by using the SET LOGLIMIT command on a base station controller, but not on a base station.
- IP address filtering, which enables the OMU to only accept IP data streams from authorized IP addresses and network segments
- Defending against attacks, such as ICMP ping, IP fragmentation, low time to live (TTL), Smurf, and distributed denial-of-service (DDoS) attacks
- Defending against TCP sequence prediction attacks and synchronization (SYN) flood attacks
- Isolating the internal network from the external network on the base station controller side: The base station controller discards packets whose destination IP addresses are internal IP addresses or belong to an internal network segment.
For a properly running network, specifying whitelisted and blacklisted IP addresses is generally not required and the base station controller does not restrict the IP addresses used for access. Specifying whitelisted and blacklisted IP addresses can be used to improve the security of the base station controller:
- Whitelist: Only the specified IP address or IP addresses in the specified network segment can be used to access the base station controller. The IP addresses can be specified for a particular port or for all ports. Once some IP addresses are whitelisted, all the other IP addresses are blacklisted and cannot be used for access.
- Blacklist: The specified IP address or IP addresses in the specified network segment cannot be used to access the base station controller. The IP addresses can be specified for a particular port or for all ports. All IP addresses that are not blacklisted are whitelisted.
Level 2 enables strongest security policies but may cause compatibility problems.
Table 3-9 provides a default example of the security policy configuration level template.
Table 3-9 Security policy configuration template
#  | Property                    | Level 1             | Level 2                         | Belonging to
   | OS Password Complicacy      | LOWERCASE-1&DIGIT-1 | LOWERCASE-1&DIGIT-1&UPPERCASE-1 | O&M security/user management
   | OS Password Minimal Length  | 10                  |                                 | O&M security/user management
   |                             | ON                  | OFF                             | O&M security/user management
   |                             | OFF                 | ON                              | O&M security/user management
   | OAM Password Complicacy     | LOWERCASE-1&DIGIT-1 | LOWERCASE-1&DIGIT-1&UPPERCASE-1 | O&M security/user management
   | OAM Password Minimal Length | 10                  |                                 | O&M security/user management
   |                             | 120                 | 90                              | O&M security/user management
   |                             | AUTO                | ONLY_HARD                       | O&M security/OMCH security
   |                             | ALL                 | ONLY_SSL                        | O&M security/OMCH security
10 |                             | NONE                | PEER                            | O&M security/OMCH security
11 |                             | Auto                | Encrypted                       | O&M security/OMCH security
12 |                             | NO                  | YES                             | O&M security/OMCH security
13 |                             | LOGIN_HTTPS_ONLY    | HTTPS_ONLY                      | O&M security/Web security
14 |                             | ENABLE              | ENABLE                          | Device security/integrated firewall
15 |                             | ENABLE              | ENABLE                          | Device security/integrated firewall
16 |                             | DISABLE             | ENABLE                          | Device security/integrated firewall
NOTE
Security policy level configuration invokes the batch configuration interface of an NE. Therefore, the configuration restoration function on the CME can be used to roll back batch configuration or restore the configurations of an NE.
4 Engineering Guidelines
4.2.2 Deployment
4.2.2.1 Requirements
None
4.2.2.2 Activation
4.2.2.2.1 Using MML Commands
To set the password security policy, perform the following step:
Step 1 Run the SET PWDPOLICY command to set the password security policy for local WebLMT users.
----End
To set the WebLMT login policy, perform the following step:
Step 1 Run the SET WEBLOGINPOLICY command to set the policy for logging in to the WebLMT. In this step, set Policy for login to LMT and transmission to an appropriate value.
Step 2 Run the RST OMUMODULE command to restart the WebLMT server for the configured WebLMT login policy to take effect. In this step, set Target OMU to ACTIVE(Active OMU) and Module Name to weblmt.
----End
NOTE
Running the RST OMUMODULE command disconnects all users from the WebLMT but does not affect OMU services. The WebLMT server can be restarted within 5 seconds if no exception occurs during the restart.
While the WebLMT server restarts, WebLMT clients are disconnected and therefore cannot receive the restart command response from the WebLMT server. In addition, an error message indicating that the command fails to be sent is displayed. Ignore this error prompt because the command was successfully sent.
The configured WebLMT login policy takes effect only after you log out and then log back in to the WebLMT.
You can run the LST WEBLOGINPOLICY command to query the current policy for logging in to the WebLMT.
To configure the rights of the Custom user to access the File Manager, perform the following steps:
Step 1 On the WebLMT GUI, click User-defined command Group to add commands and function items to a specific command group.
Step 2 Run the ADD OP or MOD OP command with Operator Level set to Customs(Custom) and Command Group set to the same value as that specified in Step 1.
----End
NOTE
The configured rights to access the File Manager take effect only after you log out and then log back in to the WebLMT.
NOTE
Users can define parameters for security policies as required based on the default level settings. For context-sensitive help on a current task in the client, press F1.
Step 2 Select the NEs for which consistency check is to be performed and execute the check to generate a check report.
Step 3 Based on the check report, correct the configurations on NEs in batches in the event of inconsistency.
----End
Login authentication
4.3.2 Deployment
4.3.2.1 Requirements
None
4.3.2.2 Activation
4.3.2.2.1 Using the MML Commands
Login Authentication
Currently, login authentication is performed in the following scenarios:
- The U2000 is used for connection to a base station or base station controller. In this scenario, the challenge-response mechanism is used for mutual authentication between the U2000 and the NE. The user name EMSCOMM is used during the authentication. The password for the user can be changed either by performing operations on the U2000 or by running the MOD OP command on the WebLMT. The passwords recorded must be the same on the U2000 and the NE to ensure a successful connection.
To add a Custom user, configure the user's rights to use command groups.
To add a user of a predefined level (for example, Operator), perform the following step:
Step 1 Run the ADD OP command to add an Operator user. In this step, set User Group to OPERATOR(Operator).
----End
NOTE
The command group lists that an Operator user has the rights to use are always G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14 and cannot be changed.
To add a Custom user who has the rights to use the G_22 command group including the COL LOG command so that the user can collect log files, perform the following steps:
Step 1 Run the SET CCGN command to configure G_22 as the command group.
Step 2 Run the ADD CCG command to add commands to the G_22 command group. In this step, add the COL LOG command to the command group.
Step 3 Add a Custom user and configure the rights to use the G_22 command group for the user.
----End
NOTE
An FTP client refers to a module that has the FTP client function on the OMU. The SET FTPSCLT command takes effect on all FTP clients.
After SSL encrypted transmission is configured for an FTP client, the FTP server must also be configured with SSL encrypted transmission before running FTP-related MML commands. Otherwise, the MML commands fail to be executed.
If the Support SSL Certificate Authentication(BSC6900,BSC6910) parameter is set to YES(Yes), a digital certificate must be configured for the connected server. Otherwise, file upload and download fail.
For instructions on how to configure digital certificates when the U2000 functions as the FTP server, choose Security Management > Data Management > Configuring Digital Certificates > Importing Cross Digital Certificates > Installing a Device Digital Certificate > Activating a Device Digital Certificate > Follow-up Procedure in the U2000 online help.
You can run the LST FTPSCLT command to query the transmission encryption mode of FTP clients.
To configure the FTP server to use encrypted transmission, perform the following steps:
Step 1 Run the SET FTPSSRV command with Transport Encrypted Mode set to ENCRYPTED(SSL Encrypted).
NOTE
If the FTP server is configured with the SSL encrypted transmission mode, the same mode must also be configured for all FTP clients that access the FTP server. The detailed configuration method varies depending on the third-party FTP client software.
Step 2 Reset the ftp_server module for the encrypted transmission mode to take effect.
1. Run the DSP OMU command to query the OMU mode. If only one result for Operational state is displayed, the OMU works in standalone mode. If two results for Operational state are displayed, the OMUs work in active/standby mode.
2. Run the RST OMUMODULE command to reset the ftp_server module on the active OMU. In this step, set Module Name to ftp_server. If the OMU works in standalone mode, the encrypted transmission mode takes effect after you perform this step. If the OMU works in active/standby mode, go to 3.
3. Run the RST OMUMODULE command to reset the ftp_server module on the standby OMU. In this step, set Module Name to ftp_server.
----End
To configure the port for transmitting data over FTP, perform the following step:
Step 1 Run the SET FTPSSRV command to set the value range of ports for transmitting data over FTP. In this step, set Passive mode data port lower limit and Passive mode data port upper limit to appropriate values.
----End
NOTE
You can run the LST FTPSSRV command to query the encryption mode of the FTP server and the value range of ports for transmitting data over FTP.
4.6.1.2 Activation
To configure the SNTP security for a base station controller, perform the following step:
Step 1 Run the ADD SNTPSRVINFO command to add the IP address and port number for the SNTP server on the base station controller and set the SNTP time synchronization security policy.
----End
NOTE
Set Key ID, Encryption Algorithm, and Key if SNTP security is used. Based on the values of these parameters, the base station controller sends encrypted and authenticated time synchronization requests to the SNTP server and authenticates the time synchronization responses from the SNTP server.
You can run the LST SNTPCLTPARA command to query information about the SNTP server.
Parameter Name | Parameter ID | Setting Notes | Data Source
MO: NTPCP
IPv4 Address of NTP Server | IP | | Network plan (negotiation not required)
Port Number | PORT | | Network plan (negotiation not required)
Synchronization Period | SYNCCYCLE | | Network plan (negotiation not required)
Authentication Mode | AUTHMODEP | | Network plan (negotiation not required)
Authentication Key | KEY | | Network plan (negotiation not required)
Authentication Key Index | KEYID | | Network plan (negotiation not required)
4.6.2.3 Activation
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 4-2 in a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:
- The MO in Table 4-2 is contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
- The MO in Table 4-2 is not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MO before you can set the parameters.
Table 4-2 MO related to NTP security
MO | Sheet in the Summary Data File | Parameter Group | Remarks
NTP | Common Data | |
For instructions about how to perform batch configuration for each type of base stations, see the following sections in 3900 Series Base Station Initial Configuration Guide.
- For a separate-MPT multimode base station, see "Creating Separate-MPT Multimode Base Stations in Batches."
- For an eGBTS and a co-MPT multimode base station, see "Creating Co-MPT Base Stations in Batches."
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure. The procedure is as follows:
Step 1 After creating a planned data area, choose CME > Advanced > Customize Summary Data File (U2000 client mode), or choose Advanced > Customize Summary Data File (CME client mode), to customize a summary data file for batch reconfiguration.
Step 2 Export the base station data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > Export eGBTS Bulk Configuration Data (U2000 client mode), or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data (CME client mode).
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data (U2000 client mode), or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data (CME client mode).
Step 3 In the summary data file, set the parameters in the MOs listed in Table 4-2 and close the file.
Step 4 Import the summary data file into the CME.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data (U2000 client mode), or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data (CME client mode).
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data (U2000 client mode), or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data (CME client mode).
----End
4.6.2.5 Reconfiguration
To change the authentication mode for a base station, run the MOD NTPC command and change the encryption algorithm on the NTP server to be consistent with that on the base station.
4.6.2.6 Deactivation
N/A
4.8.3 Deployment
4.8.3.1 Requirements
None
4.8.3.2 Activation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -A INPUT -s restricted IP -i Ethernet adapter -p transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
- Set transport protocol to TCP or UDP. This parameter is used with restricted port.
If you do not specify the -p transport protocol and --dport restricted port parameters, access over all ports is denied.
----End
The following is a command example used to allow only users in the 10.141.148.0 network segment to access the WebLMT:
iptables -A INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
NOTE
Exercise caution when disabling port 22, because this operation prohibits users from remotely logging in to the OMU.
- If access over port 21 is denied, you cannot access the ftp_server module on the OMU. In this situation, check whether you can access the ftp_server module on the OMU using an FTP client on the PC.
----End
4.8.3.4 Deactivation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -D INPUT -s restricted IP -i Ethernet adapter -p transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
- Set restricted IP to an IP address to be denied or allowed access. The IP address can be a single IP address or IP addresses in a network segment.
- Set Ethernet adapter to the external network adapter of the OMU.
- Set transport protocol to TCP or UDP. This parameter is used with restricted port.
- Set restricted port to the port over which access is denied.
If you do not specify the -p transport protocol and --dport restricted port parameters, access over all ports is denied.
Step 3 Run the DOPRA Linux command iptables -L to query all filtering criteria on the OMU. Verify that the new criteria have been removed successfully.
----End
The following command example is used to deactivate OMU anti-attack.
iptables -D INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
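To check what the filtering rules in the activation and deactivation procedures above actually admit, here is an added example (not Huawei code) that parses the iptables command shape used in both procedures and evaluates constructed packets against a model of the INPUT chain: it shows the segment-only restriction for port 80, that omitting -p and --dport denies every port including 22, and that the -D form removes the rule again. A default ACCEPT policy, the adapter name and the packet addresses are assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]   # "-s" network, None when the option is absent
    negate_src: bool                       # True for "-s ! <network>"
    iface: Optional[str]                   # "-i" Ethernet adapter
    proto: Optional[str]                   # "-p" transport protocol, lowercase
    dport: Optional[int]                   # "--dport" restricted port
    target: str                            # "-j" target


@dataclass
class Packet:
    """Constructed inb<br>ound packet as seen by the OMU INPUT chain."""
    src: str
    iface: str
    proto: str
    dport: int


def parse_rule(command: str) -> Tuple[str, Rule]:
    """Parses the command shape used in the procedure and returns (action, rule),
    where action is "A" for -A (append) or "D" for -D (delete)."""
    tokens = shlex.split(command)
    if len(tokens) < 3 or tokens[0] != "iptables" or tokens[1] not in ("-A", "-D") \
            or tokens[2] != "INPUT":
        raise ValueError("expected: iptables -A|-D INPUT <match options> -j <target>")
    action = tokens[1][1]
    src: Optional[ipaddress.IPv4Network] = None
    negate = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target = "DROP"
    i = 3
    while i < len(tokens):
        opt, i = tokens[i], i + 1
        if opt == "-s":
            if tokens[i] == "!":           # "-s ! net": match sources outside net
                negate, i = True, i + 1
            # Accepts both prefix and dotted-mask forms, e.g. 10.141.148.0/255.255.255.0.
            src = ipaddress.ip_network(tokens[i], strict=False)
        elif opt == "-i":
            iface = tokens[i]
        elif opt == "-p":
            proto = tokens[i].lower()
        elif opt == "--dport":
            dport = int(tokens[i])
        elif opt == "-j":
            target = tokens[i]
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 1
    return action, Rule(src, negate, iface, proto, dport, target)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every option present in the rule matches the packet."""
    if rule.src is not None:
        in_net = ipaddress.ip_address(pkt.src) in rule.src
        if in_net == rule.negate_src:      # plain -s needs in_net; "-s !" needs not in_net
            return False
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True                            # no -p/--dport given: every port is covered


class InputChain:
    """Minimal model of the OMU INPUT chain; the default policy is assumed to be ACCEPT."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def run(self, command: str) -> None:
        action, rule = parse_rule(command)
        if action == "A":
            self.rules.append(rule)
        else:
            self.rules.remove(rule)        # -D deletes the first identical rule

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:            # first matching rule decides, as in iptables
            if matches(rule, pkt):
                return rule.target
        return "ACCEPT"
```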
5 Parameters
NE
MML
Command
Feature ID
Feature Name
Description
MaxMissTimes
BSC6900
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
password retries
when a user logs
in. When
password retries
by a user exceed
this number, this
user is locked.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3
42
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MaxMissTimes
BSC6910
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
password retries
when a user logs
in. When
password retries
by a user exceed
this number, this
user is locked.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3
MAXMISSTIM
ES
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
SET
PWDPOLICY
None
None
LST
PWDPOLICY
Meaning:Indicates the
maximum times
of attempts with
incorrectly
entered
passwords.If the
times of
attempts with
incorrectly
entered
passwords
exceed this
parameter,the
NE will lock the
operator
account.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3
43
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
AutoUnlockTim
e
BSC6900
SET
PWDPOLICY
None
None
Meaning:Durati
on after which a
locked user is
unlocked
automatically.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30
AutoUnlockTim
e
BSC6910
SET
PWDPOLICY
None
None
Meaning:Durati
on after which a
locked user is
unlocked
automatically.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30
AUTOUNLOC
KTIME
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
SET
PWDPOLICY
None
None
LST
PWDPOLICY
Meaning:Indicates the
unlocking time
after the account
is locked
because of
incorrect
password inputs.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30
44
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
PwdMinLen
BSC6900
SET
PWDPOLICY
None
None
Meaning:Minim
um length of an
LMT login
password. When
a password is
shorter than this
length, the
password is
invalid.
GUI Value
Range:6~32
Unit:None
Actual Value
Range:6~32
Default Value:8
PwdMinLen
BSC6910
SET
PWDPOLICY
None
None
Meaning:Minim
um length of an
LMT login
password. When
a password is
shorter than this
length, the
password is
invalid.
GUI Value
Range:6~32
Unit:None
Actual Value
Range:6~32
Default Value:8
45
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
Complicacy
BSC6900
SET
PWDPOLICY
None
None
Meaning:Compl
exity of a
password.
LOWERCASE
(Lowercase)
indicates that the
password must
include
lowercase
letters.
UPPERCASE
(Uppercase)
indicates that the
password must
include
uppercase
letters. DIGIT
(Digit) indicates
that the
password must
include digits.
SPECHAR
(Special
character)
indicates that the
password must
include special
characters.
Special
characters are ~!
@#$%^&*()_+{}|[]:<>?./.
GUI Value
Range:LOWER
CASE
(Lowercase),
UPPERCASE
(Uppercase),
DIGIT(Digit),
SPECHAR
(Special
character)
Unit:None
Actual Value
Range:LOWER
CASE,
UPPERCASE,
46
SingleRAN
OM Security Feature Parameter Description
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
DIGIT,
SPECHAR
Default
Value:LOWER
CASE:
1,UPPERCASE
:1,DIGIT:
1,SPECHAR:0
47
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
Complicacy
BSC6910
SET
PWDPOLICY
None
None
Meaning:Compl
exity of a
password.
LOWERCASE
(Lowercase)
indicates that the
password must
include
lowercase
letters.
UPPERCASE
(Uppercase)
indicates that the
password must
include
uppercase
letters. DIGIT
(Digit) indicates
that the
password must
include digits.
SPECHAR
(Special
character)
indicates that the
password must
include special
characters.
Special
characters are ~!
@#$%^&*()_+{}|[]:<>?./.
GUI Value
Range:LOWER
CASE
(Lowercase),
UPPERCASE
(Uppercase),
DIGIT(Digit),
SPECHAR
(Special
character)
Unit:None
Actual Value
Range:LOWER
CASE,
UPPERCASE,
48
SingleRAN
OM Security Feature Parameter Description
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
DIGIT,
SPECHAR
Default
Value:LOWER
CASE:
1,UPPERCASE
:1,DIGIT:
1,SPECHAR:0
MaxRepeatChar
Times
BSC6900
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
single character
repeats allowed
in an LMT login
password. When
a single
character in a
password
repeats for more
times than this
number, the
password is
invalid.
GUI Value
Range:2~32
Unit:None
Actual Value
Range:2~32
Default Value:2
49
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MaxRepeatChar
Times
BSC6910
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
single character
repeats allowed
in an LMT login
password. When
a single
character in a
password
repeats for more
times than this
number, the
password is
invalid.
GUI Value
Range:2~32
Unit:None
Actual Value
Range:2~32
Default Value:2
MAXVALIDD
ATES
BSC6900
SET
PWDPOLICY
None
None
Meaning:Days
between the day
when a
password takes
effect and the
day when the
password
expires. The
password
becomes invalid
after being valid
for the days.
GUI Value
Range:1~999
Unit:day
Actual Value
Range:1~999
Default Value:
90
50
SingleRAN
OM Security Feature Parameter Description
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MAXVALIDD
ATES
BSC6910
SET
PWDPOLICY
None
None
Meaning:Days
between the day
when a
password takes
effect and the
day when the
password
expires. The
password
becomes invalid
after being valid
for the days.
GUI Value
Range:1~999
Unit:day
Actual Value
Range:1~999
Default Value:
90
Parameter ID: MAXPROMPTDATES
NE: BSC6900
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Maximum number of days in advance that users are notified that their password is going to expire. Once that point is reached, users are prompted with the number of remaining days.
  GUI Value Range: 1~255
  Unit: day
  Actual Value Range: 1~255
  Default Value: 5

Parameter ID: MAXPROMPTDATES
NE: BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Maximum number of days in advance that users are notified that their password is going to expire. Once that point is reached, users are prompted with the number of remaining days.
  GUI Value Range: 1~255
  Unit: day
  Actual Value Range: 1~255
  Default Value: 5

Parameter ID: HISTORYPWDNUM
NE: BSC6900
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Maximum number of historical passwords that can be saved. When this number is reached, the earliest historical password is deleted as soon as a new one arrives.
  GUI Value Range: 1~10
  Unit: None
  Actual Value Range: 1~10
  Default Value: 5

Parameter ID: HISTORYPWDNUM
NE: BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Maximum number of historical passwords that can be saved. When this number is reached, the earliest historical password is deleted as soon as a new one arrives.
  GUI Value Range: 1~10
  Unit: None
  Actual Value Range: 1~10
  Default Value: 5

Parameter ID: FirstLoginMustModPWD
NE: BSC6900
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Switch for forcing users to change the password upon their first login to the LMT.
  GUI Value Range: OFF (Close), ON (Open)
  Unit: None
  Actual Value Range: ON, OFF
  Default Value: OFF (Close)

Parameter ID: FirstLoginMustModPWD
NE: BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Switch for forcing users to change the password upon their first login to the LMT.
  GUI Value Range: OFF (Close), ON (Open)
  Unit: None
  Actual Value Range: ON, OFF
  Default Value: OFF (Close)

Parameter ID: DICTCHKSW
NE: BSC6900
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Switch for checking whether a password is in the weak password dictionary when a user is added or a user's password is modified. Weak passwords are included in the weak password dictionary. After this switch is turned on, common words or simple combinations of letters and digits, such as 111111, aaaaaa, abc123, linda, and snoopy, must not be used as passwords.
  GUI Value Range: OFF (Close), ON (Open)
  Unit: None
  Actual Value Range: ON, OFF
  Default Value: OFF (Close)

Parameter ID: DICTCHKSW
NE: BSC6910
MML Command: SET PWDPOLICY
Feature ID: None
Feature Name: None
Description:
  Meaning: Switch for checking whether a password is in the weak password dictionary when a user is added or a user's password is modified. Weak passwords are included in the weak password dictionary. After this switch is turned on, common words or simple combinations of letters and digits, such as 111111, aaaaaa, abc123, linda, and snoopy, must not be used as passwords.
  GUI Value Range: OFF (Close), ON (Open)
  Unit: None
  Actual Value Range: ON, OFF
  Default Value: OFF (Close)

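The SET PWDPOLICY parameters listed above (MaxRepeatCharTimes, MAXVALIDDATES, MAXPROMPTDATES, HISTORYPWDNUM, DICTCHKSW) describe checks an LMT applies to a new password; the following added example, which is not Huawei code, applies the same rules to a candidate password using the document's defaults. The reading of "single character repeats" as the total occurrence count of any one character, the dictionary contents and the plaintext history list are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample dictionary: the entries are the weak passwords named in the document.
WEAK_DICTIONARY = {"111111", "aaaaaa", "abc123", "linda", "snoopy"}


@dataclass
class PwdPolicy:
    """SET PWDPOLICY parameters with the defaults given in the parameter table."""
    MaxRepeatCharTimes: int = 2   # range 2~32
    MAXVALIDDATES: int = 90       # days, range 1~999
    MAXPROMPTDATES: int = 5       # days, range 1~255
    HISTORYPWDNUM: int = 5        # range 1~10
    DICTCHKSW: bool = False       # OFF (Close) by default


def max_single_char_repeat(pwd: str) -> int:
    """Largest number of occurrences of any one character (assumed reading of
    'single character repeats' in the MaxRepeatCharTimes description)."""
    return max((pwd.count(c) for c in set(pwd)), default=0)


def check_password(pwd: str, policy: PwdPolicy, history: list[str]) -> list[str]:
    """Return the policy violations for a new password; an empty list means accepted.
    history holds earlier passwords, oldest first (a real system would store hashes)."""
    problems: list[str] = []
    if max_single_char_repeat(pwd) > policy.MaxRepeatCharTimes:
        problems.append("MaxRepeatCharTimes exceeded")
    if policy.DICTCHKSW and pwd.lower() in WEAK_DICTIONARY:
        problems.append("password is in the weak password dictionary")
    # Only the newest HISTORYPWDNUM passwords are retained; older ones are deleted.
    if pwd in history[-policy.HISTORYPWDNUM:]:
        problems.append("password matches a retained historical password")
    return problems


def expiry_status(set_on: str, today: str, policy: PwdPolicy) -> str:
    """Classify a password set on set_on (ISO date) as 'valid',
    'expires in N days' (within MAXPROMPTDATES) or 'expired' (past MAXVALIDDATES)."""
    expires_on = date.fromisoformat(set_on) + timedelta(days=policy.MAXVALIDDATES)
    remaining = (expires_on - date.fromisoformat(today)).days
    if remaining <= 0:
        return "expired"
    if remaining <= policy.MAXPROMPTDATES:
        return f"expires in {remaining} days"
    return "valid"
```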
Parameter ID: AUTHMODE
NE: BSC6900
MML Command: ADD SNTPSRVINFO
Feature ID: None
Feature Name: None
Description:
  Meaning: Authentication mode used when the active OMU (NTP client) synchronizes with the NTP server.
  GUI Value Range: PLAIN (PLAIN), NTPV3 (NTPV3)
  Unit: None
  Actual Value Range: PLAIN, NTPV3
  Default Value: PLAIN (PLAIN)

Parameter ID: AUTHMODE
NE: BSC6910
MML Command: ADD SNTPSRVINFO
Feature ID: None
Feature Name: None
Description:
  Meaning: Authentication mode used when the active OMU (NTP client) synchronizes with the NTP server.
  GUI Value Range: PLAIN (PLAIN), NTPV3 (NTPV3)
  Unit: None
  Actual Value Range: PLAIN, NTPV3
  Default Value: PLAIN (PLAIN)

Parameter ID: AUTHMODE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Description:
  Meaning: Indicates the encryption mode. If this parameter is set to PLAIN, data is transmitted in plaintext.
  GUI Value Range: PLAIN (Plain), DES_S (DES_S), DES_N (DES_N), DES_A (DES_A), MD5 (MD5)
  Unit: None
  Actual Value Range: PLAIN, DES_S, DES_N, DES_A, MD5
  Default Value: PLAIN (Plain)

Parameter ID: KEY
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Description:
  Meaning: ASCII string of one to eight characters. The seven least significant digits of the ASCII value corresponding to each character are used to construct 56-bit key data. For any ASCII string of less than eight characters, 0s are appended to the string to ensure that the key data is composed of 56 bits. The key used in the MD5 algorithm is an encrypted ASCII string of one to eight characters.
  GUI Value Range: 1~16 characters
  Unit: None
  Actual Value Range: 1~16 characters
  Default Value: None

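The KEY description above defines how the DES key data is derived from the configured string; the following added example (not Huawei code) carries that construction out so the resulting 56-bit value can be inspected. It assumes that "seven least significant digits" means the seven low-order bits of each ASCII value and that padding zeros are appended on the right.

```python
def ntp_key_data(key: str) -> int:
    """56-bit key data for an NTPC KEY value, as an integer, most significant bit first.

    Each character contributes the seven least significant bits of its ASCII value;
    a key shorter than eight characters is padded with zero bits on the right.
    Added illustration, not Huawei code: 'digits' in the description is read as bits."""
    if not 1 <= len(key) <= 8 or not key.isascii():
        raise ValueError("key must be an ASCII string of one to eight characters")
    bits = 0
    for ch in key:
        bits = (bits << 7) | (ord(ch) & 0x7F)  # keep the 7 low-order bits only
    bits <<= 7 * (8 - len(key))                # append 0s so the key data is 56 bits
    return bits


def ntp_key_bits(key: str) -> str:
    """The same key data rendered as a 56-character binary string for inspection."""
    return format(ntp_key_data(key), "056b")
```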
Parameter ID: KEYID
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Description:
  GUI Value Range: 1~4294967295
  Unit: None
  Actual Value Range: 1~4294967295
  Default Value: None

Parameter ID: IP
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, RMV NTPC, SET MASTERNTPS
Feature ID: None
Feature Name: None

Parameter ID: PORT
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Description:
  GUI Value Range: 123~5999, 6100~65534
  Unit: None
  Actual Value Range: 123~5999, 6100~65534
  Default Value: 123

Parameter ID: SYNCCYCLE
NE: BTS3900, BTS3900 WCDMA, BTS3900 LTE
MML Command: ADD NTPC, MOD NTPC, LST NTPC
Feature ID: None
Feature Name: None
Description:
  Meaning: ...synchronization leads to higher loads for the NTP server and transport network. A larger period leads to lower loads.
  GUI Value Range: 1~525600
  Unit: min
  Actual Value Range: 1~525600
  Default Value: None

6 Counters

7 Glossary

8 Reference Documents