
Minimum Baseline Security Standard
Node Name: Internet Router
Make: Huawei NE 40

Unitech Wireless Tamilnadu (P) Ltd.

Uninor Internal
Copyright
All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd.

Trademarks
Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Table of Contents

Introduction
Use of the Document
Warning
Purpose
General Security Controls
Control Categories
Detailed Security Controls

Introduction

This document assists the operations team in deploying the minimum baseline security configuration on the node. The configuration standard details important items such as user account management, password management, interfaces, ports and services, audit logging and monitoring, and node-specific security configuration. Because security issues and configuration options change constantly across operating system releases, this document should be treated as a general guideline and a starting point, not as an exhaustive hardening reference.

Use of the Document

The MBSS document is for INTERNAL USE ONLY. It must be kept within the organization and treated as Uninor Internal as per the Information Classification Guidelines in the Uninor Information Security Policy ver 3.0. It is not to be distributed to Original Equipment Manufacturers or to Managed Service Partners.

Warning

This MBSS document and the accompanying guidance material are technically complex and are designed for use by trained security specialists working under the direction of a security partner or manager. Operations teams wishing to have this work performed for an organization should contact the designated security support staff in their office or territory. Partners or managers should ensure that staff assigned to the work have the necessary technical training, the appropriate technical reference materials and specialist support. Staff should therefore obtain partner approval before using this material.

Purpose

This MBSS document relates to the Huawei NE 40 Internet Router. It is intended for use by technical security practitioners implementing the minimum General Security Controls. A technical environment is comprised of a number of inter-related elements, including applications, databases, communications infrastructure elements and hardware.

The primary focus of this technical practice aid is to provide the minimum baseline security standard for the Internet Router, covering the properties, features and operating system of the product.

General Security Controls

General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls are largely independent of the technical environment in use. Often it is the combination of these two types of control that provides the most robust approach to an effective control environment. For example, a number of technology-specific auditing controls can be implemented, but unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective.

To complete a comprehensive review of general security controls, in addition to the MBSS document the operations team will require an understanding of the following platform-independent areas:
- Uninor Information Security Policy and procedures;
- Change and Problem Management;
- Incident Management;
- System Development;
- Disaster Recovery and Contingency Planning; and
- Physical Security.

Control Categories

The following control categories are included in the MBSS document.

Control Category 1: User Accounts and Groups
A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items.

Control Category 2: Password Management
A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system. This includes password complexity, aging, account locking and similar parameters.

Control Category 3: Interfaces, Ports and Services
A control that must be performed, either manually or automated, on a regular basis to disable or delete unused ports and services and to restrict services that transfer data in clear text.

Control Category 4: System Updates
A control that must be performed, either manually or automated, on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.

Control Category 5: File Access Control
A control that restricts access to critical configuration files, operating systems, etc.

Control Category 6: Audit Logging and Monitoring
Any control that logs user, administrative or system activity, and any control that assists in, or performs, system event logging or the monitoring of the security of the system.

Control Category 7: Node Properties and Feature Configuration
A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level. This includes enabling/disabling network services, boot sequence parameters, system interfaces, etc.

Detailed Security Controls

Each control below is recorded with the fields of the MBSS control table: Control Description, Control Objective/Rationale, Implementation Guidance, Mitigating Control (if any) and Implementation Status.

1. User Accounts and Groups

1.1 Unique individual user IDs
Control Description: Each user should be assigned a separate, individual user ID for router authentication in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Generic or shared accounts provide no accountability for actions taken using the account. This could result in abuse of access and potential malfunction of the network.
Mitigating Control, if any: A common read-only user ID is also in use for monitoring purposes. Exceptions are to be approved by the Uninor IS team.
Implementation Status: Implemented

1.2 Privileged accounts
Control Description: User IDs that disclose the privileges associated with them should not be created (for example ADMINISTRATOR, monitor, config).
Control Objective/Rationale: If a default or predictable login account name is used, it becomes very easy to run a brute-force cracking utility against its password. Having to guess both the username and the password makes brute-force attacks harder, though not impossible, and knowing the name of an account on a machine is valuable information to an attacker. Enforcing this control makes it more difficult for unauthorized users to guess and gain access to accounts such as ADMINISTRATOR, monitor or config, and ultimately to the system.
Implementation Status: Implemented

1.3 Default accounts
Control Description: Factory default user accounts and guest user accounts on the router (such as the Huawei default account) must be removed.
Control Objective/Rationale: Removing the factory default user accounts prevents unknown users from being authenticated as the vendor default account. Disabling these accounts reduces the system's remote unauthenticated attack surface and ensures that only specific security principals can access resources on the system.
Implementation Status: Implemented

1.4 Dormant accounts
Control Description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.
Control Objective/Rationale: Dormant user accounts increase the risk that unauthorized users could use these accounts to gain access to the system.
Implementation Status: Implemented

2. Password Management

2.1 Complexity
Control Description: The Internet router should enforce that passwords meet the complexity requirements of the Uninor Information Security Policy.
Control Objective/Rationale: Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user accounts easy to access. Once an intruder gains access to a user account, they can modify or delete files or processes owned by that user.
Mitigating Control, if any: The router does not enforce any complexity restriction; complexity is applied by the administrator when the password is set, so it must be verified procedurally at password creation.
Implementation Status: Implemented

2.2 System passwords
Control Description: Strong system passwords should be used for user login and for the privileged (management) level, in accordance with the Uninor Information Security Policy. (The EXEC and PRIV EXEC terms used in the template correspond on Huawei VRP to the user's login password and to the super password used to raise the user level.)
Control Objective/Rationale: If a weak password is used, unauthorized users may be able to guess the router's password and obtain access to the router.
Implementation Guidance: When setting the password for the relevant user or port, enter a strong password that complies with the Uninor Information Security Policy.
Securing console (CON) access: in AAA view, local-user user-name password { simple | cipher } password
Securing VTY access: user-interface vty first-ui-number [ last-ui-number ], then in AAA view local-user user-name password { simple | cipher } password
Always choose the cipher form; simple stores the password in clear text in the configuration.
Implementation Status: Implemented

2.3 Password encryption
Control Description: Encrypt all passwords used for login access (i.e., CON and VTY).
Control Objective/Rationale: If passwords are not encrypted they are visible in clear text in the router configuration file, and anyone who can read or back up the configuration obtains them.
Implementation Guidance: Use the cipher keyword in every local-user ... password and set authentication password command; never use simple.
Implementation Status: Implemented

2.4 Administrator password encryption
Control Description: The administrative password should be protected using an encryption algorithm in accordance with the Uninor Information Security Policy. Store it as a one-way hash: the template names MD5, which is no longer considered a strong password hash, so use the strongest irreversible form the VRP release supports. Note that on older VRP releases the cipher form is reversible encryption rather than a hash, so the configuration file itself must still be protected (see 5.1 and 5.3).
Control Objective/Rationale: Weak password encryption increases the risk that unauthorized individuals may compromise the router and that sensitive network information may be revealed.
Implementation Guidance: Verify that a super password exists in the configuration and is stored in cipher form, for example: super password level 15 cipher X7>3N-,10,YB,.\#C3YB91!! The number after level is the user privilege level that the password unlocks, not an indication of the storage algorithm; the storage form is given by the keyword that follows it (simple means clear text, cipher means encrypted). The template's statement that a 0 after the command denotes weak encryption and a 15 denotes MD5 describes Cisco IOS enable password types and does not apply to Huawei VRP.
Implementation Status: Implemented

2.5 Account lock
Control Description: The account lockout feature, which disables an account after a number of failed login attempts, should be enabled and the related parameters set in accordance with the Uninor security policy and guidelines.
Control Objective/Rationale: Unauthorized users may gain access to a system by running a program that guesses user passwords through brute-force attacks. Without the lockout feature enabled, the chance of a successful compromise of system resources through brute-force password guessing increases.
Mitigating Control, if any: Not supported on the current release; exceptions are to be approved by the Uninor IS team. Since unauthorized access attempts are captured by the router's logging (6.1) and forwarded to the central syslog server (6.3), monitoring that feed for repeated login failures per source address is the compensating detective control. Re-verify this status after each VRP upgrade.
Implementation Status: Not Supported

2.6 Default passwords
Control Description: Default passwords on the router should be changed upon installation. In addition, these passwords should be complex and conform to the Uninor Information Security Policy.
Control Objective/Rationale: Application default passwords are widely known and are typically the initial targets for attacks. The risk of unauthorized access increases if these passwords are not changed.
Implementation Status: Implemented
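Because the router cannot lock accounts after failed logins (2.5), the compensating control is to watch the central syslog feed (6.3) for bursts of login failures. The following detector is an added example, not part of the Uninor MBSS and not a Huawei tool: it keeps a sliding five-minute window of failures per source address, raises one alert when a source reaches the threshold, and raises a second when a login from a source with an active burst succeeds (a password-guessing run that worked). The log lines are constructed for the example and only modelled on the VRP SHELL LOGINFAILED and LOGIN messages; the exact field names, the host name NE40-INET-1, the addresses, the user names and the threshold of 5 failures in 5 minutes are all assumptions.

```python
"""Brute-force login detection over a router syslog feed (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines, modelled on VRP SHELL/5/LOGINFAILED and SHELL/5/LOGIN
# messages as received by a syslog server. Field names and values are assumptions.
SAMPLE_LOG = """\
Jan 14 2013 09:11:50 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[30]:Failed to login. (Ip=10.10.5.7, UserName=netops-bob, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:11:58 NE40-INET-1 %%01SHELL/5/LOGIN(l)[31]:The user succeeded in logging in. (Ip=10.10.5.7, UserName=netops-bob, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:01 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[32]:Failed to login. (Ip=203.0.113.45, UserName=admin, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:04 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[33]:Failed to login. (Ip=203.0.113.45, UserName=admin, Times=2, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:08 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[34]:Failed to login. (Ip=203.0.113.45, UserName=root, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:11 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[35]:Failed to login. (Ip=203.0.113.45, UserName=huawei, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:15 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[36]:Failed to login. (Ip=203.0.113.45, UserName=monitor, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:19 NE40-INET-1 %%01SHELL/5/LOGINFAILED(l)[37]:Failed to login. (Ip=203.0.113.45, UserName=config, Times=1, AccessType=SSH, VpnName=)
Jan 14 2013 09:12:40 NE40-INET-1 %%01SHELL/5/LOGIN(l)[38]:The user succeeded in logging in. (Ip=203.0.113.45, UserName=netops-alice, AccessType=SSH, VpnName=)
Jan 14 2013 09:13:02 NE40-INET-1 %%01SRM/4/STATUS(l)[39]:Unrelated message, ignored by the parser.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01SHELL/\d/(?P<event>LOGINFAILED|LOGIN)\(l\)\[\d+\]:.*?"
    r"Ip=(?P<ip>[\d.]+), UserName=(?P<user>[^,]*),"
)


def parse_line(line):
    """Return a dict for login events, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "host": m.group("host"),
        "event": m.group("event"),
        "ip": m.group("ip"),
        "user": m.group("user"),
    }


def analyse(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for lines given in time order, as a syslog server delivers them.

    ("BRUTE_FORCE", ip, failures_in_window, [user names tried]) once per burst when a
    source reaches `threshold` failures inside `window`;
    ("SUCCESS_AFTER_FAILURES", ip, user) when a source with an active burst logs in.
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)        # ip -> user names attempted during the current burst
    alerted = set()                 # ips already reported for their current burst

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, q = ev["ip"], failures[ev["ip"]]
        while q and ev["time"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if not q:                                  # burst is over: reset per-source state
            alerted.discard(ip)
            tried[ip].clear()

        if ev["event"] == "LOGINFAILED":
            q.append(ev["time"])
            tried[ip].add(ev["user"])
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(q), sorted(tried[ip])))
        elif len(q) >= threshold:                  # successful login right after a burst
            alerts.append(("SUCCESS_AFTER_FAILURES", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample feed the legitimate user's single typo from 10.10.5.7 produces nothing, while 203.0.113.45 is reported once when its fifth failure arrives (listing the account names it cycled through, which also surfaces probing for the default names that 1.2 and 1.3 forbid) and again when a login from that address succeeds. The per-source state is reset only once the window has drained, so a sustained attack does not generate one alert per failed attempt.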

3. Interfaces, Ports and Services

3.1 Physical interfaces
Control Description: All routers in the environment should require users to log in for terminal access in accordance with the Uninor Information Security Policy. Enable user login for all terminal line ports, including:
- VTY: a virtual line connection. Huawei routers typically have five VTY connections (0-4) by default.
- CON: the default port for performing administration and maintenance on the router. The CON port is a physical port located on the router.
Control Objective/Rationale: By default, access to these ports is not password protected. If no authentication is configured on a user interface (the Huawei equivalent of the Cisco login directive is the authentication-mode setting under the user-interface; authentication-mode none must not be used), anyone with network visibility to the router can gain command prompt access.
Implementation Guidance: To require users to log in on VTY and CON before accessing the router, issue the following commands.
Securing console (CON):
system-view
user-interface console ui-number
idle-timeout minutes [ seconds ]
set authentication password { cipher | simple } password
commit
For individual accounts, define them in AAA view with local-user user-name password { simple | cipher } password and select AAA authentication (authentication-mode aaa) on the user interface instead of a shared line password.
Securing VTY:
system-view
user-interface vty first-ui-number [ last-ui-number ]
shell
idle-timeout minutes [ seconds ]
followed by the same authentication settings as for the console.
Implementation Status: Implemented

3.2 System services
Control Description: Disable unauthorized services/daemons on the router based on the Uninor Information Security Policy. Identify the services running on the device via vulnerability assessment (a port scan of the management and external addresses) and disable those that are not authorized. Only services that serve a documented operational or business need should be listening on the node.
Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, manipulate system functioning, etc. A system with a service such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with the Telnet service enabled can be used to run a spurious process on the system, adding dead weight to the processor load, and exposes credentials in clear text (see 7.6).
Implementation Status: Implemented

4. System Updates

4.1 Patch
Control Description: Upgrade the router to a supported stable patch version recommended by the OEM after proper testing has been performed. Follow the router firmware upgrade procedures for the model being upgraded. The router must be updated with the latest stable patches (bug fixes) specifically related to security.
Control Objective/Rationale: Operating system security vulnerabilities are found on a regular basis. These security holes may pose a significant risk to the internal network. Enforcing this control helps ensure the system always has the most recent critical operating system updates and service packs installed.
Implementation Status: Implemented

5. File Access Control

5.1 Restrict file access
Control Description: Access (read/write/modify) to sensitive router configuration files should be restricted from unauthorized personnel.
Control Objective/Rationale: Unrestricted access may let unauthorized users modify or delete sensitive system and configuration files, which may further lead to unstable performance of the Internet router. Configuration files also contain credentials and SNMP community strings that are recoverable if they are stored in simple or reversible cipher form (see 2.4).
Implementation Status: Implemented

5.2 Configuration backup
Control Description: Perform backups of the running configuration to the router's Flash/NVRAM memory. Fault tolerance, backup, and recovery procedures should be documented in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Fault tolerance, backup, and recovery procedures promote network availability and recoverability. Without such procedures, unexpected downtime could have a severe impact on the business.
Implementation Guidance: Write the running configuration to the startup configuration file whenever a change is made; on Huawei VRP this is the save command (save file-name to write to a named file). The configfile { flash | nvram } download config and save memory syntax carried over from the template is not Huawei VRP syntax and should be dropped from the procedure. Create fault tolerance, backup, and recovery procedures in accordance with the Uninor Information Security Policy.
Implementation Status: Implemented

5.3 Configuration backup servers
Control Description: Network file servers containing router configuration files should be properly restricted from unauthorized personnel. Restrict network file servers so that only authorized personnel can access router configuration files.
Control Objective/Rationale: Unrestricted access to the backup servers may let unauthorized users obtain critical information from configuration files, which may be further used to gain unauthorized access to the router, impersonate the router, etc.
Implementation Status: Implemented

5.4 Legal notice banner
Control Description: A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues. Configure the Uninor-authorized login banner on the router as specified in the Uninor Information Security Policy.
Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
Implementation Guidance: On Huawei VRP the banner shown before login is set in system view with header login information "text".
Implementation Status: Implemented

6. Audit Logging and Monitoring

6.1 Audit logging
Control Description: Enable system logging in accordance with the Uninor Information Security Policy to capture O&M activities, system failures, policy violations, unauthorized access attempts, system events, faults, etc.
Control Objective/Rationale: Enforcing audit logging allows security incidents to be detected and ensures that enough evidence is available for analysis of those incidents. Insufficient logging results in a lack of an audit trail in the event of unauthorized access. With good logging and monitoring, administrators are often given early warning of hardware and software errors or problems.
Implementation Status: Implemented

6.2 Command logging
Control Description: Configuration file changes should be monitored and logged in accordance with the Uninor Information Security Policy. Sensitive files such as configuration parameters and logs should not be open to modification or deletion.
Control Objective/Rationale: Any authorized or unauthorized, known or unknown use of critical commands that change either the database or the configuration parameters should be logged so that no access to these sensitive files goes unnoticed. It also ensures that evidence is available to trace the source of a change, and makes it possible to roll back from an unstable network state caused by an improper command.
Implementation Status: Implemented

6.3 Logs archive
Control Description: Router logs should be sent to a central syslog server. Archive all security-relevant logs for the period stipulated by applicable laws and regulations. Activity logs need to be retained online for 12 months and offline for 24 months.
Control Objective/Rationale: A central logging server acts as a central repository for log messages. Without it, log messages may be lost if the router is disabled by technical glitches or a directed attack. Having all audit logs archived ensures that they are available when needed and ensures compliance with the requirements of the regulator.
Implementation Guidance: The template gives the Cisco IOS commands logging <ip address> and service timestamps log datetime [msec] [localtime] [showtimezone] and notes that the Huawei commands are to be included. On Huawei VRP the equivalents, in system view, are info-center enable, info-center loghost <ip address>, and info-center timestamp log date to timestamp each entry. Keep the router clock synchronized so that entries on the syslog server can be correlated across devices.
Implementation Status: Implemented

6.4 Monitoring
Control Description: SNMP on routers connected to networks should be configured in a secure manner consistent with the Uninor Information Security Policy.
Control Objective/Rationale: SNMP traps and polls that are not configured using a secured method transmit information, including the community string, in clear text; only SNMPv3 with authentication and privacy protects it. SNMPv2c and SNMPv3 also support GET BULK transactions, in which multiple pieces of information can be queried and retrieved without additional requests.
Implementation Guidance: To select the SNMP version and enable traps, enter the following commands in system view: snmp-agent sys-info version { v1 | v2c | v3 | all }; snmp-agent trap enable [ trap-type ]. Enable only v3 wherever the management station supports it; version all also accepts v1/v2c requests with community strings. The trap receiver itself is configured with snmp-agent target-host. Do not make a read-only string the same as a read-write string.
Implementation Status: Implemented

6.5 Hardware support
Control Description: Mission-critical routers should utilize hardware support programs.
Control Objective/Rationale: Support programs can provide immediate assistance in case of a hardware disaster. For example, in case of a fire, an emergency router may need to be shipped to the premises.
Implementation Status: Implemented

6.6 Review of security and audit logs
Control Description: Security and audit logs should be reviewed in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Audit logs should be maintained and kept for legal and audit purposes. Removal of these logs could expose the company to unnecessary liability and to the loss of evidence needed in litigation.
Implementation Status: Implemented

7. Router Properties and Feature Configuration

7.1 Default SNMP community string
Control Description: All routers monitored via SNMP should have non-default SNMP community strings. In addition, only specific management stations should be allowed to poll the device through SNMP.
Control Objective/Rationale: Read-only and read-write community access to a Huawei router can allow an intruder to gain unauthorized access to the router. Default SNMP strings, such as public and private or read and write, are easily guessed by potential intruders.
Implementation Guidance: To assign community strings to the SNMP agent, issue snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl number ] in system view (acl number refers to an access list of the IP addresses permitted to use the community string to access the SNMP agent; always specify it). Use display snmp-agent community to list the strings currently configured. To remove the public and private communities: undo snmp-agent community community-name. Read-write strings should be specified ONLY if remote configuration changes will be made over SNMP.
Implementation Status: Implemented

7.2 Router fail-over
Control Description: Mission-critical routers should take advantage of Huawei's fail-over capabilities.
Control Objective/Rationale: Huawei firmware and hardware offer advanced fail-over capabilities in case of hardware or software failure. Implement Huawei's fail-over (i.e., VRRP) to ensure a high level of network availability on critical routers. Mission-critical routers (typically core routers) may be good candidates to take advantage of the Huawei fail-over capabilities.
Implementation Guidance: Configure VRRP on critical external routers, specifying the following in the interface view of each router's external and internal interfaces respectively:
vrrp vrid <vrrp-id> virtual-ip <ip-address>
vrrp vrid <vrrp-id> priority <number>
vrrp vrid <vrrp-id> preempt-mode timer delay <sec>
Use the same VRRP authentication setting on every member of a VRRP group so that an unauthenticated host on the segment cannot inject advertisements and take over the virtual address.
Implementation Status: Implemented

7.3 Idle timeout
Control Description: Routers should be configured to abort VTY interactive sessions that were terminated in an abnormal way.
Control Objective/Rationale: Closing idle sessions provides reasonable assurance that any sessions left hanging by a remote system crash or disconnection will not block or use up the available router VTY ports. This also helps to guard against malicious use of an unattended session.
Implementation Guidance: Issue the following command in the user-interface view (not in system view) of the console and of each VTY range to detect and delete "dead" interactive sessions: idle-timeout minutes [ seconds ]. A value of 0 0 disables the timeout and must not be used; the VRP default is 10 minutes.
Implementation Status: Implemented

7.4 Encryption
Control Description: IPSec should be implemented where sensitive data traverses untrusted or semi-trusted internal networks, in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Sensitive information may be the target of sniffing attacks by intruders. If transactions contain highly confidential information, they are vulnerable to sniffing if not encrypted. Integrity algorithms (hashes used in an authenticated mode) mitigate the loss of data integrity should the data be manipulated in transit.
Implementation Guidance: Implement IPSec to protect confidential information, using AES for the encryption transform; the router-to-router DES encryption named in the template uses a 56-bit key and is no longer acceptable. The template's command guidance is Cisco IOS crypto map syntax and needs to be updated with the Huawei commands:
crypto map <map-name> <seq-num>
crypto map <map-name> <seq-num> ipsec-manual
crypto map <map-name> <seq-num> ipsec-isakmp [ dynamic <dynamic-map-name> ]
In interface configuration mode, crypto maps are then applied to specific interfaces with crypto map map-name.
Several other requirements exist for IPSec on Huawei devices. Consult Huawei or a subject matter expert for further information.
Implementation Status: Not Required (the Uninor IS team is to decide whether it is required).

7.5 Privilege levels
Control Description: Different levels of privileged access should be defined to restrict administrators with varying responsibilities, in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: It may not be necessary for all administrators or users to have full privileged access to the router. Administrators who do not require this functionality may make unauthorized changes to the configuration.
Implementation Guidance: Huawei VRP provides 16 privilege levels (0-15). By default commands are grouped into four classes: level 0 (visit: ping, tracert, telnet), level 1 (monitoring: display commands), level 2 (configuration) and level 3 (management: file system, user and upgrade commands); levels 4-15 are available for finer-grained separation. The template's description of user EXEC at level 1 and enabled mode at level 15 is Cisco IOS terminology. Assign each administrator the lowest level that covers their duties (the local-user level setting in AAA view) and protect escalation with a super password (see 2.4).
Implementation Status: Implemented

7.6 Encrypted management access (SSH)
Control Description: SSH should be used to remotely access a router. If Telnet access is required, it should be allowed only via a secure IPSec tunnel between the remote system and the router. For devices that support SSH, enable the SSH protocol and remove Telnet access to the router.
Control Objective/Rationale: Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it could place critical network devices at risk of compromise.
Implementation Guidance: Before enabling SSH on the router, generate an RSA key pair. The template gives the Cisco IOS command crypto key generate rsa and the SSH parameters ip ssh [ timeout seconds ] [ authentication-retries integer ]; on Huawei VRP the equivalents are rsa local-key-pair create, stelnet server enable, and ssh server timeout / ssh server authentication-retries. User authentication will be required, either locally or through AAA (local-user user-name service-type ssh, and ssh user user-name authentication-type password). Restrict the VTY user interfaces to SSH with protocol inbound ssh, disable the Telnet service with undo telnet server enable, and allow only SSH version 2.
Implementation Status: Implemented
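Several of the controls above can be verified directly from the output of display current-configuration: clear-text password storage (2.3, 2.4), user-interface authentication and idle timeout (3.1, 7.3), the login banner (5.4), remote syslog (6.3), SNMP version and community strings (6.4, 7.1) and SSH-only management (7.6). The checker below is an added example, not part of the Uninor MBSS and not a Huawei tool, that runs those checks over two constructed configurations: one that fails the baseline and the corrected form of the same device. The command syntax follows Huawei VRP, but the addresses, user and account names, the elided cipher strings, the inclusion of "admin" among role-revealing names and the ten-minute idle limit are assumptions for the example, and the SNMPv3 commands omitted from the hardened sample vary between VRP releases.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private", "read", "write"}                 # named in MBSS 7.1
REVEALING_USERS = {"administrator", "admin", "monitor", "config", "huawei"}  # MBSS 1.2/1.3; "admin" added by assumption
MAX_IDLE_SECONDS = 600                                                       # assumed value for MBSS 7.3

# Constructed sample: a device that fails the baseline on several controls.
WEAK_CONFIG = """\
#
 telnet server enable
#
snmp-agent community read public
snmp-agent sys-info version all
#
aaa
 local-user admin password simple Admin123
 local-user admin service-type telnet
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode password
 set authentication password simple vtypass
 protocol inbound all
"""

# Constructed sample: the same device after the controls are applied (cipher text elided).
HARDENED_CONFIG = """\
#
 header login information "Authorised access only. Activity is logged."
 undo telnet server enable
 stelnet server enable
 info-center loghost 10.10.5.20
#
snmp-agent sys-info version v3
super password level 3 cipher %^%#elided%^%#
#
aaa
 local-user netops-alice password cipher %^%#elided%^%#
 local-user netops-alice service-type ssh
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 5 0
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 5 0
 protocol inbound ssh
"""

def parse_blocks(config):
    """Split VRP config text into (view header, [sub-commands]); a '#' line closes a view."""
    blocks, header, body = [], "", []
    for raw in config.splitlines():
        if raw.startswith(" ") and raw.strip():          # indented: command inside the open view
            body.append(raw.strip())
            continue
        if header or body:                                # column 0 or '#': close the open view
            blocks.append((header, body))
        header, body = ("" if raw.strip() in ("#", "return", "") else raw.strip()), []
    if header or body:
        blocks.append((header, body))
    return blocks

def check_baseline(config):
    """Return [(MBSS control, message)] for each deviation found in the configuration."""
    blocks = parse_blocks(config)
    lines = [h for h, _ in blocks if h] + [l for _, b in blocks for l in b]
    found = []
    users = {m.group(1) for m in (re.match(r"local-user (\S+) ", l) for l in lines) if m}
    found += [("1.2", f"account name reveals its role or is a default: {u}") for u in sorted(users) if u.lower() in REVEALING_USERS]
    found += [("2.3", f"clear-text password: {l}") for l in lines if " password simple " in l]
    supers = [l for l in lines if l.startswith("super password")]
    found += [("2.4", "no super password configured")] if not supers else [("2.4", f"super password in clear text: {l}") for l in supers if " simple " in l]
    for header, body in blocks:                            # 3.1, 7.3 and 7.6 per user interface
        if not header.startswith("user-interface"):
            continue
        auth = next((l.split()[-1] for l in body if l.startswith("authentication-mode")), "not set")
        if auth in ("none", "not set"):
            found.append(("3.1", f"{header}: login authentication {auth}"))
        idle = next((l.split() for l in body if l.startswith("idle-timeout")), None)
        secs = None if idle is None else int(idle[1]) * 60 + (int(idle[2]) if len(idle) > 2 else 0)
        if not secs or secs > MAX_IDLE_SECONDS:            # missing, 0 (disabled) or longer than policy
            found.append(("7.3", f"{header}: idle-timeout {'not set' if secs is None else secs} outside policy"))
        if header.startswith("user-interface vty") and "protocol inbound ssh" not in body:
            found.append(("7.6", f"{header}: inbound protocol not restricted to SSH"))
    if not any(l.startswith("header login") for l in lines):
        found.append(("5.4", "no login banner (header login) configured"))
    if not any(l.startswith("info-center loghost") for l in lines):
        found.append(("6.3", "no info-center loghost: logs stay on the router only"))
    for l in lines:
        m = re.match(r"snmp-agent sys-info version (.+)", l)
        if m and {"v1", "v2c", "all"} & set(m.group(1).split()):
            found.append(("6.4", f"SNMPv1/v2c enabled, community strings travel in clear text: {l}"))
        m = re.match(r"snmp-agent community (read|write) (\S+)(.*)", l)
        if m and m.group(2).lower() in DEFAULT_COMMUNITIES:
            found.append(("7.1", f"default SNMP community string: {m.group(2)} ({m.group(1)})"))
        if m and " acl " not in m.group(3):
            found.append(("7.1", f"community {m.group(2)} not restricted by ACL to management stations"))
        if re.match(r"local-user \S+ service-type .*\btelnet\b", l):
            found.append(("7.6", f"Telnet login permitted: {l}"))
    if "telnet server enable" in lines:
        found.append(("7.6", "telnet server enabled: credentials cross the network in clear text"))
    return found
```

Run check_baseline over a saved copy of the configuration taken from the backup server (5.3) rather than from the live device, so that the audit itself needs no privileged session; the weak sample produces fifteen findings across ten controls and the hardened sample produces none. The parser relies on the one-space indentation that VRP uses for commands inside a view, so configuration text that has been re-indented by another tool must be normalised first.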

7.7 TCP SYN attacks
Control Description: Routers should be configured to reduce the likelihood of TCP SYN attacks.
Control Objective/Rationale: TCP SYN attacks are used to fill router queues, degrading performance and potentially creating a Denial of Service.
Implementation Guidance: Configuration involves blocking external data packets that contain an internal source IP address. This configuration is outlined below:
rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]
Implementation Status: To be checked.

7.8 Port description
Control Description: Interfaces should have an appropriate description assigned to them. Assign a description to each interface.
Control Objective/Rationale: Detailed descriptions of connections will make it easier for administrators to review what types of connections are being made to the router.
Implementation Guidance: In interface configuration mode, type the command description followed by a description of the interface's purpose. Example:
interface { interface-type interface-number | interface-name }
Implementation Status: Implemented

7.9 Auto load configuration
Control Description: Routers should load configuration information from local memory only. Disable Auto-Loading, thereby requiring that the router configuration is loaded from local memory and not from the network.
Control Objective/Rationale: Auto-Loading allows a Huawei router configuration to be loaded at startup from either local memory or from the network. Loading the router configuration from a network source is not secure and should be avoided, as an attacker could load alternative router configurations.
Implementation Guidance: To disable Auto-Loading from a network source issue the following commands: (needs to be updated with Huawei router details)
Implementation Status: Implemented

7.10 ICMP restriction
Control Description: Routers should not respond to ICMP mask requests on interfaces connected to untrusted networks.
Control Objective/Rationale: Not restricting IP Mask Reply messages can aid an attacker in mapping the physical topology of the targeted network.
Implementation Guidance: To disable IP Mask Reply messages issue the following command on the desired interface: (not applicable in Uninor Internet router)
Implementation Status: To be checked.

7.11 Disable HTTP
Control Description: Web-based router administration (HTTP) should not be allowed. Disable the HTTP service on the router. If remote administration is required, administration should only be allowed from approved IP addresses.
Control Objective/Rationale: An attacker can launch focused web-based attacks over ports 80 and 443. For example, a vulnerability exists that allows an attacker to view the router configuration using an HTTP exploit. If an attacker is able to view this configuration he/she will also be able to view encrypted passwords for enable and vty, aux and con sessions.
Implementation Status: Implemented

7.12 Static route
Control Description: Routers should not perform route caching. Disable the router's ability to cache routes.
Control Objective/Rationale: Routers should not perform route caching.
Implementation Guidance: To disable Huawei route-caching issue the following command on the desired interface:
undo ip route-static ip-address { mask | masklen } [ interface-type interface-name | nexthop-address ] [ preference value ]
undo ip route-static { all | ip-address { mask | masklen } [ interface-type interface-name | nexthop-address ] [ preference value ] }
Implementation Status: Not relevant as static routing is required.

7.13 Idle timeout
Control Description: Set timeout values for an unattended console. All routers in the environment should have appropriate session timeout values assigned.
Control Objective/Rationale: Session timeouts provide additional security against consoles that are left unattended. If a user can gain access to a console left unattended they can modify the router's configuration. Additionally, it prevents an idle session from tying up a terminal line port indefinitely.
Implementation Guidance: In configuration mode issue the following command:
idle-timeout minutes [ seconds ]
Implementation Status: Implemented

7.14 IP spoofing
Control Description: Routers should be configured to prevent IP spoofing. Create an access list that drops incoming traffic with a source address of the internal network to prevent IP spoofing.
Control Objective/Rationale: If IP spoofing is allowed it is possible that unauthorized traffic may bypass access control lists on the router by claiming that the traffic came from the internal network.
Implementation Guidance: Use the following command to help mitigate the risk of IP spoofing attacks:
acl acl-number
rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
(Where <ip network class> is the address of the internal network and <reverse subnet mask> is the wildcard for a class B network.) Apply this access list to all inbound requests on all external interfaces.
Implementation Status: To be checked.

7.15 Remote terminal access
Control Description: Routers should restrict which hosts can access remote terminal sessions. Assign an appropriate Access List that restricts access to all VTY sessions.
Control Objective/Rationale: Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.
Implementation Guidance: In configuration mode, first create an appropriate access list using the access-list command:
rule 10 permit vpn-instance om source 10.34.0.0 0.0.255.255
Once the access list has been created, apply it to the appropriate terminal (typically vty 0 4) using the access-group <basic access list number> in command:
acl acl-number | name acl-name { inbound | outbound }
Implementation Status: Implemented

7.16 Time synchronization
Control Description: Synchronize the router's time with a central timeserver. Enable Network Time Protocol (NTP) with authentication on the router and limit which host(s) the router will utilize for time synchronization.
Control Objective/Rationale: Using a centralized timeserver will help lower the risk of an intruder corrupting the device's internal clocks, which may further corrupt log timestamps and weaken forensic capabilities.
Implementation Guidance: Enable NTP on the router by issuing the following commands: system-view, display clock-config. Designate an internal NTP host and configure the router to be able to synchronize only to that host by issuing: clock manual source sourcevalue. Disable NTP on external interfaces through which NTP information does not flow. This will help prevent attacks directed at the network time protocol. NTP can be disabled on an interface using the following command: ntp disable.
Implementation Status: Implemented
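The anti-spoofing filter of 7.7 and 7.14 and the VTY access list of 7.15 rest on the same mechanism: a basic ACL rule compares the packet's source address with a network address through a wildcard mask (the "reverse subnet mask"), and the lowest-numbered matching rule decides. The Python below is an added example, not part of this standard and not Huawei's software. It derives the wildcard from a CIDR prefix, evaluates sample source addresses against two constructed rule sets, and renders the rules in the form the baseline quotes. The 10.34.0.0/16 prefix comes from the 7.15 example; the ACL number, the sample addresses and the `default` action when no rule matches (which differs between interface packet filtering and user-interface binding and must be confirmed against the platform) are assumptions, and the vpn-instance keyword of the 7.15 rule is left out.

```python
"""Evaluate Huawei-style basic ACL rules (source address + wildcard mask)
against sample source addresses: anti-spoofing on an external interface
(7.7, 7.14) and the VTY access list of 7.15. Constructed example; the rule
form follows 'rule [ rule-id ] { deny | permit } source ...' from the baseline."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                # "permit" or "deny"
    source: str = "any"        # dotted-quad network address, or "any"
    wildcard: str = "0.0.0.0"  # wildcard mask: 0 bit = must match, 1 bit = don't care


def wildcard_for(cidr: str) -> str:
    """CIDR prefix -> wildcard the ACL syntax expects, e.g. 10.34.0.0/16 -> 0.0.255.255."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def matches(rule: Rule, src_ip: str) -> bool:
    """True when src_ip agrees with rule.source on every bit the wildcard cares about."""
    if rule.source == "any":
        return True
    care = ALL_ONES ^ int(ipaddress.ip_address(rule.wildcard))
    return (int(ipaddress.ip_address(src_ip)) & care) == (int(ipaddress.ip_address(rule.source)) & care)


def evaluate(rules, src_ip: str, default: str) -> str:
    """First matching rule (ordered by rule-id) wins; 'default' applies when
    nothing matches, because that default depends on where the ACL is bound."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule, src_ip):
            return rule.action
    return default


def render(acl_number: int, rules) -> str:
    """Render the rule set as CLI lines in the baseline's syntax (assumed numbering)."""
    out = [f"acl {acl_number}"]
    for r in sorted(rules, key=lambda r: r.rule_id):
        src = "any" if r.source == "any" else f"{r.source} {r.wildcard}"
        out.append(f" rule {r.rule_id} {r.action} source {src}")
    return "\n".join(out)


# Constructed internal prefix; 7.15 uses 10.34.0.0 0.0.255.255 for the O&M range.
INTERNAL_NET = "10.34.0.0/16"

# 7.7 / 7.14: on an external interface, drop inbound packets that claim an
# internal source address, then let everything else through.
ANTI_SPOOF_RULES = [
    Rule(5, "deny", "10.34.0.0", wildcard_for(INTERNAL_NET)),
    Rule(10, "permit"),
]

# 7.15: only the internal range may reach the VTY login prompt; all else denied.
VTY_RULES = [Rule(10, "permit", "10.34.0.0", "0.0.255.255")]

if __name__ == "__main__":
    print(render(2001, ANTI_SPOOF_RULES))
    for ip in ("10.34.5.5", "198.51.100.9"):
        print("external ingress", ip, "->", evaluate(ANTI_SPOOF_RULES, ip, default="permit"))
    for ip in ("10.34.12.7", "192.0.2.5"):
        print("vty login from", ip, "->", evaluate(VTY_RULES, ip, default="deny"))
```

The anti-spoofing set is evaluated with a permit default (only internal-sourced packets are dropped at the edge), the VTY set with a deny default (only the listed range may log in); whichever default the live platform applies at that binding point is the one that should be passed in, and the rendered rules should be compared with the running ACL before the script is relied on.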

7.17 Source routing
Control Description: Routers should discard any IP datagram containing a source-route option. Prevent IP source routing options from being used to spoof traffic.
Control Objective/Rationale: If IP Source Routing is enabled, the router will merely act as a store-and-forward device. When a router receives a data packet, it will simply forward it on to its destination. This feature is rarely used and can be used for network attacks.
Implementation Guidance: To disable IP Source Routing issue the following commands: config t, undo ip source-route
Implementation Status: Implemented

7.18 Unused port
Control Description: Interfaces not being used should be disabled. Shut down unused interfaces.
Control Objective/Rationale: Unused interfaces may leave a network open to attack.
Implementation Guidance: Issue the interface command 'shutdown' for each interface that needs to be shut down. Example:
system-view
interface serial 1/1
shutdown
Implementation Status: Implemented

_______________________________________________________________________________________________________
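Several of the controls above can be verified offline from a saved copy of the running configuration (display current-configuration) rather than by logging in to each router: 7.6 (SSH only, telnet off), 7.8 (interface descriptions), 7.13 (idle timeout), 7.15 (ACL on the VTY lines), 7.16 (NTP server, authentication, NTP disabled on external interfaces), 7.17 (source routing) and 7.18 (unused interfaces shut down). The Python below is an added example, not part of this standard and not Huawei's software. It splits a VRP-style configuration into its '#'-delimited blocks and reports which controls a constructed sample configuration fails. The sample configuration, its interface names and addresses, the ten-minute idle limit, and the command spellings the checks look for (stelnet server enable, undo telnet server enable, protocol inbound ssh, ntp-service ..., acl ... inbound) are assumptions to be confirmed against the NE40 command reference before the script is used on a real export.

```python
"""Offline baseline check of a Huawei VRP-style router configuration
(controls 7.6, 7.8, 7.13, 7.15, 7.16, 7.17, 7.18). Constructed example;
command spellings are assumed VRP syntax, not taken from this standard."""
import re

# Constructed sample, shaped like 'display current-configuration' output.
SAMPLE_CONFIG = """\
#
 sysname INET-RTR-01
#
 undo ip source-route
#
 stelnet server enable
 undo telnet server enable
#
 ntp-service authentication enable
 ntp-service unicast-server 10.34.1.10
#
interface GigabitEthernet1/0/0
 description Uplink-to-ISP
 ip address 198.51.100.2 255.255.255.252
 ntp-service disable
#
interface GigabitEthernet1/0/1
 description Core-OM
 ip address 10.34.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
 shutdown
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
"""


def parse_sections(config_text):
    """Split a '#'-delimited config into (header, commands) pairs; header is
    'interface ...' or 'user-interface ...', or '' for global commands."""
    sections, header, cmds = [], "", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if header or cmds:
                sections.append((header, cmds))
            header, cmds = "", []
        elif not header and not cmds and line.startswith(("interface ", "user-interface ")):
            header = line
        elif line:
            cmds.append(line)
    if header or cmds:
        sections.append((header, cmds))
    return sections


def audit(config_text, external_interfaces=(), max_idle_minutes=10):
    """Return (control, finding) tuples; an empty list means every check passed."""
    sections = parse_sections(config_text)
    global_cmds = {c for hdr, cmds in sections if hdr == "" for c in cmds}
    findings = []

    if "stelnet server enable" not in global_cmds:
        findings.append(("7.6", "SSH (stelnet) server is not enabled"))
    if "undo telnet server enable" not in global_cmds:
        findings.append(("7.6", "telnet server has not been disabled"))
    if "undo ip source-route" not in global_cmds:
        findings.append(("7.17", "IP source routing is not disabled"))
    if not any(c.startswith("ntp-service unicast-server ") for c in global_cmds):
        findings.append(("7.16", "no NTP server is configured"))
    if "ntp-service authentication enable" not in global_cmds:
        findings.append(("7.16", "NTP authentication is not enabled"))

    for header, cmds in sections:
        if header.startswith("user-interface vty"):
            if "protocol inbound ssh" not in cmds:
                findings.append(("7.6", f"{header}: inbound protocol not restricted to SSH"))
            if not any(re.fullmatch(r"acl \S+ inbound", c) for c in cmds):
                findings.append(("7.15", f"{header}: no inbound ACL applied"))
            timeout = [c for c in cmds if c.startswith("idle-timeout ")]
            if not timeout:
                findings.append(("7.13", f"{header}: no explicit idle-timeout"))
            else:
                parts = timeout[0].split()
                minutes = int(parts[1])
                seconds = int(parts[2]) if len(parts) > 2 else 0
                if minutes == 0 and seconds == 0:   # 0 0 switches the timeout off
                    findings.append(("7.13", f"{header}: idle-timeout 0 0 disables the timeout"))
                elif minutes > max_idle_minutes:
                    findings.append(("7.13", f"{header}: idle-timeout {minutes} min exceeds {max_idle_minutes} min"))
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            is_shut = "shutdown" in cmds
            has_ip = any(c.startswith("ip address ") for c in cmds)
            has_desc = any(c.startswith("description ") for c in cmds)
            if not is_shut and not has_ip:
                findings.append(("7.18", f"{name}: unused interface is not shut down"))
            if not is_shut and not has_desc:
                findings.append(("7.8", f"{name}: active interface has no description"))
            if name in external_interfaces and "ntp-service disable" not in cmds:
                findings.append(("7.16", f"{name}: NTP is not disabled on this external interface"))
    return findings


if __name__ == "__main__":
    for control, text in audit(SAMPLE_CONFIG, external_interfaces={"GigabitEthernet1/0/0"}):
        print(f"[{control}] {text}")
```

On the sample above the script reports only GigabitEthernet1/0/2, which is up but carries no address and no description; removing the undo telnet line or setting idle-timeout 0 0 adds 7.6 and 7.13 findings. The checks are deliberately literal string matches on the exported text, so a platform that abbreviates or reorders keywords in its export needs the spellings adjusted.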

Author & Reviewer

Created by: Information Security Team
Date: 27th Jan 2013

Reviewed by: Mahipal Singh
Date: 29th Jan 2013

Approvals

Head - Operations
Date:

Head - NOC
Date:

Head - Managed Services
Date:

Head - Information Security: Saurabh Agarwal
Date: 29th Jan 2013
