Uninor Internal
_______________________________________________________________________________________________________
Copyright
All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd.
Trademarks
Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Table of Contents
Introduction 4
Use of the Document 4
Warning 4
Purpose 5
General Security Controls 6
Control Categories 7
Detailed security controls 8
Introduction
This document is intended to assist the operations team in deploying a minimum baseline security configuration on the node. This configuration standard details many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, because operating system security issues and configurations change constantly, this document should be considered a general guideline and starting point.
Use of the Document
The MBSS document is for INTERNAL USE ONLY. It should be kept within the organization and treated as Uninor Internal as per the Information Classification Guidelines in the Uninor Information Security Policy ver 3.0. It is not to be distributed to Original Equipment Manufacturers and/or Managed Service Partners.
Warning
This MBSS document and the accompanying guidance material are technically complex and are designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate technical reference materials and specialist support. Staff should therefore obtain partner approval before using this material.
Purpose
This MBSS document relates to the Huawei NE40 Internet Router. It is intended for use by technical security practitioners for the implementation of minimum General Security Controls. A technical environment is comprised of a number of inter-related elements that include: Applications; Databases; Communications infrastructure elements; and Hardware.
The primary focus of this technical practice aid is to provide a minimum baseline security standard for the Internet Router, covering the properties, features and operating system of the product.
General Security Controls
General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use. Often, it is a combination of these two types of controls that provides the most robust approach to implementing an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective. To complete comprehensive general security controls work, in addition to the MBSS document, the operations team will require an understanding of the following platform-independent areas: Uninor Information Security policy and procedures; Change and Problem Management; Incident Management; System Development; Disaster Recovery and Contingency Planning; and Physical Security.
Control Categories
The following control categories are included in the MBSS document.
Control Category 1: User Accounts and Groups. A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items.
Control Category 2: Password Management. A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system. This includes password complexity, aging, account locking, etc.
Control Category 3: Interface, Ports and Services. A control that must be performed either manually or automated on a regular basis to disable or delete unused ports and services and restrict services that transfer data in clear text.
Control Category 4: System Updates. A control that must be performed either manually or automated on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.
Control Category 5: File Access Control. A control that restricts access to critical configuration files, operating systems, etc.
Control Category 6: Audit Logging and Monitoring. Any control that logs user, administrative or system activity, or that assists in or performs system event logging or the monitoring of the security of the system.
Control Category 7: Node Properties and Feature Configurations. A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level. This includes network services enabling/disabling, boot sequence parameters, system interface, etc.
Detailed security controls:
Each control below is recorded against the following columns: SN; Control Area; Control Description; Control Objective/Rationale; Implementation Guidance; Mitigating Control, if any; Implementation Status.
1. User Accounts and Groups

1.1 Unique individual users
Control Description: Each user should be assigned a separate user ID for router authentication in accordance with the Uninor Information Security Policy.
Implementation Status: Implemented

1.2 Privileged accounts
Control Description: User IDs that disclose the privileges associated with them should not be created (for example ADMINISTRATOR, monitor, config, etc.).
Control Objective/Rationale: Generic accounts provide no accountability for actions taken using the account. This could result in abuse of access and potential malfunction of the network. In addition, if the default login account is used, it becomes very easy to use a brute force crack utility to get the password. A username/password pair makes brute force techniques harder, but not impossible. Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to accounts such as ADMINISTRATOR, monitor, config, etc. and ultimately the system.
Implementation Status: Implemented, but we are also using a common ReadOnly user ID for monitoring purposes. Exceptions to be approved by the Uninor IS team.
1.4 Dormant accounts
Control Description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.
Implementation Status: Implemented

2. Password Management

2.1 Complexity
Control Description: The Internet router should enforce that passwords meet the complexity requirements in accordance with Uninor Information
Control Objective/Rationale: Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user accounts easy to access. Once an intruder gains access to a user account, they
Implementation Status: Implemented, but the router does not enforce any restriction; it is defined by the administrator.
Implementation Guidance: When issuing the password command on the appropriate port, enter a strong password that complies with Client Security policy at the password prompt.
Securing Console (CON):
  #local-user user-name password { simple | cipher } password
Securing VTY:
  #user-interface vty first-uinumber [ last-ui-number ]
  In configuration mode, issue the command:
  #local-user user-name password { simple | cipher } password
Implementation Status: Implemented

2.3 Password encryption
Control Objective/Rationale: If passwords are not encrypted they are visible in clear text in the router configuration file.
Implementation Status: Implemented

2.4
Control Description: The administrative password should be protected using an encryption algorithm in accordance with
Control Objective/Rationale: Weak password encryption increases the risk that unauthorized individuals may compromise the router and that sensitive network information may be revealed.
Implementation Guidance: Verify that the enable secret command exists in the config. For example: super password level 15 cipher X7>3N-
Implementation Status: Implemented
2.6 Default passwords
Control Objective/Rationale: Application default passwords are widely known and are typically initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.
Implementation Status: Implemented
3. Interfaces, Ports and Services

3.1 Physical interfaces
Control Description: All routers in the environment should require users to log in for terminal access in accordance with the Uninor Information Security Policy. Enable user login for all terminal line ports, including: VTY, a virtual line connection (Huawei routers typically have five (5) VTY connections, 0-4); and CON, the default port for performing administration and maintenance on the router. The CON port is a physical port located on the router.
Control Objective/Rationale: By default, access to these ports is not password protected. If the login directive is not given in the Huawei configuration, anyone with network visibility to the router can gain command prompt access.
Implementation Guidance: To require users to log in to VTY and CON before accessing the router, issue the following commands:
Securing Console (CON):
  #user-interface console uinumber
  #idle-timeout minutes [ seconds ]
  #local-user user-name password { simple | cipher } password
  #user-interface console uinumber
  #set authentication password { cipher | simple } password
  #commit
Securing VTY:
  #system-view
  #user-interface vty first-uinumber [ last-ui-number ]
  #shell
  #idle-timeout minutes [
Implementation Status: Implemented

3.2 System services
Control Description: Disable unauthorized services/daemons on the router based on the Uninor Information Security Policy. Identify authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.
Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, manipulate the functioning of the system, etc. A system with services such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with the Telnet service enabled can be used to run a spurious process in the system, placing dead weight on the processor load.
Implementation Status: Implemented

4. System Updates

4.1 Patch upgrade
Control Description: Upgrade the router patch to a supported stable version recommended by the OEM after proper testing has been performed. Follow the router firmware upgrade procedures for the model being upgraded. It must be updated with the latest stable patches (bug fixes) specifically related to security.
Control Objective/Rationale: Operating system security vulnerabilities are found on a regular basis. These security
Implementation Status: Implemented

5. File Access Control

5.1 Restrict file access
Control Description: Access (Read/Write/Modify) to sensitive router configuration files should be restricted from unauthorized personnel.
Control Objective/Rationale: Unrestricted access may let unauthorized users modify/delete sensitive system and configuration files, which may further lead to unstable performance of the Internet router.
Implementation Status: Implemented

5.2 Configuration backup
Control Description: Perform backups of the running configuration to the router's Flash/NVRAM.
Control Objective/Rationale: Fault tolerance, backup, and recovery procedures promote network availability and recoverability. Without such procedures, unexpected
Implementation Guidance: Issue the command configfile { flash | nvram } download config when a change to the router is made. Alternatively,
Implementation Status: Implemented
5.3 Configuration backup
Control Objective/Rationale: Unrestricted access to the backup servers may let unauthorized users obtain critical information from configuration files, which may be further used to gain unauthorized access to the router, impersonate the router, etc.
Implementation Status: Implemented

5.4
Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
awareness of legal issues.
Implementation Guidance: Configure the Uninor authorized login banner on the router as specified in the Uninor Information Security Policy.
Implementation Status: Implemented

6. Audit Logging and Monitoring

6.1 Audit logging
Control Description: Enable system logging in accordance with the Uninor Information Security Policy to capture O&M activities, system failures, policy violations, unauthorized access attempts, system events, faults, etc.
Control Objective/Rationale: Enforcing audit logging allows security incidents to be detected and enough evidence to be available for analysis of those incidents. Insufficient logging will result in a lack of an audit trail in the event of unauthorized access. With good logging and monitoring, administrators are often given early warning of hardware and software errors or problems.
Implementation Status: Implemented
6.3 Logs archive
Implementation Guidance: In global configuration mode, enter the following command:
  logging <ip address>
Enter the following to enable timestamps for each log entry:
  service timestamps type datetime [msec] [localtime] [showtimezone]
(Huawei command to be included)
Implementation Status: Implemented
6.4 Monitoring
Control Description: SNMP configured on routers connected to networks should be configured in a secure manner that is consistent with the Uninor Information Security Policy.
Control Objective/Rationale: SNMP traps that are not configured using a secured method transmit information in clear text. SNMPv2c and SNMPv3 also take advantage of GET BULK transactions, in which multiple pieces of information can be queried and retrieved without having to make additional requests.
Implementation Guidance: To configure a host to receive SNMP traps, enter the following commands in global configuration mode:
  snmp-agent sys-info version { v1 | v2c | v3 | all }
  snmp-agent trap enable [ trap-type ]
Do not make a read-only string the same as a read-write string.
Implementation Status: Implemented

6.5 Hardware support
Control Description: Mission critical routers should utilize hardware support programs.
Control Objective/Rationale: Support programs can provide immediate assistance in case of a hardware disaster. For example, in case of a fire, an emergency router may need to be shipped to the premises.
Implementation Status: Implemented

6.6
Control Description: Security and audit logs should be reviewed in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: Audit logs should be maintained and kept for legal and audit purposes. Removal of these logs could expose the company to unnecessary liability and loss of litigation authorities.
Implementation Status: Implemented
7. Router properties and features configuration

7.1 Default SNMP string
Control Description: All routers being monitored via SNMP should have non-default SNMP community strings. In addition, only specific management stations should be allowed to poll the device through SNMP.
Control Objective/Rationale: Read-only and read-write community access to a Huawei router can allow an intruder to gain unauthorized access to the Huawei router. Default SNMP strings, such as public and private or read and write, are easily guessed by potential intruders.
Implementation Guidance: To assign community strings to the SNMP agent, issue the following commands in configuration mode:
  display snmp-agent community
  snmp-agent community { read | write } community_name [ mib-view view-name ] [ acl number ]
(acl number refers to an access list of IP addresses that are permitted to use the community strings to access the SNMP agent.) To remove the public and private communities:
  undo snmp-agent community community_name
Read-write strings should be specified ONLY if remote configuration changes will be
Implementation Status: Implemented
7.2 Router fail-over
Control Description: Mission critical routers should take advantage of Huawei's fail-over capabilities.
Control Objective/Rationale: Huawei firmware and hardware offer advanced failover capabilities in case of hardware or software failure. Implement Huawei's fail-over (i.e., VRRP) to ensure a high level of network availability on critical routers. Mission critical routers (typically core routers) may be good candidates to take advantage of the Huawei failover capabilities.
Implementation Guidance: Configure VRRP on critical external routers. This can be done by specifying the following on each router's external and internal interfaces respectively:
  #vrrp vrid <vrrp-id> virtualip <ip-address>
  #vrrp vrid <vrrp-id> priority <number>
  #vrrp vrid <vrrp-id> preempt-mode timer delay <sec>
Implementation Status: Implemented

7.3 Idle timeout
Control Description: Routers should be configured to abort VTY interactive sessions that were terminated in an abnormal way.
Control Objective/Rationale: Enabling TCP keepalives on incoming connections will provide reasonable assurance that any sessions left hanging by a remote system crash or disconnection will not block or use up the available router VTY ports. This can also help to guard against malicious attacks.
Implementation Guidance: Issue the following command in global configuration mode to detect and delete "dead" interactive VTY sessions:
  #idle-timeout minutes [ seconds ]
Implementation Status: Implemented
7.5 Privileged password
Control Description: Different levels of PRIV EXEC access should be defined to restrict administrators with varying responsibilities in accordance with the Uninor Information Security Policy.
Control Objective/Rationale: It may not be necessary for all administrators or users to have full privileged access to the router. Administrators that do not require this functionality may make unauthorized changes to the configuration.
Implementation Guidance: Huawei firmware provides 16 different privilege levels and comes predefined with user EXEC (which runs at level 1) and enabled mode (which runs at level 15).
Implementation Status: Implemented

7.6 Encryption
Control Description: SSH should be used to remotely access a router. If telnet access is required, it should be allowed via a secure IPSec tunnel between the remote system and the module. For devices that support the SSH feature, enable the SSH protocol and
Control Objective/Rationale: Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it may place critical network devices at risk of compromise.
Implementation Guidance: Before enabling SSH on the router, it will be necessary to generate RSA key pairs. In global configuration mode, enter the command:
  crypto key generate rsa
User authentication will be required, either locally or through AAA. Define the SSH parameters:
Implementation Status: Implemented
7.7
Control Objective/Rationale: TCP SYN attacks are used to fill router queues, degrading performance and potentially creating a denial of service.
Implementation Guidance: Configuration involves blocking external data packets that contain an internal source IP address. This configuration is outlined below:
  #rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]
Implementation Status: To be checked.

7.8 Port description
Control Objective/Rationale: Detailed descriptions of connections will make it easier for administrators to review what types of connections are being made to the router.
Implementation Guidance: In interface configuration mode, type the command description followed by a description of the interface's purpose.
Implementation Status: Implemented
7.9
Control Description: Routers should load configuration information from local memory only. Disable AutoLoading, thereby requiring that the router configuration is loaded from local memory and not from the network.

7.10 ICMP restriction
Control Description: Routers should not respond to ICMP mask requests on interfaces connected to untrusted networks.
Implementation Guidance: To disable IP Mask Reply messages, issue the following command on the desired interface: (not applicable in the Uninor Internet router)
Implementation Status: To be checked.

7.11 Disable HTTP
Control Description: Web-based router administration (HTTP) should not
Control Objective/Rationale: An attacker can launch focused web-based attacks over ports 80 and 443.
Implementation Status: Implemented
7.12 Static route
Implementation Guidance: To disable Huawei route-caching, issue the following commands on the desired interface:
  undo ip route-static ip-address { mask | masklen } [ interface-type interface-name | nexthop-address ] [ preference value ]
  undo ip route-static { all | ip-address { mask | masklen } [ interface-type interface-name | nexthop-address ] [ preference value ] }

7.13 Idle timeout
Control Objective/Rationale: Timeout sessions provide additional security against consoles that are left unattended. If a user can gain
Implementation Status: Implemented
7.14 IP spoofing
Control Description: Routers should be configured to prevent IP spoofing. Create an access list that drops incoming traffic whose source address belongs to the internal network.
Implementation Guidance: Use the following commands to help mitigate the risk of IP spoofing attacks:
  acl acl-number
  rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
(Where <ip network class> is the address of the internal network and <reverse subnet mask> is the wild card for a class B network.) Apply this access list on all inbound requests on all external
Implementation Status: To be checked.
7.15
Control Description: Routers should restrict which hosts can access remote terminal sessions. Assign an appropriate access list that restricts access to all VTY sessions.
Control Objective/Rationale: Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.
Implementation Guidance: In configuration mode, first create an appropriate access list using the access-list command, for example:
  rule 10 permit vpn-instance om source 10.34.0.0 0.0.255.255
Once the access list has been created, apply it to the appropriate terminal (typically vty 0 4) using the access-group <basic access list number> in command:
  #acl acl-number | name acl-name { inbound | outbound }
Implementation Status: Implemented
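As an added example (not part of the MBSS document or of Huawei's tooling), the following Python code evaluates Huawei-style basic ACL rules with wildcard masks, which is what both the anti-spoofing access list in 7.14 and the VTY access list in 7.15 rely on. The rule texts, the 192.168.10.0 range and the probe addresses are constructed; the 10.34.0.0 0.0.255.255 range and the rule syntax follow the document, and the action for packets that match no rule is left as a parameter because it depends on where the ACL is bound.

```python
"""Evaluate Huawei-style basic ACL rules for MBSS controls 7.14 and 7.15.

Added example, not part of the MBSS document. Rule texts are constructed;
the 'rule <id> {permit|deny} source <addr> <wildcard>' syntax and the
10.34.0.0 0.0.255.255 range follow the document. The action for packets
matching no rule is a parameter: it depends on where the ACL is bound.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+vpn-instance\s+\S+)?"
    r"(?:\s+source\s+(?:(?P<any>any)|(?P<addr>[\d.]+)\s+(?P<wild>[\d.]+)))?"
)

# Constructed inbound ACL for the external interface (7.14): drop packets whose
# source claims the internal 10.34.0.0/16 range, permit everything else.
EXTERNAL_IN_ACL = """\
acl number 3000
 rule 5 deny source 10.34.0.0 0.0.255.255
 rule 10 permit source any
"""

# Constructed VTY ACL (7.15): only the management range reaches the login prompt.
VTY_ACL = """\
acl number 2001
 rule 10 permit vpn-instance om source 10.34.0.0 0.0.255.255
"""

# Internal ranges the external ACL ought to deny as source (second one constructed).
INTERNAL_NETS = [("10.34.0.0", "0.0.255.255"), ("192.168.10.0", "0.0.0.255")]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_rules(text):
    """Return [(rule_id, action, network_int, wildcard_int)] sorted by rule id.
    A rule with no 'source' clause, or 'source any', matches every address."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # 'acl number ...' and other lines carry no rule
        if m.group("addr"):
            net, wild = _ip(m.group("addr")), _ip(m.group("wild"))
        else:
            net, wild = 0, 0xFFFFFFFF
        rules.append((int(m.group("id")), m.group("action"), net, wild))
    return sorted(rules)


def matches(src, net, wild):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    return ((_ip(src) ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(rules, src, default_action):
    """First-match evaluation in rule-id order; default_action if nothing matches."""
    for _, action, net, wild in rules:
        if matches(src, net, wild):
            return action
    return default_action


def antispoof_gaps(rules, internal_nets, default_action="permit"):
    """Report (addr, wildcard, probe) for internal ranges an external packet could
    still claim as its source. Probes the first and last address of each range."""
    gaps = []
    for addr, wild in internal_nets:
        last = str(ipaddress.IPv4Address(_ip(addr) | _ip(wild)))
        for probe in (addr, last):
            if evaluate(rules, probe, default_action) != "deny":
                gaps.append((addr, wild, probe))
    return gaps
```

Run against EXTERNAL_IN_ACL, antispoof_gaps reports that 192.168.10.0/24 is still accepted as a source, which is the kind of omission 7.14's "all internal networks" wording is meant to catch.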
7.16
Control Description: Synchronize the router's time with a central timeserver. Enable Network Time Protocol (NTP) with authentication on the router and
Control Objective/Rationale: Using a centralized timeserver will help lower the risk of an intruder corrupting the device's internal clock, which may further corrupt log timestamps and weaken forensic capabilities.
Implementation Guidance: Enable NTP on the router by issuing the following commands:
  system-view
  display clock-config
Designate an internal NTP host and configure the router to be able to synchronize only to that
Implementation Status: Implemented
7.17 Source routing
Control Description: Routers should discard any IP datagram containing a source-route option. Prevent IP source routing options from being used to spoof traffic.
Control Objective/Rationale: If IP source routing is enabled, the router will merely act as a store-and-forward device: when it receives a data packet it will simply forward it on to its destination. This feature is rarely used and can be used for network attacks.
Implementation Guidance: To disable IP source routing, issue the following commands:
  config t
  undo ip source-route
Implementation Status: Implemented
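As an added example (not part of the MBSS document or of any Huawei tool), the following Python script checks a Huawei VRP-style configuration text for several of the items above in one pass: cipher-stored passwords (2.3/2.4), non-default and distinct SNMP community strings (6.4/7.1), an idle-timeout on every user interface (7.3/7.13), SSH-only VTY lines (7.6), an inbound ACL on the VTY lines (7.15) and the undo ip source-route setting (7.17). Both configurations, the user names and the community strings are constructed, and the checks are purely textual, assuming the command spellings shown in this document.

```python
"""Static audit of a Huawei VRP-style configuration text against MBSS items
2.3/2.4, 6.4/7.1, 7.3/7.13, 7.6, 7.15 and 7.17. Added example, not part of
the MBSS document; both configurations below are constructed."""
import re
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private", "read", "write"}

# Constructed 'before' configuration carrying several baseline deviations.
WEAK_CONFIG = """\
snmp-agent community read public
snmp-agent community write cipher %^%#CONSTRUCTED-RW%^%# acl 2001
aaa
 local-user netops password simple Welcome123
user-interface con 0
 idle-timeout 5 0
user-interface vty 0 4
 acl 2001 inbound
 protocol inbound telnet
"""

# Constructed 'after' configuration that satisfies every check below.
HARDENED_CONFIG = """\
 undo ip source-route
snmp-agent community read cipher %^%#CONSTRUCTED-RO%^%# acl 2001
snmp-agent community write cipher %^%#CONSTRUCTED-RW%^%# acl 2001
aaa
 local-user noc password cipher %^%#CONSTRUCTED-PW%^%#
user-interface con 0
 idle-timeout 5 0
user-interface vty 0 4
 acl 2001 inbound
 protocol inbound ssh
 idle-timeout 5 0
"""


def user_interface_blocks(config):
    """Map each 'user-interface ...' block (e.g. 'vty 0 4') to its stripped lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = line[len("user-interface "):]
            blocks[current] = []
        elif not line or line.startswith("#"):
            current = None  # '#' separates configuration sections
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(config):
    """Return {control_id: [finding, ...]}; a control with no findings is absent."""
    findings = defaultdict(list)
    lines = [l.strip() for l in config.splitlines()]

    # 2.3 / 2.4: passwords must be stored in cipher form, never as 'simple'.
    for m in re.finditer(r"^\s*local-user (\S+) password simple\b", config, re.M):
        findings["2.3"].append(f"local-user {m.group(1)} stored with 'password simple'")

    # 6.4 / 7.1: no default community strings, and read-only != read-write.
    communities = {}
    for m in re.finditer(r"^\s*snmp-agent community (read|write) (?:cipher )?(\S+)", config, re.M):
        mode, name = m.groups()
        communities[mode] = name
        if name.lower() in DEFAULT_COMMUNITIES:
            findings["7.1"].append(f"default SNMP {mode} community '{name}'")
    if len(communities) == 2 and communities["read"] == communities["write"]:
        findings["7.1"].append("read-only and read-write community strings are identical")

    # 7.17: source routing must be disabled.
    if "undo ip source-route" not in lines:
        findings["7.17"].append("'undo ip source-route' is not configured")

    for name, body in user_interface_blocks(config).items():
        # 7.3 / 7.13: every line must time out idle sessions.
        if not any(l.startswith("idle-timeout ") for l in body):
            findings["7.3"].append(f"user-interface {name} has no idle-timeout")
        if name.startswith("vty"):
            # 7.6: VTY lines may accept SSH only (telnet is clear text).
            protos = [l.split()[-1] for l in body if l.startswith("protocol inbound ")]
            if protos != ["ssh"]:
                findings["7.6"].append(f"user-interface {name} accepts {' '.join(protos) or 'default protocols'}")
            # 7.15: an inbound ACL must restrict who reaches the login prompt.
            if not any(re.match(r"acl \S+ inbound", l) for l in body):
                findings["7.15"].append(f"user-interface {name} has no inbound ACL")
    return dict(findings)
```

audit(WEAK_CONFIG) reports findings under 2.3, 7.1, 7.17, 7.3 and 7.6, while audit(HARDENED_CONFIG) returns an empty dict; the script reads configuration text only and changes nothing on a device.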
Approvals
Head - Operations
Date
Head NOC
Date