Node Name: Internet Router

Minimum Baseline Security Standard

Internet Router
Make: Huawei NE 40

Unitech Wireless Tamilnadu (P) Ltd.

Uninor Internal

Copyright
All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information
contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or
disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd.
Trademarks
Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies
and are hereby acknowledged.

Table of Contents

Introduction .......... 4
Use of the Document .......... 4
Warning .......... 4
Purpose .......... 5
General Security Controls .......... 6
Control Categories .......... 7
Detailed security controls .......... 8

Introduction
This document is intended to assist the operations team in deploying a minimum baseline security configuration on the node. The configuration standard details many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, due to the constant changes and variations in operating system security issues and configurations, this document should be considered a general guideline and starting point.

Use of the Document

The MBSS document is for INTERNAL USE ONLY. It should be kept within the organization and treated as Uninor Internal as per the Information Classification Guidelines in Uninor Information Security Policy ver 3.0. It is not to be distributed to Original Equipment Manufacturers and/or Managed Service Partners.

Warning
This MBSS document and the accompanying guidance material is technically complex and is designed for use by trained security
specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these
services performed for an organization should contact the designated security support staff within their office or territory. Partners or
managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate
technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.

Purpose
This MBSS document relates to the Huawei NE 40 Internet Router. It is intended for use by technical security practitioners for
implementation of minimum General Security Controls.
A technical environment is comprised of a number of inter-related elements that include:

Applications;
Databases;
Communications infrastructure elements; and
Hardware.

The primary focus of this technical practice aid is to provide a minimum baseline security standard for the Internet Router, covering the properties, features and operating system of the respective product.

General Security Controls
General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use.
Often, it is a combination of these two types of controls that provides the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective.
To complete a comprehensive general security controls review, in addition to the MBSS document, the operations team will require an understanding of the following platform-independent areas:

Uninor Information security policy and procedures;
Change and Problem Management;
Incident Management;
System Development;
Disaster Recovery and Contingency Planning; and
Physical Security.

Control Categories
The following control categories are included in the MBSS document.

Control Category 1: User Accounts and Groups
A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items.

Control Category 2: Password Management
A control that must be enabled/implemented to ensure that only genuine and authorized users gain access to a system. This includes password complexity, aging, account locking and similar parameters.

Control Category 3: Interface, Ports and Services
A control that must be performed, either manually or automated, on a regular basis to disable or delete unused ports and services and to restrict services that transfer data in clear text.

Control Category 4: System Updates
A control that must be performed, either manually or automated, on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform, such as installation of hot fixes, security patches, etc.

Control Category 5: File Access Control
A control that restricts access to critical configuration files, operating systems, etc.

Control Category 6: Audit logging and Monitoring
Any control that logs user, administrative or system activity. Any control that assists in, or performs, system event logging or the monitoring of the security of the system.

Control Category 7: Node properties and feature configurations
A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level. This includes network services enabling/disabling, boot sequence parameters, system interface, etc.

Detailed security controls:
Each control is recorded with the fields SN, Control Area, Control Description, Control Objective/Rationale, Implementation Guidance, Mitigating Control (if any) and Implementation Status. The Mitigating Control field is empty for every control in this document and is therefore omitted below.

1. User Accounts and Groups

1.1 Unique User ID
Control Description: Individual users should be assigned a separate user-id for router authentication in accordance with Uninor Information Security Policy.
Control Objective/Rationale: Generic accounts provide no accountability for actions taken using the account. This could result in abuse of access and potential malfunction of the network. In addition, if the default login account is used, it becomes very easy to use a brute-force cracking utility to get the password. A username/password pair makes brute-force techniques harder, but not impossible.
Implementation Status: Implemented, but we are also using a common read-only user ID for monitoring purposes. Exceptions to be approved by Uninor IS team.

1.2 Privileged accounts
Control Description: User IDs which disclose the privileges associated with them should not be created (e.g. ADMINISTRATOR, monitor, config, etc.).
Control Objective/Rationale: Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to accounts such as ADMINISTRATOR, monitor, config, etc., and ultimately the system.
Implementation Status: Implemented

1.3 Default Accounts
Control Description: Factory default user accounts and guest user accounts on routers such as Huawei, etc. must be removed.
Control Objective/Rationale: Disabling the factory default user accounts will prevent unknown users being authenticated as Huawei, etc. Disabling these accounts will reduce the system's remote unauthenticated attack surface and ensure that only specific security principals can access resources on the system.
Implementation Status: Implemented

1.4 Dormant Accounts
Control Description: Dormant user accounts should be deactivated after the number of days specified in the Uninor Information Security Policy guidelines for inactive accounts.
Control Objective/Rationale: Dormant user accounts increase the risk that unauthorized users could potentially use these accounts to gain access to the system.
Implementation Status: Implemented

2. Password Management

2.1 Complexity
Control Description: The Internet router should enforce that passwords meet the complexity requirements in accordance with Uninor Information Security Policy.
Control Objective/Rationale: Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user accounts easy to access. Once an intruder gains access to a user account, they can modify or delete files or processes owned by that user.
Implementation Status: Implemented, but the router does not enforce any restriction; it is defined by the administrator.

2.2 Default passwords
Control Description: Strong system passwords should be used for the EXEC and PRIV EXEC levels. Assign system passwords that are in accordance with Uninor Information Security Policy for the EXEC and PRIV EXEC levels.
Control Objective/Rationale: If a weak password is used, unauthorized users may be able to guess the router's password and obtain access to the router.
Implementation Guidance: When issuing the password command on the appropriate port, enter a strong password that complies with Client Security policy at the password prompt.
Implementation Status: Implemented

2.3 Password Encryption
Control Description: Encrypt all passwords for login access (i.e., CON, VTY).
Control Objective/Rationale: If passwords are not encrypted they are visible in clear text in the router configuration file.
Implementation Guidance:
Securing Console (CON):
    local-user user-name password { simple | cipher } password
Securing VTY:
    user-interface vty first-ui-number [ last-ui-number ]
In configuration mode, issue the command:
    local-user user-name password { simple | cipher } password
Implementation Status: Implemented

2.4 Administrator password encryption
Control Description: The administrative password should be protected using an encryption algorithm in accordance with Uninor Information Security Policy. Encrypt the administrative password using hashing algorithms such as MD5.
Control Objective/Rationale: Weak password encryption increases the risk that unauthorized individuals may compromise the router and sensitive network information may be revealed.
Implementation Guidance: Verify that the enable secret command exists in the config. For example:
    super password level 15 cipher X7>3N-,10,YB,.\#C3YB91!!
If the digit following the super password level command is a 0, the password has been encrypted using a weak algorithm. If the digit is a 15, the password has been hashed using the stronger MD5 algorithm.
Implementation Status: Implemented

2.5 Account Lock
Control Description: The account lockout feature, disabling an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines.
Control Objective/Rationale: Unauthorized users may gain access to a system by running a program which guesses user passwords through brute-force attacks. Without the lockout feature enabled, the chance of successful compromise of system resources through brute-force password guessing attacks increases.
Implementation Status: Not Supported. Exceptions to be approved by Uninor IS team.

2.6 Default Passwords
Control Description: Default passwords on the router should be changed upon installation. In addition, these passwords should be complex and conform to Uninor Security Policy.
Control Objective/Rationale: Application default passwords are widely known and are typically the initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.
Implementation Status: Implemented
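The account and password-storage controls above (1.2, 2.3 and 2.4) can be checked offline against a saved configuration. The following Python script is an added example, not part of the Uninor document or of Huawei's tooling; it parses the local-user and super password lines quoted in the guidance, and the sample configuration it runs on is constructed.

```python
"""Offline check of controls 1.2, 2.3 and 2.4 against a saved
Huawei VRP-style configuration (e.g. the text of display
current-configuration).  Added example; the sample below is constructed."""
import re

# Names that disclose the privilege of the account (control 1.2 lists these).
PRIVILEGE_DISCLOSING = ("administrator", "monitor", "config")

# Constructed sample configuration (not a real NE40 configuration).
SAMPLE_CONFIG = """\
#
 sysname NE40-EDGE-01
#
aaa
 local-user administrator password simple Welcome123
 local-user noc-monitor password cipher %$%$h4X9...%$%$
 local-user j.smith password cipher %$%$Qw7Rt...%$%$
#
super password level 0 cipher %$%$abc...%$%$
#
"""

LOCAL_USER_RE = re.compile(
    r"^\s*local-user\s+(?P<user>\S+)\s+password\s+(?P<mode>simple|cipher)\s+\S+",
    re.IGNORECASE,
)
SUPER_RE = re.compile(
    r"^\s*super\s+password\s+level\s+(?P<level>\d+)\s+(?P<mode>simple|cipher)\s+\S+",
    re.IGNORECASE,
)


def audit_accounts(config: str) -> list[str]:
    """Return one finding per deviation, in the order the config lines appear."""
    findings = []
    super_modes = {}  # privilege level -> "simple" | "cipher"
    for line in config.splitlines():
        m = LOCAL_USER_RE.match(line)
        if m:
            user, mode = m.group("user"), m.group("mode").lower()
            # 1.2: a user ID must not reveal its privileges; substring match
            # so that e.g. "noc-monitor" is caught as well as "monitor".
            if any(word in user.lower() for word in PRIVILEGE_DISCLOSING):
                findings.append(f"1.2 privilege-disclosing user ID: {user}")
            # 2.3: login passwords must be stored in cipher form, never simple.
            if mode == "simple":
                findings.append(f"2.3 clear-text password for user: {user}")
            continue
        m = SUPER_RE.match(line)
        if m:
            super_modes[int(m.group("level"))] = m.group("mode").lower()
    # 2.4: the level-15 (full privilege) password must exist and be ciphered.
    if super_modes.get(15) != "cipher":
        findings.append("2.4 no 'super password level 15 cipher' entry")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_CONFIG):
        print(finding)
```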

3. Interfaces, Ports and Services

3.1 Physical interfaces
Control Description: All routers in the environment should require users to log in for terminal access in accordance with Uninor Information Security Policy. Enable user login for all terminal line ports, including:
VTY, a virtual line connection. Huawei routers typically have five (5) VTY connections (0-4).
CON, the default port for performing administration and maintenance on the router. The CON port is a physical port located on the router.
Control Objective/Rationale: By default, access to these ports is not password protected. If the login directive is not given in the Huawei configuration, anyone with network visibility to the router can gain command prompt access.
Implementation Guidance: To require users to log in to VTY and CON before accessing the router, issue the following commands:
Securing Console (CON):
    user-interface console ui-number
    idle-timeout minutes [ seconds ]
    local-user user-name password { simple | cipher } password
    user-interface console ui-number
    set authentication password { cipher | simple } password
    commit
Securing VTY:
    system-view
    user-interface vty first-ui-number [ last-ui-number ]
    shell
    idle-timeout minutes [ seconds ]
Implementation Status: Implemented

3.2 System Services
Control Description: Disable unauthorized services/daemons on the router based on Uninor Information Security Policy. Identify authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.
Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, interfere with the system's functioning, etc. A system with services such as FTP enabled can be used as a depot for the unauthorized transfer of information. A system with the Telnet service enabled can be used to run a spurious process on the system, leading to dead weight on the processor load.
Implementation Status: Implemented

4. System Updates

4.1 Patch upgrade
Control Description: Upgrade the router patch to a supported stable version recommended by the OEM after proper testing has been performed. Follow the router's firmware upgrade procedures for the model being upgraded. It must be updated with the latest stable patches (bug fixes) specifically related to security.
Control Objective/Rationale: Operating system security vulnerabilities are found on a regular basis. These security holes may pose a significant risk to the internal network. Enforcing this security control will help ensure the system always has the most recent critical operating system updates and service packs installed.
Implementation Status: Implemented

5. File Access Control

5.1 Restrict file access
Control Description: Access (Read/Write/Modify) to sensitive router configuration files should be restricted from unauthorized personnel.
Control Objective/Rationale: Unrestricted access may let unauthorized users modify/delete sensitive system and configuration files, which may further lead to unstable performance of the Internet router.
Implementation Status: Implemented

5.2 Configuration backup
Control Description: Perform backups of the running configuration to the router's Flash/NVRAM memory. Fault tolerance, backup, and recovery procedures should be documented in accordance with Uninor Information Security Policy.
Control Objective/Rationale: Fault tolerance, backup, and recovery procedures promote network availability and recoverability. Without such procedures, unexpected downtime could have a severe impact on the business. Create fault tolerance, backup, and recovery procedures in accordance with Uninor Information Security Policy.
Implementation Guidance: Issue the command
    configfile { flash | nvram } download config
when a change to the router is made. Alternatively, administrators can type
    save memory
to avoid being prompted for default filenames.
Implementation Status: Implemented

5.3 Configuration backup
Control Description: Network file servers containing router configuration files should be properly restricted from unauthorized personnel. Restrict network file servers so that only authorized personnel can access router configuration files.
Control Objective/Rationale: Unrestricted access to the backup servers may let unauthorized users obtain critical information from configuration files, which may be further used to gain unauthorized access to the router, impersonate the router, etc.
Implementation Status: Implemented

5.4 Legal notice banner
Control Description: A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues. Configure the Uninor authorized login banner on the router as specified in the Uninor Information Security Policy.
Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
Implementation Status: Implemented

6. Audit Logging and Monitoring

6.1 Audit logging
Control Description: Enable system logging in accordance with Uninor Information Security Policy to capture O&M activities, system failures, policy violations, unauthorized access attempts, system events, faults, etc.
Control Objective/Rationale: Enforcing audit logging allows security incidents to be detected and enough evidence to be available for analysis of those incidents. Insufficient logging will result in a lack of an audit trail in the event of unauthorized access. With good logging and monitoring, administrators are often given early warnings of hardware and software errors or problems.
Implementation Status: Implemented
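Control 2.5 records account lockout as not supported on this node, so the compensating detection for the unauthorized access attempts that 6.1 requires to be logged has to happen at the collector: alert when one source address accumulates repeated failed logins inside a short window. The Python script below is an added example, not part of the document; the log lines are constructed and their message format is an assumption, not the verified NE40 syslog format.

```python
"""Brute-force login detection at the central syslog collector, as a
compensating control for 2.5 (lockout not supported on the node).
Added example; the log lines and their format are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample stream from the collector: five failures from one
# source inside 20 seconds, one isolated failure elsewhere, one success.
SAMPLE_LOGS = """\
2024-03-01 10:00:01 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=198.51.100.7, UserName=admin, Times=1)
2024-03-01 10:00:05 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=198.51.100.7, UserName=admin, Times=2)
2024-03-01 10:00:09 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=198.51.100.7, UserName=root, Times=3)
2024-03-01 10:00:14 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=198.51.100.7, UserName=monitor, Times=4)
2024-03-01 10:00:20 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=198.51.100.7, UserName=config, Times=5)
2024-03-01 10:00:25 NE40-EDGE-01 SHELL/5/LOGINFAILED: Failed to login. (Ip=203.0.113.4, UserName=j.smith, Times=1)
2024-03-01 10:00:31 NE40-EDGE-01 SHELL/5/LOGIN: User j.smith logged in. (Ip=203.0.113.4)
"""

# Assumed message shape: timestamp, hostname, module/severity/mnemonic,
# then "Ip=" and "UserName=" fields for a failed login.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S*LOGINFAILED\S*.*?"
    r"Ip=(?P<ip>[\d.]+), UserName=(?P<user>[^,)]+)"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return [(source_ip, sorted usernames tried)] for every source that
    reaches `threshold` failed logins within `window` (one alert per source)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    users = defaultdict(set)     # ip -> usernames attempted from that ip
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        users[ip].add(m.group("user"))
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, sorted(users[ip])))
    return alerts


if __name__ == "__main__":
    for ip, names in detect_bruteforce(SAMPLE_LOGS):
        print(f"ALERT: {ip} tried {len(names)} usernames: {', '.join(names)}")
```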

6.2 Command logging
Control Description: Configuration file changes should be monitored and logged in accordance with Uninor Information Security Policy. Sensitive files such as configuration parameters and logs should not be open to modification or deletion.
Control Objective/Rationale: Any authorized/unauthorized or known/unknown access to critical commands used to change either the database or the configuration parameters should be logged so that no access to these sensitive files goes unnoticed. It also ensures that all the evidence is available for tracing back the source of a change. Rolling back from an unstable network caused by an improperly issued command is then possible.
Implementation Status: Implemented

6.3 Logs Archive
Control Description: Router logs should be sent to a central syslog server. Archive all security-relevant logs for the period stipulated by applicable laws and regulations. The activity logs need to be retained online for 12 months and offline for 24 months.
Control Objective/Rationale: A central logging server can act as a central repository for log messages. Without this, log messages may be lost in the event the router is disabled by technical glitches or a directed attack. Having all audit logs archived ensures that they are available when needed. At the same time it ensures compliance with the requirements of the regulator.
Implementation Guidance: In global configuration mode, enter the following command:
    logging <ip address>
Enter the following to enable timestamps for each log entry:
    service timestamps type datetime [msec] [localtime] [showtimezone]
(Huawei command to be included)
Implementation Status: Implemented

6.4 Monitoring
Control Description: SNMP configured on routers connected to networks should be configured in a secure manner that is consistent with Uninor Information Security Policy.
Control Objective/Rationale: SNMP traps that are not configured using a secured method transmit information in clear text. SNMPv2c and SNMPv3 also take advantage of GET BULK transactions, in which multiple pieces of information can be queried and retrieved without having to make additional requests.
Implementation Guidance: To configure a host to receive SNMP traps, enter the following commands in global configuration mode:
    snmp-agent sys-info version { v1 | v2c | v3 | all }
    snmp-agent trap enable [ trap-type ]
Do not make a read-only string the same as a read-write string.
Implementation Status: Implemented

6.5 Hardware Support
Control Description: Mission-critical routers should utilize hardware support programs.
Control Objective/Rationale: Support programs can provide immediate assistance in case of a hardware disaster. For example, in case of a fire, an emergency router may need to be shipped to the premises.
Implementation Status: Implemented

6.6 Review of security and audit logs
Control Description: Security and audit logs should be reviewed in accordance with Uninor Information Security Policy.
Control Objective/Rationale: Audit logs should be maintained and kept for legal and audit purposes. Removal of these logs could expose the company to unnecessary liability and loss of litigation authority.
Implementation Status: Implemented

7. Router properties and features configuration

7.1 Default community string
Control Description: All routers being monitored via SNMP should have non-default SNMP community strings. In addition, only specific management stations should be allowed to poll the device through SNMP.
Control Objective/Rationale: Read-only and read-write SNMP access to a Huawei router can allow an intruder to gain unauthorized access to the Huawei router. Default SNMP strings, such as public and private or read and write, are easily guessed by potential intruders.
Implementation Guidance: To review and assign community strings on the SNMP agent, issue the following commands in configuration mode:
    display snmp-agent community
    snmp-agent community { read | write } community_name [ mib-view view-name ] [ acl number ]
(acl number refers to an access list of IP addresses that are permitted to use the community strings to access the SNMP agent.)
To remove the public and private communities:
    undo snmp-agent community community_name
Read-write strings should be specified ONLY if remote configuration changes will be made over SNMP.
Implementation Status: Implemented

7.2 Router fail-over
Control Description: Mission-critical routers should take advantage of Huawei's fail-over capabilities.
Control Objective/Rationale: Huawei firmware and hardware offer advanced fail-over capabilities in case of hardware or software failure. Implement Huawei's fail-over (i.e., VRRP) to ensure a high level of network availability on critical routers. Mission-critical routers (typically core routers) may be good candidates to take advantage of the Huawei fail-over capabilities.
Implementation Guidance: Configure VRRP on critical external routers. This can be done by specifying the following on each router's external and internal interfaces respectively:
    vrrp vrid <vrrp-id> virtual-ip <ip-address>
    vrrp vrid <vrrp-id> priority <number>
    vrrp vrid <vrrp-id> preempt-mode timer delay <sec>
Implementation Status: Implemented

7.3 Idle timeout
Control Description: Routers should be configured to abort VTY interactive sessions that were terminated in an abnormal way.
Control Objective/Rationale: Enabling TCP keepalives on incoming connections will provide reasonable assurance that any sessions left hanging by a remote system crash or disconnection will not block or use up the available router VTY ports. This can also help to guard against malicious attacks.
Implementation Guidance: Issue the following command in global configuration mode to detect and delete "dead" interactive VTY sessions:
    idle-timeout minutes [ seconds ]
Implementation Status: Implemented
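The SNMP guidance in 6.4 and 7.1 can be verified offline from a saved configuration: each snmp-agent community must use a non-default string, must be bound to an acl, read-write must be a deliberate choice, and read-only and read-write strings must differ. The Python script below is an added example rather than the document's own procedure; its sample configuration is constructed, using the command forms quoted in 7.1.

```python
"""Offline check of the SNMP community controls (7.1, plus the
read-only/read-write caution in 6.4) against a saved Huawei VRP-style
configuration.  Added example; the sample configuration is constructed."""
import re

# Default strings called out in control 7.1.
DEFAULT_STRINGS = {"public", "private", "read", "write"}

# Constructed sample: one default string, two communities without an acl,
# and a read-only string reused as read-write.
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 192.0.2.10 0
 rule 10 deny
#
snmp-agent community read public
snmp-agent community read N3tM0n-ro acl 2001
snmp-agent community write N3tM0n-ro acl 2001
snmp-agent community write Cfg-rw-9x
#
"""

# snmp-agent community { read | write } name [ mib-view view ] [ acl number ]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-agent\s+community\s+(?P<mode>read|write)\s+(?P<name>\S+)"
    r"(?:\s+mib-view\s+\S+)?(?:\s+acl\s+(?P<acl>\d+))?\s*$"
)


def audit_snmp_communities(config: str, remote_config_over_snmp: bool = False) -> list[str]:
    """Return findings; pass remote_config_over_snmp=True only when 7.1's
    condition for read-write strings (remote changes over SNMP) is met."""
    findings = []
    read_names, write_names = set(), set()
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        mode, name, acl = m.group("mode"), m.group("name"), m.group("acl")
        # 7.1: no default community strings.
        if name.lower() in DEFAULT_STRINGS:
            findings.append(f"7.1 default community string in use: {mode} {name}")
        # 7.1: only specific management stations may poll, so an acl is required.
        if acl is None:
            findings.append(f"7.1 community {name} not restricted by an acl")
        # 7.1: read-write only when remote configuration over SNMP is needed.
        if mode == "write" and not remote_config_over_snmp:
            findings.append(f"7.1 read-write community {name} configured without a need")
        (read_names if mode == "read" else write_names).add(name)
    # 6.4: a read-only string must never equal a read-write string.
    for name in sorted(read_names & write_names):
        findings.append(f"6.4 read-only and read-write community share a string: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_communities(SAMPLE_CONFIG):
        print(finding)
```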

7.4 Encryption
Control Description: IPSec should be implemented where sensitive data traverses untrusted or semi-trusted internal networks in accordance with Uninor Information Security Policy.
Control Objective/Rationale: Sensitive information may be the target of sniffing attacks by intruders. If transactions are occurring that contain highly confidential information, they may be vulnerable to sniffing if not encrypted. Hash algorithms will help mitigate against a loss of data integrity should the data be manipulated in transit.
Implementation Guidance: Implement IPSec or router-to-router DES encryption to protect confidential information. To create a crypto map entry, use the crypto map command in global configuration mode. The syntax of this command is as follows:
    crypto map <map-name> <seq-num> [Huawei]
    crypto map <map-name> <seq-num> ipsec-manual
    crypto map <map-name> <seq-num> ipsec-isakmp [dynamic <dynamic-map-name>]
In interface configuration mode, crypto maps can then be applied to specific interfaces. Do this by using the crypto map command:
    crypto map map-name
Several other requirements exist for IPSec on Huawei devices. Consult with Huawei or a subject matter expert for further information. (Needs to be updated with Huawei commands.)
Implementation Status: Not Required. Uninor IS team to decide if it is required or not.

7.5 Privileged password
Control Description: Different levels of PRIV EXEC access should be defined to restrict administrators with varying responsibilities in accordance with Uninor Information Security Policy.
Control Objective/Rationale: It may not be necessary for all administrators or users to have full privileged access to the router. Administrators that do not require this functionality may make unauthorized changes to the configuration.
Implementation Guidance: Huawei firmware provides for 16 different privilege levels and comes predefined with user EXEC (which runs at level 1) and enabled mode (which runs at level 15).
Implementation Status: Implemented

7.6 Encryption
Control Description: SSH should be used to remotely access a router. If telnet access is required, it should be allowed via a secure IPSec tunnel between the remote system and the module. For devices that support the SSH feature, enable the SSH protocol and remove telnet access to the router.
Control Objective/Rationale: Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it may place critical network devices at risk of compromise.
Implementation Guidance: Before enabling SSH on the router, it will be necessary to generate RSA key pairs. In global configuration mode, enter the command:
    crypto key generate rsa
User authentication will be required, either locally or through AAA. Define the SSH parameters:
    ip ssh {[timeout seconds] | [authentication-retries integer]}
Implementation Status: Implemented

7.7 TCP SYN attacks
Control Description: Routers should be configured to reduce the likelihood of TCP SYN attacks.
Control Objective/Rationale: TCP SYN attacks are used to fill router queues, degrading performance and potentially creating a denial of service.
Implementation Guidance: Configuration involves blocking external data packets that contain an internal source IP address. This configuration is outlined below:
    rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]
Implementation Status: To be checked.

7.8 Port description
Control Description: Interfaces should have an appropriate description assigned to them. Assign a description to each interface.
Control Objective/Rationale: Detailed descriptions of connections will make it easier for administrators to review what types of connections are being made to the router.
Implementation Guidance: In interface configuration mode, type the command description followed by a description of the interface's purpose. Example:
    interface { interface-type interface-number | interface-name }
Implementation Status: Implemented

Node Name: Internet Router

Minimum Baseline Security Standard

_______________________________________________________________________________________________________
SN

Control
Area

Control
Description

Control
Objective/Rationale

Implementation Guidance

Assign a
description to each
interface.

7.9

7.10

7.11

Auto load
configurati
on

ICMP
restriction

Disable
HTTP

Uninor Internal

Mitigating
Control, If
any

Implementation
Status

Example:
interface { interface-type
interface-number |
interfacename
}
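The following is an added example, not taken from the original document or from Huawei's documentation, of the VRP configuration that controls 7.5 and 7.6 describe: an RSA host key, the SSH server with bounded login attempts, two local accounts at different command levels, VTY lines that accept SSH only, and the telnet service switched off. The account names, passwords, 2048-bit key length and VTY range are assumptions, and keyword details vary between VRP releases (for example some builds use "password irreversible-cipher" instead of "password cipher"), so check each command against the command reference for the installed release.

```text
# Added example (not from the original document). Account names, key length and VTY range assumed.
system-view
 # 7.6: generate the host key pair first; the command prompts for the modulus, choose 2048
 rsa local-key-pair create
 # 7.6: start the SSH (STelnet) server and bound the login attempt window
 stelnet server enable
 ssh server timeout 60
 ssh server authentication-retries 3
 # 7.5: two local accounts at different command levels: 1 = monitor only, 3 = manage (full)
 aaa
  local-user noc-ops password cipher <password-1>
  local-user noc-ops service-type ssh
  local-user noc-ops level 1
  local-user netadmin password cipher <password-2>
  local-user netadmin service-type ssh
  local-user netadmin level 3
  quit
 ssh user noc-ops authentication-type password
 ssh user noc-ops service-type stelnet
 ssh user netadmin authentication-type password
 ssh user netadmin service-type stelnet
 # 7.6: the VTY lines authenticate through AAA and accept SSH only, which removes telnet
 user-interface vty 0 4
  authentication-mode aaa
  protocol inbound ssh
  quit
 # 7.6: also stop the telnet service itself where the build offers the command
 undo telnet server enable
 return
# Verification: server state, the SSH user list, and the per-line inbound protocol
display ssh server status
display ssh user-information
display current-configuration | include protocol inbound
```

The order matters: generating the key pair before "stelnet server enable" avoids a server that starts without a host key, and switching the VTY lines to "protocol inbound ssh" only after at least one SSH user can log in avoids locking every administrator out of remote access.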

7.9  Auto load configuration

Control Description: Routers should load configuration information from local memory only. Disable auto-loading, so that the router configuration is loaded from local memory and not from the network.

Control Objective/Rationale: Auto-loading allows a router configuration to be loaded at startup either from local memory or from the network. Loading the configuration from a network source is not secure and should be avoided, as an attacker could substitute an alternative configuration.

Implementation Guidance: Disable loading from a network source. On VRP the startup configuration is a file on local storage, selected with "startup saved-configuration file-name" and shown by "display startup"; confirm that the configured startup file resides on the local storage device.

Mitigating Control, If any: (needs to be updated with Huawei router details)

Implementation Status: Implemented

7.10  ICMP restriction

Control Description: Routers should not respond to ICMP address mask requests on interfaces connected to untrusted networks.

Control Objective/Rationale: Unrestricted ICMP Mask Reply messages can help an attacker map the subnet layout of the targeted network.

Implementation Guidance: Disable ICMP Mask Reply messages on the desired interface.

Mitigating Control, If any: (not applicable in Uninor Internet router)

Implementation Status: To be checked.

7.11  Disable HTTP

Control Description: Web-based router administration (HTTP) should not ...

Control Objective/Rationale: An attacker can launch focused web-based attacks over ports 80 and 443. ...

Implementation Status: Implemented

7.11  Disable HTTP (continued)

Control Description (continued): ... be allowed. Disable the HTTP service on the router. If remote administration is required, it should only be allowed from approved IP addresses.

Control Objective/Rationale (continued): For example, HTTP-server vulnerabilities in router firmware have allowed attackers to view the router configuration without authenticating. An attacker who can read the configuration also obtains the stored (encrypted or hashed) passwords for privileged access and for the console and VTY lines, and can attempt to recover them offline.

7.12  Static route

Control Description: Routers should not perform route caching. Disable the router's ability to cache routes.

Control Objective/Rationale: This control is inherited from the Cisco IOS "no ip route-cache" setting, which turns off the per-interface fast-switching cache. VRP on the NE40 forwards from the FIB and has no user-configurable route cache of that kind.

Implementation Guidance: The commands listed for this control remove static routes; they do not affect any route cache and must not be run on the Internet router, whose reachability depends on static routes:
  undo ip route-static ip-address { mask | mask-length } [ interface-type interface-name | nexthop-address ] [ preference value ]
  undo ip route-static { all | ip-address { mask | mask-length } [ interface-type interface-name | nexthop-address ] [ preference value ] }

Mitigating Control, If any: Not relevant as static routing is required.

7.13  Idle timeout

Control Description: Set timeout values for an unattended console. All routers in the ...

Control Objective/Rationale: Session timeouts provide additional protection for consoles that are left unattended. If a user can gain ...

Implementation Guidance: In user-interface view (the timeout is a per-line setting, not a system-view command) issue:
  idle-timeout minutes [ seconds ]

Implementation Status: Implemented

7.13  Idle timeout (continued)

Control Description (continued): ... environment should have appropriate session timeout values assigned.

Control Objective/Rationale (continued): ... access to a console left unattended, they can modify the router's configuration. Additionally, a timeout prevents an idle session from tying up a terminal line indefinitely.

7.14  IP spoofing

Control Description: Routers should be configured to prevent IP spoofing. Create an access list that drops incoming traffic whose source address belongs to the internal network.

Control Objective/Rationale: If IP spoofing is not blocked, unauthorized traffic may bypass access control lists on the router by claiming to come from the internal network.

Implementation Guidance: Use the following commands to help mitigate the risk of IP spoofing attacks:
  acl acl-number
  rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
(where source-ip-address is the internal network address and source-wildcard is its wildcard mask, for example 0.0.255.255 for a /16 network). Apply this access list inbound on all external interfaces.

Implementation Status: To be checked.
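As an added example, not from the original document and not vendor text, the configuration below is the filter that 7.7 and 7.14 both describe: packets arriving on the Internet-facing interface whose source address lies inside the internal network (10.34.0.0/16, the prefix the document uses in 7.15) or in the loopback range are dropped. It uses the NE40E traffic-policy model, in which an ACL "permit" rule selects the traffic and the behaviour decides its fate, so the ACL is written as permits and the drop happens in the behaviour. The interface name, ACL number and policy names are assumptions.

```text
# Added example (not from the original document). Interface name, ACL number and policy names assumed.
system-view
 # 7.7 / 7.14: select packets whose source claims to be inside the internal network
 # or the loopback range; in a classifier "permit" means "match", not "forward"
 acl 3000
  rule 5 permit ip source 10.34.0.0 0.0.255.255
  rule 10 permit ip source 127.0.0.0 0.255.255.255
  quit
 traffic classifier SPOOFED-SRC
  if-match acl 3000
  quit
 traffic behavior DROP
  deny
  quit
 traffic policy ANTI-SPOOF
  classifier SPOOFED-SRC behavior DROP
  quit
 # apply inbound on every Internet-facing interface; matched packets are discarded before routing
 interface GigabitEthernet1/0/0
  traffic-policy ANTI-SPOOF inbound
  quit
 return
# Verification (some releases need "statistics enable" under the traffic policy before counters appear)
display traffic policy statistics interface GigabitEthernet1/0/0 inbound
```

The policy only catches the internal prefix and loopback sources; it does nothing against the SYN-flood case in 7.7 where the spoofed sources are arbitrary external addresses, which is why that control remains "To be checked". Where the uplink routing is symmetric, unicast RPF on the uplink interface is the usual complement (assumed here to be "ip urpf strict" in interface view on the NE40E; use the loose form if return traffic can arrive on another interface).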

7.15  Remote terminals access

Control Description: Routers should restrict which hosts can access remote terminal sessions. Assign an appropriate access list that restricts access to all VTY sessions.

Control Objective/Rationale: Allowing anyone on the network to reach the login prompt increases the risk of unauthorized access to the router.

Implementation Guidance: In system view, first create a basic ACL with the "acl" command and add a rule such as:
  rule 10 permit vpn-instance om source 10.34.0.0 0.0.255.255
Once the access list has been created, apply it to the VTY user interfaces (typically "user-interface vty 0 4") with:
  acl { acl-number | name acl-name } { inbound | outbound }
(The IOS form "access-group <basic access list number> in" does not exist on VRP.)

Implementation Status: Implemented
7.16  Time synchronization

Control Description: Synchronize the router's time with a central timeserver. Enable Network Time Protocol (NTP) with authentication on the router and ...

Control Objective/Rationale: Using a centralized timeserver lowers the risk of an intruder corrupting the device's internal clock, which would in turn corrupt log timestamps and weaken forensic capabilities.

Implementation Guidance: The listed commands, "system-view" and "display clock-config", do not enable NTP, which on VRP is configured with the "ntp-service" command family. ...

Implementation Status: Implemented

7.16  Time synchronization (continued)

Control Description (continued): ... limit which host(s) the router will use for time synchronization.

Implementation Guidance (continued): Designate an internal NTP host and configure the router to synchronize only to that host. The listed command "clock manual source source-value" does not do this on VRP; the server is set with "ntp-service unicast-server ip-address [ authentication-keyid key-id ]", authentication is turned on with "ntp-service authentication enable", and the hosts the router will exchange NTP with are limited with "ntp-service access". Disable NTP on external interfaces through which NTP information does not flow; this helps prevent attacks directed at the Network Time Protocol. On VRP, NTP is disabled on an interface with "ntp-service in-interface disable" in interface view ("ntp disable", as listed, is the Cisco IOS form).

7.17  Source routing

Control Description: Routers should discard any IP datagram containing a source-route option. Prevent IP source routing options from being used to spoof traffic.

Control Objective/Rationale: If IP source routing is honoured, the sender rather than the router's routing table chooses the path a packet takes; the router simply forwards the packet along the route listed in the option, which lets an attacker steer traffic around filtering or reach hosts that are otherwise unreachable. The feature is rarely needed and is used in network attacks.

Implementation Guidance: To disable IP source routing, enter system view ("system-view"; "config t", as listed, is Cisco IOS) and issue:
  undo ip source-route

Implementation Status: Implemented
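An added example, not from the original document and not Huawei text, of the authenticated and server-restricted NTP configuration that 7.16 asks for: a shared key that every NTP packet must carry, a single internal server reached through the OAM VPN, an access list that refuses NTP exchanges with anyone else, and NTP disabled on the Internet-facing interface. The server address 10.34.1.10, key number, key string, LoopBack0 and the interface name are assumptions; the "om" VPN instance is the document's. MD5 is the authentication mode classic VRP releases offer; use a stronger mode where the installed release supports one.

```text
# Added example (not from the original document). Server address, key, interface names assumed.
system-view
 # 7.16: every NTP packet must carry a valid MAC computed with key 1
 ntp-service authentication enable
 ntp-service authentication-keyid 1 authentication-mode md5 <key-string>
 ntp-service reliable authentication-keyid 1
 # 7.16: the only time source is the internal server, via the OAM VPN, from a fixed source address
 ntp-service unicast-server 10.34.1.10 vpn-instance om authentication-keyid 1 source-interface LoopBack0
 # 7.16: NTP exchanges are allowed with that server alone; once access control is configured,
 # sources that match no ACL receive no NTP service
 acl 2010
  rule 5 permit source 10.34.1.10 0
  rule 10 deny
  quit
 ntp-service access peer 2010
 # 7.16: no NTP at all on the Internet-facing interface
 interface GigabitEthernet1/0/0
  ntp-service in-interface disable
  quit
 return
# Verification: status should report a synchronized clock, and the session list only the one server
display ntp-service status
display ntp-service sessions
```

The "reliable" keyword is what enforces authentication on the client side: without it the router still accepts replies from a server that does not authenticate, so the key alone does not satisfy the control.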

7.18  Unused port

Control Description: Interfaces not being used should be disabled. Shut down unused interfaces.

Control Objective/Rationale: Unused interfaces may leave a network open to attack.

Implementation Guidance: Issue the interface command "shutdown" for each interface that needs to be shut down. Example:
  system-view
  interface serial 1/1
  shutdown

Implementation Status: Implemented

_______________________________________________________________________________________________________
Author & Reviewer

Created by: Information Security Team            Date: 27th Jan 2013
Reviewed by: Mahipal Singh                       Date: 29th Jan 2013

Approvals

Head - Operations                                Date:
Head NOC                                         Date:
Head - Managed Services                          Date:
Head - Information Security: Saurabh Agarwal     Date: 29th Jan 2013