Security Configuration,
Maintenance, and Hardening Manual
Issue 02
Date 2016-10-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
1 Introduction
1.1 Purposes for Security Configuration Maintenance & Hardening
1.2 Definition of Layer-based Security Configuration, Maintenance, and Hardening
4 Security Maintenance
4.1 Suggestions on Port Maintenance
4.1.1 TCP Ports
4.1.2 UDP Ports
4.2 NE Account Maintenance
4.3 Log Audit
4.4 Weak Password Policy Detection
4.5 Security Patch Upgrade
4.6 Software Package Integrity Verification
5 Security Hardening
5.1 Device Layer Security Hardening
5.1.1 Account Management Hardening
5.1.2 Security Log Hardening
5.1.3 Security Hardening for Database Uploading and Downloading
5.1.4 CF Card Data Hardening
5.1.5 Integrity Protection for Data in a USB Flash Drive
5.1.6 Reverse Software Loading Authorization for Decoupling Boards
5.2 Network Layer Security Hardening
5.2.1 Managing DCN Network Security Hardening
5.2.2 Configuring an ACL to Prevent Unauthorized Access
5.2.3 Using SSL to Prevent Unauthorized Access to Sensitive Data
5.2.4 Using Encrypted Channels to Prevent Sensitive Data from Theft
5.2.5 Using SFTP to Load Software
5.2.6 Using Secure SNMPv3 to Manage NEs
5.2.7 Data Service Security Hardening
5.2.8 Configuring Extended ECC Authentication to Prevent Unauthorized Access
6 Appendixes
6.1 References
1 Introduction
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.
Step 2 Click Query to check the current NE user information.
Table 2-1 Default user list of devices (1800 V100R005C10 and earlier versions)
User Name Password User Group
The default user name and the default password in BIOS state are szhw and nesoft.
Table 2-2 Default user list of devices (1800 V100R005C20 and later versions)
User Name Password Group
The default user name and the default password in BIOS state are szhw and Changeme_123.
You can use the default account to access the OSN 850 and OSN 810 boards through local
Ethernet ports. The default account is szhw and the password is Changeme_123. The default
account is a super administrator. The rules for managing the board accounts and passwords
are the same as the rules for managing NE accounts and passwords. Nevertheless, the account
and password can only be managed in the command line interface rather than on the NMS.
User passwords are not stored in clear text; each password is stored as a digest computed with MD5, SHA256 or PBKDF2 (the NMS calls this the encryption type). For details about how to change the encryption type, see 2.1.11 Managing Encryption Types of NE User Passwords. After the encryption type is changed, the password of a new user or a changed password is stored as follows: if the encryption type is MD5, the MD5, SHA256 and PBKDF2 digests are all stored; if it is SHA256, the SHA256 and PBKDF2 digests are stored; if it is PBKDF2, only the PBKDF2 digest is stored. A record written in MD5 or SHA256 mode therefore still contains a fast, unstretched digest that is far cheaper to attack offline than the PBKDF2 digest, which is why PBKDF2 is the recommended type.
Changing the encryption type does not rewrite existing records: a user's stored digests change only when that user's password is next changed. After setting the encryption type, change the passwords of all users for the new type to take effect.
The passwords of the accounts that are used to access the OSN 850 and OSN 810 boards through local Ethernet ports can be stored on the boards only in PBKDF2 mode.
On the F3SCC board, user passwords cannot be stored in MD5 mode.
----End
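The following Python model is added to this manual for illustration; it is not code from the U2000 or from the NE software. It implements the storage rule described above (MD5 mode keeps three digests, SHA256 mode two, PBKDF2 mode one), shows that switching the encryption type leaves old records untouched until the password is changed, and runs a dictionary attack against whichever digest in the record is cheapest. The salt length, the PBKDF2 iteration count, and the assumption that the MD5 and SHA256 digests are unsalted are the example's own choices, since the manual does not publish them; the wordlist is constructed.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumptions for this illustration: the NE's real salt length, PBKDF2
# iteration count and whether its MD5/SHA256 digests are salted are not
# published in this manual. MD5 and SHA256 are modelled as unsalted digests.
PBKDF2_ITERATIONS = 50_000
SALT_LEN = 16
MODES = ("MD5", "SHA256", "PBKDF2")


def hash_password(password: str, mode: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Digests stored for a new or changed password under the given
    encryption type: MD5 mode stores MD5 + SHA256 + PBKDF2, SHA256 mode
    stores SHA256 + PBKDF2, and PBKDF2 mode stores PBKDF2 only."""
    if mode not in MODES:
        raise ValueError(f"unknown encryption type {mode!r}")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    pw = password.encode("utf-8")
    record = {"mode": mode, "salt": salt.hex()}
    if mode == "MD5":
        record["md5"] = hashlib.md5(pw).hexdigest()
    if mode in ("MD5", "SHA256"):
        record["sha256"] = hashlib.sha256(pw).hexdigest()
    record["pbkdf2"] = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS).hex()
    return record


def weakest_digest(record: Dict[str, str]) -> str:
    """The cheapest digest an attacker who dumps this record can attack."""
    for name in ("md5", "sha256", "pbkdf2"):
        if name in record:
            return name
    raise ValueError("record holds no digest")


def offline_guess(record: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack against the weakest stored digest. Returns the
    recovered password (or None) and the number of guesses hashed; each
    PBKDF2 guess costs PBKDF2_ITERATIONS times more than an MD5 guess."""
    target = weakest_digest(record)
    salt = bytes.fromhex(record["salt"])
    count = 0
    for guess in wordlist:
        count += 1
        g = guess.encode("utf-8")
        if target == "md5":
            digest = hashlib.md5(g).hexdigest()
        elif target == "sha256":
            digest = hashlib.sha256(g).hexdigest()
        else:
            digest = hashlib.pbkdf2_hmac("sha256", g, salt, PBKDF2_ITERATIONS).hex()
        if digest == record[target]:
            return guess, count
    return None, count


class NeUserStore:
    """Minimal model of NE user records and the encryption-type switch.
    Switching the type rewrites nothing: an existing record keeps the
    digests it was written with until that user's password is changed."""

    def __init__(self, mode: str = "MD5") -> None:
        self.mode = mode
        self.users: Dict[str, Dict[str, str]] = {}

    def set_encryption_type(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown encryption type {mode!r}")
        self.mode = mode

    def set_password(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password, self.mode)

    def weakest_for(self, user: str) -> str:
        return weakest_digest(self.users[user])


def demo() -> Dict[str, Optional[str]]:
    """Switch to PBKDF2, then change the password so the switch takes
    effect. Account and password are the defaults quoted in the tables
    above; the wordlist is constructed for the example."""
    store = NeUserStore("MD5")
    store.set_password("szhw", "Changeme_123")
    before = store.weakest_for("szhw")                # "md5"
    store.set_encryption_type("PBKDF2")
    after_switch = store.weakest_for("szhw")          # still "md5"
    wordlist = ["password", "nesoft", "Changeme_123", "huawei"]
    cracked, _ = offline_guess(store.users["szhw"], wordlist)
    store.set_password("szhw", "N3w-Str0ng-Passphrase!")
    after_change = store.weakest_for("szhw")          # now "pbkdf2"
    return {"before": before, "after_switch": after_switch,
            "cracked_old_record": cracked, "after_change": after_change}
```

The point the model makes explicit is that an MD5-mode record stays crackable at MD5 speed after the switch to PBKDF2; only the subsequent password change removes the weak digests, which is why the manual insists on changing passwords after setting the type.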
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.
Step 2 In the NE User Management Table pane, click Add and the Add NE User dialog box is
displayed. After setting the user attributes, click OK.
User level: one of the following.
Monitor level: Monitor-level users have the lowest rights. They are authorized to issue query commands and modify their own attributes.
Operation level: Operation-level users are authorized to query the system information and perform some configuration operations.
Maintenance level: Maintenance-level users are authorized to perform all maintenance operations.
System level: System-level users are authorized to perform all query and configuration operations.
Debug level: Debug-level users are authorized to perform all operations in the debugging process, including security management.
----End
Procedure
Step 1 In NE User Management Table, select a user to be deleted, and click Delete.
Step 2 A dialog box is displayed asking you whether to delete the NE user. After you confirm that
the user is to be deleted, click OK.
----End
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The NE user has been created.
l Common users with rights lower than Administrator User Group can modify only their
own attributes.
Procedure
Step 1 In the NE User Management Table pane, select the NE user for attribute modification. Click
Modify. The Modify NE User dialog box is displayed.
Step 2 Modify the user attributes and click OK to save the modifications.
----End
Procedure
Step 1 In the NE User Management Table pane, select the NE user for password modification.
Click Set Password. The Set Password of NE User dialog box is displayed.
Step 2 In the displayed Set Password of NE User dialog box, click "...". In the displayed dialog box, enter a new password.
Step 3 After modifying the user password, click OK to save the modifications.
----End
Procedure
Step 1 In the NE Explorer, select the desired NE user. Choose Security > NE Login Management
from the Function Tree. Click Set Password of NE User. A dialog box is displayed asking
you whether to change the current password.
Step 2 In the displayed Set Password of NE User dialog box, click "...". In the displayed dialog box, enter the old password and the new password, and click OK.
NOTICE
When you change the password of a user, the user is locked and forced to log out after five consecutive incorrect entries of the old password.
----End
Prerequisites
l You are an NMS user with Maintainer User Group rights or higher and belong to the
Security Manager Group.
l The logged-in NE user must have system level rights or higher.
l The NE user has been created.
l The NE user to be modified has a lower user level than the user that is logged in.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE User
Management from the Function Tree.
Step 2 Click Query. Then select the desired user. Click View Additional User Info. The Additional
User Info List dialog box is displayed.
Step 3 Modify required additional user information. Click OK or Apply to save the modifications.
Parameter Description
Allowable Login Start Date: Specifies the start date from which a registered NE user is allowed to log in to the NE.
Allowable Login Start Time: Specifies the start time from which a registered NE user is allowed to log in to the NE.
Allowable Login End Date: Specifies the end date until which a registered NE user is allowed to log in to the NE.
Valid Till (time): Specifies the end time until which a registered NE user is allowed to log in to the NE.
Time to Lock User for No Activities (Day): Specifies the number of days of inactivity after which the user is locked. The value ranges from 25 to 999; the default value 0 means that the user is never locked for inactivity.
Maximum Password Validity (Day): Specifies the maximum number of days for which the user's password is valid.
----End
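The following Python check is added to this manual as an illustration and is not part of the U2000; it evaluates the additional user information parameters above against a login attempt, including a login window that crosses midnight, the 25 to 999 day range of the inactivity lock, and password expiry. The interpretation of 0 as "never lock" and "never expire", the ordering of the checks, and the scenario dates are the example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, Optional


@dataclass
class AdditionalUserInfo:
    """The parameters listed above. None means the parameter is not set.
    Assumption: 0 (the documented default) means the user is never locked
    for inactivity, and a validity of 0 means the password never expires."""
    login_start_date: Optional[date] = None
    login_start_time: Optional[time] = None
    login_end_date: Optional[date] = None
    valid_till_time: Optional[time] = None
    lock_after_idle_days: int = 0
    max_password_days: int = 0

    def __post_init__(self) -> None:
        if self.lock_after_idle_days != 0 and not 25 <= self.lock_after_idle_days <= 999:
            raise ValueError("Time to Lock User for No Activities must be 0 or 25..999 days")
        if self.max_password_days < 0:
            raise ValueError("Maximum Password Validity cannot be negative")


@dataclass
class UserState:
    last_login: Optional[datetime]      # None: the user has never logged in
    password_changed: datetime


def check_login(info: AdditionalUserInfo, state: UserState, now: datetime) -> str:
    """Return "allowed" or the first reason the login attempt is refused."""
    today, clock = now.date(), now.time()
    if info.login_start_date is not None and today < info.login_start_date:
        return "before Allowable Login Start Date"
    if info.login_end_date is not None and today > info.login_end_date:
        return "after Allowable Login End Date"
    if info.login_start_time is not None and info.valid_till_time is not None:
        if info.login_start_time <= info.valid_till_time:
            in_window = info.login_start_time <= clock <= info.valid_till_time
        else:
            # The window crosses midnight, e.g. 22:00 to 06:00.
            in_window = clock >= info.login_start_time or clock <= info.valid_till_time
        if not in_window:
            return "outside the allowable login time window"
    if info.lock_after_idle_days and state.last_login is not None:
        if now - state.last_login >= timedelta(days=info.lock_after_idle_days):
            return "user locked for inactivity"
    if info.max_password_days:
        if now - state.password_changed >= timedelta(days=info.max_password_days):
            return "password expired"
    return "allowed"


def demo() -> Dict[str, str]:
    """Constructed scenario: a night-shift window 22:00 to 06:00 during
    November and December 2016, a 30-day inactivity lock, 90-day passwords."""
    info = AdditionalUserInfo(
        login_start_date=date(2016, 11, 1), login_end_date=date(2016, 12, 31),
        login_start_time=time(22, 0), valid_till_time=time(6, 0),
        lock_after_idle_days=30, max_password_days=90,
    )
    active = UserState(last_login=datetime(2016, 11, 10, 23, 0),
                       password_changed=datetime(2016, 10, 1))
    stale_pw = UserState(last_login=datetime(2016, 11, 20, 1, 0),
                         password_changed=datetime(2016, 8, 1))
    return {
        "night_login": check_login(info, active, datetime(2016, 11, 12, 23, 30)),
        "daytime_login": check_login(info, active, datetime(2016, 11, 12, 12, 0)),
        "idle_35_days": check_login(info, active, datetime(2016, 12, 15, 1, 0)),
        "after_end_date": check_login(info, active, datetime(2017, 1, 2, 1, 0)),
        "before_start_date": check_login(info, active, datetime(2016, 10, 20, 1, 0)),
        "old_password": check_login(info, stale_pw, datetime(2016, 11, 21, 1, 0)),
    }
```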
Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The logged-in NE user must have system level rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE User Group Management from the Function Tree.
NE user group: User level
Administrator: System
Maintainer: Maintenance
Operator: Operation
Monitor: Monitoring
----End
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE
Security Parameters from the Function Tree.
Step 2 Click Query to query the settings of NE security parameters.
----End
Procedure
Step 1 Select the desired NE in the Main Topology. In the NE Explorer, choose Security > NE User
Management from the Function Tree. The Password Blacklist Management tab is
displayed.
Step 2 Click Set Password Blacklist on the lower right corner. The Set Password Blacklist window
is displayed.
Step 3 Click Add or Delete to add or delete blacklisted passwords, and then click Apply to apply the
settings to the NE.
----End
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l An NE user is created.
Procedure
Step 1 Click the NE in the NE Explorer and choose Security > NE User Password Encryption
Management from the Function Tree.
----End
Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l To ensure the security of NE operations, the NMS maintainers or administrators can use
the U2000 server to view all the online NE users within the management rights and the
way in which the users log in to the NEs.
l When you want to log in to an NE as a user who has a higher level of rights, you can
force a lower-level NE user to log out of the NE. In this way, you can avoid an NE being
configured by multiple NE users at the same time, or prevent unauthorized logins by
other NE users.
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > Online
User Management.
Step 3 Select the NE entry. Click Forced Logout to force the desired NE user to log out of the NE.
----End
Procedure
Step 1 Select the desired NE from the Object Tree in the NE Explorer. Choose Security > NE Login
Management.
Step 3 In the NE Login Management Table, select the NE and click Switch NE User. In the
Switch Current NE User dialog box, enter the user name and password in User and
Password.
During a new deployment, after the NE user root creates an NE, this user can create another NE user. By switching the logged-in NE user, you can log in to the NE as the new user.
NOTE
During offline switching of an NE user, the system does not check the user name and password on the NE side. If they are wrong, subsequent logins to the NE fail and the NE becomes unreachable.
----End
Prerequisites
l You are an NMS user with Maintainer User Group rights or higher.
l The logged-in NE user must have system level rights or higher.
Procedure
Step 1 Select the desired NE in the NE Explorer. Choose Security > NE Security Parameters from
the Function Tree. The NE Security Parameter List is displayed.
Step 3 Select an NE, double-click Warning Screen Switching and choose Enabled or Disabled.
Step 5 Click Apply. A message is displayed indicating that the operation is successful. Click Close.
NOTE
You can enter a message in the Warning Screen Information field only when Warning Screen
Switching is set to Enabled.
----End
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
Procedure
Step 1 In the NE Explorer, select an NE and choose Communication > Access Control from the
Function Tree.
Step 2 In the Ethernet Access Control area, select or deselect Enable Ethernet Access and click
Apply.
NOTICE
If you select Enable Ethernet Access, the external network port of an NE can be used for
Ethernet communication.
If you deselect Enable Ethernet Access, the external network port of an NE cannot be used
for Ethernet communication.
If Ethernet communication exists on the external network port of an NE and Enable Ethernet
Access is not selected, the NE may be unreachable to the NMS.
If you select Enable Ethernet Access, the equipment can interconnect with other OSPF-
compliant equipment through the external network port of which the OSPF function is
enabled by default. MD5 authentication is supported by the external network port by default.
On the NMS, you can disable the management Ethernet port of a non-GNE to prevent unauthorized local access. The management Ethernet port supports the security Ethernet survival function: if Enable Ethernet Access is not selected and no NMS user logs in to the NE for 30 consecutive minutes, the local management Ethernet port is automatically enabled so that local access remains possible. When an NMS user logs in to the NE again, the local management Ethernet port is automatically disabled. Because of this safeguard, the local port is closed only while an NMS user is logged in or during the 30-minute idle window, so disabling Ethernet access does not replace physical access control at the site.
----End
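The following Python model is added here for illustration and is not code from the NE; it reproduces the survival behaviour described in the notice for a non-GNE whose Enable Ethernet Access is deselected: the local port reopens after 30 minutes without an NMS user and closes again when an NMS user logs in. That NMS logins reach a non-GNE through its GNE rather than through this port, and that the idle timer restarts at each NMS logout, are the example's assumptions; the timeline is constructed.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

SURVIVAL_IDLE = timedelta(minutes=30)   # the figure quoted in the notice above


class ManagementEthernetPort:
    """Model of a non-GNE's local management Ethernet port. NMS sessions
    are tracked independently of the port, since they arrive via the GNE
    (assumption). The idle timer restarts at each NMS logout (assumption)."""

    def __init__(self, enable_ethernet_access: bool, now: datetime) -> None:
        self.admin_enabled = enable_ethernet_access   # the Enable Ethernet Access checkbox
        self.survival_enabled = False                 # opened by the survival function
        self.nms_sessions = 0
        self.last_nms_activity = now

    def is_up(self) -> bool:
        return self.admin_enabled or self.survival_enabled

    def nms_login(self, now: datetime) -> None:
        self.nms_sessions += 1
        self.last_nms_activity = now
        self.survival_enabled = False   # local port closed again while an NMS user is in

    def nms_logout(self, now: datetime) -> None:
        self.nms_sessions = max(0, self.nms_sessions - 1)
        self.last_nms_activity = now

    def tick(self, now: datetime) -> bool:
        """Evaluate the survival rule at `now`; returns whether the port is up."""
        idle = now - self.last_nms_activity
        if not self.admin_enabled and self.nms_sessions == 0 and idle >= SURVIVAL_IDLE:
            self.survival_enabled = True
        return self.is_up()


def timeline() -> List[Tuple[str, bool]]:
    """Constructed scenario: port disabled at t0, the NMS user leaves, the
    port reopens after 30 idle minutes and closes on the next NMS login."""
    t0 = datetime(2016, 10, 30, 9, 0)
    port = ManagementEthernetPort(enable_ethernet_access=False, now=t0)
    events = [("disabled", port.is_up())]
    port.nms_login(t0 + timedelta(minutes=1))
    port.nms_logout(t0 + timedelta(minutes=5))
    events.append(("idle 29 min", port.tick(t0 + timedelta(minutes=34))))
    events.append(("idle 30 min", port.tick(t0 + timedelta(minutes=35))))
    port.nms_login(t0 + timedelta(minutes=40))
    events.append(("nms back", port.tick(t0 + timedelta(minutes=41))))
    return events
```

The "idle 30 min" step is the window a site visitor with a laptop can use; the model makes it easy to see that the window exists whenever no NMS user is logged in, not only during outages.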
Procedure
Step 1 On the Main Topology, select an NE. Then, in the NE Explorer, choose Communication >
Access Control from the navigation tree.
Step 2 In the displayed Serial Port Access Control interface, set the Enable Serial Port Access and
click Apply.
NOTE
Only F1SCC equipment supports the Serial Port Access Control function; F3SCC equipment does not.
----End
Parameter description
l The Enable Serial Port Access parameter specifies whether the serial port is used for
equipment management. If Enable Serial Port Access is selected, equipment can be
managed using serial ports.
l If Access Command Line is selected, equipment can be accessed using commands for
management.
l If Access NM is selected, equipment can be managed through the NMS.
l The Baud Rate parameter specifies the access rate of a serial port.
Prerequisites
You must be an NM user with "Operator User Group" authority or higher.
Procedure
Step 1 Select an NE. Then, in the NE Explorer, choose Communication > Access Control from the
function tree.
Step 2 In the displayed right window, choose the USB Access Control interface, select the desired
main control board and enable USB Port Access and click Apply.
NOTE
Only the F3SCC02 1800I/II equipment supports the USB Access Control function.
----End
Context
Security logs are saved in the U2000 database, where you can check the information about
security operations.
When security logs are forwarded to a syslog server, they are not saved in the U2000 database, so they can be checked only on the syslog server.
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The logged-in NE user must have system level rights or higher.
Security Logs
1. In the NE Explorer, select an NE and choose Security > NE Security Log from the
Function Tree.
Operation Logs
1. In the NE Explorer, select an NE and choose Security > NE Operation Log from the
Function Tree.
2. Query logs.
In the window that is displayed, click Query at the lower right corner. Then all
operation logs are displayed.
Click Filter at the lower right corner to filter information based on user names and
operation types.
3. Click Save as to save NE operation logs to files.
Context
Operation: Prerequisites
Syslog Certificates Management: You are an NMS user with Operator User Group rights or higher.
Configuring the Syslog Server for an NE: You are an NMS user with "Maintenance Group" authority or higher.
Loading an NE Syslog Certificate: You are an NMS user with "Maintenance Group" authority or higher, and an NE Syslog certificate has been successfully imported to the U2000.
2. Configure the syslog server. Click the Syslog Server tab. The list of syslog servers is
displayed. Click New.
The Add Syslog Server dialog box is displayed. Set the IP Address, Send Mode, and
Port based on the network settings.
3. Configure the Syslog GNE. Click the Syslog GNE tab. The list of syslog GNEs is
displayed. Click New.
From the displayed Object Select dialog box, select a proper NE as a syslog GNE. (Logs
transferred to the Syslog server include security logs and operation logs).
2. Choose Certificate Management tab, and click Query to obtain the certificate name,
the valid time when the certificate starts to take effect and expires, and the authority that
issues the certificate.
3. Select the certificate and click Delete at the lower right corner of the window to delete
the SYSLOG certificate on the NE.
NOTE
You can also choose Set Login Account from the shortcut menu and set Login User and Password
in the dialog box that is displayed.
3. Right-click the NE and choose Query Board from the shortcut menu. Then board
information about the NE is displayed.
NOTE
It may take a period of time for the board information to display, which is normal.
5. Select the check box before the desired main control board and click the add icon to add the board to the operation list.
6. In the Upgrade Version field, click the icon. The Board software setting window is displayed.
7. Set the software load type to Certificate and click Add Software. The Choose File
window is displayed.
NOTE
You can click Add Software to add multiple files at the same time.
8. In the Choose File dialog box, select the desired Syslog certificates.
9. In the Board software setting dialog box, click OK. The upgrade software selection is
complete.
10. Select a board in Operation List, and click Start.
11. When the loading is complete, click Activate. The Warning dialog box is displayed.
Confirm whether to activate the software.
12. Click Yes to start activating the software.
13. After the activation, the Operation Result dialog box is displayed indicating that the
activation succeeds. Click Close.
Prerequisites
You are an NMS user with the Administrators permission or higher.
Enabling KMC
On the main menu, choose Administration > NE Security Management > NE Communication Service Management. Click the NE KMC Service Management tab, and set Control Switch to Enabled or Disabled to enable or disable KMC (KMC in this document refers to Key Management Center).
If you enable KMC, you must set Encrypt Data Key Encrypt Type.
Click the NE KMC Service Management tab. Then, click the icon under Encrypt Data Key. The dialog box for changing a KMC key is displayed. Then, manually change the key.
You are advised to change the KMC key in the following situations:
l The key is leaked.
l The key has not been changed for a long period of time.
NOTE
1. Select a data key encryption mode according to your feasibility and usability requirements.
2. If you select the User Password mode, you must remember the value of Encrypt Data Key Encrypt Key; otherwise, database import or export may fail.
3. The complexity requirements for Encrypt Data Key Encrypt Key are the same as those for Encrypt Data Key.
4. After you downgrade from a version that supports KMC to a version that does not, delete the keystore files from ofs1/sm/ and ofs2/sm/.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
1. In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
2. Click the Basic ACL tab. The basic ACL rule list is displayed.
3. Click Query to query the basic ACL rules from the NE.
4. Click New.
An undefined basic ACL rule is added to the basic ACL rule list. Set the parameters
according to the network requirements.
5. Click Apply to apply the new configuration data to the NE.
6. A dialog box is displayed, indicating that the operation is successful.
7. You can repeat the preceding steps to set more basic ACL rules for this NE.
1. In the NE Explorer, select an NE and choose Security > ACL from the Function Tree.
2. Click the Advanced ACL tab. The advanced ACL rule list is displayed.
3. Click Query to query the advanced ACL rules from the NE.
4. Click New.
An undefined advanced ACL rule is added to the advanced ACL rule list. Set the
parameters according to the network requirements.
5. Click Apply to apply the new configuration data to the NE. A message appears
indicating the operation is successful.
6. You can repeat the preceding steps to set more advanced ACL rules to this NE.
The parameters of an ACL rule are as follows.
Operation Type (Permit/Deny): Indicates the ACL action. Deny: a packet that matches the rule is discarded. Permit: a packet that matches the rule is forwarded.
Sink IP Address: The Sink IP Address parameter and the Wildcard parameter together determine the addresses that match an ACL rule.
Source Port: The valid value range is 0 to 65535, or 0xFFFFFFFF. 0xFFFFFFFF means that the rule does not check this item. This parameter is valid only when the protocol type is TCP or UDP.
Sink Port: The valid value range is 0 to 65535, or 0xFFFFFFFF. 0xFFFFFFFF means that the rule does not check this item. This parameter is valid only when the protocol type is TCP or UDP.
ICMP Protocol Type: This parameter is valid only when the protocol type is ICMP. The value 255 means that the rule does not check this item. (If this parameter is set to 255, ICMP Code Type must also be 255.)
ICMP Code Type: This parameter is valid only when the protocol type is ICMP. The value 255 means that the rule does not check this item. (If ICMP Protocol Type is 255, the code must also be 255.)
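The following Python matcher is added to this manual as an illustration of the rule semantics above and is not the NE's implementation. It applies the address/wildcard comparison, treats 0xFFFFFFFF as "any port" and 255 as "any ICMP type/code", ignores port fields for non-TCP/UDP traffic and ICMP fields for non-ICMP traffic, and rejects a rule whose ICMP type is 255 while its code is not. Wildcard masks use the usual convention (a 1 bit means "do not care"); the protocol field, first-match evaluation, the default action when nothing matches, and the sample addresses are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_PORT = 0xFFFFFFFF      # "not concerned about this item" for ports
ANY_ICMP = 255             # "not concerned about this item" for ICMP type/code


@dataclass
class AclRule:
    """One ACL rule. Wildcard masks follow the usual convention: a 1 bit
    means "do not care", so 0.0.0.0 with 255.255.255.255 matches any host.
    The protocol field is an assumption; the manual does not list it."""
    action: str                       # "Permit" or "Deny"
    source_ip: str = "0.0.0.0"
    source_wildcard: str = "255.255.255.255"
    sink_ip: str = "0.0.0.0"
    sink_wildcard: str = "255.255.255.255"
    protocol: Optional[str] = None    # "TCP", "UDP", "ICMP" or None for any
    source_port: int = ANY_PORT
    sink_port: int = ANY_PORT
    icmp_type: int = ANY_ICMP
    icmp_code: int = ANY_ICMP

    def __post_init__(self) -> None:
        if self.action not in ("Permit", "Deny"):
            raise ValueError("Operation Type must be Permit or Deny")
        for p in (self.source_port, self.sink_port):
            if p != ANY_PORT and not 0 <= p <= 65535:
                raise ValueError("port must be 0..65535 or 0xFFFFFFFF")
        if self.icmp_type == ANY_ICMP and self.icmp_code != ANY_ICMP:
            raise ValueError("ICMP Code Type must be 255 when ICMP Protocol Type is 255")


@dataclass
class Packet:
    source_ip: str
    sink_ip: str
    protocol: str                     # "TCP", "UDP", "ICMP", ...
    source_port: int = 0
    sink_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def ip_matches(addr: str, rule_ip: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_ip))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if not ip_matches(pkt.source_ip, rule.source_ip, rule.source_wildcard):
        return False
    if not ip_matches(pkt.sink_ip, rule.sink_ip, rule.sink_wildcard):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if pkt.protocol in ("TCP", "UDP"):
        # Port fields are only meaningful for TCP/UDP.
        if rule.source_port != ANY_PORT and rule.source_port != pkt.source_port:
            return False
        if rule.sink_port != ANY_PORT and rule.sink_port != pkt.sink_port:
            return False
    elif pkt.protocol == "ICMP":
        # ICMP type/code fields are only meaningful for ICMP.
        if rule.icmp_type != ANY_ICMP and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code != ANY_ICMP and rule.icmp_code != pkt.icmp_code:
            return False
    return True


def evaluate(rules: List[AclRule], pkt: Packet, default: str = "Permit") -> str:
    """First matching rule decides; `default` applies when none matches
    (assumption: the manual does not state the NE's implicit action)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set: allow TCP from the NMS subnet 10.1.1.0/24 and ICMP
# echo requests (type 8, code 0) from it, then deny everything else explicitly
# so the result does not depend on the implicit default.
NMS_RULES = [
    AclRule("Permit", source_ip="10.1.1.0", source_wildcard="0.0.0.255", protocol="TCP"),
    AclRule("Permit", source_ip="10.1.1.0", source_wildcard="0.0.0.255", protocol="ICMP",
            icmp_type=8, icmp_code=0),
    AclRule("Deny"),
]
```

Ending the list with an explicit Deny rule is the check a practitioner wants before relying on an ACL: it makes the behaviour for unmatched traffic a deliberate choice rather than whatever the device's implicit default happens to be.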
Prerequisites
Operation Prerequisites
Configuring LCT Access to NEs You are an NMS user with Administrator
User Group rights or higher.
NMS Access
The NMS connects to devices through Ethernet NM interfaces and OAM serial ports and logs in remotely to manage and maintain the devices. The NMS communicates with the devices using TCP/IP. The NMS and gateway devices can be connected through the DCN or directly by a network cable; select the connection method as required. For non-GNEs, device access through Ethernet NM interfaces and OAM serial ports can be disabled. For the operation method, see 2.3.1 Ethernet Access Control and 2.3.2 Serial Port Access Control.
NOTICE
l If no NMS user has logged in to an NE, the NE allows a user to log in from an LCT regardless of whether LCT access is enabled.
l If an LCT user requests to log in to an NE to which an NMS user has logged in, the
NE determines whether to permit the login of the LCT user according to the setting of
LCT Access Control Switch.
l An NMS user can log in to an NE to which an LCT user has logged in. After the
NMS user logs in to the NE successfully, the logged-in LCT user is not affected.
l When both an LCT user and an NMS user have logged in to an NE, the logged LCT
user is not affected if LCT Access Control Switch is set to Disabled Access.
SNMP Access
1. In the NE Explorer, select an NE and choose Communication > SNMP
Communication Parameters.
2. Click Create. The Create SNMP Communication Parameters dialog box is displayed.
Set parameters, such as NMS IP Address, Read/Write Permissions, Port, Read/Write
Community Name, and Trap Version. If the IP address has been set to 0.0.0.0, any IP
address can access the NE.
The default Trap community name is Public. Because this default is publicly known, change it before the NE is reachable from any network you do not control.
The security user name of SNMPv3 traps is empty by default. SNMPv3 traps work only if the security user name is specified.
The Read Community Name, Write Community Name, and Trap community name
must meet the following complexity requirements:
The name must be a character string with a minimum length of six bytes. Valid
length ranges from six to sixteen bytes.
The name must combine at least two types of the following characters:
n Lowercase letters
n Uppercase letters
n Digits
n Special characters, including space and `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
If such complex community names are unnecessary for you, you can choose
Communication > SNMP Communication Parameters to disable the community
name complexity verification function.
NOTE
If the community name complexity verification function is disabled, users can use a low-complexity community name. A low-complexity community name is easy to guess, which exposes the NE to unauthorized SNMP reads and writes.
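The following Python check is added to this manual as an illustration and is not the NMS's own verification code. It applies the community name rules above exactly (6 to 16 bytes, at least two of the four character types, only the listed characters) and adds the check a practitioner wants alongside them: the well-known default names pass the complexity rule (Public is six bytes with upper- and lowercase letters) yet are the first guesses an attacker tries. Treating "private" as a default alongside the Public named on this page is the example's assumption.

```python
import string
from typing import List

# The special characters listed in the rule above, including the space.
SPECIALS = set(" `~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")
# The manual names Public as the default trap community; "private" is the
# other well-known SNMP default (assumption, not stated on this page).
KNOWN_DEFAULTS = {"public", "private"}


def complexity_violations(name: str) -> List[str]:
    """Apply the community-name rules; returns an empty list when the name
    passes. Length is measured in bytes, as the rule states."""
    problems = []
    length = len(name.encode("utf-8"))
    if not 6 <= length <= 16:
        problems.append(f"length {length} bytes, must be 6 to 16")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in name),
        "uppercase": any(c in string.ascii_uppercase for c in name),
        "digit": any(c in string.digits for c in name),
        "special": any(c in SPECIALS for c in name),
    }
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    bad = sorted({c for c in name if c not in allowed})
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    if sum(classes.values()) < 2:
        problems.append("must combine at least two character types")
    return problems


def community_name_acceptable(name: str, enforce_complexity: bool = True) -> List[str]:
    """Complexity check (unless verification is disabled on the NE) plus a
    rejection of the well-known default names, which the complexity rule
    alone does not catch."""
    problems = complexity_violations(name) if enforce_complexity else []
    if name.lower() in KNOWN_DEFAULTS:
        problems.append("well-known default community name")
    return problems
```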
Report SDH Performance Trap (No Report, Report): Specifies whether SDH performance data is reported by trap.
Report Alarm Trap (No Report, Report): Specifies whether alarm data is reported by trap.
SSH Access
l Set the NE communication service mode.
a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
e. Click New Key Pair. The New Key Pair dialog box is displayed.
f. In the New Key Pair dialog box, set Key Type to S-RSA (NE As the Server) and
Overwrite Mode to Yes. During the key creation, a dialog box is displayed
indicating that you need to wait for 10 minutes to view the key creation status and
then upload the key after it is created.
g. Click OK. In the key pair create dialog box, click Close. After 10 minutes, Click
Query New Key Pair.
h. Click Export Public Keys. In the displayed dialog box, select S-RSA and set File
Name. Click OK.
i. In the Result dialog box, click Close.
NOTE
Users can copy the public key information in the file exported in step 3 to the text box, or
click Import to import public key information to the NMS.
g. Click OK. In the Result dialog box, click Close.
h. The public key information generated by the NE is uploaded to the authorized_keys
file in the .ssh directory of the logged-in user.
l Associate an SSH user and the SSH client key.
a. Choose Administration > NE Security Management > NE Communication
Service Management from the main menu.
b. Click the SSH User Management tab.
c. Select the target NE from the NE list and click the query icon. The Query dialog box is displayed and the query results are shown on the right of the interface.
d. Click Query to check the NE user authentication information.
Prerequisites
Operation: Prerequisites
Modifying Connection Modes Between the NMS and GNE: You are an NMS user with Administrator User Group rights or higher, and the IP GNE has been created.
Modifying Connection Modes Supported by Common NEs: You are an NMS user with Administrator User Group rights or higher.
2. Choose Administration > DCN Management from the Main Menu. Click the GNE
tab. Right-click the GNE to be modified and choose Modify GNE from the shortcut
menu.
3. In the displayed Modify GNE dialog box, set Connection Mode to Security SSL.
NOTE
A common NE must use the same connection mode as its GNE uses to communicate with the NMS; otherwise it cannot communicate with the NMS. For example, if an NE's GNE uses Security SSL mode to communicate with the NMS, the NE's connection mode must also be set to Security SSL. SSL connection modes support bidirectional (mutual) authentication of client and server.
l If NEs are managed through a GNE, the GNE and the NMS are connected in SSL mode. If
the GNE and non-GNEs are connected using the management network ports, it is
recommended that you set all non-GNEs that are in the same LAN with the GNE to GNEs
and manage NEs in secure SSL mode.
l If an NE is connected to an external network that is not secure, it is recommended that you
set the NE to a GNE and manage the NE in secure SSL mode.
l If an NE is connected to an external network that is not secure, it is recommended that you
set ACLs for the NE for packet filtering.
By default, the DC accounts of NEs are blank, so when you open Board Software Upgrade the navigation tree cannot automatically filter the NE list of the subnet. Configure the DC account of the NE in DC Login User Management (choose Administration > NE Security Management > NE Login Management) first, then open Board Software Upgrade again; the navigation tree then filters the specific NEs.
3. Right-click a desired NE in the navigation tree and choose Login NE from the shortcut
menu.
NOTE
You can also choose Set Login Account from the shortcut menu and set Login User and Password
in the dialog box that is displayed.
4. Right-click the NE and choose Query Board from the shortcut menu. Then board
information about the NE is displayed.
NOTE
It may take a period of time for the board information to display, which is normal.
6. Select the check box before the desired main control board and click to add the
board to the operation list.
7. In the Upgrade Version field, click the button. The Board Software Setting window is displayed.
8. Set the software load type to Certificate and click Add Software. The Choose File
window is displayed.
NOTE
You can click Add Software to add multiple files at the same time.
9. In the Choose File dialog box, select the CA.CRT, CERTNE.CRT, CERTNE.KEY, and SSLCFG.KEY certificate and key files. SSLCFG.KEY is a communication key. For how to load SSLCFG.KEY, see Operation and Maintenance > Administrator Guide > Network
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
1. Choose Administration > NE Security > Service Management > NE Communication
Services Management from the Main Menu.
4. Wait for 10 minutes and then check the key status. If the key has been created, upload it. To upload the key, right-click the NE and choose Set Passphrase from the shortcut menu. In the displayed dialog box, set the new passphrase and confirm it (the passphrase must meet the complexity requirements). Click OK; the message "Do you want to upload public key information immediately?" is displayed.
10. Click the SFTP Public Key Fingerprint Management tab page. On the tab, click New.
In the displayed New SFTP Public Key Fingerprint dialog box, enter the Server IP
Address, Server Port, Algorithm, and Public Key Fingerprint, and click OK.
Prerequisites
You are an NMS user with Administrator User Group rights or higher.
1. In the NE Explorer, choose Configuration > NE Time Synchronization from the Function Tree.
2. Enable NE Time Synchronization, configure the NTP server address, and click Apply.
Security suggestion: If you do not need the NTP service, disable the NTP port. If the NTP port is enabled, create an authentication key: the key ID is an integer from 1 to 1024, and the key password must meet the complexity requirements.
NTP uses MD5 to verify the identities of client and server (symmetric-key authentication). If authentication is used, the keys configured at both ends must be identical and must be kept confidential.
Note that unauthenticated NTP accepts forged time responses, which skew the NE clock and with it log timestamps and certificate validity checks; use MD5 authentication for interconnection.
It is recommended that you enable authentication on both the server and the client.
3. After the NTP service is enabled, the NE enables both the NTP server and the NTP client. For security, the NTP server can be enabled or disabled separately.
a. On the U2000 main menu, choose Administration > NE Security Management > NE Communication Services Management. The window shown in the following figure is displayed.
b. In Control Switch, select Enabled or Disabled to enable or disable the NTP server. Enabled is selected by default.
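The authentication step above is easier to reason about when the packet-level check is visible. The following Python is an added example, not code from the manual or the NE: it builds an NTPv4 client header, appends the symmetric-key authenticator (32-bit key ID followed by MD5 over key and packet, as RFC 5905 specifies), and verifies it the way the peer does. The key, key ID 42 and the packet contents are constructed; the key ID range check follows the 1 to 1024 limit stated above. MD5 is what this NTP mode uses, so the strength of the scheme rests entirely on the key being strong, identical at both ends and confidential.

```python
"""Symmetric-key NTP authentication (RFC 5905, MD5 digest).

Added example, not from the OptiX OSN 1800 manual. Shows that the MAC the NE and
the NTP server compute over each packet only matches when both ends hold the
same key under the same key ID. Packet contents and keys are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict

NTP_HEADER_LEN = 48   # bytes of header before the optional authenticator
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest


def build_ntp_client_header(transmit_ts: int = 0xE4FB123400000000) -> bytes:
    """Minimal 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, root delay, root dispersion, reference ID
    fixed = struct.pack("!BBbbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    zero_timestamps = b"\x00" * 24          # reference, origin, receive timestamps
    return fixed + zero_timestamps + struct.pack("!Q", transmit_ts)


def ntp_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Authenticator = key ID || MD5(key || packet); the key ID itself is not hashed."""
    if not 1 <= key_id <= 1024:                      # range the manual allows
        raise ValueError("key ID must be an integer from 1 to 1024")
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    return packet + ntp_mac(key_id, key, packet)


def verify(signed: bytes, keyring: Dict[int, bytes]) -> bool:
    """Peer-side check: look the key ID up, recompute, compare in constant time."""
    if len(signed) < NTP_HEADER_LEN + MAC_LEN:
        return False                                  # no authenticator: reject when auth is required
    packet, mac = signed[:-MAC_LEN], signed[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keyring.get(key_id)
    if key is None:
        return False                                  # key ID not trusted on this side
    return hmac.compare_digest(mac[4:], hashlib.md5(key + packet).digest())


def demo() -> Dict[str, bool]:
    """Constructed exchange: NE signs with key 42, server holds the same key under ID 42."""
    packet = build_ntp_client_header()
    shared = b"Ne7-ntp!K3y-shared-both-ends"
    server_keyring = {42: shared}
    good = sign(packet, 42, shared)
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # flip a bit in the transmit timestamp
    return {
        "same_key_accepted": verify(good, server_keyring),
        "different_key_rejected": not verify(sign(packet, 42, b"some-other-key"), server_keyring),
        "unknown_key_id_rejected": not verify(sign(packet, 7, shared), server_keyring),
        "tampered_packet_rejected": not verify(tampered, server_keyring),
        "unauthenticated_rejected": not verify(packet, server_keyring),
    }
```

The second and third cases are the two misconfigurations the text warns about: a key that differs between the NE and the server, and a key ID that is configured on one side only. Both look identical on the wire to an attack and are rejected.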
2: Operation Level
3: Maintenance Level
4: Administrator Level
5: Super Administrator Level
NOTE
If no user permission value is set for a RADIUS server user, or the value is outside the preceding range, the equipment automatically sets the user level to the XXXX level. It is recommended that you set the value to 0 for new devices.
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l Communication between the NE and the NMS is normal.
Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE
RADIUS Function Configuration from the Function Tree
Step 2 Click Query to query the information about RADIUS function configuration from the NE.
----End
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The RADIUS client function of the NE is enabled.
Procedure
Step 1 In the NE Explorer, select the desired NE from the Object Tree and choose Security > NE
RADIUS Configuration from the Function Tree.
NOTICE
The login timeout interval configured on the NMS is 15s (10s on the Web LCT). Ensure that Interval of Packet Transmission multiplied by Packet Retransmission Attempts does not exceed the login timeout interval; otherwise, when the RADIUS server does not answer, the login times out before the NE finishes its retransmissions and the equipment becomes unavailable.
Step 2 Click the RADIUS Server Configuration tab. The RADIUS Server Information dialog box is displayed.
Step 3 Click Query to query the information about RADIUS server configuration from the NE.
Step 6 Configure information about the RADIUS server. Click OK to save the configuration.
NOTE
l When a new RADIUS server is added, an IP address that uniquely identifies the RADIUS server must be entered.
l When a new proxy server is added, an IP address or NE name that uniquely identifies the proxy server must be entered.
l Before adding a new RADIUS proxy server, you need to configure the NE as a RADIUS proxy server.
l If a RADIUS proxy server is added, a shared key (8 to 128 characters, or blank) can be configured on the NAS so that the key is shared between the NAS and the RADIUS proxy server. It is recommended that the shared key contain at least 16 characters. The shared key must be the same as that configured on the RADIUS proxy server.
l Configure security related to account management on the RADIUS server. For example, enable user lockout and set the user timeout.
----End
Prerequisites
l You are an NMS user with Administrator Group rights or higher.
l The NE is enabled as a RADIUS client and RADIUS proxy.
Procedure
Step 1 In the NE Explorer, select an NE. Choose Security > NE RADIUS Configuration from the
Function Tree.
Step 4 Click New. The New Authentication Key dialog box is displayed.
Step 6 Right-click a key configuration and choose Delete from the shortcut menu if necessary.
NOTE
l If an NE is enabled as a RADIUS proxy server, a shared key (8 to 128 characters) can be configured on the RADIUS proxy server so that the key is shared between the RADIUS proxy server and the NAS. It is recommended that the shared key contain at least 16 characters. The shared key configured on the RADIUS proxy server must be the same as that configured on the NAS. See the following figure "Radius Key Length Setting".
l If a shared key is configured between the NAS and a RADIUS proxy server and the NAS is then downgraded, the shared key on the NAS becomes empty and the NMS cannot log in to the NAS. In this case, you must delete the shared key on the RADIUS proxy server to restore communication with the NAS.
----End
Risks:
To prevent a shared key from being easily deciphered or leaked, ensure that the following requirements are met:
A shared key must contain 8 to 128 characters. It is recommended that a shared key contain at least 16 characters.
A shared key must contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters.
Shared keys must be changed at least every 90 days.
Configure a unique shared key between each client and the server, so that a key leaked from one client does not expose the others.
Prerequisites
l You are an NMS user with Administrator User Group rights or higher.
l The RADIUS server has been created.
Procedure
Step 1 In the NE Explorer, select an NE and choose Security > NE RADIUS Configuration from the navigation tree, as shown in Figure 3-15 RADIUS server configuration.
Step 2 Click Query to query the RADIUS parameter configuration from the NE.
Step 3 Click New. The New NE RADIUS Server Configuration dialog box is displayed.
Step 4 Configure the RADIUS parameters and click OK to save the configuration.
Precautions:
l To prevent a shared key from being easily deciphered or leaked, meet the following requirements:
a. Eight characters or longer; 16 characters recommended.
b. A combination of two or more of the following character types: lowercase letters, uppercase letters, digits, and special characters.
c. Change the key at least every 90 days.
d. Configure a different shared key for each client that connects to a server.
e. During a query for RADIUS configuration information, the shared key is sent to the NMS in plaintext, although the NMS displays it as *. To prevent the shared key from being leaked, query and configure this information only over an SSL secure channel.
For compatibility, an empty key is allowed when you add a RADIUS proxy server. An empty key gives the RADIUS exchange no protection; change it to a real shared key.
----End
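The Risks and Precautions lists above state the same key policy twice and warn that an empty key "brings risks" without saying what the risk is. The following Python is an added example, not code from the manual, the NMS or the NE: check_shared_secret() encodes the policy (8 to 128 characters, 16 recommended, two character types, changed within 90 days), and the authenticator functions show what the secret actually protects. Per RFC 2865 the NAS validates a server reply by recomputing MD5 over the reply plus the shared secret; with a blank secret, anyone who observed the request can forge an Access-Accept that the NAS will accept. The secrets, dates and packets are constructed.

```python
"""RADIUS shared-secret policy and what the secret protects (RFC 2865).

Added example; not code from the OptiX OSN 1800 manual or the NMS. Secrets,
dates and packets are constructed.
"""
import hashlib
import hmac
import os
import string
import struct
from datetime import date
from typing import Dict, List

ACCESS_ACCEPT = 2          # RADIUS packet code
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def check_shared_secret(secret: str, last_changed: date, today: date) -> List[str]:
    """Return the policy violations for a shared secret (empty list means compliant)."""
    problems = []
    n = len(secret)
    if n == 0:
        problems.append("blank secret: allowed for compatibility only, protects nothing")
    elif not 8 <= n <= 128:
        problems.append(f"length {n} is outside the permitted 8 to 128")
    elif n < 16:
        problems.append(f"length {n} is below the recommended 16")
    if n and sum(any(c in cls for c in secret) for cls in CHAR_CLASSES) < 2:
        problems.append("fewer than two character types")
    age = (today - last_changed).days
    if age > 90:
        problems.append(f"last changed {age} days ago; the limit is 90")
    return problems


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def nas_accepts(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the authenticator with the NAS's own copy of the secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def policy_demo() -> Dict[str, List[str]]:
    """Three constructed secrets checked against the manual's rules."""
    today = date(2016, 10, 30)
    return {
        "good": check_shared_secret("Z3q!v9Lm#2pR8tWx", date(2016, 9, 1), today),
        "weak": check_shared_secret("abcdefgh", date(2016, 1, 1), today),
        "blank": check_shared_secret("", date(2016, 10, 1), today),
    }


def forgery_demo() -> Dict[str, bool]:
    """Genuine reply versus one forged by someone who holds no secret at all."""
    secret = b"Z3q!v9Lm#2pR8tWx"
    request_auth = os.urandom(16)        # chosen by the NAS for each Access-Request
    genuine = build_reply(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    forged = build_reply(ACCESS_ACCEPT, 7, request_auth, b"", b"")
    return {
        "genuine_reply_accepted": nas_accepts(genuine, request_auth, secret),
        "forged_reply_rejected_with_secret": not nas_accepts(forged, request_auth, secret),
        "forged_reply_accepted_with_blank_secret": nas_accepts(forged, request_auth, b""),
    }
```

The third result in forgery_demo() is the concrete risk behind the compatibility note: with an empty key the Response Authenticator depends only on fields visible on the wire. The plaintext exposure of the key during a query (precaution e) is a separate problem, addressed by running the query over the SSL channel, not by the key policy.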
Table 3-5 Security threats facing data services and corresponding preventive measures
Threat: Heavy traffic attack
Preventive Measure: Control the service flow.
Description: Various measures are used to limit the service flow.
Affected Services: Ethernet services
Ethernet services are of two types: private line services and private network services.
l Private line services: Services are forwarded using VLAN tags and isolated at Layer 2. Service flow is controlled using the QoS scheme, and invalid packets are filtered using ACLs. In this way, data isolation and confidentiality are ensured.
l Private network services: Layer 2 switching services that are forwarded based on MAC addresses or MAC+VLAN. Private network services apply to many scenarios, MAC addresses are difficult to control, and the MAC address learning and forwarding mechanism can be influenced by user data packets (for example, by forged source MAC addresses). Therefore, private network services are exposed to security attacks.
NOTE
Ethernet converged services are also forwarded using VLAN tags and have the same security mechanism as private line services.
Flow control
When the flow of broadcast packets, multicast packets, or unicast packets with unknown destination addresses is excessive, service bandwidth is overloaded, or network congestion occurs due to burst traffic. Flow control prevents these problems and ensures stable and secure network operation.
l Broadcast packet suppression
Broadcast storm suppression limits the broadcast flow: broadcast packets that exceed the suppression threshold are discarded.
After port-based broadcast storm suppression is enabled, broadcast packets above the threshold are discarded. By default, the broadcast packet suppression threshold is 30 (%) of the port bandwidth.
Set the broadcast packet suppression threshold to limit the broadcast flow passing through the sub-interface. When the broadcast flow exceeds the value set by the user, broadcast packets are discarded. In this way, the share of broadcast flow is kept within a reasonable range and broadcast storms are effectively suppressed.
EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Interface Management > Ethernet Interface from the
navigation tree.
2. Click the External Port on the right interface.
3. Click the Advanced Attributes tab, select the port to be modified, and set the Broadcast
Packet Suppression or Broadcast Packet Suppression Threshold attribute.
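To make the threshold semantics concrete, the following Python is an added example, not code from the manual or the board firmware: it models a per-port, per-interval byte budget equal to the threshold percentage of the port bandwidth, drops broadcast frames once that budget is spent, and leaves unicast frames untouched. The 100 Mbit/s port rate, the one-second measurement interval and the frame trace are constructed; a real board measures in hardware and the exact interval is not stated in the manual.

```python
"""Port-based broadcast storm suppression as a percentage threshold.

Added example, not from the OptiX OSN 1800 manual. Port rate, interval and the
frame trace are constructed.
"""
from collections import Counter
from typing import Iterable, List, Tuple

Frame = Tuple[float, str, int]   # (arrival time in s, "broadcast" or "unicast", length in bytes)


class BroadcastSuppressor:
    """Per-interval byte budget for broadcast frames on one port."""

    def __init__(self, port_mbps: int, threshold_pct: int = 30, interval_s: float = 1.0) -> None:
        if not 0 <= threshold_pct <= 100:
            raise ValueError("threshold is a percentage of port bandwidth")
        bytes_per_interval = port_mbps * 1_000_000 * interval_s / 8
        self.budget = int(bytes_per_interval * threshold_pct / 100)   # broadcast bytes allowed per interval
        self.interval_s = interval_s

    def run(self, frames: Iterable[Frame]) -> Counter:
        """Forward or drop each frame; returns counts by outcome."""
        stats: Counter = Counter()
        current_window, used = None, 0
        for t, kind, size in sorted(frames):
            window = int(t // self.interval_s)
            if window != current_window:                 # new measurement interval: budget resets
                current_window, used = window, 0
            if kind != "broadcast":
                stats["unicast_forwarded"] += 1           # suppression never touches unicast
            elif used + size > self.budget:
                stats["broadcast_dropped"] += 1           # over the threshold: discarded
            else:
                used += size
                stats["broadcast_forwarded"] += 1
        return stats


def storm_trace() -> List[Frame]:
    """Constructed trace: a 5 MB broadcast burst in second 0, then a quiet second."""
    frames: List[Frame] = [(i / 5000, "broadcast", 1000) for i in range(5000)]
    frames += [(0.5 + j * 1e-6, "unicast", 1500) for j in range(100)]      # unicast during the storm
    frames += [(1.0 + i / 1000, "broadcast", 1000) for i in range(1000)]   # 1 MB in second 1
    return frames


def demo() -> Counter:
    """100 Mbit/s port, default 30 % threshold: 3.75 MB of broadcast per second is allowed."""
    return BroadcastSuppressor(port_mbps=100).run(storm_trace())
```

With the default 30 % threshold the burst in the first second is cut to 3,750 frames and the remaining 1,250 are dropped, the unicast traffic passes, and the lighter broadcast load in the next second is forwarded in full. Lowering the threshold tightens the first number without affecting unicast.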
Figure 3-20 QoS networking model when the OptiX OSN 1800 is used as a TDM device
The QoS scheme of the TDM device uses the DiffServ model. Specifically, functions
such as CAR and traffic shaping are configured at the ingress or egress of the SDH
network, to limit the service flow, prevent burst traffic or heavy traffic attack, and protect
important services against network congestion.
Loop avoidance
If a loop exists in a Layer 2 switch network, packets will be continuously duplicated and
circled in the loop, causing a broadcast storm. In this case, all valid bandwidth will be
occupied, and the network will become unavailable.
EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Interface Management > Ethernet Interface from the
navigation tree.
2. Click the External Port on the right interface.
3. Click the Advanced Attributes tab, select the port to be modified, and set the Loop
Detection or Loop Port Shutdown attribute.
NOTE
If the IVL learning mode is selected for private Ethernet network services, the VLAN filtering
table must be created.
3. Click New. The dialog box for creating a VLAN unicast entry is displayed. Then set the static MAC address parameters.
NOTE
If the SVL learning mode is selected for private Ethernet network services, VLAN ID cannot be
specified.
4. Click OK to save the configuration.
MAC address blacklist
In private network L2VPN services, MAC addresses can be added to, deleted from, or queried on the blacklist. Frames from unauthorized sources can be dropped by adding their MAC addresses to the blacklist.
EOT boards
1. In the NE Explorer, click the NE, select the board to be configured, and choose
Configuration > Ethernet Service > Ethernet LAN Service from the navigation tree.
2. Select the private Ethernet network services to be configured, and click the Disable
MAC Address tab.
3. Click New. The dialog box for disabling MAC addresses is displayed. Then set the MAC address blacklist parameters.
NOTE
If the SVL learning mode is selected for private Ethernet network services, VLAN ID cannot be
specified.
4. Click OK to save the configuration.
Service isolation
The following provides logical and physical isolation measures, which are used to prevent
malicious users from intercepting data and to reduce the impact of broadcast flow.
l Layer 2 logical isolation
VLAN is a basic function of network data devices. One VLAN forms a logical subnet (a logical broadcast domain), and different VLANs are assigned to different users, so Layer 2 user services in different VLANs cannot communicate with each other. In this way, logical isolation is achieved for Layer 2 services. VLAN division also confines broadcast flow to individual broadcast domains and narrows the broadcast range.
The OptiX OSN 1800 supports private Ethernet line services. VLAN tags can be identified, forwarded, and changed.
4 Security Maintenance
Security maintenance is a means to audit the device in terms of security, discover security risks in time, and effectively implement security hardening, aiming to ensure that the device works properly and securely.
4.1 Suggestions on Port Maintenance
4.2 NE Account Maintenance
4.3 Log Audit
4.4 Weak Password Policy Detection
4.5 Security Patch Upgrade
Security vulnerabilities in equipment can be fixed online using hot patches.
4.6 Software Package Integrity Verification
It is recommended that unused ports be disabled during routine O&M to avoid unauthorized access traffic. The following TCP/UDP ports should be closed when not in use:
The NMS access port number is TCP 1400. The NMS connects to this port to manage the NE; traffic on it is not encrypted. This port is enabled by default.
To enable the NMS access port, set Connection Mode to Common or Secure SSL+Common and then click Apply. To disable the NMS access port, set Connection Mode to Secure SSL and click Apply.
The NMS secure access port number is TCP 5432. The NMS connects to this port over SSL/TLS to manage the NE. This port is enabled by default.
To enable the NMS secure access port, set Connection Mode to Secure SSL and then click Apply. To disable the NMS secure access port, set Connection Mode to Common and click Apply.
Automatically extended ECC supports TCP-AO (the TCP Authentication Option). After you set an authentication key on an NE, its existing extended ECC connections are disconnected and new ECC connections are established only between NEs that share the same key.
Take either of the following strategies to avoid an NE becoming unreachable to the NMS when its existing extended ECC connections are disconnected:
l Query the routes of each NE and calculate its distance from its gateway NE (GNE). Set the key on the NE farthest from the GNE first, and work inward toward the GNE.
l Delay validation of the key so that the keys take effect only after they have been set on all NEs. Then query whether the keys have taken effect.
For a network where authentication is configured, ensure that keys are configured on new devices before the new devices are enabled on the network; otherwise, they cannot use extended ECC for network access.
The automatically extended ECC port number is TCP 1600. It is the default communication port when the HWECC protocol runs between NEs and HWECC channels are set up over Ethernet. This port is enabled by default.
Set Extended ECC Mode to Auto mode. To enable the automatically extended ECC port, click Apply; to disable it, click Stop.
STelnet Port
Security suggestion: STelnet access is a secure access mode. If you do not need to use STelnet
access, it is advisable to disable the STelnet port.
The STelnet port number is 22. This port is used for setting up the STelnet channel and is
disabled by default.
On the Communication Service Management tab page, to enable the STelnet port, set
Control Switch to Enabled for the Service Type STelnet; to disable the STelnet port, set
Control Switch to Disabled for the Service Type STelnet.
Figure 4-7 Port for Communicating with the RADIUS Client/Proxy Authentication
Server
Figure 4-8 Port for Communicating with the RADIUS Proxy Accounting Server
4. SNMP Port
The SNMP port number is 161. This port is an SNMP protocol communication port,
allowing the SNMP NMS to access the NE by the SNMP protocol. This port is disabled
by default. To enable the SNMP port, set related SNMP communication parameters.
If the NE has no SNMP communication parameter settings, the SNMP port is disabled.
To disable the SNMP port, select the SNMP parameter setting and click Delete.
6. Management-Plane NE Search
Port 1500 is used to search for NE IP addresses in broadcast and unicast manner when
management-plane NE search is enabled. It is recommended that you disable this
function.
Set NE search within a network segment on management plane to Disable.
7. Multicast NE Search
Port 8002 is used to search for NE IP addresses in multicast manner when multicast NE
search is enabled. It is recommended that you disable this function.
Set NE search across network segments on management plane to Disable.
8. IP GNE
Port 1400 is used to forward inter-NE management packets when IP networking is used.
Disable the UDP 1400 port if all-HWECC or all-OSI networking is adopted.
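The port list above is the check an operator repeats after every network change. The following Python is an added example, not code from the manual or the NMS: it holds the expected state of each port for an all-GNE, TLS-only management network (the posture the hardening notes recommend), probes the TCP ports with a plain connect, and reports deviations. The NE address and the observed results in demo() are constructed. Two assumptions: ports 1500 and 8002 are listed as UDP because they carry broadcast and multicast NE search, which the manual does not state explicitly, and UDP state is not probed because an unanswered UDP packet proves nothing; read it from NE Communication Services Management instead. Run probe_tcp() only against equipment you are authorised to test.

```python
"""Audit NE management ports against the list in Suggestions on Port Maintenance.

Added example, not from the OptiX OSN 1800 manual. Observed results are constructed.
"""
import socket
from typing import Dict, Tuple

PortKey = Tuple[str, int]   # (protocol, port)

# Expected state for an all-GNE, TLS-only management network.
# Assumption: 1500 and 8002 are UDP (broadcast/multicast NE search); the manual gives no protocol.
HARDENED_POLICY: Dict[PortKey, Tuple[str, str]] = {
    ("tcp", 1400): ("NMS common access", "closed"),           # open by default; Secure SSL mode closes it
    ("tcp", 5432): ("NMS secure access, SSL/TLS", "open"),
    ("tcp", 1600): ("automatically extended ECC", "closed"),  # not needed on an all-GNE IP network
    ("tcp", 22):   ("STelnet", "closed"),                     # enable only while it is being used
    ("udp", 161):  ("SNMP", "closed"),
    ("udp", 1500): ("management-plane NE search", "closed"),
    ("udp", 8002): ("multicast NE search", "closed"),
    ("udp", 1400): ("IP GNE packet forwarding", "closed"),
}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Plain TCP connect: 'open', 'closed' (RST) or 'filtered' (no answer / unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def observe(host: str, policy: Dict[PortKey, Tuple[str, str]] = HARDENED_POLICY,
            timeout: float = 2.0) -> Dict[PortKey, str]:
    """Probe the TCP ports in the policy; UDP ports stay 'unknown' and must be read from the NE."""
    return {key: (probe_tcp(host, key[1], timeout) if key[0] == "tcp" else "unknown")
            for key in policy}


def audit(observed: Dict[PortKey, str],
          policy: Dict[PortKey, Tuple[str, str]] = HARDENED_POLICY) -> Dict[str, str]:
    """Return {port description: finding} for every port that deviates from the policy."""
    findings = {}
    for key, (name, wanted) in policy.items():
        state = observed.get(key, "unknown")
        label = f"{key[0]}/{key[1]} {name}"
        if state == "unknown":
            findings[label] = "not assessed; check NE Communication Services Management"
        elif wanted == "open" and state != "open":
            findings[label] = f"expected open, found {state}"
        elif wanted == "closed" and state == "open":
            findings[label] = "expected closed, found open"
    return findings


def demo() -> Dict[str, str]:
    """Constructed observation of a lab NE that still has common mode and NE search enabled."""
    observed = {
        ("tcp", 1400): "open", ("tcp", 5432): "open", ("tcp", 1600): "closed",
        ("tcp", 22): "closed", ("udp", 161): "closed", ("udp", 1500): "open",
        ("udp", 8002): "closed", ("udp", 1400): "closed",
    }
    return audit(observed)
```

On a live NE, replace the constructed dictionary with observe("10.0.0.5") and fill in the UDP entries from the NE's service settings before calling audit(); a "filtered" result for TCP 5432 usually means an ACL or firewall in the path rather than a closed port, so treat it as a finding to explain, not to ignore.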
Security logs must be audited periodically to strengthen protection against unauthorized account access or login attempts. You can add an access control list (ACL) or deploy a firewall to block unauthorized login attempts, and remove abandoned or unused accounts to prevent unauthorized account access.
5 Security Hardening
A RADIUS server can be deployed on the live network so that all devices on the network authenticate against the same set of accounts and passwords, which are configured on the RADIUS server only. This lowers the maintenance workload, because during O&M you need only periodically examine the accounts and passwords on the RADIUS server.
You can set the syslog server on NE1 to the NE ID (0x00092012) of the GNE, and then configure the IP address (128.100.1.1) of the syslog server on the gateway NE (GNE). Here, a forwarding server must be configured, because the Huawei proprietary embedded control channel (ECC) protocol, not IP, is used on the management plane of the network where NE1 is located.
If IP is used on the network, the IP address of the syslog server can be configured directly on each NE and the forwarding server is not necessary.
If the connection to the syslog server is not set up in TLS mode, log packets are transmitted in plaintext; they can be captured on the network and the equipment can be profiled from the logs. It is recommended that syslog be transmitted over a TLS connection.
compared for consistency, ensuring the file integrity. The file digest information is appended to the end of the list file dbf.pkg for transmission. For compatibility with earlier versions, this function is disabled by default before delivery.
NOTE
1. To ensure version compatibility, a command for enabling/disabling this function is provided. The function is disabled by default.
2. This function can be enabled only by using commands.
3. For the OptiX OSN 1800 I/II Compact, only the F1SCC supports this function.
:pe-set-secprotect:enable
:pe-backup-data:11,db
After the commands are run, the protection information of the database file is generated
in the key file. If the protection information is not generated and the function is enabled,
running the pe backup commands will fail because of a file verification failure.
NOTE
Only the F3SCC02 1800I/II equipment supports this function.
Function structure
OptiX OSN 1800 equipment provides the USB hardening function, which encrypts the data copied to the USB flash drive and protects its integrity, as the following figure shows.
Function description
OptiX OSN 1800 equipment with the encryption function provides encryption and integrity protection for the registered encrypted file set on the USB flash drive and for the process of reading application-layer data (including the database and software package) from the USB flash drive.
1. Encryption: The data copied to the USB flash drive is encrypted with AES-256, so that the data is stored on the USB flash drive as ciphertext and cannot be read or viewed directly.
2. Integrity protection: The USB disk tool of the NMS provides an authentication certificate and the data encryption function, and also provides modes such as SHA256, PBKDF2, and ALL to generate authentication files. A checksum generated with SHA-256 is saved for the data on the USB flash drive. When OptiX OSN 1800 equipment reads data from the USB flash drive, the checksum is verified. Data that fails the check cannot be restored to the NE. In this way, the data on the USB flash drive is effectively protected against tampering, corruption, and replacement by unknown data, ensuring data reliability and equipment security.
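The integrity measure above names SHA-256 and PBKDF2 but not how they fit together. The following Python is an added example, not the NE's or the USB disk tool's code: it writes a manifest of SHA-256 checksums alongside the exported files and authenticates the manifest with an HMAC under a PBKDF2-derived key, so that a replaced file, a rewritten checksum, or a wrong passphrase is detected before anything is restored. The same verify-before-restore logic is what the digest appended to dbf.pkg provides for the database backup. AES-256 encryption of the payload (measure 1) is not shown because it needs a library outside the standard library. The files, passphrase and salt are constructed in memory.

```python
"""Integrity check for data exported to a removable drive (SHA-256 manifest, PBKDF2-keyed HMAC).

Added example, not from the OptiX OSN 1800 manual. Files, passphrase and salt are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict

PBKDF2_ROUNDS = 100_000


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 turns the operator's passphrase into a 256-bit MAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)


def build_manifest(files: Dict[str, bytes], passphrase: str, salt: bytes) -> bytes:
    """Manifest = JSON body (salt + per-file SHA-256) plus an HMAC over that body."""
    body = json.dumps({"salt": salt.hex(),
                       "sha256": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}},
                      sort_keys=True)
    tag = hmac.new(derive_key(passphrase, salt), body.encode("utf-8"), "sha256").hexdigest()
    return json.dumps({"body": body, "mac": tag}).encode("utf-8")


def check_before_restore(manifest: bytes, files: Dict[str, bytes], passphrase: str) -> Dict[str, str]:
    """Authenticate the manifest first, then verify each file; raises if the manifest is not trusted."""
    outer = json.loads(manifest)
    body = outer["body"]
    inner = json.loads(body)
    salt = bytes.fromhex(inner["salt"])
    expected = hmac.new(derive_key(passphrase, salt), body.encode("utf-8"), "sha256").hexdigest()
    if not hmac.compare_digest(expected, outer["mac"]):
        raise ValueError("manifest rejected: wrong passphrase or manifest tampered")
    verdict = {}
    for name, digest in inner["sha256"].items():
        data = files.get(name)
        if data is None:
            verdict[name] = "missing"
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            verdict[name] = "ok"
        else:
            verdict[name] = "checksum mismatch, not restored"
    return verdict


def demo() -> Dict[str, object]:
    """Constructed export: intact, file replaced, manifest rewritten, wrong passphrase."""
    files = {"ne.db": b"database export (constructed)", "pkg.bin": b"software package (constructed)"}
    salt = bytes(range(16))                   # fixed only so the demo is reproducible
    passphrase = "Usb-Export!2016"
    manifest = build_manifest(files, passphrase, salt)
    replaced = dict(files, **{"pkg.bin": b"software package (replaced)"})
    results: Dict[str, object] = {
        "intact": check_before_restore(manifest, files, passphrase),
        "file_replaced": check_before_restore(manifest, replaced, passphrase),
    }
    # Attacker also rewrites the stored checksum, but cannot recompute the HMAC without the passphrase.
    outer = json.loads(manifest)
    inner = json.loads(outer["body"])
    inner["sha256"]["pkg.bin"] = hashlib.sha256(replaced["pkg.bin"]).hexdigest()
    forged = json.dumps({"body": json.dumps(inner, sort_keys=True), "mac": outer["mac"]}).encode("utf-8")
    for label, mani, data, pw in (("manifest_rewritten", forged, replaced, passphrase),
                                  ("wrong_passphrase", manifest, files, "not the passphrase")):
        try:
            check_before_restore(mani, data, pw)
            results[label] = "accepted (bug)"
        except ValueError:
            results[label] = "rejected"
    return results
```

Order matters in check_before_restore(): the manifest is authenticated before any per-file checksum is consulted, because an unauthenticated manifest is just another file the attacker controls. A plain SHA-256 list with no key would catch accidental corruption but not deliberate replacement.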
Prerequisites
You are an NMS user with the Administrators permission or higher.
1. In the NE Database Security Management area at the lower part, click the Decoupled
Board Security Management tab.
2. Click Query to query Decoupled Board Security information of the NE.
3. Perform operations using either of the following board decoupling security modes.
Common Mode
The startup process in this mode is the same as that in earlier versions. If a board is not authorized, a security log is recorded.
1. In the Security Mode column, select Common.
2. Click Apply, and then click Close when the message Operation Succeeded is displayed.
3. Click Query. The list of unauthorized board software is displayed. Select the boards to be authorized and click Authorize.
DCN networks should be trusted: they must be physical networks or logically independent networks (VPNs) that are built by the customer or leased from a reliable vendor. The customer should take measures, for example deploying firewalls, to ensure DCN network security.
The equipment also provides networking mechanisms and hardening measures that improve DCN network security. The customer can select measures based on the DCN network's security and trust level.
01 Use TLS to connect the NMS and managed equipment: The NMS connects to NEs in SSL/TLS mode. The common connection mode should be disabled. You are advised to use TLS1.2 and disable SSL2.0/3.0 and TLS1.0.
03 Use SFTP for software loading and file transfer: SFTP must be used for software loading and file transfer, and FTP must be disabled.
04 Use SSH rather than Telnet: Connect to the managed NEs using SSH, and disable Telnet. If SSH is used, key authentication is recommended.
06 Deploy a Syslog server: You are advised to use a Syslog server to back up logs, and to use SSL authentication when deploying the Syslog server.
12 Use extended ECC authentication: If the extended ECC function is used, extended ECC authentication must be enabled.
13 Disable DCN ports that are not used: DCN ports and management network ports on the equipment must be disabled if they are not used.
14 Disable services and protocols that are not used: To prevent the equipment from being attacked, service ports and protocols that are not used on the equipment must be disabled. After service rectification and network adjustment, service ports and protocols that are no longer required must also be disabled. For details about the service ports and protocols, see the port matrix.
NOTE
l For DCN networks, the all-GNE networking mode is recommended if possible, and the following security
hardening measures should be taken:
1. Disable the UDP1400 service port. (For details, see Suggestions on Port Maintenance).
2. Disable the extended ECC service. (For details, see Suggestions on Port Maintenance).
l If a GNE is used to manage non-GNEs, take the following security hardening measure:
Configure an encryption channel between the GNE and non-GNEs. (For details, see Using Encrypted
Channels to Prevent Sensitive Data from Theft).
The following figure shows an example of how to prohibit Telnet access to the device.
Trusted transmission channels such as SSL, SFTP, or SSH are recommended when traffic between the NMS or other management terminals and the equipment must traverse an untrusted network (for example, a third-party leased network).
Select the secure SSL connection mode when creating gateway NEs on the NMS, as described in section 3.2.1. If you log in to a device from the NMS in common mode or in common and security mode, the login takes place in common mode and the traffic between the NMS and the device is transmitted in plaintext, which is risky. In this scenario, select the secure SSL connection mode. In this mode, an encrypted channel is established between the NMS and the gateway NE using SSL3.0/TLS1.0/TLS1.1/TLS1.2; TLS1.2 is recommended and the older versions should be disabled, as stated in the hardening measures above.
When you use the NMS to manage non-GNEs, encrypted data transmission between the GNE and non-GNEs is not enabled by default. If a trusted channel links the GNE with the non-GNEs, you can manage the non-GNEs through the GNE. If the channel is not trusted, use the secure SSL connection mode or encrypted channels to manage NEs in an all-GNE manner.
Default SSL certificates are shipped with Huawei equipment. Only private keys in PKCS#1
format are supported. You can replace a default SSL certificate with your own one. You can
delete your own SSL certificate from a device. If you load and activate your own SSL
certificate on a device, the default SSL certificate is deactivated. You can activate and use it
again if you delete all your own SSL certificates from the device.
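The hardening measure "Use TLS" and the certificate paragraphs above describe a policy rather than a configuration: TLS1.2 minimum, the older versions refused, and certificates on both sides (CA.CRT for the trust anchor, CERTNE.CRT and CERTNE.KEY for the NE's own identity). The following Python is an added example, not code from the manual, the NMS or the NE; it expresses that policy with the standard ssl module so it can be checked or reused from a management script. The file names are the manual's, but their contents are assumed, so they are loaded only when paths are supplied.

```python
"""TLS policy behind the "Secure SSL" connection mode, expressed with Python's ssl module.

Added example; not code from the OptiX OSN 1800 manual, the NMS or the NE.
Certificate file contents are assumed, so files are loaded only when named.
"""
import ssl
from typing import Dict, Optional


def hardened_context(server_side: bool, cafile: Optional[str] = None,
                     certfile: Optional[str] = None, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """server_side=True models the NE listening on TCP 5432; False models the NMS client."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1 outright
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression (CRIME)
    if server_side:
        ctx.check_hostname = False                  # clients are identified by certificate, not by name
    ctx.verify_mode = ssl.CERT_REQUIRED             # bidirectional: the peer must present a trusted certificate
    if cafile:
        ctx.load_verify_locations(cafile=cafile)    # e.g. CA.CRT
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)   # e.g. CERTNE.CRT and CERTNE.KEY
    return ctx


def policy_report(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Checks to run against any context before it is wrapped around a socket."""
    return {
        "legacy_versions_refused": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "peer_certificate_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }
```

On the NE side this corresponds to hardened_context(True, "CA.CRT", "CERTNE.CRT", "CERTNE.KEY"); the NMS side uses server_side=False with its own certificate and the same CA file. Note that the Secure SSL+Common connection mode leaves TCP 1400 open beside this listener, so a client that falls back to plaintext is still accepted there; only the Secure SSL mode closes that path.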
When you manage non-GNEs on the NMS, data transmitted between a GNE and non-GNEs is not encrypted by default. You can configure an encrypted channel between a GNE and non-GNEs that communicate over an untrusted channel by performing the following steps:
Intermediate NEs, links, and third-party equipment only transparently transmit the data and cannot decrypt it, so the data cannot be stolen.
Encrypted channels consume considerable CPU resources on a GNE, so the number of encrypted channels must be limited, or reduced to zero, when CPU resources on the GNE are insufficient. Configure a proper number of encrypted channels, 200 at most.
Pay attention to the following risks after you configure encrypted channels and the NE enters the encrypted communication state:
1. If necessary, change the authentication keys of an encrypted channel at both ends to the same value on the NMS. Otherwise, when one NE is reset, the communication keys fail to be negotiated: that NE cannot enter the encrypted communication state while the other NE stays in it, and the NEs become unreachable to the NMS.
2. When the encrypted channel at one end is deleted, the NEs become unreachable to the NMS. If necessary, delete the encrypted channels on the non-GNEs first and then delete the corresponding encrypted channels on the GNE.
3. If an NE is downgraded to a version that does not support encrypted channels, delete the encrypted channel configurations first, as described in point 2.
The device supports two modes to download software packages on an all-IP network. One is
to use the File Transfer Protocol (FTP) client, and the other is to use the SFTP client. The
device serves as the client, and the NMS serves as the server. To guarantee security during
software package download, you can selectively disable the FTP client service and use only
the SFTP client to download software packages.
The following figure shows how to enable or disable the FTP/SFTP client.
SNMPv3 users are managed according to RFC 3414. To improve management security, the equipment provides an MML interface to manage SNMPv3 users. For details, see the relevant user guide.
On EOT boards, configure the Hub/Spoke attribute of VB ports to prevent service communication between Spoke ports.
6 Appendixes
6.1 References
1. OptiX OSN 1800 I/II Compact V100R006C20 Security White Paper
2. OptiX OSN 1800 I/II Compact V100R006C20 Communication Matrix