
NetNumen™ U31 R10

Unified Element Management System


Security Management

Version: V12.17.30

ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://support.zte.com.cn
E-mail: 800@zte.com.cn
LEGAL INFORMATION
Copyright © 2017 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Revision No. | Revision Date | Revision Reason
R1.0 | 2017-09-30 | First edition

Serial Number: SJ-20170919162559-009

Publishing Date: 2017-09-30 (R1.0)

SJ-20170919162559-009|2017-09-30 (R1.0) ZTE Proprietary and Confidential


Contents
Chapter 1 Operating System Security Management
1.1 Setting User Authentication
1.2 Querying System Logs
1.3 Setting the Security Audit Function
1.4 Setting the Forcible Access Control Function
1.5 Customizing System Services
1.6 Setting System Security Hardening

Chapter 2 Database Security Management
2.1 Setting the Database Log Recording Function
2.2 Forbidding Users From Logging In to the Database Remotely
2.3 Setting Password Strength
2.4 Modifying a Weak Password

Chapter 3 Network and Application Security Management
3.1 Customizing Firewall Filtering Rules
3.2 Setting File Transfer Channel Security

Chapter 4 Operation and Maintenance Security Management
4.1 Security Management
4.1.1 Creating a Department
4.1.2 Creating an Operation Set
4.1.3 Creating a Role
4.1.4 Creating a Role Set
4.1.5 Creating a User
4.1.6 Customizing the User Account Rule
4.1.7 Viewing Locked Users
4.1.8 Setting Logout Idle Time
4.1.9 Modifying the Password of a Database Account
4.1.10 Modifying the Password of an FTP Account
4.1.11 Locking a Client Session
4.1.12 Restricting Concurrent Sessions
4.1.13 Setting the User Login Mode
4.1.14 Querying Login Users
4.1.15 Logging Out a User
4.1.16 Modifying Common User Passwords in Batches
4.1.17 Adding a User to the Blacklist
4.1.18 Clearing Invalid Accounts
4.2 Data Transfer Channel Management
4.2.1 Setting Logical SSH Channels

Figures
Tables
Glossary


Chapter 1 Operating System Security Management
For a description of Operating System (OS) security measures, refer to Table 1-1.

Table 1-1 OS Security Measure Descriptions

Measure | Policy | Instruction
User authentication | System administrators customize their own security authentication policy settings based on their requirements. The configuration files include /etc/pam.conf and the files in /etc/pam.d/. By default, the Pluggable Authentication Module (PAM) function is enabled on the system. | For details, refer to 1.1 Setting User Authentication.
System logs | Users check log records in /var/log/. By default, the system provides a sophisticated log function. | For details, refer to 1.2 Querying System Logs.
Security audit | Users can set the daemon process, add audit rules, and start the daemon process to use the security audit function. By default, this function is enabled on the system. | For details, refer to 1.3 Setting the Security Audit Function.
Forcible access control | The system provides the access control function by reading policy rules and security context. By default, the forcible access control function is enabled on the system. | For details, refer to 1.4 Setting the Forcible Access Control Function.
System customization | Highly-customized system functions and services can be provided based on product requirements. By default, the system provides minimized services. | For details, refer to 1.5 Customizing System Services.
System security patches | Security policies can be started by running specified security hardening scripts or commands on the system after the system is installed. By default, the system provides the OS security hardening function. | For details, refer to 1.6 Setting System Security Hardening.

Table of Contents
Setting User Authentication
Querying System Logs
Setting the Security Audit Function
Setting the Forcible Access Control Function
Customizing System Services
Setting System Security Hardening

1.1 Setting User Authentication


The NetNumen U31 provides a system administrator with maximum flexibility, and provides
multiple applications with secure and reliable authentication services.
Users can legally use relevant system resources and network services only after passing
security authentication.

Prerequisite
The PAM installation package is available.

Context
PAM is a sub-system of a Linux system. PAM is used to provide user authentication and
authorization.

Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep pam
3. If not, run the command to install the package.
# rpm -ivh "PAM software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "PAM software package"
5. Check the PAM security module types in /lib64/security/. The corresponding
configuration file is located in /etc/security/.
# ls /lib64/security/
pam_access.so
pam_ftp.so pam_mkhomedir.so pam_securetty.so pam_unix_acct.so
……
6. In the files under /etc/pam.d/ or in the /etc/pam.conf file, view or add security
authentication rules.
7. In the directories specified in the rules that you added in Step 6, define the
configuration files based on your security needs.
– End of Steps –


Example
The following example shows how the PAM controls user login security. The system
security requirements are as follows:
Users logging in to the system need to be controlled. Only the root user can log in to the
Linux system locally. Only the liyang user can remotely log in to the Linux system from
192.168.13.*. Other users are forbidden to log in to the Linux system.
Modify /etc/pam.d/login to add a new security authentication rule. Perform the
following steps:
[root@root pam.d/]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required /lib/security/pam_access.so accessfile=/etc/login.conf
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
[root@root pam.d]#

The auth required /lib/security/pam_access.so accessfile=/etc/login.conf rule
defines that the system uses the pam_access module to control user access through
the /etc/login.conf configuration file. The accessfile parameter indicates the full
path of the configuration file.
Based on the needs, modify the contents of /etc/login.conf as follows
(permission:users:origins):
# vi /etc/login.conf

+ : root : LOCAL
+ : liyang : 192.168.13.

- : ALL : ALL

+ : root : LOCAL: indicates that the root user can log in to the system locally.
+ : liyang : 192.168.13.: indicates that the liyang user can log in to the Linux system
remotely from the 192.168.13.0/24 subnet (in this file, the trailing dot makes
192.168.13. match every address that begins with that prefix).
- : ALL : ALL: indicates that all the other users are forbidden to log in to the system.
Rules are evaluated from top to bottom and the first matching rule applies, so the rule
that uses the ALL field must be placed at the end of the file.
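
The first-match behaviour behind the ordering requirement above, as an added example that is not part of the original manual: a simplified shell model of how pam_access walks the rules in /etc/login.conf. It assumes only the tokens used on this page (user names, ALL, LOCAL, and a network prefix ending in a dot) and treats an origin without a dot, such as the constructed tty1, as local; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: simplified first-match evaluation of pam_access rules.
# Only the tokens used on this page are modelled (assumption): user names
# or ALL, and the origins LOCAL, ALL, or a prefix ending in "." (192.168.13.).

# Constructed copy of the /etc/login.conf rules shown above.
RULES_GOOD='+ : root : LOCAL
+ : liyang : 192.168.13.
- : ALL : ALL'

# Same rules with the deny-all line moved to the top (misordered).
RULES_BAD='- : ALL : ALL
+ : root : LOCAL
+ : liyang : 192.168.13.'

# trim STRING: strip leading and trailing blanks.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# origin_matches PATTERN ORIGIN: exit status 0 when ORIGIN matches PATTERN.
origin_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;  # no dot = local
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # prefix match
        *)     [ "$1" = "$2" ] ;;
    esac
}

# access_decision USER ORIGIN RULES: prints "allow" or "deny".
# Runs in a subshell so its variables and "set -f" do not leak to the caller.
access_decision() (
    set -f                      # do not glob-expand rule tokens
    user=$1; origin=$2; decision=""
    while IFS=: read -r perm users origins; do
        perm=$(trim "$perm"); users=$(trim "$users"); origins=$(trim "$origins")
        case "$perm" in '+'|'-') ;; *) continue ;; esac  # skip blanks and comments
        user_ok=no
        for u in $users; do
            if [ "$u" = ALL ] || [ "$u" = "$user" ]; then user_ok=yes; fi
        done
        [ "$user_ok" = yes ] || continue
        for o in $origins; do
            if origin_matches "$o" "$origin"; then
                # The first rule that matches user and origin decides.
                [ "$perm" = '+' ] && decision=allow || decision=deny
                break 2
            fi
        done
    done <<EOF
$3
EOF
    # pam_access grants access when no rule matches at all.
    echo "${decision:-allow}"
)

echo "ordered:    root@tty1            -> $(access_decision root tty1 "$RULES_GOOD")"
echo "ordered:    liyang@192.168.13.7  -> $(access_decision liyang 192.168.13.7 "$RULES_GOOD")"
echo "ordered:    liyang@192.168.130.7 -> $(access_decision liyang 192.168.130.7 "$RULES_GOOD")"
echo "misordered: root@tty1            -> $(access_decision root tty1 "$RULES_BAD")"
```

With the deny-all rule first, even the local root login is refused, which is why that rule has to close the file.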

1.2 Querying System Logs


The log management function involves recording various events occurring in the system
to provide powerful support for analyzing and tracing system security events.

Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Based on system logs, use log query commands and tools to analyze logs.
Common commands include who, w, users, last, lastlog, and ac. Common tools include
dmesg, tail, more, and less.
– End of Steps –

Example
Run the dmesg command to query the logs generated when the system was last booted.
[root@root/]# dmesg
Linux version 2.6.18-164.el5 (root@localhost.localdomain) (gcc version 4.1.2 20080704
(Red Hat 4.1.2-46)) #1 SMP Fri Dec 3 09:02:01 CST 2010
BIOS-provided physical RAM map:
BIOS-e820: 0000000000010000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000007dda0000 (usable)
BIOS-e820: 000000007dda0000 - 000000007ddae000 (ACPI data)
BIOS-e820: 000000007ddae000 - 000000007ddf0000 (ACPI NVS)
BIOS-e820: 000000007ddf0000 - 0000000080000000 (reserved)
BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
BIOS-e820: 00000000fff00000 - 0000000100000000 (reserved)

Run the who /var/log/wtmp command to check the login records stored in /var/log/wtmp.
[root@root/]# who /var/log/wtmp
root :0 2014-07-11 15:03
root :0 2014-07-11 15:03
root pts/0 2014-07-11 15:04 (:0.0)
root :0 2014-07-11 15:46
root :0 2014-07-11 15:46
root pts/0 2014-07-11 15:46 (:0.0)
root :0 2014-07-15 14:43
root :0 2014-07-15 14:43


root pts/0 2014-07-15 14:44 (:0.0)


root :0 2014-07-18 10:35
root :0 2014-07-18 10:35
root pts/0 2014-07-18 10:35 (:0.0)

1.3 Setting the Security Audit Function


The security audit function is used to record system security information. The system can
immediately generate an audit record if a user violates a system security rule.

Prerequisite
The audit-related installation packages are available.

Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the audit-related software package is already
installed.
# rpm -qa|grep audit
3. If not, run the command to install the package.
# rpm -ivh "audit software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "audit software package"
5. Set the audit daemon process auditd.
6. Add audit rules and watches to collect required data.
7. Start the auditd process, which starts the audit system in the kernel and starts
recording logs.
8. The logs will be regularly searched and the corresponding audit reports will be
generated. Users can check the reports and analyze the data.
– End of Steps –

Example
The default configuration file for the auditd process is /etc/audit/auditd.conf.
Users can set the parameters in this file to customize audit logs generated.
An example of this file is as follows:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4


flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

Audit rule examples are as follows:


#Record all file opens from user 501
#Use with caution since this can quickly
#produce a large quantity of records
-a exit,always -S open -F uid=501 -F key=501open
#Record file permission changes
-a entry,always -S chmod
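
An added example (not from the original manual) of analysing the records that the 501open rule above produces: two shell functions that summarise raw SYSCALL records by UID, executable and result, and count denied opens. The sample records are constructed and abbreviated, and the function names are hypothetical; in practice the input would be the file named by log_file.

```shell
#!/bin/sh
# Added example: summarise RAW-format audit records tagged with a rule key.

# Constructed, abbreviated sample records (not real data). syscall=2 is
# open and syscall=90 is chmod on x86_64; exit=-13 is EACCES.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1405062180.101:310): arch=c000003e syscall=2 success=yes exit=3 pid=2155 auid=500 uid=501 comm="cat" exe="/bin/cat" key="501open"
type=SYSCALL msg=audit(1405062181.214:311): arch=c000003e syscall=2 success=no exit=-13 pid=2156 auid=500 uid=501 comm="cat" exe="/bin/cat" key="501open"
type=PATH msg=audit(1405062181.214:311): item=0 name="/etc/shadow" inode=1311 mode=0100000 ouid=0
type=SYSCALL msg=audit(1405062190.007:312): arch=c000003e syscall=2 success=no exit=-13 pid=2160 auid=500 uid=501 comm="less" exe="/usr/bin/less" key="501open"
type=SYSCALL msg=audit(1405062195.550:313): arch=c000003e syscall=90 success=yes exit=0 pid=2170 auid=501 uid=0 comm="chmod" exe="/bin/chmod" key=(null)
type=SYSCALL msg=audit(1405062199.120:314): arch=c000003e syscall=2 success=yes exit=3 pid=2171 auid=500 uid=501 comm="cat" exe="/bin/cat" key="501open"'

# awk helper shared by both functions: return the value of name=value in the
# current record. The match is anchored at the start of the token so that
# "uid" is not confused with "auid" or "ouid". Values containing spaces are
# not handled (simplification).
AUDIT_AWK_FIELD='function field(name,   i, v) {
    for (i = 1; i <= NF; i++)
        if (index($i, name "=") == 1) {
            v = substr($i, length(name) + 2)
            gsub(/"/, "", v)
            return v
        }
    return ""
}'

# audit_summary KEY: read raw records on stdin and print, for SYSCALL records
# tagged with KEY, one line per combination:
#   <count> uid=<uid> exe=<exe> success=<yes|no>
audit_summary() {
    awk -v want="$1" "$AUDIT_AWK_FIELD"'
        $1 == "type=SYSCALL" && field("key") == want {
            n[field("uid") " exe=" field("exe") " success=" field("success")]++
        }
        END { for (k in n) printf "%d uid=%s\n", n[k], k }
    ' | LC_ALL=C sort
}

# audit_denied_count KEY: number of failed system calls tagged with KEY.
audit_denied_count() {
    awk -v want="$1" "$AUDIT_AWK_FIELD"'
        $1 == "type=SYSCALL" && field("key") == want && field("success") == "no" { c++ }
        END { print c + 0 }
    '
}

printf '%s\n' "$AUDIT_SAMPLE" | audit_summary 501open
echo "denied opens: $(printf '%s\n' "$AUDIT_SAMPLE" | audit_denied_count 501open)"
```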

1.4 Setting the Forcible Access Control Function


The system provides the forcible (mandatory) access control function through SELinux,
which restricts access more tightly than the conventional UNIX permission control
function. It provides a flexible and configurable Mandatory Access Control (MAC) mechanism.

Based on the settings, access control can be implemented. For example, a process can
only access files required for the tasks of the process.

Prerequisite
The relevant SELinux installation package is available.


Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep selinux
3. If not, run the command to install the package.
# rpm -ivh "selinux software package"
4. Run the command to verify that the software package version is correct.
# rpm -qi "selinux software package"
5. Modify /etc/selinux/config to start or disable SELinux. Run the command to
restart the system.
# reboot
6. Run the SELinux-related commands to set access control.
– End of Steps –

Example
Start the SELinux service:
[root@root/]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Query the SELinux operation mode and context details:


[root@root/]# /usr/sbin/getenforce
Enforcing

[root@root/]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted


Restart the system as the root user:


[root@root/]# reboot

1.5 Customizing System Services


This procedure describes how to customize OS services based on product requirements
to avoid system security risks.

Prerequisite
You have logged in to the OS as the root user.

Steps
• Customize system services through the GUI.
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. On the OS desktop, select System > Administrator > Services. The Service
Configuration dialog box is displayed, see Figure 1-1.
This dialog box can also be displayed if you run the command in a terminal window
(XTerm or GNOME).
# system-config-services

Figure 1-1 Service Configuration Dialog Box

3. Enable the services that you want to start when the system is started.

You can also run the command in a terminal window.

# ntsysv
• Customize system services through commands.


1. Run the command to query the version of the current OS.


# cat /etc/klinux-release
2. Run the command to set whether a service is started automatically when the
system is started.
# chkconfig
To check whether each service is enabled when the system is started, run the
#chkconfig --list command.
To check whether a specified service is enabled when the system is started, run
the #chkconfig --list <service> command.

To enable, disable, or reset a service, run the #chkconfig [--level <levels>]
<service> <on|off|reset> command.
3. Run the command to start, stop, or restart a service.

# service
To start a service: run the #service <service> start command.
To stop a service: run the #service <service> stop command.
To restart a service: run the #service <service> restart command.
– End of Steps –

Example
This example describes how to run the command to enable and disable automatic startup of the sshd service.
# chkconfig
Run the following command to enable the sshd service when the system is started at
runlevel 3, 4, or 5:
#chkconfig --level 345 sshd on
Run the following command to disable the sshd service when the system is started:
#chkconfig sshd off
Run the following command to check the enablement status of the sshd service:

#chkconfig --list sshd


sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
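
To check a host against the "minimized services" default, the chkconfig --list output can be compared with an allowlist. The following is an added example, not part of the original manual: the sample output, the allowlist and the function name are constructed for illustration, and the xinetd section is parsed in the "name: on" form that chkconfig --list prints.

```shell
#!/bin/sh
# Added example: report services enabled at boot that are not on an allowlist.

# Constructed sample of "chkconfig --list" output (not taken from a real host).
CHKCONFIG_SAMPLE='auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:off 4:off 5:off 6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfs             0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd          0:off 1:off 2:off 3:on  4:off 5:on  6:off

xinetd based services:
        rsync:          off
        telnet:         on'

# unexpected_services ALLOWLIST RUNLEVELS
#   ALLOWLIST: space-separated service names that may be enabled
#   RUNLEVELS: runlevel digits to inspect, for example 35 or 2345
# Reads "chkconfig --list" output on stdin and prints, in input order, each
# service that is on in one of RUNLEVELS (or on under xinetd) and is not
# on the allowlist.
unexpected_services() {
    awk -v allow="$1" -v levels="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # SysV service line: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        NF == 8 && $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[2] == "on" && index(levels, kv[1]) && !($1 in ok)) {
                    print $1
                    next
                }
            }
        }
        # xinetd service line: "name: on" (no runlevels; xinetd starts it on demand)
        NF == 2 && $1 ~ /:$/ && $2 == "on" {
            name = substr($1, 1, length($1) - 1)
            if (!(name in ok)) print name
        }
    '
}

echo "Not on the allowlist but enabled at runlevel 3 or 5:"
printf '%s\n' "$CHKCONFIG_SAMPLE" | unexpected_services "auditd iptables sshd" 35
```

On a live system the function would be fed with `chkconfig --list | unexpected_services "..." 35`.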

1.6 Setting System Security Hardening


Based on different product security requirement scenarios, users can set different
security hardening patch policies to implement one-click installation of security hardening
packages.


Prerequisite
The security hardening installation package is available.

Steps
1. Run the cat /etc/klinux-release command to query the version of the current OS.
2. Run the rpm -ivh "rpm software package" command to install the one-click installation
package of the security hardening function corresponding to the current OS.
3. Run the security-enhance-xxx command to enable the security hardening function of
the server security policy.
4. Run the cat command to check the log records in /var/log/CGSL/system-enhance/.
– End of Steps –

Example
This example describes how to enable the security hardening function of a ZTE server
security policy.
1. Check the current OS version information.
[root@localhost ~]# cat /etc/klinux-release
CGSL V4.x version information is as follows:

TAG_CGS_MAIN_V4_03_20_P1
2. Install the one-click installation package of the security hardening function.
For CGSL V4.x, run the following command:

[root@localhost ~]# rpm -ivh cgsl-customize-1.0.9-el6.noarch.rpm


3. Enable the security hardening function.
[root@localhost ~]# security-enhance-ZTE
4. Check the log records of the security hardening function.

[root@localhost ~]# cat /var/log/CGSL/system-enhance/security-enhance-ZTE-result.log



Chapter 2 Database Security Management
For a description of database security measures, refer to Table 2-1.

Table 2-1 Database Security Measure Descriptions

Measure | Policy | Instruction
Security information recorded in database logs | Create Oracle login, logout, and login failure triggers to record relevant information. | For details, refer to 2.1 Setting the Database Log Recording Function.
Remote login restriction | Set remote login permissions of a database user with super administrator privileges. | For details, refer to 2.2 Forbidding Users From Logging In to the Database Remotely.
Password strength | Set database user password strength. | For details, refer to 2.3 Setting Password Strength.
Weak password modification | Change the passwords of default accounts of the database system to complicated ones. | For details, refer to 2.4 Modifying a Weak Password.

Table of Contents
Setting the Database Log Recording Function
Forbidding Users From Logging In to the Database Remotely
Setting Password Strength
Modifying a Weak Password

2.1 Setting the Database Log Recording Function


This procedure describes how to create Oracle login, logout, and login failure triggers, and
set the database log recording function.


This function helps record database login information including login accounts, login time,
logout time, and IP addresses that users use to remotely log in to the database.

Prerequisite
You have the database SYSDBA permission.

Steps
1. Log in to the database.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
2. Create the sys.LOGIN_LOG table, which is used to record database login information.
SQL>CREATE TABLE sys.LOGIN_LOG
(
AUDSID NUMBER,
SID NUMBER,
SERIAL# NUMBER,
LOGIN_TIME DATE,
LOGOUT_TIME DATE,
USERNAME VARCHAR2(30 BYTE),
MACHINE VARCHAR2(64 BYTE),
IP VARCHAR2(20 BYTE),
PROGRAM VARCHAR2(48 BYTE)
);

3. Create a login trigger.


SQL>CREATE OR REPLACE TRIGGER login_on_info
AFTER LOGON
ON DATABASE
BEGIN
INSERT INTO sys.login_log
SELECT audsid,
SID,
serial#,
SYSDATE,
NULL,
username,
machine,
SYS_CONTEXT ('USERENV', 'IP_ADDRESS'),
program
FROM v$session
WHERE SID IN (SELECT SID


FROM v$mystat
WHERE ROWNUM = 1)
AND audsid = SYS_CONTEXT ('USERENV', 'SESSIONID')
AND program NOT LIKE 'JDBC%'
AND username <> 'SYSMAN'
AND TYPE <> 'BACKGROUND';
EXCEPTION
WHEN OTHERS
THEN
NULL;
END;
/

4. Create a logout trigger. The slash (/) on the last line must be entered.
SQL>CREATE OR REPLACE TRIGGER login_off_info
BEFORE LOGOFF
ON DATABASE
BEGIN
UPDATE sys.login_log
SET LOGOUT_TIME = SYSDATE
WHERE audsid = USERENV ('SESSIONID')
AND SID = (SELECT SID
FROM v$session s
WHERE SID IN (SELECT SID
FROM v$mystat
WHERE ROWNUM = 1))
AND serial# = (SELECT serial#
FROM v$session s
WHERE SID IN (SELECT SID
FROM v$mystat
WHERE ROWNUM = 1));
EXCEPTION
WHEN OTHERS
THEN
NULL;
END;
/

– End of Steps –

Result
1. Use a database user to log in to the database. Query sys.login_log. The login
information should be recorded in the table.
Run the following SQL command to query the LOGIN_LOG table:


SQL>select * from sys.login_log;


2. Run the following SQL command. If 0 is not displayed in the command output, it
indicates that the database log recording function is set successfully.
SQL>select count(*) from dba_triggers t where
trim(t.triggering_event) = trim('LOGON');

2.2 Forbidding Users From Logging In to the Database Remotely
This procedure describes how to forbid users with the SYSDBA (super administrator of the
database) permission from logging in to the database remotely.

Prerequisite
You have the database SYSDBA permission.

Steps
1. Log in to the database.
#su - oracle

$sqlplus /nolog
SQL>conn / as sysdba
2. Run the following command to forbid the users from logging in to the database
remotely.
SQL>alter system set REMOTE_LOGIN_PASSWORDFILE=none
scope=spfile;

3. Restart the database so that the setting will take effect.


SQL>shutdown immediate
SQL>startup
– End of Steps –

Result
The following error occurs when a SYSDBA user tries to log in to the database remotely.

SQL>conn sys/sid@SID_IP as sysdba


Error:

ORA-01017: invalid username/password; logon denied


2.3 Setting Password Strength


This procedure describes how to set the Oracle database user password policy that only
allows strong passwords. In this case, users will fail to set weak passwords.

Note:
This operation is applicable only to the Oracle 10g version. It does not apply to the
Oracle 11g version.

Prerequisite
You have the Oracle database SYSDBA permission.

Steps
1. Modify the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql Oracle script.
Change the following contents:
-- Check for the minimum length of the password
IF length(password) < 8 THEN
raise_application_error(-20002, 'Password length less than 8');
END IF;
2. Modify the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql Oracle script.
Change the following contents:
ALTER PROFILE DEFAULT LIMIT
--PASSWORD_LIFE_TIME 60
--PASSWORD_GRACE_TIME 10
--PASSWORD_REUSE_TIME 1800
--PASSWORD_REUSE_MAX UNLIMITED
--FAILED_LOGIN_ATTEMPTS 3
--PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function;
3. Run the following SQL command to log in to the Oracle database and enable password
management.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba


SQL>@$ORACLE_HOME/rdbms/admin/utlpwdmg.sql;
SQL>exit
– End of Steps –

Result
1. Log in to the database as the SYSDBA user.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
2. Create a user named abc1 and set its password to abc1.
SQL>create user abc1 identified by abc1;
The command fails. The errors are as follows:
alter user abc1 identified by abc1
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20003: Password should contain at least one digit, one character and one
punctuation.

2.4 Modifying a Weak Password


This procedure describes how to modify the password of a default database account to a
complicated one to prevent attacks against password vulnerabilities.

Prerequisite
You have the database SYSDBA permission.

Steps
1. Log in to the database and query the default accounts in normal status. It is
unnecessary to modify the passwords of expired or locked accounts.
#su - oracle
$sqlplus /nolog
SQL>conn / as sysdba
SQL>select username from dba_users t where t.account_status =
'OPEN' and default_tablespace in('SYSTEM','SYSAUX','USERS');
2. Run the following command to modify the password of a user that you have queried:
SQL>ALTER USER username IDENTIFIED BY password;
For example, if you want to modify the password of the test account to Ems_1234, run
the following command:


SQL>ALTER USER test IDENTIFIED BY Ems_1234;


3. Use a Virtual Network Computing (VNC) client to remotely log in to the current host of
the NetNumen U31.
4. Enter the uif directory of the installation directory of the NetNumen U31 server.
Run the runPlugCenter.sh file to start the NetNumen U31 Unified Management
System-configuration center, see Figure 2-1.

Figure 2-1 Configuration Center

5. Modify the database password in Password.


6. Click Test Database Connection. After the test is passed, click Save.
7. Click Close.
– End of Steps –

Result
Use the new password to log in to the database:
#su - oracle

$sqlplus /nolog

SQL>conn username/New password


Connected in the command output indicates a successful login.



Chapter 3 Network and Application Security Management
For a description of the network and application security measures, refer to Table 3-1.

Table 3-1 Security Measures Descriptions for Networks and Applications

Measure | Policy | Instruction
Firewall | Users can specify filtering rules by using firewall-related commands. By default, the firewall function is enabled on the system. Users can determine the specified settings. | For details, refer to 3.1 Customizing Firewall Filtering Rules.
File transfer channel security | The system transfers files by means of SSH and SFTP, instead of conventional plain-text file transfer methods such as Telnet and FTP. By default, system services such as FTP, Telnet, and file sharing are disabled. | For details, refer to 3.2 Setting File Transfer Channel Security.

Table of Contents
Customizing Firewall Filtering Rules
Setting File Transfer Channel Security

3.1 Customizing Firewall Filtering Rules


This procedure describes how to customize firewall filtering rules to filter packets.

Prerequisite
The installation package of iptables (a user space tool) is available.

Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep iptables
3. If not, run the command to install the package.
# rpm -ivh "iptables software package"
4. Run the command to verify that the software package version is correct.

# rpm -qi "iptables software package"


5. Check the firewall status and rules, and enable or disable the firewall as required.
Run the following command to check the iptables status: #service iptables status
Run the following command to check the firewall rules: #iptables -L -n
Run the following command to check the firewall NAT rules: #iptables -t nat -L -n
Run the following command to disable the firewall function: #service iptables stop
Run the following command to enable the firewall function: #service iptables start
6. Run the command to set the packet filtering rule required by an actual scenario.
# iptables
The command syntax is as follows:
iptables [-t table] command [match] [target]
– End of Steps –

Example
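Run the following command to set the default policy of the INPUT chain to DROP.
This means that any packet that does not match any rule in the INPUT chain will be discarded.
# iptables -P INPUT DROP
Run the following commands to add rules that all TCP and UDP packets match. The -p option
accepts one protocol per rule, so TCP and UDP are added as separate rules. “! ICMP”
excludes ICMP, so all the other protocols (TCP and UDP in this example) match the rule.
These rules specify no target, so they only count the packets they match and the DROP
policy still decides what happens to those packets.
# iptables -A INPUT -p TCP
# iptables -A INPUT -p UDP
# iptables -A INPUT -p ! ICMP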
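
The default DROP policy from the example above, extended into a complete ruleset, as an added example that is not part of the original manual. It goes beyond the manual's single command: setting the policy to DROP before any accept rule exists cuts off the SSH or VNC session used to configure the host, so the script builds an iptables-restore file and loads it in one step. The management subnet 192.0.2.0/24 and the function names are assumptions; port 22 is the sshd port shown in section 3.2.

```shell
#!/bin/sh
# Added example (not from the manual): default-deny INPUT ruleset that is
# loaded in one step, so the DROP policy never applies without its accept rules.
# MGMT_NET is a placeholder documentation range and SSH_PORT 22 is the sshd
# port shown in section 3.2; both are assumptions to adapt.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Reject values that could smuggle extra options into a rule line.
valid_inputs() {
    case "$SSH_PORT" in ''|*[!0-9]*) return 1 ;; esac
    [ "$SSH_PORT" -ge 1 ] && [ "$SSH_PORT" -le 65535 ] || return 1
    case "$MGMT_NET" in ''|*[!0-9./]*) return 1 ;; esac
    return 0
}

# Print the ruleset in iptables-save format.
build_ruleset() {
    valid_inputs || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${MGMT_NET} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# Add one ACCEPT rule per client or NE port your deployment uses;
# those ports are not listed on this page.
COMMIT
EOF
}

# Read a ruleset on stdin; fail if INPUT defaults to DROP but the rules that
# keep a remote admin session alive are missing.
lockout_safe() {
    awk -v port="$SSH_PORT" '
        /^:INPUT DROP/                                { drop = 1 }
        /^-A INPUT / && /ESTABLISHED/ && /-j ACCEPT/    { est = 1 }
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ &&
            $0 ~ ("--dport " port "( |$)")            { ssh = 1 }
        END { exit (drop && !(est && ssh)) }
    '
}

# Validate, dry-run, then load the ruleset.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    if ! build_ruleset > "$tmp" || ! lockout_safe < "$tmp"; then
        echo "refusing to load ruleset: invalid input or lockout risk" >&2
        rm -f "$tmp"
        return 1
    fi
    # --test parses the file without committing; load only if it parses.
    iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# "apply" loads the rules (root required); any other call only prints them.
case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Run it without arguments to review the generated rules, then with apply from a console session so that a mistake in the management subnet does not end the session being used.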

3.2 Setting File Transfer Channel Security


This procedure describes how to ensure file security during transfer to enhance system
security.

Prerequisite
The transfer tool installation package related to the current OS version is available.

Steps
1. Run the command to query the version of the current OS.
# cat /etc/klinux-release
2. Run the command to query whether the related software package is already installed.
# rpm -qa|grep "tool name"
3. If not, run the command to install the package.

# rpm -ivh "rpm software package"

4. Run the command to verify that the software package version is correct.
# rpm -qi "rpm software package"
5. Test the secure file transfer tool.
– End of Steps –

Example
This example uses SSH to show how to use the secure file transfer channel.
[root@root /]# /etc/init.d/sshd restart
Stop sshd: [OK]
Start sshd: [OK]

[root@root /]# netstat -tlnp | grep ssh


tcp 0 0 :::22 :::* LISTEN 20634/sshd

[root@root /]# ssh 127.0.0.1


The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is e5:1e:d8:e6:24:32:48:82:74:c7:2a:c2:99:07:cc:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
root@127.0.0.1's password: enter a password
Last login: Thu Aug 14 17:45:55 2014 from 10.74.29.16

[root@root ~]# ssh root@127.0.0.1


root@127.0.0.1's password: enter a password
Last login: Thu Aug 14 18:24:47 2014 from root
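
A check of the Table 3-1 policy (SSH available, FTP and Telnet disabled) against netstat -tlnp output like that shown above, as an added example that is not part of the original manual. The netstat lines embedded in the script are constructed samples, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): check `netstat -tlnp` output against the
# policy in Table 3-1: sshd listening, FTP and Telnet not listening.
# Ports 21, 23 and 22 are the standard assignments; adjust if sshd was moved.

# Read netstat -tlnp output on stdin, print findings, return non-zero on a
# policy violation.
audit_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is the text after the last colon, which handles both
            # 0.0.0.0:21 and :::22 and avoids matching 21 inside 1521.
            n = split($4, part, ":")
            port = part[n]
            if (port == 21) { print "FAIL ftp listening on " $4 " (" $7 ")"; bad = 1 }
            if (port == 23) { print "FAIL telnet listening on " $4 " (" $7 ")"; bad = 1 }
            if (port == 22) ssh = 1
        }
        END {
            if (!ssh) { print "FAIL no sshd listener on port 22"; bad = 1 }
            if (!bad) print "OK ssh only, no plain-text transfer service"
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: a host that follows the policy.
sample_hardened() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State    PID/Program name
tcp        0      0 :::22           :::*             LISTEN   20634/sshd
tcp        0      0 127.0.0.1:1521  0.0.0.0:*        LISTEN   4012/tnslsnr
EOF
}

# Constructed sample: FTP and Telnet have been re-enabled.
sample_weak() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:21      0.0.0.0:*        LISTEN   3021/vsftpd
tcp        0      0 0.0.0.0:23      0.0.0.0:*        LISTEN   2990/xinetd
tcp        0      0 :::22           :::*             LISTEN   20634/sshd
EOF
}

# "live" audits this host (run as root so -p can name the programs);
# any other call demonstrates the check on the constructed weak sample.
if [ "${1:-}" = "live" ]; then
    netstat -tlnp | audit_listeners
else
    sample_weak | audit_listeners || true
fi
```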


Chapter 4 Operation and Maintenance Security Management
For a description of operation and maintenance security measures, refer to Table 4-1.

Table 4-1 Security Measure Descriptions for Operation and Maintenance

Measure | Policy | Instruction
User security attribute query | User security attributes can be queried in user information details. | For details, refer to “4.1.5 Creating a User”.
User identification | Ciphertext is used when a user logs in to the NetNumen U31 and queries user information. | For details, refer to “4.1.5 Creating a User”.
Security behavior management | Users can be granted permissions to perform operations on specified functional modules of the NetNumen U31. Unauthorized users are forbidden to perform relevant operations. | For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, “4.1.5 Creating a User”, “4.1.13 Setting the User Login Mode”, “4.1.14 Querying Login Users”, “4.1.15 Logging Out a User”, “4.1.16 Modifying Common User Passwords in Batches”, and “4.1.18 Clearing Invalid Accounts”.
Security attribute management | Users that are not granted the security management and user management functions are forbidden to modify security attributes. | For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, and “4.1.5 Creating a User”.
Strong password | Strong passwords are supported to prevent password attacks. | For details, refer to “4.1.6 Customizing the User Account Rule”.
Permission management | Multiple roles can be set. Different roles have different levels of management permissions. Users can be associated with roles so that user management scope and permissions can be specified and unauthorized operations can be prevented. | For details, refer to “4.1.1 Creating a Department”, “4.1.2 Creating an Operation Set”, “4.1.3 Creating a Role”, “4.1.4 Creating a Role Set”, and “4.1.5 Creating a User”.
Internal control management | The database account and password, and FTP account and password of the NetNumen U31 can be set. | For details, refer to “4.1.9 Modifying the Password of a Database Account” and “4.1.10 Modifying the Password of an FTP Account”.
Authentication failure processing | After the number of user authentication failures reaches a specified value, the user account will be locked. The maximum number of failures allowed for a user can be set. User authentication information must be recorded in logs. | For details, refer to “4.1.7 Viewing Locked Users”.
Concurrent session restriction | Sessions that a user can have at a time can be specified. | For details, refer to “4.1.12 Restricting Concurrent Sessions”.
Session termination | If a user performs no operation during a specified period after logging in to the system, the system will terminate the session automatically. To perform operations, the user must log in to the system again to establish a new session. | For details, refer to “4.1.8 Setting Logout Idle Time”.
Session locking | If a user performs no operation during a specified period (different from the period specified for session termination) after logging in to the system, the system will lock the session automatically. Authorized users can manually lock sessions. | For details, refer to “4.1.11 Locking a Client Session”.

Table of Contents
Security Management
Data Transfer Channel Management

4.1 Security Management


For the relations among department, user, role set, role, and operation and resource
defined by the role, see Figure 4-1.

Figure 4-1 Relation Model for Security Management

The following explains the relation model for security management.

• A user belongs to a specific department based on administrative planning.
• The management rights of a user are determined by the role set and the role to which the user belongs.
• A role set is a collection of one or more roles, so the rights of a role set are the collection of rights of multiple roles.
• The rights of a role are defined by the operation and resource together.
• The operation set is a set of one or more operation permissions.

4.1.1 Creating a Department


This procedure describes how to create a new department.
The concept of department is used in the NetNumen U31 system for managing users
in accordance with their actual administrative divisions. In practical applications,
departments can be created in accordance with the functions of actual network
management departments to manage users based on departments.

The system provides a root department by default. All newly-created departments are
subordinates of the root department.

Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.
2. In the User Management window, right-click a department or root department, and
then select New Sub-department from the shortcut menu. The basic information for
the new department is displayed on the Basic Information tab in the right pane, see
Figure 4-2.

Figure 4-2 Creating a Department

For a description of the parameters, refer to Table 4-2.

Table 4-2 Parameter Descriptions for Basic Information

Parameter | Description
Department Name | Name of the new department. Mandatory, range: 1 to 50 characters.
Department Description | Detailed description for the new department. Optional, range: 1 to 100 characters.
Superior Department | Existing department, that is, the superior department for the selected department. The default selected superior department is the department selected in Step 2.

3. Specify the basic information for the new department.


4. Click OK to create the new department successfully.
– End of Steps –

4.1.2 Creating an Operation Set


This procedure describes how to create a new operation set and assign operation rights
to the operation set.
When the predefined operation set cannot meet the system requirement, the maintenance
personnel can customize an operation set, and select executable operations for this
operation set.

Context
The system has five predefined operation sets. These five default operation sets cannot
be modified, and they meet basic permission allocation, so the maintenance personnel can
use them directly. If there are other permission allocation requirements, the maintenance
personnel can customize an operation set.
Table 4-3 shows five predefined operation sets.

Table 4-3 Predefined Operation Set

Predefined Operation Set | Description
Administrator Right | Administrator right is the preset operation set with the highest right. Only the administrator has the rights in the administrator right operation set. Therefore, the administrator right cannot be assigned. In the operation set pane, the Administrator Right is always in gray. The Administrator Right operation set is available for selection only when the Administrator role is selected in the role tree. Administrator right means that you have unrestricted access right to the NetNumen U31 system and the managed network. Double-click the Administrator Right and you can see that it has rights over all the operation codes.
System Maintenance Right | System maintenance right means that you don't have the right to maintain the system security information. Apart from this, you have all the rights over the system and the managed network.
Operation Right | Operation right means that you can view the network information and conduct normal configuration modifications, so that you can perform operations such as daily maintenance and failure processing. However, you cannot back up or restore the system. You cannot modify sensitive NE configuration information either, such as the NE account.
View Right | View right means that you can browse the network information. For example, you can conduct operations such as creating reports and querying data. But you cannot modify configurations. This right is used in daily monitoring.
No Right | No right means that you don't have any right over the network information. If a resource is assigned with this right, you don't have any operation right over this resource.

Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. In the Role Management window, click a role under Role. The information of the role
is displayed in the right pane, see Figure 4-3.

Figure 4-3 Role Information

3. Perform one of the following operations to display the New Operation Set dialog box,
see Figure 4-4.
• Click ▼Click to maintain operation sets, and then select New Operation Set from the shortcut menu.
• Right-click the operation set and then select New Operation Set from the shortcut menu.

Figure 4-4 Creating an Operation Set

4. Set the general information and the operation rights for this operation set.
5. Click OK. The new operation set is displayed in the operation set list.
– End of Steps –

4.1.3 Creating a Role


This procedure describes how to create a new role and assign resource and operation
rights for the role.

When predefined roles cannot meet the system requirement, the maintenance personnel
can customize a role. After a role is customized, the maintenance personnel can allocate
the resources and operation set to the new role.

Context
Table 4-4 shows predefined roles. These predefined roles cannot be modified.
Table 4-4 Predefined Roles

Predefined Role | Description
Administrator Role | Administrator role has unrestricted access right to the NetNumen U31 system and the managed network, including the right to modify the core information such as the system account.
Maintenance Role | Maintenance role doesn't have the right to maintain the system security information. Apart from this, it has all the rights over the system and the managed network.
Operator Role | Operator role has the right to view the network information and conduct normal configuration modifications. However, it cannot back up or restore the system. It cannot modify sensitive NE configuration information either.
Supervisor Role | Supervisor role has the right to view the network information. For example, it can conduct operations such as creating reports and querying data. But it cannot modify configurations.

Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. Right-click any node under the Role node in the Role Management window, and then
select New Role from the shortcut menu.
The basic information and rights information for the new role are displayed in the right
pane, see Figure 4-5.

Figure 4-5 Creating a Role

For a description of the parameters, refer to Table 4-5.

Table 4-5 Parameter Descriptions for a New Role

Group | Parameter | Description
Basic Information | Role Name | Role name. Mandatory, range: 1 to 50 characters.
Basic Information | Role Description | Detailed description of a role. Optional, range: 1 to 250 characters.
Basic Information | Lock the Role | When a role is locked, users with this role cannot use the rights of this role. At the same time, the user with only this role cannot log in to the system.
Access Rights | Resource Type | Select an option from the Resource Type drop-down list to filter the current physical resource.
Access Rights | Resource Name | Click to find management resources in accordance with the entered resource name.
Access Rights | Resource Tree | Defines management resources for the role. Click to view the role rights icon, see Figure 4-6.
Access Rights | Operation Set Name | The operation set name of this operation. It defines the operation right of a role. Operators can customize an operation set, or use a default operation set.

Figure 4-6 Role Right Icon Description

3. Specify Role Name and Role Description.


4. Set the operation resource and operation permission for a role.

a. Select the resource type from the Resource Type list.

b. On the left of the Access Rights area, click a physical resource node.

Note:
If the permission of this node is the same as that of its parent node or child nodes,
you can right-click this node and then select Follow Parent Node's Right or
Synchronize Rights of Sub-nodes.

c. On the right of the Access Rights area, select an operation set for the physical
resource node.

d. Repeat Steps a to c until every physical resource has been allocated an operation set.
5. Click OK to create a new role.

– End of Steps –

4.1.4 Creating a Role Set


This procedure describes how to create a new role set and allocate roles to this role set.
A role set is the collection of several roles. A user assigned with the role set owns the
operation rights specified by all the roles in the set.

Steps
1. In the main window of the client, select Security > Role Management. The Role
Management window is displayed.
2. In the Role Management window, right-click a role set, and then select New Role Set
from the shortcut menu.
3. Specify Role Set Name, Role Set Description, and Assigned Roles, see Figure 4-7.

Figure 4-7 Creating a Role Set

For parameter descriptions, refer to Table 4-6.

Table 4-6 Parameter Descriptions of a Role Set

Parameter | Description
Role Set Name | Enter the role set name in this box. Mandatory, range: 1 to 50 characters.
Role Set Description | Enter the description of the role set. Optional, range: 1 to 100 characters.
Lock the Role Set | Once the role set is locked, the associated operation permission is suspended.
Available Roles | Available roles in the system. Select a role and then click the icon to add it to the Assigned Roles area.
Assigned Roles | Names of roles that have been added to this role set.

4. Click OK to create a new role set.


– End of Steps –

4.1.5 Creating a User


This procedure describes how to create a new user and how to assign a role set or role to
the user.
In addition to user name and password, the following information can also be set for a new
user: account, number of days during which the password is valid, department of the user,
and the maximum number of login users with the same account.

Note:

If a user is not assigned any role or role set, then the user does not have any right after
logging in to the system.

Prerequisite
The user having the user management right logs in to the NetNumen U31 server.

Context
If the user account customization rule is enabled (refer to “4.1.6 Customizing the User
Account Rule”), the account and password of a newly created user must satisfy the user
account customization rule; otherwise, a prompt will be displayed during the user creation
process. The rule covers, for example, the minimum password length, the maximum password
length, and the number of days during which the new password cannot be the same as the
last old password.
If the password of a user is about to expire, a prompt will be displayed when the user logs
in to the system, indicating that the password should be modified. If a user account is locked,
an alarm message will be reported in alarm management.

Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.

2. In the user management tree, right-click a node and then select New User from the
shortcut menu.
The basic information, rights, log view range, user department, and the advanced
information for the new user are displayed in the right pane, see Figure 4-8.
The new user belongs to the selected node. For example, when you right-click Root
Department, the new user will belong to the root department.

Figure 4-8 Creating a User (Basic Information Tab)

For a description of the parameters, refer to Table 4-7.

Table 4-7 Parameter Descriptions for Basic Information

Group | Parameter | Description
User Basic Information | User Name | Name of the new user.
User Basic Information | Full Name | Full name of the new user.
User Basic Information | User Password | Password for user login. The length for this password can be set in the user account rule, refer to “4.1.6 Customizing the User Account Rule”.
User Basic Information | Confirm Password | The confirm password must be consistent with the user password.
Password Control | User Must Modify Password Before Next Login | Whether the user needs to modify the password before the next login. If this check box is selected, the User cannot Modify Password parameter cannot be set.
Password Control | User cannot Modify Password | Whether the user can modify the password. If this check box is selected, the User Must Modify Password Before Next Login parameter cannot be set.
Password Control | Set Maximum Password Age (days) | Maximum time during which the user password is valid. The validity period of a password begins when the password is used. When the maximum validity period set by this parameter expires, you must reset the password.
Password Control | Set Minimum Password Age (days) | Minimum time during which the user password is valid. The validity period of a password begins when the password is used. The password cannot be modified before the minimum validity period set by this parameter expires.
Password Control | Set Minimum Password Length (character) | Minimum length for the user password.
Password Control | Set Maximum Password Length (character) | Maximum length for the user password.
Password Control | cannot Be Last Used Password(s) | Number of previously used passwords that the new password cannot be the same as. If this parameter is set to 0, the system does not check whether the password is the same as previous passwords.
Account Control | Disable; Disable Start Time; Auto Disable If Account Is Idle for the Following Period | Whether to disable this user account. Choose only one of the following ways. Disable: The new user account is disabled immediately. Disable Start Time: The user account will be disabled at the defined start time. Auto Disable If Account Is Idle for the Following Period: The user account will be disabled if the user does not log in to the system within the set days.
Account Control | Disable Reason; Disable Stop Time (hour) | If the Disable, Disable Start Time, or Auto Disable in Case of Idle Account for the Following Period (days) check box is selected, the two parameters can be set.
Account Control | Temporary User | Set whether the user is a temporary user. A temporary user can only log in to the client once. After he/she logs out, the user is disabled and cannot log in again.
Account Control | Set Account Validity Period (days) | The validity period of an account begins when the account is created. If the validity period of an account expires, the account becomes invalid and cannot be used to log in to the system.
Account Control | Set Account Stop Period (days) | The account stopping period begins when the account is suspended. After the account stopping period of an account expires, the account is resumed.
Account Control | Lock at Password Error (times) | Number of times that an incorrect password is input, after which the account will be locked. If this parameter is set to 0, the account will never be locked.

3. On the Basic Information tab, set the basic information for the new user.
4. Click the Right tab, and then assign the role(s), role set(s), or both for the user, see
Figure 4-9.
The user has the rights of the assigned role or role set. A role or role set can be shared
by multiple users.

Note:
If no role or role set is configured for the user, you may click Click Here to GO to Role
Management.

Figure 4-9 Creating a User (Right Tab)

5. Click the Log View Range tab, and then select the roles, role sets, or both whose
user logs the new user can view, see Figure 4-10.

Figure 4-10 Creating a User (Log View Range Tab)

The user with the permission of the system administrator can view logs of all users.
However, the normal user can only view its own logs and logs of users related to the
selected roles or role set.
When the Select All Roles and Role Sets check box is selected, the user can view
logs of all users, including the system administrator.
6. Click the User Department tab, and then select the department that the user belongs
to, see Figure 4-11.

Figure 4-11 Creating a User (User Department Tab)

7. Click the Advanced Information tab, and then set the additional user information, the
connect type, the IP range, and the GUI MAC Binding, see Figure 4-12.

Figure 4-12 Creating a User (Advanced Information Tab)

For a description of the parameters, refer to Table 4-8.

Table 4-8 Parameter Descriptions for Advanced Information

Parameter | Description
User Description | A description of the user information.
Phone Number (G) | Telephone number for the new user. Range: 1 to 50 digits or "-".
Email | The e-mail address of the new user. The character @ is required in the e-mail address.
Concurrent Logins | Maximum number of users that log in to the client with the account simultaneously. If this parameter is set to 10, it indicates that at most 10 users can log in to the client with the account simultaneously.
Login Type | Login modes, including Password and Certificate. At present, only Password is supported.
User Working Time | You can click Set or View the Working Time and set the working time during which the user can log in to the system.
Logout Idle Time (minutes) | Whether the user is automatically logged off after a period of time during which no operations are performed. If this parameter is enabled, it sets the waiting time before the user is automatically logged off.
Connect Type | Connection types for a newly created user. The user can log in to the server from a client only when GUI is selected.
IP Range | Range of IP addresses that are allowed to log in to the server.
GUI MAC Binding | Newly created users can only log in to the server from machines with the bound MAC addresses.

8. Click OK.
– End of Steps –

4.1.6 Customizing the User Account Rule


The user account rule specifies the password policy, account lock policy, and the account
checking policy of users.

Steps
1. In the main window of the client, select Security > Set User Account Rule.
The Set User Account Rule dialog box is displayed, see Figure 4-13.

Figure 4-13 Setting the Password Rule

2. In the Password Rule tab, set the password policy in accordance with the actual
requirements.
3. Click the Account Rule tab, see Figure 4-14.

Figure 4-14 Setting the Account Rule

For a description of the parameters, refer to Table 4-9.

Table 4-9 Parameter Descriptions for Account Rule

Group | Parameter | Description
Account Lock Rule | Never Lock | When this check box is selected, the user is not locked no matter how many login failures occur.
Account Lock Rule | Lock Permanently | If the number of failed logins reaches the threshold, this user will be locked.
Account Lock Rule | Lock Temporarily | When the number of failed logins reaches the threshold set for Lock at password error, the user will be locked. After the duration set for the Unlock after parameter, the user will be unlocked. The administrator can manually unlock a locked user. After that, the user can log in to the NetNumen U31 system.
Account Lock Rule | Period for password input errors | When the set number of wrong passwords is entered within this period, the user will be locked.
Account Lock Rule | Lock at password error | When the number of wrong passwords exceeds the set threshold, the user will be locked. Range: 2 to 20.
Account Lock Rule | Unlock after | After the set duration, the locked user will be unlocked. Range: 1 to 72.
Account Lock Rule | Lock account with IP | If this check box is selected, the system will lock the user in accordance with the IP address.
Account Lock Rule | Do not lock admin | If this check box is selected, the system will never lock the default system administrator (admin).
Account Checking | Cannot be user accounts deleted in the last (days) | If this check box is selected and a value is set (for example, 5), you cannot set a user account that is the same as an account deleted within the last 5 days. Range: 1 to 100.
Account Checking | Notify account expiry in an advance of (days) | To enable the password expiry notification function, select this check box and enter the number of days (for example, 5). The system then prompts the user at login, 5 days in advance, that the password will expire. Range: 1 to 90.
Password Dictionary | Import Dictionary | Import the Password Dictionary to the system.
Password Dictionary | Export Dictionary | Export the Password Dictionary from the system.
Password Dictionary | Delete Dictionary | Delete the Password Dictionary of the system.

4. Click OK to confirm the setting of the user account rule.


– End of Steps –

4.1.7 Viewing Locked Users


System administrators can view locked users and unlock them.
If an account lockout condition (the maximum number of times that a wrong password is
entered) is specified in the account rule, and the number of times that a user enters a
wrong password has reached the predefined value, the user will be locked.

Steps
1. In the main window of the client, select Security > Set User Account Rule. The Set
User Account Rule dialog box is displayed.
2. Click the Account Rule tab. Set the account lockout rule, see Figure 4-15.
For example, select Lock Temporarily and set Lock at password error(J) to 3. In
this case, the system will lock a non-admin user when this user tries to log in to the
system but has entered a wrong password three consecutive times.

Figure 4-15 Set User Account Rule Dialog Box

3. In the main window of the client, select Security > User Lock Details. The User Lock
Details dialog box is displayed, see Figure 4-16.

Figure 4-16 Viewing User Lockup Details

4. (Optional) If a user needs to be unlocked, click Unlock and then click OK in the confirm
message box.
5. Click Close to close the User Lock Details dialog box.

– End of Steps –
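
The account lockout parameters from the account rule table and the Lock at password error example above, modeled as an added example (not ZTE code). Assumptions: the lock triggers when the count reaches the threshold, as in the example with the value 3; the page gives no time units, so all times share one unit; Lock account with IP is read as locking per user and IP address; all class and function names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model of the account rule; not NetNumen U31 code.
# Assumption: the page gives ranges but no units, so all times share one unit.
@dataclass
class AccountRule:
    period: float                   # Period for password input errors
    lock_at_errors: int             # Lock at password error (range 2 to 20)
    unlock_after: float             # Unlock after (range 1 to 72)
    lock_with_ip: bool = False      # Lock account with IP
    do_not_lock_admin: bool = True  # Do not lock admin

class LockoutTracker:
    def __init__(self, rule):
        self.rule = rule
        self.failures = {}   # key -> times of recent wrong passwords
        self.locked_at = {}  # key -> time the lock started

    def _key(self, user, ip):
        # Assumption: "Lock account with IP" counts and locks per (user, IP).
        return (user, ip) if self.rule.lock_with_ip else (user, None)

    def is_locked(self, user, ip, now):
        key = self._key(user, ip)
        start = self.locked_at.get(key)
        if start is None:
            return False
        if now - start >= self.rule.unlock_after:
            del self.locked_at[key]  # automatic unlock after the set duration
            return False
        return True

    def admin_unlock(self, user):
        """Manual unlock by the administrator: drop every lock on the user."""
        for key in [k for k in self.locked_at if k[0] == user]:
            del self.locked_at[key]

    def login(self, user, ip, password_ok, now):
        """Return 'ok', 'denied' (wrong password) or 'locked'."""
        if self.is_locked(user, ip, now):
            return "locked"  # a correct password is refused while locked
        key = self._key(user, ip)
        if password_ok:
            self.failures.pop(key, None)  # success ends the consecutive run
            return "ok"
        recent = [t for t in self.failures.get(key, []) if now - t < self.rule.period]
        recent.append(now)
        self.failures[key] = recent
        exempt = self.rule.do_not_lock_admin and user == "admin"
        if len(recent) >= self.rule.lock_at_errors and not exempt:
            self.locked_at[key] = now
            del self.failures[key]
            return "locked"
        return "denied"

def replay(rule, events):
    """Feed constructed (time, user, ip, password_ok) events to the rule."""
    tracker = LockoutTracker(rule)
    return [tracker.login(user, ip, ok, t) for t, user, ip, ok in events]

# Constructed sample: three wrong passwords, a correct one while locked,
# then a correct one after the lock has expired.
SAMPLE_EVENTS = [
    (0, "operator1", "192.0.2.10", False),
    (1, "operator1", "192.0.2.10", False),
    (2, "operator1", "192.0.2.10", False),
    (3, "operator1", "192.0.2.10", True),
    (70, "operator1", "192.0.2.10", True),
]

if __name__ == "__main__":
    rule = AccountRule(period=10, lock_at_errors=3, unlock_after=60)
    print(replay(rule, SAMPLE_EVENTS))
```

In this model, an admin account exempted by Do not lock admin is never locked, so repeated failed admin logins have to be caught through log review instead.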

4.1.8 Setting Logout Idle Time


This setting specifies the period after which a user is automatically logged out if the user
does not perform any operation.

Steps
1. In the main window of the client, select Security > Set Logout Idle Time.
The Set Logout Idle Time dialog box is displayed, see Figure 4-17.

Figure 4-17 Set Logout Idle Time

2. Set the waiting time.

3. In All Users, select the users to be set, and then click the icon to add them to Selected Users.

4. Click OK.
– End of Steps –

4.1.9 Modifying the Password of a Database Account


This procedure describes how to modify the password of an EMS database account in the
Inner Control Management dialog box.

Prerequisite
You have logged in to a NetNumen U31 client as the system administrator.

Steps
1. Double-click the U31 Client icon on the client desktop. The Login dialog box is
displayed.
2. Set User Name, Password, and Server Address. Click OK. The client portal is
displayed, see Figure 4-18.

Figure 4-18 Client Portal

3. Click System Maintenance. The System Maintenance window is displayed.

Figure 4-19 System Maintenance Window

4. Select Security > Inner Control Management. The Inner Control Management
dialog box is displayed, see Figure 4-20.

Figure 4-20 Inner Control Management Dialog Box

5. Right-click the sub-node under the Database node. Select Connect to Database.
The Database Login dialog box is displayed, see Figure 4-21.

Figure 4-21 Database Login Dialog Box

6. Enter the password of the SYSTEM user. Click OK. You are logged in to the database.
7. Right-click a database account in the right pane, see Figure 4-20. Select Change
Password. The Modify Database Accounts’ Passwords dialog box is displayed,
see Figure 4-22.

Note:
The passwords of UEP3X and CN_RPT database accounts are not modified.

Figure 4-22 Modify Database Accounts’ Passwords Dialog Box

8. Enter the original password in Old Password. Set a new password in New Password.
Enter the new password again in Confirm Password.

9. Click OK. A dialog box is displayed. Click OK.


10. Restart the NetNumen U31 server so that the settings will take effect.

– End of Steps –

4.1.10 Modifying the Password of an FTP Account


This procedure describes how to modify the password of an EMS FTP account in the Inner
Control Management dialog box.

Prerequisite
You have logged in to a NetNumen U31 client as the system administrator.

Steps
1. Double-click the U31 Client icon on the client desktop. The Login dialog box is
displayed.
2. Set User Name, Password, and Server Address. Click OK. The client portal is
displayed.
3. Click System Maintenance. The System Maintenance window is displayed.
4. Select Security > Inner Control Management. The Inner Control Management
dialog box is displayed.
5. Select the FTP Account node. The FTP accounts are displayed in the right pane, see
Figure 4-23.

Figure 4-23 FTP Account Management Dialog Box

6. Right-click an account. Select Change Password. The Modify FTP Account
Password dialog box is displayed, see Figure 4-24.

Figure 4-24 Modify FTP Account Password Dialog Box

7. Enter the original password in Old Password. Set a new password in New Password.
Enter the new password again in Confirm Password.

8. Click OK. A dialog box is displayed. Click OK.

9. Restart the NetNumen U31 server so that the settings will take effect.
– End of Steps –

4.1.11 Locking a Client Session


Users can lock sessions of a NetNumen U31 client. A session can be locked manually or
automatically.
- Manually: After a user manually locks a session, the session is immediately locked.
- Automatically: When a user performs no operation on a client for longer than a predefined
  period, the client automatically locks the session.

Steps
- Manually lock a session.

1. In the main window of the client, select System > Lock Screen. The Select Lock
Type dialog box is displayed, see Figure 4-25.

Figure 4-25 Select Lock Type Dialog Box

2. Set Lock Type.

3. Click OK. A dialog box is displayed. Click OK.


When a user manually locks a client session:
  - If Lock Screen is selected, the Unlock dialog box is displayed, see Figure 4-26.

Figure 4-26 Unlock Dialog Box

  - If Lock Operation is selected, the user must press Ctrl + U before performing
    operations on the client. The Unlock login dialog box is then displayed.
- Automatically lock a session.
1. In the main window of the client, select System > Preferences. The Preferences
dialog box is displayed, see Figure 4-27.

Figure 4-27 Preferences Dialog Box

2. Select System > Screen Lock from the left tree.


3. Select Enable. Set Idle Time and Lock type for locking the screen regularly.
4. Click OK.

When a user performs no operations on the client for longer than the predefined period:
  - If Lock Screen is selected, the Unlock dialog box is displayed on the client,
    see Figure 4-26.
  - If Lock Operation is selected, the user must press Ctrl + U before performing
    operations on the client. The Unlock login dialog box is then displayed.
– End of Steps –

4.1.12 Restricting Concurrent Sessions


This procedure describes how to specify the maximum number of sessions that a user can
have simultaneously.

Steps
1. In the main window of the client, select Security > User Management. The User
Management window is displayed.
2. From the user management tree, select a user. In the right pane, the user information,
including the basic information, permissions, log view range, user department, and
advanced information, is displayed.

3. Click the Advanced Information tab, see Figure 4-28.

Figure 4-28 Advanced Information

4. Click Modify. Set the number of sessions in Concurrent Logins.

Concurrent Logins: Maximum number of sessions that a user can have simultaneously.
If this parameter is set to 10, it indicates that a maximum of 10 users can use this
account to log in to the client simultaneously.

5. Click OK.
– End of Steps –

Result
Once the number of simultaneous logins to a NetNumen U31 client with the account has reached
the value of Concurrent Logins, the account cannot be used for a further login until a
session is released.

4.1.13 Setting the User Login Mode


This procedure describes how to set the user login mode.
Maintenance personnel can set the login mode so that only a user with the permission of the
system administrator is allowed to be logged in to the NetNumen U31 server at any one time.
When the Single user login mode check box is selected, the other currently logged-in users
are forcibly logged out.

Note:
Only the user with the permission of the system administrator can set the user login mode.

Prerequisite
The user with the permission of the system administrator has logged in to the client.

Steps
1. In the main window of the client, select Security > Set User Login Mode.
The Set User Login Mode dialog box is displayed, see Figure 4-29.

Figure 4-29 Set User Login Mode Dialog Box

2. Select the Set User Login Mode check box as required.

3. Click OK.
– End of Steps –

4.1.14 Querying Login Users


This procedure describes how to query information about the currently logged-in users, including
login IP, login MAC, login time, connection type, and idle time since the last check (min).
Maintenance personnel can also send messages to other logged-in users.

Steps
1. In the main window of the client, select Security > Login User Management.
The Login User Management dialog box is displayed, see Figure 4-30.

Figure 4-30 Login User Management

2. Click Refresh to obtain the information of the login users again.


3. (Optional) Perform the following steps to send messages to other login users.
a. Click a user, and then select Send Message. The Send Message dialog box is
displayed, see Figure 4-31.

Figure 4-31 Sending Messages

b. Enter the content, and then click Send.


4. Click Close to close the Login User Management dialog box.
– End of Steps –

4.1.15 Logging Out a User


When the administrator needs to maintain the system, or finds that some users perform
invalid operations, the administrator can forcefully disconnect these users.

Note:
Only the administrator can forcefully disconnect these users. In addition, the current
session cannot be deleted by the user.

Steps
1. In the main window of the client, select Security > Login User Management. The
Login User Management dialog box is displayed.
2. Click a login user, and then click Force to Log Out (K). The Confirm message box is
displayed.
3. Click OK.
4. Click Close to close the Login User Management dialog box.
– End of Steps –

4.1.16 Modifying Common User Passwords in Batches


This procedure describes how to modify the passwords of common users (all users except the
administrator) in batches. The passwords of all common users can be set to the same one. The
new password should comply with the password policy specified by the Enable Weak
Password Check parameter.

Steps
1. In the main window of the client, select Security > Batch Modify Common Users'
Passwords. The Batch Modify Common Users' Password dialog box is displayed,
see Figure 4-32.

Figure 4-32 Modify All Common Users' Password Dialog Box

2. Enter the new password in the New Password and Confirm Password text boxes.
3. Add the matching users to Users to Be Modified.

4. Click OK.

– End of Steps –

4.1.17 Adding a User to the Blacklist


This procedure describes how to add a user to the blacklist.

A user in the blacklist cannot log in to the NetNumen U31 system.

Note:
Only the user with the role of the system administrator can add a user to the blacklist.

Prerequisite
The user with the role of the system administrator has logged in to the client.

Steps
1. In the main window of the client, select Security > User Blacklist.

The User Blacklist dialog box is displayed, see Figure 4-33.

Figure 4-33 User Blacklist Dialog Box

2. Select a user to be added to the blacklist, and then click the icon to add the user
to the Users in Blacklist box.

3. Click OK.
– End of Steps –

4.1.18 Clearing Invalid Accounts


This procedure describes how to disable or delete the accounts that have not logged in to the
system for a specific number of days.

Note:
Only the user with the role of the system administrator can disable or delete invalid
accounts.

Prerequisite
The user with the role of the system administrator has logged in to the client.

Steps
1. In the main window of the client, select Security > Clean Up Accounts.

The Clean Up Accounts dialog box is displayed, see Figure 4-34.

Figure 4-34 Clean Up Accounts Dialog Box

2. Perform the following operations as required:

To disable the accounts that are idle within N days, do the following:
i. Click the Disable accounts that are idle in the last 60 day(s) option.
ii. In the Matching Accounts box, select the account to be disabled and then click the
icon to add the account to the Disabled Account box.

To delete the accounts that are idle within N days, do the following:
i. Click the Delete accounts that are idle in the last 90 day(s) option.
ii. In the Matching Accounts box, select the account to be deleted and then click the
icon to add the account to the Deleted Account box.

3. Click OK.
When invalid accounts are cleared successfully, click OK.
– End of Steps –

4.2 Data Transfer Channel Management


4.2.1 Setting Logical SSH Channels
This procedure describes how to enable encrypted SSH channels for the NetNumen U31
server and clients.

Steps
Starting the SSH Server on the NetNumen U31 Server
1. Enter the uif directory of the installation directory of the NetNumen U31 server.
Run the runPlugCenter.sh file to start the NetNumen U31 Unified Management
System-configuration center.

2. In the left navigation tree, select Common Configuration > Common Property.
3. In the Server area of the right pane, select Global Configuration > Encrypted
Communication Configuration > Whether to start SSH forward service, see
Figure 4-35.

Figure 4-35 Starting the Service for Forwarding Data Through SSH

4. Click Yes in Value of config.


5. Click Save.

Enabling SSH Login on a NetNumen U31 Client


6. Enter the uif directory of the installation directory of the NetNumen U31 client. Run
the runPlugCenter.bat file (OS: Windows) or the runPlugCenter.sh file (OS:
Linux) to start the NetNumen U31 Unified Management System-configuration center.
7. In the left navigation tree, select Common Configuration > Common Property.
8. In the Client area of the right pane, select Global Configuration > Basic
Configuration > Display logging in with SSH on login window, see Figure 4-36.

Figure 4-36 Enabling SSH Login on a Client

9. Click Yes in Value of config.


10. Click Save.
On the NetNumen U31 Client, Logging In to the Server Through SSH
11. Double-click the U31 Client icon on the client desktop. The Login dialog box is
displayed, see Figure 4-37.

Figure 4-37 Login Dialog Box

12. Set User Name, Password, and Server address. Select SSH Port. Enter an SSH
port for forwarding data. By default, the port number is 21140.
13. Click OK. The client accesses the NetNumen U31 server through SSH.
– End of Steps –
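
A check that can be run after the procedure above to confirm that the configured port (21140 by default) answers with an SSH identification string and not a plaintext service. This is an added example, not ZTE code; it assumes the forwarding service sends a standard RFC 4253 version line, and the function names are hypothetical.

```python
import socket
import sys

DEFAULT_SSH_FORWARD_PORT = 21140  # default SSH port named in step 12


def parse_ssh_ident(data):
    """Parse a server greeting for the SSH identification string
    (RFC 4253, section 4.2): SSH-protoversion-softwareversion [SP comments]."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send other lines before the version line
        ident = line.decode("ascii", "replace").split(" ", 1)[0]
        parts = ident.split("-", 2)
        if len(parts) == 3 and parts[1] and parts[2]:
            # "1.99" means the server also accepts pre-2.0 clients.
            return {"is_ssh": True, "proto": parts[1], "software": parts[2],
                    "ssh2_only": parts[1] == "2.0"}
    return {"is_ssh": False, "proto": None, "software": None, "ssh2_only": False}


def probe_ssh_channel(host, port=DEFAULT_SSH_FORWARD_PORT, timeout=5.0):
    """Connect to the forwarding port and classify what answers on it."""
    data = b""
    error = None
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            # Read until a complete SSH version line arrives or 1 KiB is seen.
            while len(data) < 1024 and not (b"SSH-" in data and data.endswith(b"\n")):
                chunk = conn.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:  # refused, unreachable, or timed out
        error = str(exc)
    result = parse_ssh_ident(data)
    result["error"] = error
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_ssh_channel.py <server-address> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_SSH_FORWARD_PORT
    print(probe_ssh_channel(sys.argv[1], port))
```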


Figures
Figure 1-1 Service Configuration Dialog Box
Figure 2-1 Configuration Center
Figure 4-1 Relation Model for Security Management
Figure 4-2 Creating a Department
Figure 4-3 Role Information
Figure 4-4 Creating an Operation Set
Figure 4-5 Creating a Role
Figure 4-6 Role Right Icon Description
Figure 4-7 Creating a Role Set
Figure 4-8 Creating a User (Basic Information Tab)
Figure 4-9 Creating a User (Right Tab)
Figure 4-10 Creating a User (Log View Range Tab)
Figure 4-11 Creating a User (User Department Tab)
Figure 4-12 Creating a User (Advanced Information Tab)
Figure 4-13 Setting the Password Rule
Figure 4-14 Setting the Account Rule
Figure 4-15 Set User Account Rule Dialog Box
Figure 4-16 Viewing User Lockup Details
Figure 4-17 Set Logout Idle Time
Figure 4-18 Client Portal
Figure 4-19 System Maintenance Window
Figure 4-20 Inner Control Management Dialog Box
Figure 4-21 Database Login Dialog Box
Figure 4-22 Modify Database Accounts’ Passwords Dialog Box
Figure 4-23 FTP Account Management Dialog Box
Figure 4-24 Modify FTP Account Password Dialog Box
Figure 4-25 Select Lock Type Dialog Box
Figure 4-26 Unlock Dialog Box
Figure 4-27 Preferences Dialog Box
Figure 4-28 Advanced Information
Figure 4-29 Set User Login Mode Dialog Box
Figure 4-30 Login User Management
Figure 4-31 Sending Messages
Figure 4-32 Modify All Common Users' Password Dialog Box
Figure 4-33 User Blacklist Dialog Box
Figure 4-34 Clean Up Accounts Dialog Box
Figure 4-35 Starting the Service for Forwarding Data Through SSH
Figure 4-36 Enabling SSH Login on a Client
Figure 4-37 Login Dialog Box


Tables
Table 1-1 OS Security Measure Descriptions
Table 2-1 Database Security Measure Descriptions
Table 3-1 Security Measures Descriptions for Networks and Applications
Table 4-1 Security Measure Descriptions for Operation and Maintenance
Table 4-2 Parameter Descriptions for Basic Information
Table 4-3 Predefined Operation Set
Table 4-4 Predefined Roles
Table 4-5 Parameter Descriptions for a New Role
Table 4-6 Parameter Descriptions of a Role Set
Table 4-7 Parameter Descriptions for Basic Information
Table 4-8 Parameter Descriptions for Advanced Information
Table 4-9 Parameter Descriptions for Account Rule


Glossary
EMS
- Element Management System
FTP
- File Transfer Protocol
HTTPS
- Hypertext Transfer Protocol Secure
ICMP
- Internet Control Message Protocol
MAC
- Media Access Control
NAT
- Network Address Translation
SFTP
- Secure File Transfer Protocol
SSH
- Secure Shell
TCP
- Transmission Control Protocol
UDP
- User Datagram Protocol
VNC
- Virtual Network Computing
ZTE
- Zhongxing Telecommunications Equipment
