
7/6/2017 Security Level:

Introduction to the BSC6900 V900R014 Security Features
www.huawei.com
RAN14 Security Design Team

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential


Explain the principles of the main and enhanced security features of WCDMA RAN14.
Be able to configure these features.



Chapter 1 Security Introduction

Chapter 2 Simple Firewall

Chapter 3 Software Integrity Protection

Chapter 4 USB Flash Drive Encryption

Chapter 5 Security of General Operating Systems

Chapter 6 Security Audit

Chapter 7 System Access



Definition of Security/Safety
Safety involves natural or quasi-natural attributes, and security involves human attributes. Safety involving natural or quasi-natural attributes is impaired mainly by natural disasters (such as flood, drought, and earthquake) and quasi-natural disasters (such as deterioration of environments and health conditions). Security involving human attributes is impaired mainly by intentional human involvement, for example, theft, robbery, destruction, explosion, and other crimes. In a broad sense, both meanings are included.
Huawei focuses on "the impairment caused by intentional human intervention".
"Product security" can be simply considered as "network security". Generally, network
security means that the hardware, software, and data in the network system are
protected and are not damaged, altered, or disclosed incidentally or maliciously, that
the system works properly and continuously, and that network services are not
interrupted.



Definition and Scope of Product Security
Product security covers the following eight aspects:
Access control: For example, illegal access of users or administrators results in attacks and damage, and
unauthorized information or log deletion makes information unavailable.
Authentication: For example, control fails because of authentication failure, weak passwords, and password
cracking.
Non-repudiation: For example, hackers delete system logs and forge data, identities, and attack sources.
Data confidentiality: For example, unauthorized users obtain secret information or crack encrypted data.
Communication security: For example, wiretapping and DDoS attacks result in leakage of transmitted data
and disconnection from networks.
Data integrity: For example, data is modified or copied illegally.
Availability: For example, viruses, Trojans, and illegal tampering make information and services unavailable.
Privacy protection: If confidential data is cracked, the private information of users may be disclosed.

To be simple, product security problems are online product problems directly or indirectly caused by
malicious behaviors, including virus infection, hacker attack, information disclosure, information
tampering, and product security function defects.

For example, a breakdown caused by product defects is a reliability problem, whereas a breakdown
caused by malicious behaviors such as a DoS attack, a hacker attack, or intentional damage to the
system is a security problem.



Network Threats
[Figure: network topology with BTS/NodeB, MBSC, MSC, SGSN, OSS server, DHCP/SNTP/IPCLKServer, LMT/WebLMT and the Internet, connected over the Uu/Um, Iub/Abis and A/IuCS/IuPS interfaces. The diagram itself is not recoverable; the threats it labels are:]
Emergency call/user location/virus attack
Base station forgery
Interception, tampering, and traffic attack
Interception, tampering, network attack, and replay attack
Interception, tampering, corruption, and replay attack
Clock interference/tampering
Time synchronization information interference/tampering
General OS virus/Trojan
Account/password leakage
Illegal access
Illegal local access
User privacy disclosure
File/software corruption
File/software virus infection
Port scanning
Network attack
Virus (from USB flash drive)
Security Solution
[Figure: the same topology with the security measures placed at each point. The diagram itself is not recoverable; the measures it labels are:]
Air interface encryption and integrity: UEA1/UEA0, UIA1, SNOW3G; A5/1, A5/2, A5/3, GEA1, GEA2, GEA3, GEA4
OM transmission security: SSL, FTPS (FTP over SSL), HTTPS
PKI (CMPv2)
IP clock synchronization security; time synchronization authentication
Customized system (Dopra Linux)
Antivirus software (Windows OS); OS patch and OS hardening
Account/password management
User privacy protection
ACL & ACL enhancement
Flow control
VLAN/VPN
IPSec (PKI or PSK)
DHCP authentication
802.1X
Closing of local maintenance window
USB flash drive encryption
Software integrity protection
Security alarm/log
General Layout of Security Technologies for GU Products
[Figure: matrix of security technologies grouped by domain, each item marked with a status (Met, To be enhanced, Under development, Not met, To be planned). The per-item status markings are not recoverable from this extraction; the items by domain are:]
Operation & maintenance security: centralized user management; account and password policy; user rights management; log and audit management; user operation monitoring; data backup and restoration; OM transmission security (FTPS/SSL/HTTPS); security alarm; web security; strong authentication (dual factors); LDAP centralized user management; centralized authentication of OSS products; USB flash drive security; remote maintenance security; remote disabling of maintenance ports; banner information; security documents (user manuals and pre-sales and maintenance documents)
End user security: user privacy protection (identity information, activity status, and communication contents); trace data privacy protection; trace function rights control; terminal location; attack defense of terminals
Communication security: isolation of three planes; signaling plane encryption; user plane encryption; disabling insecure services; signaling robustness; network layer protocol robustness; IPv6 security; DHCP security; SNTP security; database security hardening; digital certificate application; PKI deployment; ACL/firewall; attack defense of devices; terminal junk traffic filtering; equipment identity authentication; air interface security (A5/4 and Snow3G); charging anti-spoofing; clock synchronization security; NE security status monitoring; jamming detection
Equipment platform security: Windows/Linux hardening; Windows hardening; Solaris hardening; OS log management; OS security patch; Windows antivirus; software integrity protection; OS remote patching/upgrade; Femto/Pico security
Network security: DNS security; port matrix; security domain classification; VPN deployment policy; VLAN classification policy; maintenance terminal access control; network disaster recovery; firewall deployment policy; intrusion detection deployment; live network security hole detection; 802.1X access authentication; Gi interface security




Embedded Firewall

Background and benefits


IP networks are increasingly widely deployed. As more IP networks are leased, they may be
connected to public networks. In this case, attacks and junk packets on public networks will
adversely affect the normal operation of unprotected equipment.
Even on the proprietary networks of operators, incorrect or improper configurations may
generate a large number of unexpected packets on NodeBs, affecting the normal operation of
equipment.
Values and advantages
Protect services against network attacks and improve equipment security.
Protect services against improper configurations or operations.



Embedded Firewall
Generally, embedded firewall involves the following technologies:
Packet filtering:
Packets are filtered based on the specified rules. Packet filtering is simple but inflexible. In
addition, packet filtering checks each packet against policies. If many policies exist, the
performance degrades sharply.
Application gateway
The application gateway makes the firewall an intermediate access node. The application
gateway is secure but its development cost is high. It is difficult to develop an agent service
for each application. Therefore, the application gateway is not applicable to a network with
abundant services but only provides agent support for certain applications.
Status detection (stateful inspection)
Status detection is a type of advanced communication filtering. It checks application layer
protocols and monitors the status of connection-based application layer protocols. Each
connection status is maintained and is used to dynamically determine whether packets are
allowed to pass through the firewall.
The mainstream commercial firewall is the status detection firewall, but it is complex to
deploy a status detection firewall on NodeBs.
The application gateway firewall is more costly than the status detection firewall but provides
more reliable security. It can best defend against SYN flood attacks.



Technical Principles of Embedded Firewall
Technical principles
The BSC supports intelligent configuration without white list and the simple firewall functions
of the AIU interface board (FG2c/GOUc) to filter invalid data flows. When the BSC6900 is
attacked, users can be informed in time. Maintenance personnel can locate the attack
sources and attack types based on security alarms, MML commands, and security logs to
prevent malicious attacks from the network, for example, malformed packet attacks, and
ensure the security of the BSC6900.
The AIU interface board on the BSC6900 supports the following simple firewall functions:
Rate limiting for broadcast packets
Prevention against Internet Control Message Protocol (ICMP) attacks
Prevention against Address Resolution Protocol (ARP) attacks
Prevention against Smurf attacks
Prevention against invalid packet attacks



Configuring Embedded Firewall
Intelligent configuration without white list
The BSC6900 automatically generates ACL rules for all data flows that enter the BSC6900. An ACL rule
includes the source address, destination address, port number, protocol type, and DSCP priority. After receiving
a packet, the BSC6900 matches it with the ACL rule. If the packet matches the rule, the packet is allowed to
pass through; otherwise, the packet is discarded.
Rate limiting for broadcast packets
The interface board supports FE/GE port rate limiting for broadcast packets to defend against broadcast storms.
If the number of broadcast packets is higher than or equal to the preset threshold, an alarm is reported.
If the number of broadcast packets is lower than the preset threshold, the alarm is cleared.
ICMP attack prevention
The interface board supports prevention against ICMP attacks. The ADD ICMPGUARD command is used to
configure the policy for preventing ICMP attacks. After the policy is configured, the interface board discards the
specified type of ICMP packets sent from the specified network segment.
The IPADDR parameter is used to specify the source IP address of the packets that are used to initiate attacks,
and the GUARDTYPE parameter is used to specify the type of ICMP packets that are used to initiate attacks.
ARP attack prevention
ARP response flooding attacks may be launched against the interface board: the attacker sends a large
number of forged ARP packets whose source IP addresses vary, causing communication interruption.
The ARP entry learning function prevents ARP response flooding attacks. By default, this function is enabled.
After this function is enabled, the interface board learns only the responses to the ARP requests sent by
the system, that is, the interface board records the MAC addresses of those response packets so that it can
reject forged ARP packets.



Configuring Embedded Firewall
Prevention against Smurf attacks
The interface board supports prevention against Smurf attacks which may cause network congestion.
This prevention is implemented through check on ICMP packets. The interface board checks the
received ICMP packets.
If the destination address of a packet is a network address or a broadcast address, the packet is
discarded.
If the destination address of a packet is the address of a local interface board, the packet is allowed to
pass through.
Prevention against invalid packet attacks
If VALIDPKTCHKSW is set to ON, invalid packet detection is enabled.
When the number of detected invalid packets is greater than or equal to the preset threshold, an alarm is
reported and a run log is generated.
When the number of detected invalid packets is smaller than the preset threshold, the alarm is cleared.
When the number of received invalid packets exceeds the alarm threshold, you can locate the attack
source and attack type by querying the statistics of invalid packets and detailed information about the
packets.
The statistics of invalid packets can be queried in run logs.
The detailed information about invalid packets can be queried by running the DSP INVALIDPKTINFO
command.
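The filtering logic described on the two configuration slides above (whitelist ACL matching on source, destination, port, protocol and DSCP; the Smurf check on ICMP destination addresses; the ICMP guard keyed by source segment and ICMP type; and the invalid-packet alarm that is raised at the threshold and cleared below it), as an added Go example written for this page. It is a model of the behaviour the slides describe, not the BSC6900's or the interface board's own code. The Packet and Firewall types, the local address 10.0.0.1, the 10.0.0.0/24 network and broadcast addresses, the 192.0.2.0/24 guard segment, the port, DSCP and threshold values and the one learned flow are all constructed assumptions; only the parameter names IPADDR, GUARDTYPE and VALIDPKTCHKSW come from the slides.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is a constructed, simplified view of the header fields the ACL rule
// matches on, plus the ICMP type needed by the ICMP guard and Smurf checks.
type Packet struct {
	Src, Dst netip.Addr
	Port     uint16
	Proto    string // "udp", "tcp", "sctp" or "icmp"
	DSCP     uint8
	ICMPType uint8 // only meaningful when Proto == "icmp"; 8 = echo request
}

// AclRule is one automatically generated rule: a packet passes only when all
// five fields match exactly (whitelist semantics, as on the slide).
type AclRule struct {
	Src, Dst netip.Addr
	Port     uint16
	Proto    string
	DSCP     uint8
}

// ICMPGuard mirrors the ADD ICMPGUARD parameters IPADDR (source segment of the
// attacking packets) and GUARDTYPE (the ICMP type to discard).
type ICMPGuard struct {
	Segment   netip.Prefix
	GuardType uint8
}

// Firewall is a hypothetical model of the interface board's simple firewall.
type Firewall struct {
	Local            map[netip.Addr]bool // addresses of local interface boards
	Broadcast        []netip.Addr        // network and broadcast addresses
	Rules            []AclRule
	Guards           []ICMPGuard
	InvalidThreshold int // invalid-packet alarm threshold per counting window
	InvalidCount     int
	InvalidAlarm     bool
}

type Verdict string

const (
	Pass          Verdict = "pass"
	DropACL       Verdict = "drop: no matching ACL rule"
	DropICMPGuard Verdict = "drop: ICMP guard"
	DropSmurf     Verdict = "drop: ICMP to network/broadcast address"
	DropInvalid   Verdict = "drop: invalid packet"
)

// Learn generates the ACL rule for a data flow the BSC has accepted.
func (f *Firewall) Learn(p Packet) {
	f.Rules = append(f.Rules, AclRule{p.Src, p.Dst, p.Port, p.Proto, p.DSCP})
}

// Filter returns the verdict for one packet. valid=false stands for a packet
// that failed the malformed-packet check enabled by VALIDPKTCHKSW=ON.
func (f *Firewall) Filter(p Packet, valid bool) Verdict {
	if !valid {
		f.InvalidCount++
		f.updateInvalidAlarm()
		return DropInvalid
	}
	if p.Proto == "icmp" {
		for _, b := range f.Broadcast { // Smurf prevention
			if p.Dst == b {
				return DropSmurf
			}
		}
		for _, g := range f.Guards { // ICMP attack prevention
			if g.Segment.Contains(p.Src) && g.GuardType == p.ICMPType {
				return DropICMPGuard
			}
		}
		if f.Local[p.Dst] { // ICMP addressed to a local board is allowed
			return Pass
		}
	}
	want := AclRule{p.Src, p.Dst, p.Port, p.Proto, p.DSCP}
	for _, r := range f.Rules {
		if r == want {
			return Pass
		}
	}
	return DropACL
}

// updateInvalidAlarm raises the alarm at the threshold and clears it below it.
func (f *Firewall) updateInvalidAlarm() { f.InvalidAlarm = f.InvalidCount >= f.InvalidThreshold }

// EndWindow starts a new counting window, which clears the alarm.
func (f *Firewall) EndWindow() { f.InvalidCount = 0; f.updateInvalidAlarm() }

func ip(s string) netip.Addr { return netip.MustParseAddr(s) }

// NewDemoFirewall builds the constructed topology described in the lead-in.
func NewDemoFirewall() *Firewall {
	f := &Firewall{
		Local:            map[netip.Addr]bool{ip("10.0.0.1"): true},
		Broadcast:        []netip.Addr{ip("10.0.0.0"), ip("10.0.0.255")},
		Guards:           []ICMPGuard{{netip.MustParsePrefix("192.0.2.0/24"), 8}},
		InvalidThreshold: 3,
	}
	f.Learn(Packet{Src: ip("10.0.0.20"), Dst: ip("10.0.0.1"), Port: 2152, Proto: "udp", DSCP: 46})
	return f
}

func main() {
	f := NewDemoFirewall()
	fmt.Println(f.Filter(Packet{Src: ip("10.0.0.20"), Dst: ip("10.0.0.1"), Port: 2152, Proto: "udp", DSCP: 46}, true))
	fmt.Println(f.Filter(Packet{Src: ip("192.0.2.7"), Dst: ip("10.0.0.1"), Proto: "icmp", ICMPType: 8}, true))
	fmt.Println(f.Filter(Packet{Src: ip("10.0.0.20"), Dst: ip("10.0.0.255"), Proto: "icmp", ICMPType: 8}, true))
}
```

The order of the checks is a design choice for the model: the Smurf and ICMP guard checks run before the "local board" exception so that a guarded source cannot reach a board address, and the ACL whitelist is consulted last. Note that the alarm clears only when the count drops below the threshold at the start of a new window, which is the raise/clear behaviour the slide describes for both the broadcast and the invalid-packet counters.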





Software Integrity Protection

Background and benefits


If security risks exist during the release of a software package, the
software package may be tampered with or embedded with a Trojan or
backdoor.
The original CRC protection function is weak and in many cases cannot
detect that a software package has been tampered with.

Technical features
RAN13 protects software integrity by using digital signatures and
can effectively detect whether a software package has been tampered with.
You can choose whether to enable the digital signature function.



Software Integrity Protection
Technical principles
Secure hash algorithm (SHA): SHA is used as the digital signature
standard and can generate a message digest for data of any length (smaller
than 2^64 bits) by calculation.
Digital signature based on the public key mechanism:
[Figure: sender and receiver flow, summarized here.]
Sender: calculate the message digest of the software; encrypt the digest using the private key to obtain the digital signature; send the software together with the digital signature.
Receiver: decrypt the digital signature using the public key to recover the sender's message digest; calculate the message digest of the received software; compare the two digests.



Software Integrity Protection
Specific implementation (see the figure, summarized here):
The SHA verification code mechanism is added. Then a digital signature is made for the file that stores the CRC and SHA verification codes. In addition, a digital signature based on the public key mechanism is made for the software package of a product, and the digital signature is released with the software package. In this way, when the software package is activated, its source and integrity can be checked, which ensures the reliability of the whole software package.
[Figure: three phases]
Signature-making phase: software components 1 to n -> file of CRC and SHA verification codes -> digital signature A (made by the signature tool with the private key) -> product software package -> digital signature B -> software version package.
Software release phase: R&D personnel release the software version package containing the digital signatures on the software release platform; field personnel download the package.
Software upgrade phase: the signature verification module (holding the public key) in the EMS, USB, and upgrade tool checks the package, which is then issued to the NEs; each NE's signature verification module checks it again with the public key.



Software Integrity Protection (Enhanced in RAN14)

The software integrity is checked when the BSC software is started.

From a security perspective, after the OMU is installed, the BSC software may still be
tampered with maliciously by external users or by unauthorized internal users. One purpose of this
function is to check the software for integrity when boards are started.
The BSC also checks software integrity regularly: BIN files are checked for integrity every day.
Remarks:
This function is supported by default and is not controlled by a switch.
A security alarm is generated when the integrity check fails. One alarm is reported for each
corrupted file.
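The signature flow from the technical-principles slide (digest of the verification-code file, signed with the private key, checked with the public key) together with the RAN14 daily check that raises one alarm per corrupted file, as one added Go example written for this page. It is not the signature tool's or the NE's code: the three-component package, the manifest line format, the use of RSA PKCS#1 v1.5 over a SHA-256 digest, and the alarm text are all constructed assumptions standing in for whatever the product actually uses. The split between the signature check (source) and the recomputed codes (integrity) follows the slide; CRC32 is carried in the manifest only to show the "CRC and SHA" pair, and it is the SHA-256 value that the check relies on.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"hash/crc32"
	"sort"
	"strings"
)

// Component is one file of the software package (constructed sample data).
type Component struct {
	Name string
	Data []byte
}

// SamplePackage is a constructed package standing in for "software components 1..n".
func SamplePackage() []Component {
	return []Component{
		{"omu.bin", []byte("OMU board image v1")},
		{"spu.bin", []byte("SPU board image v1")},
		{"config.xml", []byte("<cfg ver=\"1\"/>")},
	}
}

// codes returns the CRC32 and SHA-256 verification codes of one file.
func codes(data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("crc32=%08x sha256=%s", crc32.ChecksumIEEE(data), hex.EncodeToString(sum[:]))
}

// Manifest is the file that "stores CRC and SHA verification codes": one line
// per component, sorted by name so that its bytes are reproducible.
func Manifest(pkg []Component) []byte {
	sorted := append([]Component(nil), pkg...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, c := range sorted {
		fmt.Fprintf(&b, "%s %s\n", c.Name, codes(c.Data))
	}
	return []byte(b.String())
}

// NewReleaseKey generates the signature tool's private key; its public half is
// what the EMS, the upgrade tool and the NEs hold.
func NewReleaseKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is the signature-making phase: digest the manifest and sign the digest
// with the private key.
func Sign(priv *rsa.PrivateKey, pkg []Component) (manifest, sig []byte, err error) {
	manifest = Manifest(pkg)
	digest := sha256.Sum256(manifest)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return manifest, sig, err
}

// Verify is the activation-time check: the signature proves the manifest's
// source, and recomputing the codes proves the package's integrity.
func Verify(pub *rsa.PublicKey, pkg []Component, manifest, sig []byte) error {
	digest := sha256.Sum256(manifest)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("source check failed: manifest was not signed by the release key")
	}
	if !bytes.Equal(Manifest(pkg), manifest) {
		return errors.New("integrity check failed: component codes differ from the signed manifest")
	}
	return nil
}

// RegularCheck models the daily BIN-file check: each file is compared with the
// already verified manifest and one alarm is raised per corrupted file.
func RegularCheck(manifest []byte, pkg []Component) []string {
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		name, rest, _ := strings.Cut(line, " ")
		expected[name] = rest
	}
	var alarms []string
	for _, c := range pkg {
		if expected[c.Name] != codes(c.Data) {
			alarms = append(alarms, "ALM: software integrity check failed for "+c.Name)
		}
	}
	return alarms
}

func main() {
	priv, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	pkg := SamplePackage()
	manifest, sig, err := Sign(priv, pkg)
	if err != nil {
		panic(err)
	}
	fmt.Println("released package:", Verify(&priv.PublicKey, pkg, manifest, sig))
	pkg[1].Data = []byte("SPU board image v1 (modified on the OMU)") // a file changed after installation
	fmt.Println("modified package:", Verify(&priv.PublicKey, pkg, manifest, sig))
	fmt.Println(RegularCheck(manifest, pkg))
}
```

Two failure modes are worth noting: a package whose file was changed fails the integrity comparison even though the manifest's signature is still valid, and a manifest regenerated to match the changed file fails the signature check because the release key never signed it. This is why the CRC-only scheme the earlier slide calls weak is insufficient: without the signature, a regenerated code file would be accepted.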





USB Flash Drive Encryption
Background: Under the protection of tools, data files are copied to a USB flash drive and sent to the BSC.
A USB flash drive may be used to store sensitive data.
The data in a USB flash drive is transmitted in plaintext without any security protection measures.
Solution:
Encrypt data in a USB flash drive to protect the data integrity.
USB data integrity protection is similar to software integrity protection. Data files are encrypted and signed before they are copied to a USB flash drive, and are verified on the BSC.
[Figure: file protection tool flow, summarized here. The input files (software package, configuration data, other files, export files) pass through the file encryption/decryption and integrity check module of the file protection tool, which applies the security policy information, and are written to the USB flash drive. On the NE, the BSC checks the data in the USB flash drive and decrypts it based on the security policy information.]
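The tool-side protection and the BSC-side check from the slide above, as an added Go example written for this page; it is not the file protection tool's code. The container format, the shared 256-bit key (assumed to be provisioned to both the tool and the BSC by a step the slide does not detail), and the policy string are constructed assumptions. One deliberate simplification: the slide says files are "encrypted and signed", whereas this example uses AES-256-GCM, whose authentication tag covers both the ciphertext and the security policy information passed as associated data, so the integrity check and the decryption are one step and no separate signature is shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Protected is the container written to the USB flash drive for one file
// (a constructed format, not the product's own).
type Protected struct {
	Name   string
	Policy string // security policy information: readable, but authenticated
	Nonce  []byte
	Sealed []byte // AES-GCM ciphertext followed by the 16-byte tag
}

// NewUSBKey returns a fresh 256-bit key shared by the tool and the BSC (assumed).
func NewUSBKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// aad binds the file name and the policy information to the ciphertext, so a
// container whose name or policy was altered on the drive is rejected.
func aad(name, policy string) []byte { return []byte(name + "\x00" + policy) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectFile is the tool side: encrypt the file and authenticate it together
// with its policy information before it is copied to the USB flash drive.
func ProtectFile(key []byte, name, policy string, plain []byte) (*Protected, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh nonce per file; never reused with this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Protected{Name: name, Policy: policy, Nonce: nonce,
		Sealed: gcm.Seal(nil, nonce, plain, aad(name, policy))}, nil
}

// OpenFile is the BSC side: the integrity check and the decryption are one
// step, and any change to the ciphertext, nonce, name or policy fails it.
func OpenFile(key []byte, p *Protected) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, p.Nonce, p.Sealed, aad(p.Name, p.Policy))
	if err != nil {
		return nil, errors.New("USB file rejected: integrity check failed for " + p.Name)
	}
	return plain, nil
}

func main() {
	key, err := NewUSBKey()
	if err != nil {
		panic(err)
	}
	p, err := ProtectFile(key, "config.dat", "policy=cfg-import;target=BSC", []byte("constructed configuration data"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenFile(key, p)
	fmt.Printf("%q %v\n", plain, err)
	p.Sealed[0] ^= 0x01 // a single corrupted bit on the drive
	_, err = OpenFile(key, p)
	fmt.Println(err)
}
```

Because the policy string is authenticated rather than encrypted, the BSC can read it before decryption (as the slide's "decrypts the data based on the security policy information" implies) while still detecting any change to it.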





OS Security
[Figure: the Linux security solution in four areas (1. Security design, 2. Security implementation, 3. Security test, 4. Life cycle); the diagram is not recoverable. The items it lists are: Linux minimum security solution; Linux security configuration guide specifications; Linux firewall configuration guide specifications; SetSuSe reinforcement tool; Linux integrity protection solution; Linux security standard library; Linux system anti-virus solution; Linux security check tool; Linux patch management solution; Linux system service description; Huawei Linux security solution.]

Dopra Linux is a minimum system customized based on the SUSE kernel. It performs
excellently in attack defense tests.
Dopra Linux is a thoroughly tailored SUSE system and does not support antivirus
software. As a result, customers are doubtful about the system.
To remove customers' doubts, a Dopra system that is immune to viruses must be developed.
The MBSC, based on the iptables of Dopra Linux, supports ACL blacklist and whitelist
configuration.





Enhanced Operation Log 1: Enhanced Domain User Log

The logs about operations of domain users on the BSC must record real user
names and IP addresses.
At present, when an M2000 user performs a BSC operation on the M2000 client, the BSC cannot
distinguish the NM user and the IP address of the client. The BSC records the EMSCOMM user as
the operator and the IP address of the M2000 server as the IP address of the client. EMSCOMM is
a virtual user name and represents the M2000 server. As a result, you cannot determine or trace
which M2000 users perform BSC operations by querying logs of the BSC. The user experience is
poor.



Enhanced Operation Log 1: Enhanced Domain User Log (Scope)
This feature involves the following commands:

MML or binary commands sent to the BSC through the M2000 client

MML or binary commands sent over third-party interfaces (such as northbound interface,
Nastar, NIC, and NodeB Proxy) provided by the M2000 to the BSC

This feature does not involve the following commands:

Machine-machine interface commands sent by the M2000 server and the NetEco to the BSC



Enhanced Operation Log 2: Enhanced Trace Log

Trace logs must record detailed information about users.


Tracing of operation logs is supported in versions earlier than RAN14.0. However, except for the UE
tracing column, where user information is recorded, the tracing information in the other columns is
empty. The new tracing function supports recording of key user information in the other trace logs.
The added information is recorded in Operation.



Enhanced Security Log
The security log mechanism (including log generation, reporting, storage, and audit) was already
available in earlier versions of the system. In RAN14.0, the mechanism is optimized based on customer
requirements: it complies with the radio security log baseline, adds security log scenarios, and
records security logs in more detail.
At present, the BSC can generate logs for the following operations:
Security event type | Security event | Event level | Default audit policy | Event source | MBSC analysis result (event status)
Events related to account-based login | A domain user logs in to the BSC. | Major | Audit success or failure | EMS | Recorded
Events related to account-based login | A domain user logs out of the BSC. | Major | Audit success or failure | EMS | Recorded
Events related to account-based login | A local user logs in to the BSC. | Major | Audit success or failure | LMT | Recorded
Events related to account-based login | A local user logs out of the BSC. | Major | Audit success or failure | LMT | Recorded
Events related to account-based login | The account used by a local user to log in to the BSC is locked after the number of login attempts exceeds the limit. | Critical | Audit success or failure | LMT | Recorded
Events related to account-based login | The account used by a local user to log in to the BSC is automatically locked after the idle duration reaches the locking duration. | Minor | Audit success or failure | LMT | Recorded
Events related to account-based login | A local account used to log in to the BSC is unlocked manually. | Minor | Audit success or failure | LMT | Recorded
Events related to account management | A domain user or a local user who has logged in to the BSC is forced to log out. | Major | Audit success or failure | EMS/LMT | Recorded
Events related to account management | A local BSC user is added, deleted, or modified. | Minor | Audit success or failure | LMT | Recorded
Events related to account management | The group local users belong to is changed. | Minor | Audit success or failure | LMT | Recorded
Events related to account management | The commands in the command group are adjusted. | Major | Audit success or failure | LMT | Enhanced
Events related to account management | The rights of local BSC users are changed. | Major | Audit success or failure | LMT | Recorded
Events related to account management | A local BSC user changes his/her password. | Minor | Audit success or failure | LMT | Recorded
Events related to account management | A local BSC user changes the password of another user. | Major | Audit success or failure | LMT | Recorded
Events related to account management | The account or password policy is modified. | Major | Audit success or failure | LMT | Recorded



Security Status Audit (Content)
The following information about the BSC is collected through the NIC so that the audit
tool can analyze and display the results of the security status audit:
Product OS name and version
List of installed software
Hash value set of important files
Disk space usage
Authentication configuration of applications and services
Account status of applications and services
Authorization information of important operations
Password policy configuration of applications and services
Security alarm configuration
Whether the serial port input of the host board is disabled
TCP/IP security alarm threshold setting
ICMP security alarm threshold setting
Whether digital signature is enabled
Whether the tracing function is enabled, and the authorization information
Data related to digital certificates
Local license data
Service set configuration and operation data

Note: An independent guide to the audit tool is provided at //support.huawei.com/support.



Security Status Audit (Tool Deployment)
[Figure: deployment of the SAT server, the NIC server, the M2000 (with its collection script), and the MBSCs; the diagram is not recoverable.]

The network information collector (NIC) server on the operator's network can collect
security data from all NEs. The NIC server can also be embedded on the M2000 server.
The shell script in the M2000 is used to collect security data of the M2000.
The SAT server imports security data files and exports security analysis reports.





Password Policy (Enhanced)
Password security can be checked based on the weak password dictionary.

When this function is enabled, the password entered by a user cannot be the
same as any password in the weak password dictionary.

To enable weak password check, run the SET PWDPOLICY command.

DICTCHKSW (switch for controlling the weak password dictionary check): 0: OFF; 1: ON

To query whether weak password check is enabled, run the LST PWDPOLICY
command.

Note:

At present, the weak password dictionary cannot be modified.



FTP Server Port Customization (Configured on
the M2000)
Feature introduction
The customer requires that the port providing the FTP service not always be port 21. In this
case, the BSC must:
- Allow the FTP server to set and listen on ports other than port 21.
- As an FTP client, set different destination ports based on different server addresses, and set the
destination port for clients using the wildcard address (0.0.0.0).

Related configuration
To set and query the FTPS server, run the SET FTPSSRV and LST FTPSSRV commands.
To add, modify, and query the destination port of an FTP client, run the ADD
FTPSCLTDPORT, MOD FTPSCLTDPORT, and LST FTPSCLTDPORT commands.



Enhanced File Access Rights Control

Implemented before RAN14.0:
For the file manager on the web LMT, the download, upload, and deletion functions provided by the
file manager are available for an administrator; whereas only the download function is available for
a common user. When an M2000 domain user logs in to the web LMT, the user is considered a
common user.
For a user who logs in to the OMU over FTP, the download, upload, and deletion functions
provided by the file manager are available for an administrator; whereas only the download function
is available for a common user. M2000 domain users do not have any right.

Enhanced after RAN14.0:


In terms of implementation, the file manager is consistent with the FTP right: By default, a local
user is an administrator, and the download, upload, and deletion functions provided by the file
manager are available for the local user; whereas only the download function is available for a
common user. Users can be customized as required. M2000 domain users can be customized as
required.
In addition, the security logs of the file manager, recording user operations, are added. For FTP,
security logs are not generated due to use of numerous machine-machine interfaces.



Configurable HTTPS Login Policy on the Web LMT (Enhanced)

Support the login policies over HTTPS: forced HTTPS login, login over HTTPS only, and compatible mode. In different policies, the behaviors on the LMT are as follows:

Implemented before RAN14.0:
A login policy is modified in the configuration file of the web server. The new login policy takes effect
after the web server is restarted.
Enhanced after RAN14.0:
To set the login policy on the web LMT, run the SET WEBLOGINPOLICY command.

Scenario | Manual input | Login page | System access | Scenario description
Scenario 1 | http | https | https | Forced HTTPS login
Scenario 2 | https | https | https | Forced HTTPS login
Scenario 3 | http | https | http | Login over HTTP only
Scenario 4 | https | https | http | Login over HTTP only
Scenario 5 | http | http | http | Compatible mode
Scenario 6 | https | https | https | Compatible mode
(The "Manual input", "Login page" and "System access" columns are the jump scenario: the scheme typed by the user, the scheme of the login page, and the scheme used for system access.)

Note: If RAN13.0 has set the login policy in a file, you must set the login policy again in RAN14.0,
which is described in the upgrade guide.



Enhanced HTTPS Transmission


Implemented before RAN14.0:

Support manual replacement of digital certificates on the server.

Certain weak algorithm controllers are not available in SSL but available on the web LMT.

Enhanced after RAN14.0:

The web server uses the certificates delivered with controllers. (The SET CERTFILE
command can be run to replace a certificate.)

The web LMT and SSL use the same weak algorithm controllers.



Thank you
www.huawei.com
