Alcatel-Lucent 9959
Network Performance Optimizer | M5
Security Guide
9YZ-04669-0202-USZZA
Issue 3 | July 2012

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

Legal notice

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective
owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright 2012 Alcatel-Lucent. All rights reserved.
Contains proprietary/trade secret information which is the property of Alcatel-Lucent and must not be made available to, or copied or used by anyone outside
Alcatel-Lucent without its written authorization.
Not to be used or disclosed except in accordance with applicable agreements.

Contents

About this document
  Purpose ............................................................ v
  Reason for reissue ................................................. v
  Document pertinence ................................................ v
  Audience ........................................................... v
  Assumed knowledge .................................................. vi
  Product names ...................................................... vi
  Prerequisites ...................................................... vi
  Technical support .................................................. vi
  How to order ....................................................... vi
  How to comment ..................................................... vi

1 Overview
  Overview ........................................................... 1-1
  Introduction ....................................................... 1-1
  Common industry best practices ..................................... 1-2

2 NPO specific needs related to security compliance
  Overview ........................................................... 2-1
  NPO required port list ............................................. 2-1
  Services closed on NPO ............................................. 2-8

3 Assure and assess security on NPO products
  Overview ........................................................... 3-1
  OS hardening integration ........................................... 3-1
  IP filtering integration ........................................... 3-4
  Auditing ........................................................... 3-7
  Tools used for security scanning on NPO ............................ 3-9

4 Classes, event names, actions
  Overview ........................................................... 4-1
  Audit log level for Solaris ........................................ 4-1
  Audit log level for Linux .......................................... 4-4

Alcatel-Lucent 9959 NPO
Alcatel-Lucent Proprietary
9YZ-04669-0202-USZZA M5
Use pursuant to applicable agreements
Issue 3 July 2012

About this document

Purpose

The purpose of this document is to list the ports used between NPO servers on one side
and external applications (mainly PC clients) on the other side, and describe the NPO
product security assessment.
Reason for reissue

Refer to the following editions for a list of technical and editorial updates to the
current guide.

In Edition 03
Official release of document for Release M5.1 ML.

In Edition 02
NPO required port table updated, NPO port differences between M5 and M4 updated and
NPO Aux required port table added.

In Edition 01
First official release of document for Release M5.


Document pertinence

This document applies to the NPO M5.0 projects.


Audience

This document is intended for:
Field service technicians
Project managers
Site administrators
System support engineers (specialists)
Occasional users (e.g. subcontractors).


Assumed knowledge

You must have a basic understanding of the:
Alcatel-Lucent operations and maintenance concepts for the BSS and RNS
NPO operations
Installation tools and materials
IP and IP networks
UNIX commands
RMAN, used to put the backup/restore mechanism in place.

Product names

This document uses the following NPO naming convention: 9959 NPO and the generic
term NPO refer to the Alcatel-Lucent 9959 Network Performance Optimizer.
Prerequisites

None.
Technical support

For technical support, contact your local Alcatel-Lucent customer support team. See the
Alcatel-Lucent Support web site (http://www.alcatel-lucent.com/support/) for contact
information.
How to order

To order Alcatel-Lucent documents, contact your local sales representative or use Online
Customer Support (OLCS) (http://support.alcatel-lucent.com)
How to comment

To comment on this document, go to the Online Comment Form
(http://infodoc.alcatel-lucent.com/comments/) or e-mail your comments to the Comments
Hotline (comments@alcatel-lucent.com).


1 Overview

Overview

Purpose

This Overview gives information needed by project managers and foremen, for
presentation to the customer and for site planning.

Contents

Introduction                                         1-1
Common industry best practices                       1-2

Introduction

Overview

This document presents the security of the NPO platform when it runs on Solaris or Red
Hat Linux. Its scope is to describe the expected security level of the NPO product.

There are a number of reasons for security testing products, including:

Improving the overall quality of the product and solution
Protecting Alcatel-Lucent customers from critical field-impacting issues
Strengthening the Alcatel-Lucent image in the IP security area, since the results are
shared with customers
Providing a vehicle to validate industry security standards and to ensure new
contributions
Supporting responses to the security section of RFPs
Providing an understanding of security strengths and gaps.

At the same time, this document provides guidelines on security feature customization
on the NPO. It also supports external use when configuring firewalls.


Common industry best practices


Overview

As a best practice, appropriate security mechanisms must be integrated into all phases of
the product development lifecycle in order to mitigate security breaches. The risks must
be understood, and product development itself must minimize the introduction of security
vulnerabilities.

OS platform hardening mainly consists of removing all unused components and disabling
any service or feature that the product running on that OS platform does not require.
CIS benchmarks and other product security requirements should be followed for OS
hardening.

Backdoors are methods that enable an attacker to bypass normal authentication or to
obtain remote access to the system while remaining hidden from casual inspection. A
backdoor may take the form of an installed program or of a modification to a legitimate
program or application.


2 NPO specific needs related to security compliance

Overview

Purpose

This section provides an overview of NPO specific needs related to security compliance.

Contents

NPO required port list                               2-1
Services closed on NPO                               2-8

NPO required port list

NPO Main Server

The following table provides an overview of NPO Main server communication.

Protocol    | Secured | Network connections      | TCP/UDP | Port range    | Note
------------|---------|--------------------------|---------|---------------|------------------------
SUN-RPC     | No      | Aux => Main              | TCP     | 111           | portmapper
SUN-RPC     | No      | Aux => Main              | UDP     | 111           | portmapper
SSH         | Yes     | Aux => Main              | TCP     | 22            | SSH
NTP         | No      | Main => NTP              | UDP     | 123           | NTP 1)
HTTPS       | Yes     | PC => Main               | TCP     | 443           | CSA
JRMP/SSL    | Yes     | PC => Main               | TCP     | 1098          | CSA
JRMP/SSL    | Yes     | PC => Main               | TCP     | 1099          | CSA
CORBA/IIOP  | No      | PC => Main, Aux => Main  | TCP     | 5000          | Naming Service
CORBA/IIOP  | No      | PC => Main, Aux => Main  | TCP     | 5100          | Notification Service
HTTPS       | Yes     | PC => Main               | TCP     | 5400          | BlazeDS
HTTPS       | Yes     | PC => Main               | TCP     | 7979          | Customer Documentation
JCA/SSL     | Yes     | PC => Main               | TCP     | 8093          | CSA
HTTPS       | Yes     | PC => Main               | TCP     | 8191          | HTTPD
HTTPS       | Yes     | PC => Main               | TCP     | 8443          | HTTPD
HTTPS       | Yes     | PC => Main               | TCP     | 9444          | CSA
JRMP/SSL    | Yes     | PC => Main               | TCP     | 14445         | CSA
CORBA/IIOP  | No      | PC => Main, Aux => Main  | TCP     | 32000-32700   | NPO
CORBA/IIOP  | No      | PC => Main, Aux => Main  | TCP     | 34000-34700   | NPO
AJP/SSL     | Yes     | PC => Main               | TCP     | 9009          | CSA
JRMP/SSL    | Yes     | PC => Main               | TCP     | 15500         | CSA
JRMP        | No      | Aux => Main              | TCP     | 55555         | PCMD
TNS         | No      | Aux => Main              | TCP     | 1521          | Oracle Listener 2)
            |         | Local 3)                 | TCP     | 390           | LDAP
            |         | Local 3)                 | TCP     | 636           | LDAP/SSL
            |         | Local 3)                 | TCP     | 2016          | Oracle oraagent
            |         | Local 3)                 | TCP     | 5300          | PMON IIOP
            |         | Local 3)                 | TCP     | 5310          | PMON HSQLDB
            |         | Local 3)                 | TCP     | 6010          | X11
            |         | Local 3)                 | TCP     | 8006          | Tomcat PMON
            |         | Local 3)                 | TCP     | 8010          | Tomcat PMON
            |         | Local 3)                 | TCP     | 8444          | Tomcat PMON
            |         | Local 3)                 | TCP     | 8005          | Tomcat MUSE
            |         | Local 3)                 | TCP     | 8012          | Tomcat MUSE
            |         | Local 3)                 | TCP     | 8445          | Tomcat MUSE
            |         | Local 3)                 | TCP     | 3873          | NGSEC
            |         | Local 3)                 | TCP     | 4444-4446     | NGSEC
            |         | Local 3)                 | TCP     | 8009          | NGSEC
            |         | Local 3)                 | TCP     | 8083          | NGSEC
            |         | Local 3)                 | TCP     | 9443          | NGSEC
            |         | Local 3)                 | TCP     | Dynamic ports |

Note: 1) The NPO only acts as an NTP client.
      2) The Oracle Listener is configured to accept only connections from NPO Main or Aux
         servers.
      3) Ports indicated as Local cannot be accessed from outside the server (local
         firewalling).

This is the default list of open ports on the NPO Main server. If the customer has
specific applications or additional third-party (3PP) software installed on top of the
NPO software, the system administrator may need to open additional ports. This is done
using IP filtering; see IP filtering integration (p. 3-4) for more information.
A relevant example of this case is the use of 3PP centralized backup management
solutions. Refer to the specific 3PP documentation for its port requirements.
Information concerning the ports needed between the different instances of a cluster is
out of the scope of this document.
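The table above is the allowlist that a firewall review or a port audit is checked against. The following script is an added example, not part of this guide or of the NPO software: it transcribes the externally reachable rows of the Main server table into a shell variable and compares them with a socket listing, reporting every non-loopback listener the table does not cover. The input format ("proto address:port", one socket per line) and the sample listing embedded at the end are this example's own constructions, not output captured from an NPO server.

```shell
#!/bin/sh
# Added example (not part of the NPO guide): compare the sockets actually
# listening on an NPO Main server with the externally reachable ports
# documented in the Main server table, and report anything that does not match.
#
# Socket list format, one socket per line: "proto address:port", which is what
# the protocol and local-address columns of `ss -ltnuH` (Linux) or
# `netstat -an -f inet` (Solaris) give after trimming the other columns.

# Externally reachable ports transcribed from the Main server table, as
# "proto port" or "proto low-high". Rows marked Local are deliberately left
# out: they must not be reachable from outside, so a non-loopback socket on one
# of them is a finding to reconcile against the local firewall rules.
NPO_MAIN_EXPECTED='
tcp 22
tcp 111
udp 111
tcp 443
tcp 1098
tcp 1099
tcp 1521
tcp 5000
tcp 5100
tcp 5400
tcp 7979
tcp 8093
tcp 8191
tcp 8443
tcp 9009
tcp 9444
tcp 14445
tcp 15500
tcp 32000-32700
tcp 34000-34700
tcp 55555
'

# unexpected_listeners FILE
# Prints one "UNEXPECTED proto address:port" line per non-loopback listener in
# FILE that NPO_MAIN_EXPECTED does not cover. Loopback-bound sockets are skipped.
unexpected_listeners() {
    printf '%s\n' "$NPO_MAIN_EXPECTED" | awk '
        # First input (stdin): the expected list, kept as parallel arrays
        NR == FNR { if (NF == 2) { n++; proto[n] = $1; spec[n] = $2 }; next }
        # Second input (FILE): observed listeners
        NF == 2 {
            addr = $2; sub(/:[0-9]+$/, "", addr)
            port = $2; sub(/.*:/, "", port); port += 0
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") next
            ok = 0
            for (i = 1; i <= n; i++) {
                if (proto[i] != $1) continue
                if (index(spec[i], "-") > 0) {
                    split(spec[i], r, "-")
                    if (port >= r[1] + 0 && port <= r[2] + 0) ok = 1
                } else if (port == spec[i] + 0) {
                    ok = 1
                }
            }
            if (!ok) print "UNEXPECTED", $1, $2
        }' - "$1"
}

# Constructed sample, not captured from a real server: a mostly conforming
# Main server with one Local-only Tomcat port exposed on all interfaces and a
# telnet listener that should not exist at all.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
tcp 0.0.0.0:22
tcp 0.0.0.0:111
udp 0.0.0.0:111
tcp 0.0.0.0:443
tcp 0.0.0.0:1521
tcp 0.0.0.0:32100
tcp 127.0.0.1:8444
tcp 0.0.0.0:8006
tcp 0.0.0.0:23
EOF

unexpected_listeners "$SAMPLE"
```

A hit on a Local row, such as 8006 bound to 0.0.0.0 in the sample, is not by itself a violation: the guide closes those ports with local firewalling rather than by binding them to loopback, so the script's output is the list of ports whose filter rule you then verify. The telnet listener on 23 has no such excuse, since the Telnet server is on the list of closed services.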
The following table shows only the ports that differ between M5 and M4.

Service name    | Service used by   | Domain (communication from)    | Protocol | M5 port used              | M4 port used | Additional considerations
----------------|-------------------|--------------------------------|----------|---------------------------|--------------|---------------------------------------
HTTPS           | Secure Webserver  | Local                          | TCP      | 7001                      |              | Port 7001 used by NPO for html properties
NAV             | NavServer         | Local                          | TCP      | 3399-3499                 |              |
IIOP            | CORBA AD/MAAT     | Auxiliary, OMC Client, Other   | TCP      | 32000-32700; 34000-34700  | 32000-36000  |
CSA             | Security          |                                | TCP      | 9080                      |              | Client to server
                |                   |                                | TCP      | 15500-15600               | 15500        | Server to client
SUN-RPC         | portmapper        |                                | TCP      | 111                       |              |
SUN-RPC         | portmapper        |                                | UDP      | 111                       |              |
NTP             | NPO               |                                | UDP      | 123                       |              | NPO only acts as an NTP client
HTTPS           | CSA application   |                                | TCP      | 443                       |              |
JRMP            | PCMD application  |                                | TCP      | 55555                     |              |
TNS             | Oracle Listener   |                                | TCP      | 1521                      |              | Oracle listener is configured to accept only connections from NPO Main or Aux servers
LDAP/SSL        |                   | Local 1)                       | TCP      | 636                       |              |
Oracle oraagent |                   | Local 1)                       | TCP      | 2016                      |              |
X11             |                   | Local 1)                       | TCP      | 6010                      |              |
Tomcat PMON     |                   | Local 1)                       | TCP      | 8444                      |              |
Tomcat MUSE     |                   | Local 1)                       | TCP      | 8005                      |              |
Tomcat MUSE     |                   | Local 1)                       | TCP      | 8012                      |              |
Tomcat MUSE     |                   | Local 1)                       | TCP      | 8445                      |              |
NGSEC           |                   | Local 1)                       | TCP      | 3873                      |              |
NGSEC           |                   | Local 1)                       | TCP      | 4444-4446                 |              |
NGSEC           |                   | Local 1)                       | TCP      | 8009                      |              |
NGSEC           |                   | Local 1)                       | TCP      | 8083                      |              |
NGSEC           |                   | Local 1)                       | TCP      | 9443                      |              |
                |                   | Local 1)                       | TCP      | Dynamic ports             |              |

Note: 1) Ports indicated as Local cannot be accessed from outside the server.
Linux NPO Aux server

The following table provides an overview of NPO Aux communication. The same
configuration applies to all kinds of Aux servers (QOS/GL2, PCMD and WCT).

Protocol    | Secured | Network connections      | TCP/UDP | Port range    | Note
------------|---------|--------------------------|---------|---------------|--------------------
SUN-RPC     | No      | Main => Aux              | TCP     | 111           | portmapper
SUN-RPC     | No      | Main => Aux              | UDP     | 111           | portmapper
SSH         | Yes     | Main => Aux              | TCP     | 22            | SSH
NTP         | No      | Aux => NTP, Aux => Main  | UDP     | 123           | NTP 1)
CORBA/IIOP  | No      | Main => Aux              | TCP     | 5000          | Naming service
CORBA/IIOP  | No      | Main => Aux              | TCP     | 5300          | Process monitoring
CORBA/IIOP  | No      | Main => Aux              | TCP     | 32000-32700   | NPO
CORBA/IIOP  | No      | Main => Aux              | TCP     | 34000-34700   | NPO
            |         | Local 2)                 | TCP     | 390           | LDAP
            |         | Local 2)                 | TCP     | 443           | CSA
            |         | Local 2)                 | TCP     | 636           | CSA LDAP/SSL
            |         | Local 2)                 | TCP     | 5310          | PMON HSQLDB
            |         | Local 2)                 | TCP     | 6010          | X11
            |         | Local 2)                 | TCP     | 8006          | Tomcat PMON
            |         | Local 2)                 | TCP     | 8010          | Tomcat PMON
            |         | Local 2)                 | TCP     | 8444          | Tomcat PMON
            |         | Local 2)                 | TCP     | 8443          | HTTPD
            |         | Local 2)                 | TCP     | 8191          | HTTPD
            |         | Local 2)                 | TCP     | Dynamic ports |

Note: 1) The NPO only acts as an NTP client.
      2) Ports indicated as Local cannot be accessed from outside the server (local
         firewalling).
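The Local rows of the Aux table are closed by local firewalling, while the Main => Aux rows should only ever be reached from the Main server. The script below is an added example, not the NPO IP filtering mechanism (that is described under IP filtering integration, p. 3-4): it turns the Aux table into a default-deny iptables rule set and prints the commands for review instead of applying them. The choice of iptables as packet filter, the MAIN_IP placeholder address and the NPO-AUX-LOCAL log prefix are assumptions of this example, not settings taken from the guide.

```shell
#!/bin/sh
# Added example (not the NPO IP filtering mechanism from the guide): derive a
# host firewall rule set for a Linux NPO Aux server from the Aux port table and
# print the iptables commands, so that they can be reviewed before being run
# as root. Assumed, not stated in the guide: iptables is the packet filter and
# MAIN_IP is the Main server address (placeholder from the documentation range,
# replace it with the real one).
MAIN_IP=${MAIN_IP:-192.0.2.10}

# One source line per table row: "proto port[:port] scope", where scope is
#   main   = accepted only from the Main server (the Main => Aux rows)
#   local  = loopback only (the rows marked Local 2)); anything else is logged and dropped
AUX_PORTS='
tcp 111 main
udp 111 main
tcp 22 main
tcp 5000 main
tcp 5300 main
tcp 32000:32700 main
tcp 34000:34700 main
tcp 390 local
tcp 443 local
tcp 636 local
tcp 5310 local
tcp 6010 local
tcp 8006 local
tcp 8010 local
tcp 8444 local
tcp 8443 local
tcp 8191 local
'

# aux_filter_rules: print the iptables commands on stdout, nothing is applied
aux_filter_rules() {
    # Default deny on input. Loopback traffic and replies to connections the Aux
    # opened itself (NTP to its time source, CORBA back to Main) are allowed, so
    # the outbound-only NTP row needs no inbound rule of its own.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$AUX_PORTS" | while read -r proto port scope; do
        [ -n "$proto" ] || continue
        case $scope in
            main)
                echo "iptables -A INPUT -p $proto -s $MAIN_IP --dport $port -j ACCEPT"
                ;;
            local)
                # Explicit logged drop, so that probes against Local-only services
                # appear in the audit trail instead of vanishing into the policy.
                echo "iptables -A INPUT -p $proto ! -i lo --dport $port -j LOG --log-prefix 'NPO-AUX-LOCAL '"
                echo "iptables -A INPUT -p $proto ! -i lo --dport $port -j DROP"
                ;;
        esac
    done
    # The dynamic ports marked Local in the table cannot be listed statically;
    # they fall under the INPUT policy, which drops them unless the peer is lo.
}

aux_filter_rules
```

Pipe the output through a review before running it, and keep the ESTABLISHED,RELATED rule in front of the port rules: without it the Aux server's own outbound CORBA and NTP traffic would get no replies once the policy is DROP.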

NPO client PC

The following table provides an overview of NPO client PC incoming connections. These
are connections the Main server opens towards the client PC, so a firewall on the PC, or
between the PC and the Main server, must allow them in addition to the PC => Main ports
listed for the Main server.

Protocol    | Secured | Network connections | TCP/UDP | Port range    | Note
------------|---------|---------------------|---------|---------------|----------------------
RMI         | Yes     | Main => PC          | TCP     | 15500-15600   | CSA callbacks
CORBA/IIOP  | No      | Main => PC          | TCP     | 32000-36000   | CORBA NPO components
            |         | Local               | TCP     | 3399-3499     | NAV

Connections to other systems

Connection to Network Elements (incoming connection for MME):

The NPO connects only to MME network elements (there is no direct connection to other
equipment). All connections are initiated by the NPO (Main and Aux servers) and made
over SSH (TCP port 22 on the MME).

Note: Connections:
1. The NPO maintains a remote SSH connection with each MME.
2. Periodic file retrieval connections are made via SCP (TCP port 22).


Authentication
1. Account set-up and public key exchange on the MME are described in the PCMD
reference guide, sections 1.3 and 1.4.
Note: There is no connection from the MME back to the NPO server.

Connection to EMS (incoming connections for EMS):

The NPO connects to OMC-R, WMS and SAM, depending on the deployed technology. All
connections are initiated by the NPO (Main and Aux servers) using the ports documented
below.
By default, the NPO uses SSH/SFTP, connecting on TCP port 22.
For EMS releases that do not support secured connections (B11, UA7), the NPO falls back
to FTP, connecting on TCP port 21 for the control connection with the data connection on
TCP port 20. FTP carries credentials and file contents in clear text, so this fallback
should be confined to the network segments where those EMS releases require it.
In the particular SAM case (LTE), the SAM-O interface is accessed either over HTTP on
TCP port 8080 (non-secured mode) or over HTTPS on TCP port 8443 (secured mode). For
more information, refer to the NPO and SAM-O documentation on connection configuration
and authentication settings.
Note: There is no connection from the EMS back to the NPO server.

Details for the SAM case:
CM data: the Main NPO server connects to the Main SAM; SFTP is used to retrieve the
snapshot file. Snapshot file generation is scheduled daily on the SAM server at
installation time. In the redundancy case, SAM-O/HTTP is used to identify which SAM
server is active.
NUART data: the Main NPO server connects to the Main SAM; SAM-O/HTTP is used to
generate the file(s) and SFTP to retrieve them. In the redundancy case, SAM-O/HTTP is
used to identify which SAM server is active.
ENB PM data: the QoS Aux NPO server (Main if there is no Aux) connects to the Aux SAM
(Main if there is no Aux); SSH is used to list files and SFTP to retrieve them. In the
redundancy case, SAM-O/HTTP is used to find the active SAM Aux (or Main).
MME PM data: same as for ENB PM data. In the redundancy case, SAM-O/HTTP is used to
find the active SAM server.
HTTP is on port 8080. All SSH-based access (ssh, sftp, scp) uses port 22.


Services closed on NPO


Overview

The general approach is that ports are closed according to a deny-based list.

The following is a list of services that are deactivated or not installed on the NPO Linux:

System Application Server
Automount
Buttons and Dials Stream
Network Booting RPL (Remote Program Load) Server
Cachefs
Desktop Management Interface (DMI)
Kerberos Key Distribution Center (KDC)
Line printer (LP)
System Activity Reporter (SAR)
Point-to-Point Protocol (PPP)
Service Location Protocol (SLP)
Simple Network Management Protocol (SNMP)
SunSoft Print Service (SPC)
Unix-to-Unix Copy (UUCP)
X Font Server (xfs)
RPC 100235
Kerberos V5 warning messages daemon
Kerberos propagation daemon for slave KDCs
OpenCard Framework (OCF) communications
RPC spray
SVM multi-node communications
Telnet server
UUCP server
Character generator
Comsat
Daytime
Discard
Echo
Finger
Kernel statistics server
Network rwall server
Network user name service
Remote execution server
Remote login
Remote quota server
Removable media management
Remote Shell (RSH)
Talk
Trivial name server
Telnet
NFS (Network File System)

The following is a list of services that are deactivated or not installed on the NPO Solaris:

System Application Server
Automount
Buttons and Dials Stream
Network Booting RPL (Remote Program Load) Server
Cachefs
Desktop Management Interface (DMI)
Kerberos Key Distribution Center (KDC)
Line printer (LP)
Solaris Network Cache and Accelerator
System Activity Reporter (SAR)
Point-to-Point Protocol (PPP)
Service Location Protocol (SLP)
Simple Network Management Protocol (SNMP)
SunSoft Print Service (SPC)
Unix-to-Unix Copy (UUCP)
Volume Management (VOLD)
X Font Server (xfs)
RPC 100235
Kerberos V5 warning messages daemon
Kerberos propagation daemon for slave KDCs
OpenCard Framework (OCF) communications
RPC spray
SVM multi-node communications
Telnet server
UUCP server
Character generator
Comsat
Daytime
Discard
Echo
Finger
Kernel statistics server
Network rwall server
Network user name service
Remote execution server
Remote login
Remote quota server
Removable media management
Remote Shell (RSH)
Talk
Trivial name server
Telnet
NFS (Network File System) (refer to the following note).
Note: NFS remains enabled in 2xV490 ASM configurations.


3 Assure and assess security on NPO products

Overview

Purpose

This section describes how to define and ensure security on NPO products.

Contents

OS hardening integration                             3-1
IP filtering integration                             3-4
Auditing                                             3-7
Tools used for security scanning on NPO              3-9

OS hardening integration

OS hardening

OS hardening consists of a customized version of the Solaris Security Toolkit software
4.2.
The Solaris Security Toolkit software, informally known as the JumpStart Architecture
and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable
mechanism to build and maintain secure Solaris OS systems. Using the Solaris Security
Toolkit software, you can harden and audit the security of systems.
The customized packages are:
ALUoshmain
ALUsst

All services listed in Services closed on NPO (p. 2-8) are verified and disabled if they
are installed.
The following system accounts are locked and their crontab entries removed:
listen
nobody4
nuucp
smmsp
uucp

The following log files are created:
/var/log/authlog to track authentication messages
/var/adm/daemonlog to record all daemon messages
/var/adm/emerglog to track critical errors that were originally sent to the console and
to root's mail
/var/adm/loginlog to track failed login attempts
/var/adm/sulog to track the use or attempted use of "su".

The user password policy is changed:
PASSLENGTH (the minimum password length) is raised from 6 to 8.

The log file for OS hardening actions is:
/SECURITY/ALUoshmain/log/last.log
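Hardening that was applied once can drift, and last.log only records what the toolkit did at the time. The script below is an added example, not part of ALUoshmain or of the Solaris Security Toolkit: it re-checks, from files alone, the results listed above other than the service inventory: the PASSLENGTH value, the lock state and crontab removal of the five accounts, and the presence of the five log files. The file locations it reads (/etc/default/passwd, /etc/shadow, /var/spool/cron/crontabs) and the *LK* lock marker are Solaris conventions assumed by this example, and ROOT is its own knob for pointing it at a copied or test filesystem tree.

```shell
#!/bin/sh
# Added example (not part of ALUoshmain or the Solaris Security Toolkit): a
# read-only check that the Solaris hardening results described in the guide are
# still in place. It only reads files, so it can run from cron and its output
# can be diffed over time. ROOT points it at an offline copy of a filesystem
# (or a test tree); on the live system leave it empty.
#
# Assumed Solaris conventions, not stated in the guide: PASSLENGTH lives in
# /etc/default/passwd, per-user crontabs in /var/spool/cron/crontabs, and a
# locked account has "*LK*" (or "NP") at the start of its /etc/shadow password field.
ROOT=${ROOT:-}

LOCKED_ACCOUNTS="listen nobody4 nuucp smmsp uucp"
HARDENING_LOGS="/var/log/authlog /var/adm/daemonlog /var/adm/emerglog /var/adm/loginlog /var/adm/sulog"

# solaris_hardening_findings: print one line per deviation, nothing when clean.
solaris_hardening_findings() {
    # 1. Minimum password length must be the hardened value of 8 or more
    passlen=$(sed -n 's/^PASSLENGTH=//p' "$ROOT/etc/default/passwd" 2>/dev/null)
    if [ -z "$passlen" ] || [ "$passlen" -lt 8 ] 2>/dev/null; then
        echo "PASSLENGTH is '${passlen:-unset}', expected 8 or more"
    fi
    for acct in $LOCKED_ACCOUNTS; do
        # 2. The account must be locked in /etc/shadow (absent is acceptable)
        hash=$(awk -F: -v u="$acct" '$1 == u { print $2 }' "$ROOT/etc/shadow" 2>/dev/null)
        case $hash in
            "")          ;;                                   # account not present at all
            \*LK\**|NP)  ;;                                   # locked, or no password: expected
            *)           echo "account $acct is not locked" ;;
        esac
        # 3. No crontab may remain for the account
        [ -e "$ROOT/var/spool/cron/crontabs/$acct" ] && echo "crontab still present for $acct"
    done
    # 4. The hardening log files must exist
    for f in $HARDENING_LOGS; do
        [ -f "$ROOT$f" ] || echo "missing log file $f"
    done
    return 0
}

solaris_hardening_findings
```

An empty output is the expected result on a hardened server; anything printed is a regression to investigate against /SECURITY/ALUoshmain/log/last.log, which records what the toolkit changed when it last ran.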
Default approach on ports and services on Linux

The OS hardening consists of customized scripts based on the Security Configuration
Benchmark for Linux Red Hat Enterprise 5 recommendations.
The customized package is ALUoshard.
The package consists of the following scripts:
• 1_secure_ssh.sh (SSH server configuration in order to secure the service)
• 3_secure_xinetd.sh (xinetd services to be disabled)
• 5_cis_services3-5.sh (Minimize boot services)
• 6_daemon_umask.sh (Set daemon umask)
• 7_secure_sendmail.sh (Disable sendmail)
• 8_disable_GUI.sh (Disable GUI login)
• 9_disable_services.sh (Disable standard boot services)
• 10_cis_network.sh (System network parameter tuning)
• 11_secure_logging.sh (Secure logging)
• 12_log_permissions.sh (Permissions on log files)
• 14_cdrom_mount.sh (CD-ROM nodev, nosuid mount options)
• 15_user_mount.sh (Disable user-mounted removable filesystems)
• 16_passwd_shadow.sh (Set passwd/shadow (like) file permissions)
• 17_sticky.sh (Sticky bit on world-writable directories)
• 18_suid_guid.sh (Unexpected SUID/GUID files)
• 19_unowned.sh (Unowned files/directories)
• 13_vfstab_nodev.sh (vfstab nodev mount option)
• 21_pam_rhost.sh (Disable PAM rhosts support)


• 22_ftp_users.sh (Create ftp users files)
• 24_at_cron.sh (Restrict at/cron to authorized users)
• 26_root_console.sh (Restrict root logins to the system console)
• 28_single_user_authentication.sh (Single user mode authentication)
• 29_restrict_nfs_client.sh (Restrict NFS client requests to privileged ports)
• 30_block_sys_login.sh (Block login of system accounts)
• 31_empty_passwords.sh (Verify empty passwords)
• 33_no_legacy_passwd.sh (No legacy password entries)
• 34_root_path.sh (No "." in the root PATH)
• 36_user_dot_files.sh (User dot files)
• 37_remove_netrc.sh (Remove .netrc files)
• 38_default_umask.sh (Set default umask)
• 41_warnings.sh (Create warnings for network and physical access services)
• 42_gui_warnings.sh (Create warnings for GUI-based logins)
• 44_audit_sysstat.sh (Configure auditd and sysstat services)
• 45_no_duplicate_id.sh (No duplicate user ID)
• 46_root_home.sh (Root home directory rights)
• 47_user_password.sh (User password complexity)
• 48_secure_man_doc.sh (man and doc pages protection)
• 50_sendmail_greeting.sh (Change default sendmail greeting string)
• 52_grub_sec.sh (Additional GRUB security)
• 54_account_lockout.sh (Account lockout after 3 login failures)
• 55_cis_network.sh (Network parameter tuning, see above)
• 56_remove_compilers.sh (Remove compilers)
• 57_uid0_no_duplicate.sh (No duplicate UID=0 on the system)
• 23_xserver_nolisten_tcp.sh (X server: no listen on TCP)
• 25_crontab_perm.sh (Restrict permissions on crontab files)
• 35_home_dirs.sh (Home directory restrictions)

The log files for OS hardening actions are in /SECURITY/ALUoshard/log/.
The last.log must be checked in order to see whether the output of some scripts suggests a
manual action to be performed by the system administrator.
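The following POSIX shell script is an added example, not part of the ALUoshard package or of this guide: it implements the audit side of a few of the items listed above (31_empty_passwords, 34_root_path, 17_sticky, 57_uid0_no_duplicate and the 16_passwd_shadow permission check) as small checks that print one finding per line and nothing when the system is clean, which is the form a cron job can compare against last.log. The passwd and shadow contents, the directory tree and the PATH string it runs against are a constructed fixture created in a temporary directory, so the script runs without root and never touches the real system; pointing the check functions at /etc/passwd, /etc/shadow and / runs them for real.

```shell
#!/bin/sh
# Added example, not part of the NPO ALUoshard package: audit-style checks
# for a few of the hardening items listed above (31_empty_passwords,
# 34_root_path, 17_sticky, 57_uid0_no_duplicate, 16_passwd_shadow).
# Each check prints one finding per line and prints nothing when clean.
# Paths are parameters: point them at /etc/passwd, /etc/shadow and / for a
# real run, or at the constructed fixture from make_fixture to try it out.

# Accounts with UID 0; any line after the first is a duplicate root.
check_uid0() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shadow password field is empty (no password needed to log in).
check_empty_passwords() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# "." or an empty component in a PATH string: both make the current directory
# part of the search path, which is what 34_root_path.sh removes for root.
check_root_path() {
  printf '%s\n' "$1" | awk -F: '{
    for (i = 1; i <= NF; i++) {
      if ($i == ".") print "."
      else if ($i == "") print "(empty component)"
    }
  }'
}

# World-writable directories below $1 that lack the sticky bit.
check_sticky() {
  find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# Files among the arguments that are readable by "other" (shadow must not be).
check_world_readable() {
  for f in "$@"; do
    find "$f" -type f -perm -004 2>/dev/null
  done
}

# Constructed fixture in a temporary directory: two UID-0 accounts, one empty
# password, a world-writable directory without sticky bit and an other-readable
# copy of shadow. Prints the directory; the caller removes it.
make_fixture() {
  t=$(mktemp -d)
  cat > "$t/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
npoadm:x:500:500:NPO admin:/home/npoadm:/bin/bash
EOF
  cat > "$t/shadow" <<'EOF'
root:$1$constructed$notarealhash:15500:0:99999:7:::
npoadm::15500:0:99999:7:::
svc:!!:15500:0:99999:7:::
EOF
  chmod 644 "$t/passwd"
  chmod 600 "$t/shadow"
  cp "$t/shadow" "$t/shadow-leaked"
  chmod 644 "$t/shadow-leaked"
  mkdir -p "$t/tmp-ok" "$t/tmp-bad"
  chmod 1777 "$t/tmp-ok"
  chmod 0777 "$t/tmp-bad"
  printf '%s\n' "$t"
}

# run_all DIR: run every check against DIR/passwd, DIR/shadow and the tree
# below DIR, print the findings grouped by check and a final count.
# The PATH string checked here is constructed; use root's real PATH on a live run.
run_all() {
  d=$1
  n=0
  for name in uid0 empty_passwords root_path sticky world_readable; do
    case $name in
      uid0)            out=$(check_uid0 "$d/passwd" | awk 'NR > 1') ;;
      empty_passwords) out=$(check_empty_passwords "$d/shadow") ;;
      root_path)       out=$(check_root_path "/usr/sbin:/usr/bin:.:/sbin::/bin") ;;
      sticky)          out=$(check_sticky "$d") ;;
      world_readable)  out=$(check_world_readable "$d/shadow" "$d/shadow-leaked") ;;
    esac
    if [ -n "$out" ]; then
      printf '[%s]\n%s\n' "$name" "$out"
      n=$((n + $(printf '%s\n' "$out" | awk 'END { print NR }')))
    fi
  done
  printf '%s finding(s)\n' "$n"
}

FIXTURE=$(make_fixture)
run_all "$FIXTURE"
rm -rf "$FIXTURE"
```

The checks deliberately report rather than repair: the hardening scripts above change the system, while a check that only prints findings can be run as often as needed and its output diffed over time to spot drift.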

IP filtering integration
Default approach on Solaris

The scope of IP filtering is:
• A pre-configured set of IP filtering rules is delivered with the product to ensure that
  only the required IP communication from and to the NPO server is valid.
• The Alcatel-Lucent service team must be able to customize the default set of rules.
• It can be used to restrict access to weak services that have to be enabled (i.e. not
  disabled by OS hardening because the NPO application requires them).

The implementation is based on the Solaris built-in IP filtering.
There are two Solaris services:
• network/ipfilter
  IP Filter provides packet-filtering capabilities on a Solaris system. On a properly
  set up system, it can be used to build a firewall.
• network/pfil
  The pfil framework allows a specified function to be invoked for every incoming
  or outgoing packet on a particular network I/O stream. These hooks may be used to
  implement a firewall or perform packet transformations.

Configuration provided by ALU on Solaris

There are two configuration files: one for ipfilter and one for pfil.
The configuration file for pfil is /etc/ipf/pfil.ap; it mainly contains the
interfaces on which pfil is applied.
The configuration file for ipfilter is /etc/ipf/ipf.conf; it contains the
filtering rules for ports, interfaces, protocols, etc. The filtering rules implemented for
each configured interface are:
• First, block and log everything by default, then allow specific services
• ICMP echo bandwidth consumption
• Denial of Service prevention
• Weird flag
• Spoofing prevention
• Reject any unroutable address
• Reject land attack DoS
• Allow FTP server in active mode
• Allow FTP server in passive mode (ports 1023 - 65535)
• Allow SSH service
• Block TELNET, FINGER, REXEC, RLOGIN, RSH
• Allow NPO applications on TCP and UDP
• Allow HTTPS, FTP, SSH, DNS, NTP, XTERM, AUTH


Customize IP filtering on Solaris

It is possible to define individual rules. Each rule is based mainly on the following
parameters:

<action> <in-out> <object>

• <action> can be: block, pass, log
• <in-out> can be: in or out
• <object> can be: all, ip, ip range

For example, to block access to this server on the ce0 interface from the 192.168.1.34 IP
address:

block in on ce0 from 192.168.1.34 to any

For the changes made in /etc/ipf/ipf.conf to be taken into account, you must
restart ipfilter (svcadm restart ipfilter).
When adding a new rule in /etc/ipf/ipf.conf, ensure that the new rule does not
conflict with an existing rule.
For more complex rules, refer to the System Administration Guide: IP Services
(http://docs.sun.com/app/docs/doc/816-4554).
Default approach on Linux

The scope of IP filtering is:
• A pre-configured set of IP filtering rules is delivered with the product to ensure that
  only the required IP communication from and to the NPO server is valid.
• The Alcatel-Lucent service team must be able to customize the default set of rules.
• It can be used to restrict access to weak services that have to be enabled (i.e. not
  disabled by OS hardening because the NPO application requires them).

The implementation is based on the Linux built-in IP filtering (iptables).
There is one Linux service:
• alu-iptables
  alu-iptables is an Alcatel-Lucent customized version of the iptables Linux service.
  Therefore, the original iptables service remains disabled.
  On a properly set up system, it can be used to build a firewall filtering on IP
  addresses, ports, packet length, etc.

Configuration provided by ALU on Linux

The configuration file (script) for alu-iptables is located in
/etc/sysconfig/alu-iptables.sh and contains a set of rules for each active
network interface; the loopback interface is excluded.
• Load the needed kernel modules
• Block and log everything by default, then allow specific services
• ICMP echo bandwidth consumption
• Denial of Service prevention
• Weird flag
• Spoofing prevention
• Reject any unroutable address
• Allow NPO applications on TCP and UDP
• Allow HTTPS, SSH, NTP, AUTH

The list of NPO ports on main and AUX servers:
NPO main server:
TCP: 1098 1099 1521 5000 5100 7979 8443 8191 9444 10050 14445 34000 34013
UDP: 67
NPO AUX server:
TCP: 1098 1099 5000 5100 7979 8443 8191 9444 14445 34000 34013
UDP: 67


Customize IP filtering on Linux

It is possible to define individual rules. Each rule is based mainly on the following
parameters:

iptables -[AD] chain rule-specification [options]

• Each chain is a list of rules which can match a set of packets.
• A firewall rule specifies criteria for a packet, and a target.
• If the packet does not match, the next rule in the chain is examined; if it does
  match, then the next rule is specified by the value of the target, which can be the name
  of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or
  RETURN.
• For options, consult the iptables man page.

For example, to allow ssh packets (port 22) on this server:

iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

For the changes made in /etc/sysconfig/alu-iptables.sh to be taken into account,
you must restart the alu-iptables service (service alu-iptables restart).
For more complex rules, refer to the iptables man page.
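As an added example (not the alu-iptables.sh script delivered with NPO), the following POSIX shell builds the INPUT rules for one interface in the order the two Linux sections above describe: default DROP policy, spoofing and weird-flag filtering, ICMP echo rate limiting, the allowed services (SSH, HTTPS, NTP, AUTH) and the NPO main-server port list, and finally a logged catch-all drop. Because iptables matches the first rule that applies, "block and log everything by default" has to be expressed as the chain policy plus a logging rule appended last, with the allows before it; appending an allow after the catch-all is the kind of rule conflict the section warns about, and it silently never matches. IPT and MODPROBE default to echo so the rule set is printed rather than applied; the kernel module names, the ESTABLISHED,RELATED rule and the rate limits are assumptions, not taken from the guide.

```shell
#!/bin/sh
# Added example, not the NPO alu-iptables.sh script: build the INPUT rules for
# one interface in the order the Linux IP filtering section above describes.
# IPT and MODPROBE default to "echo ..." so the rule set is printed, not
# applied; run with IPT=iptables MODPROBE=modprobe as root to apply it.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}

# NPO main server ports from the guide.
NPO_TCP_PORTS="1098 1099 1521 5000 5100 7979 8443 8191 9444 10050 14445 34000 34013"
NPO_UDP_PORTS="67"

# Kernel modules for the filter table, connection state and rate limiting.
# (Module names are an assumption for a RHEL 5 kernel; newer kernels autoload them.)
load_modules() {
  for m in ip_tables iptable_filter xt_state xt_limit; do
    $MODPROBE "$m"
  done
}

# build_ruleset IFACE: print (or apply) the rules for IFACE.
# iptables evaluates rules first-match, so "block and log everything" is the
# chain policy plus a logging catch-all appended LAST; the allows go before it.
build_ruleset() {
  ifc=$1
  # 1. Default: drop what no rule accepts; this host does not route.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  # 2. Replies to connections the server itself opened (assumption: stateful filtering).
  $IPT -A INPUT -i "$ifc" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3. Spoofing prevention: loopback and unroutable source addresses never
  #    legitimately arrive on a real interface; log them, then drop.
  for net in 127.0.0.0/8 0.0.0.0/8 224.0.0.0/4 240.0.0.0/5; do
    $IPT -A INPUT -i "$ifc" -s "$net" -j LOG --log-prefix "SPOOF: "
    $IPT -A INPUT -i "$ifc" -s "$net" -j DROP
  done
  # 4. Weird flags: no flags at all, or SYN+FIN together, is not a real handshake.
  $IPT -A INPUT -i "$ifc" -p tcp --tcp-flags ALL NONE -j DROP
  $IPT -A INPUT -i "$ifc" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # 5. ICMP echo bandwidth: answer a bounded rate of pings, drop the excess.
  $IPT -A INPUT -i "$ifc" -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
  $IPT -A INPUT -i "$ifc" -p icmp --icmp-type echo-request -j DROP
  # 6. Allowed services: SSH (22), HTTPS (443), AUTH (113) and the NPO TCP ports,
  #    then NTP (123) and the NPO UDP ports.
  for p in 22 443 113 $NPO_TCP_PORTS; do
    $IPT -A INPUT -i "$ifc" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  for p in 123 $NPO_UDP_PORTS; do
    $IPT -A INPUT -i "$ifc" -p udp --dport "$p" -j ACCEPT
  done
  # 7. Everything else: log (rate limited so a flood cannot fill the disk), then drop.
  $IPT -A INPUT -i "$ifc" -m limit --limit 10/minute -j LOG --log-prefix "DROP: "
  $IPT -A INPUT -i "$ifc" -j DROP
}

load_modules
build_ruleset "${IFACE:-eth0}"
```

Printing the rules first (the default here) is also a cheap way to review a customization before restarting the alu-iptables service: the ordering problem described in the lead-in is visible in the printed list, whereas on the live system it only shows up as a service that cannot be reached.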

Auditing
Default approach on Solaris

Solaris auditing is enabled in NPO in order to provide logs on user activity on the file
system.
The parse_os_audit.sh script is used to view the audit logs.
Auditing can be performed at different levels in order to reduce the space and the
resources used:
• Level1 = al1 class (Level1 = minimum detail)
• Level2 = al1 & al2 classes
• Level3 = al1 & al2 & al3 classes activated

Only level 1 can be enabled full time. Enabling level 2 and level 3 has an impact on
performance, so they must be enabled only for short periods of time. The NPO
performance is not guaranteed when level 2 and level 3 are enabled.
The amount of history kept at level 2 and level 3 cannot be predicted because it depends
on the activity on the server; disk space decreases rapidly.
Usage:
parse_os_audit.sh [--after datetime] [--before datetime] [-class <C>] [--event <E>] [--user <U>] <AUDIT_FILE_NAME> [> <OUTPUT_FILE_NAME>]

The format for datetime is yyyymmdd[hh[mm[ss]]].
The format for class for Solaris is al1,al2,al3 (classes can be comma separated).
event <E> is one of the events listed in Audit log level for Solaris (p. 4-1).
user is the real user.

The audit logs are located in /opt/INDSaudit/store/primary. When this location is
almost full, the logs are created in /var/audit/secondary. The logs are stored in 7zip
format.
The configuration for logs is stored in /etc/security/audit_control. For example,
you can set the following parameters inside the file:
dir:/opt/INDSaudit/store/primary
dir:/var/audit/secondary
minfree:20
dir lists the directories to be used when creating audit files, in the order in which they
are to be used.
minfree specifies the percentage of free space that must be present in the file system
containing the current audit file.

The <OUTPUT_FILE_NAME> is the name of the file where the result of parsing is put. It is
optional, but it is recommended to use this file since the output of the parsing command is
usually large.
Configuration provided by ALU on Solaris

The auditing level can be changed using BSMrun (the server must be booted in single
user mode - init 1). Refer to the following procedure: Manage Solaris Audit Logs
(../npoplug/npopl304.htm)
Default approach on Linux

Linux auditing can be enabled in NPO in order to provide logs on user activity on the file
system.
The parse_os_audit.sh script, located in the /usr/sbin/ directory, is used to
view the audit logs.
Auditing is performed at different levels in order to reduce the space and the
resources used:
• Level1 = al1 class (Level1 = minimum detail)
• Level2 = al1 & al2 classes
• Level3 = al1 & al2 & al3 classes activated

Only level 1 can be enabled full time. NPO is dimensioned to store 10 files of 100 MB,
which corresponds to 90 days of normal utilization of NPO at level 1.
Enabling level 2 and level 3 has an impact on performance, so they must be
enabled only for short periods of time. The NPO performance is not guaranteed when
level 2 and level 3 are enabled.
The amount of history kept at level 2 and level 3 cannot be predicted because it depends
on the activity of the server; disk space decreases rapidly (the disk will be full in a matter
of hours at level 2 and minutes at level 3).
Usage:
parse_os_audit.sh [--after datetime] [--before datetime] [-class <C>] [--event <E>] [--user <U>] [<AUDIT_FILE_NAME>] [> <OUTPUT_FILE_NAME>]

The format for datetime is yyyymmdd[hh[mm[ss]]].
The format for class for Linux is al1 or al2 or al3.
event <E> is one of the events listed in Audit log level for Linux (p. 4-4).
user is the real user.

The audit logs are located in /var/log/audit. The log file rotation is performed
automatically by the auditd daemon. The configuration file of the auditd daemon is
/etc/audit/auditd.conf. <AUDIT_FILE_NAME> is optional and is used only when a
different file is to be parsed.
With this configuration file, the disk space usage of audit log files can be configured. For
example, you may have the following parameters inside the file:
log_file = /var/log/audit/audit.log
max_log_file = 5
max_log_file_action = ROTATE
log_file specifies the full path name of the log file where audit records are stored.
max_log_file specifies the maximum file size in megabytes. When this limit is
reached, it triggers a configurable action (max_log_file_action).
max_log_file_action tells the system what action to take when it has detected that
the maximum file size limit has been reached. Valid values are ignore, syslog,
suspend, rotate and keep_logs. The rotate option causes the audit daemon to rotate
the logs.
The <OUTPUT_FILE_NAME> is the name of the file where the result of parsing is put. It is
optional, but it is recommended to use this file since the output of the parsing command is
usually large.
Configuration provided by ALU on Linux

The auditing level can be changed using BSMrun. Refer to the following procedure:
Manage Linux Audit Logs (../npoplug/linaudit.htm)
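The Solaris and Linux descriptions of parse_os_audit.sh above share the same filters: --after and --before in yyyymmdd[hh[mm[ss]]] form, --event and --user. As an added example, not the NPO parse_os_audit.sh script, the following POSIX shell applies those three filters to Linux auditd records: to_epoch converts the datetime format to seconds since the epoch with plain awk arithmetic (so it works where GNU date is absent), and filter_audit keeps the records whose msg=audit(...) timestamp falls inside the window, whose type matches the event name, and whose auid matches the user. auid is the login UID, which auditd keeps constant across su, so it is the closest match for "the real user" in the text. The four records in sample_audit are constructed for this example.

```shell
#!/bin/sh
# Added example, not the NPO parse_os_audit.sh script: the --after/--before,
# --event and --user filters described above, applied to Linux auditd records.

# Constructed auditd records (same field layout as /var/log/audit/audit.log).
# Timestamps are UTC: 2012-07-01 10:00 and 11:00, 2012-07-02 12:00 and 12:01.
sample_audit() {
  cat <<'EOF'
type=USER_LOGIN msg=audit(1341136800.101:201): pid=2101 uid=0 auid=500 ses=7 msg='op=login id=500 exe="/usr/sbin/sshd" addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=USER_CHAUTHTOK msg=audit(1341140400.202:202): pid=2150 uid=500 auid=500 ses=7 msg='op=PAM:chauthtok acct="npoadm" exe="/usr/bin/passwd" res=success'
type=USER_LOGIN msg=audit(1341230400.303:303): pid=2300 uid=0 auid=501 ses=8 msg='op=login id=501 exe="/usr/sbin/sshd" addr=10.0.0.9 terminal=/dev/pts/2 res=failed'
type=SYSCALL msg=audit(1341230460.404:304): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2310 auid=501 uid=501 comm="id" exe="/usr/bin/id" key=(null)
EOF
}

# to_epoch yyyymmdd[hh[mm[ss]]]: print seconds since 1970-01-01 00:00:00 UTC.
# Missing hh/mm/ss default to 00. The civil-date-to-days conversion is done in
# POSIX awk so the script does not depend on GNU date.
to_epoch() {
  printf '%s\n' "$1" | awk '{
    s  = $0 "00000000000000"
    y  = substr(s, 1, 4) + 0; m  = substr(s, 5, 2) + 0; d  = substr(s, 7, 2) + 0
    hh = substr(s, 9, 2) + 0; mi = substr(s, 11, 2) + 0; ss = substr(s, 13, 2) + 0
    if (m <= 2) y--                        # Jan/Feb count as months 13/14 of the previous year
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468     # days since 1970-01-01
    print days * 86400 + hh * 3600 + mi * 60 + ss
  }'
}

# filter_audit AFTER BEFORE EVENT USER: read records on stdin and print those
# with AFTER <= timestamp < BEFORE (datetimes as above), type == EVENT and
# auid == USER. An empty argument disables that filter. auid is the login UID,
# which stays the same across su, i.e. the "real user" of the parse script.
filter_audit() {
  after_s=; before_s=
  if [ -n "$1" ]; then after_s=$(to_epoch "$1"); fi
  if [ -n "$2" ]; then before_s=$(to_epoch "$2"); fi
  awk -v a="$after_s" -v b="$before_s" -v ev="$3" -v usr="$4" '
    {
      # record time is the integer part of "msg=audit(SECONDS.MILLIS:SERIAL):"
      if (!match($0, /msg=audit\([0-9]+/)) next
      t = substr($0, RSTART + 10, RLENGTH - 10) + 0
      type = ""; auid = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^type=/) type = substr($i, 6)
        if ($i ~ /^auid=/) auid = substr($i, 6)
      }
      if (a != "" && t < a) next
      if (b != "" && t >= b) next
      if (ev != "" && type != ev) next
      if (usr != "" && auid != usr) next
      print
    }'
}

# count_lines: number of records on stdin (prints 0 for none, unlike grep -c under set -e).
count_lines() { awk 'END { print NR }'; }

# Stand-alone run: login events between 2012-07-01 and 2012-07-03.
sample_audit | filter_audit 20120701 20120703 USER_LOGIN ''
```

Because the output of such a filter is still large on a busy server, redirecting it to a file as the text recommends (> <OUTPUT_FILE_NAME>) applies here too; the window and event filters are what keep a level 2 or level 3 review tractable.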

Tools used for security scanning on NPO

Nessus

This vulnerability scanner serves a key role in the test process. It scans for known security
problems that are common in IP applications. The test suite is continually enhanced as
new problems are discovered, and the latest tests can be downloaded from the Internet.
Customized tests can easily be added to the suite using the NASL scripting language.
An up-to-date Nessus is always used for scanning the servers.
The plugin domains used by Nessus are:
• CGI abuses
• Databases
• Default Unix Accounts
• Denial of Service
• DNS
• Finger abuses
• Firewalls
• FTP
• Gain a shell remotely

• General
• HP-UX Local Security Checks
• Misc
• Peer-To-Peer File Sharing
• Policy Compliance
• Port scanners
• Red Hat Local Security Checks
• RPC
• Service detection
• SMTP problems
• SNMP
• Solaris Local Security Checks
• Web Servers

CIS

The CIS Configuration Assessment Tool is used to test the operating system configuration
against industry best practices. Alcatel-Lucent has a license to use all CIS benchmark tools
and documents. The tool can be downloaded from the QA&CC STO website or from the
CIS website directly.
McAfee Foundstone Enterprise

Foundstone Enterprise is more than a network scanner; its priority-based approach
combines vulnerability, asset data, and countermeasures to help you make more informed
decisions. It uses threat intelligence and correlation to help you determine how emerging
threats and vulnerabilities on networked systems affect your risk profile, so that you
deploy resources where they are needed most. Enterprises improve operational efficiency
and security protection while meeting compliance requirements.
Denial of Service Testing Tools

These black-box DoS testing tools implement known network flood attacks (TCP flood,
Naptha, Ping flood, ICMP Echo Reply flood, IP TTL=0 flood) and logic/software attacks
(Land, Ping of Death, Teardrop). To simplify their usage, a generic CLI framework is
provided.
Protocol robustness tools

TBC.

4 Classes, event names, actions

Overview
Purpose

This section describes the classes, event names and actions that can be used to ensure
security.
Contents
Audit log level for Solaris  4-1
Audit log level for Linux  4-4


Audit log level for Solaris

Annex 1

Class  Event Name                  Action
al1    AUE_login                   login - local
al1    AUE_logout                  logout
al1    AUE_telnet                  login - telnet
al1    AUE_rlogin                  login - rlogin
al1    AUE_rshd                    rsh access
al1    AUE_su                      su
al1    AUE_rexecd                  rexecd
al1    AUE_passwd                  passwd
al1    AUE_rexd                    rexd
al1    AUE_ftpd                    ftp access
al1    AUE_ftpd_logout             ftp logout
al1    AUE_ssh                     login - ssh
al1    AUE_role_login              role login

al1    AUE_prof_cmd                profile command
al1    AUE_newgrp_login            newgrp login
al1    AUE_admin_authenticate      admin login
al2    AUE_EXIT                    exit(2)
al2    AUE_FORK                    fork(2)
al2    AUE_CREAT                   creat(2)
al2    AUE_LINK                    link(2)
al2    AUE_UNLINK                  unlink(2)
al2    AUE_EXEC                    exec(2)
al2    AUE_MKNOD                   mknod(2)
al2    AUE_CHMOD                   chmod(2)
al2    AUE_ACCESS                  access(2)
al2    AUE_KILL                    kill(2)
al2    AUE_SYMLINK                 symlink(2)
al2    AUE_READLINK                readlink(2)
al2    AUE_EXECVE                  execve(2)
al2    AUE_CHROOT                  chroot(2)
al2    AUE_VFORK                   vfork(2)
al2    AUE_SETGROUPS               setgroups(2)
al2    AUE_SETPGRP                 setpgrp(2)
al2    AUE_FCHOWN                  fchown(2)
al2    AUE_FCHMOD                  fchmod(2)
al2    AUE_RENAME                  rename(2)
al2    AUE_MKDIR                   mkdir(2)
al2    AUE_RMDIR                   rmdir(2)
al2    AUE_UTIMES                  utimes(2)
al2    AUE_STATFS                  statfs(2)
al2    AUE_MOUNT                   mount(2)
al2    AUE_OPEN_RC                 open(2) - read,creat
al2    AUE_OPEN_RT                 open(2) - read,trunc
al2    AUE_OPEN_RTC                open(2) - read,creat,trunc
al2    AUE_OPEN_W                  open(2) - write
al2    AUE_OPEN_WC                 open(2) - write,creat
al2    AUE_OPEN_WT                 open(2) - write,trunc

al2    AUE_OPEN_WTC                open(2) - write,creat,trunc
al2    AUE_OPEN_RW                 open(2) - read,write
al2    AUE_OPEN_RWC                open(2) - read,write,creat
al2    AUE_OPEN_RWT                open(2) - read,write,trunc
al2    AUE_OPEN_RWTC               open(2) - read,write,creat,trunc
al2    AUE_CORE                    process dumped core
al2    AUE_SETUID                  old setuid(2)
al2    AUE_UTIME                   old utime(2)
al2    AUE_SETGID                  old setgid(2)
al2    AUE_MUNMAP                  munmap(2)
al2    AUE_LCHOWN                  lchown(2)
al2    AUE_FORK1                   fork1(2)
al2    AUE_ACLSET                  acl(2) - SETACL command
al2    AUE_UMOUNT2                 umount2(2)
al2    AUE_cron_invoke             cron-invoke
al2    AUE_crontab_create          crontab-crontab created
al2    AUE_crontab_delete          crontab-crontab deleted
al2    AUE_halt_solaris            halt(1m)
al2    AUE_init_solaris            init(1m)
al2    AUE_uadmin_solaris          uadmin(1m)
al2    AUE_poweroff_solaris        poweroff(1m)
al2    AUE_crontab_mod             crontab-modify
al2    AUE_filesystem_add          add filesystem
al2    AUE_filesystem_delete       delete filesystem
al2    AUE_filesystem_modify       modify filesystem
al2    AUE_network_add             add network attributes
al2    AUE_network_delete          delete network attributes
al2    AUE_network_modify          modify network attributes
al2    AUE_allocate_succ           allocate-device success
al2    AUE_allocate_fail           allocate-device failure
al2    AUE_deallocate_succ         deallocate-device success
al2    AUE_deallocate_fail         deallocate-device failure
al2    AUE_listdevice_succ         allocate-list devices success

al2    AUE_listdevice_fail         allocate-list devices failure
al2    AUE_create_user             create user
al2    AUE_modify_user             modify user
al2    AUE_delete_user             delete user
al2    AUE_disable_user            disable user
al2    AUE_enable_user             enable user
al2    AUE_smserverd               smserverd
al3    AUE_CHDIR                   chdir(2)
al3    AUE_STAT                    stat(2)
al3    AUE_LSTAT                   lstat(2)
al3    AUE_FCNTL                   fcntl(2)
al3    AUE_OPEN_R                  open(2) - read
al3    AUE_CLOSE                   close(2)

Audit log level for Linux

Annex 2

Level              Event Name        Actions
al1, al2 and al3   ALL               display all messages
al1, al2 and al3   CWD
al1, al2 and al3   PATH
al1                LOGIN
al1                USER_AUTH
al1                USER_ACCT
al1                CRED_ACQ
al1                CRED_DISP
al1                CRED_REFR
al1                USER_START
al1                USER_END
al1                USER_AUTH
al1                USER_ERR
al1                USER_LOGIN
al1                USER_LOGOUT

al1                USER_CHAUTHTOK
al2                CONFIG_CHANGE
al2                EXECVE
al2                OBJ_PID
al2                SYSCALL           exit
al2                SYSCALL           fork
al2                SYSCALL           kill
al2                SYSCALL           execve
al2                SYSCALL           vfork
al3                SYSCALL           chdir
al3                SYSCALL           stat
al3                SYSCALL           lstat
al3                SYSCALL           fcntl
al3                SYSCALL           open
al3                SYSCALL           close
