OM Security (SRAN9.0 - Draft A) PDF

SingleRAN
OM Security Feature Parameter

Description
Issue
Draft A
Date
2014-01-20
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue Draft A (2014-01-20)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.
SingleRAN
OM Security Feature Parameter Description
Contents
Contents
1 About This Document..................................................................................................................1
1.1 Scope..............................................................................................................................................................................1
1.2 Intended Audience..........................................................................................................................................................1
1.3 Change History...............................................................................................................................................................1
2 Overview.........................................................................................................................................3
3 Technical Description...................................................................................................................4
3.1 OMCH Security..............................................................................................................................................................4
3.2 Web Security..................................................................................................................................................................5
3.2.1 Overview.....................................................................................................................................................................5
3.2.2 User Authentication.....................................................................................................................................................5
3.2.3 HTTPS-based Data Transmission...............................................................................................................................6
3.2.4 Anti-attack...................................................................................................................................................................7
3.2.5 Rights Control..............................................................................................................................................................8
3.3 User Management...........................................................................................................................................................8
3.3.1 Overview.....................................................................................................................................................................8
3.3.2 Login Authentication.................................................................................................................................................10
3.3.3 User Rights Control...................................................................................................................................................11
3.3.4 Login Password Policy..............................................................................................................................................12
3.3.5 FTP User Management..............................................................................................................................................14
3.4 User Data Anonymization............................................................................................................................................15
3.5 Digital Signature-based Software Integrity Protection.................................................................................................15
3.5.1 Definition...................................................................................................................................................................15
3.5.2 Application Scenarios................................................................................................................................................15
3.5.3 Digital Signature........................................................................................................................................................16
3.6 Time Security...............................................................................................................................................................18
3.6.1 SNTP Security for Base Station Controllers.............................................................................................................18
3.6.2 NTP Security Authentication for Base Stations........................................................................................................19
3.7 Security Alarms, Events, and Logs..............................................................................................................................20
3.7.1 Overview...................................................................................................................................................................20
3.7.2 Security Alarms and Events......................................................................................................................................20
3.7.3 Security Logs and Security Audit..............................................................................................................................21
3.7.3.1 O&M Event Recording...........................................................................................................................................21

ii
SingleRAN
Contents
3.7.3.2 Centralized Log Management................................................................................................................................24

3.7.3.3 Security Log Auditing............................................................................................................................................25
3.8 OMU Anti-attack..........................................................................................................................................................26
3.9 Security Policy Level Configuration............................................................................................................................26
4 Engineering Guidelines.............................................................................................................29
4.1 OMCH Security............................................................................................................................................................29
4.2 Web Security................................................................................................................................................................29
4.2.1 When to Use Web Security.......................................................................................................................................29
4.2.2 Deployment...............................................................................................................................................................29
4.2.2.1 Requirements..........................................................................................................................................................29
4.2.2.2 Activation...............................................................................................................................................................29
4.2.2.2.1 Using MML Commands......................................................................................................................................29
4.2.2.2.2 Using the CME....................................................................................................................................................30
4.2.2.3 Activation Observation...........................................................................................................................................32
4.3 User Management.........................................................................................................................................................32
4.3.1 When to Use User Management................................................................................................................................32
4.3.2 Deployment...............................................................................................................................................................32
4.3.2.1 Requirements..........................................................................................................................................................32
4.3.2.2 Activation...............................................................................................................................................................32
4.3.2.2.1 Using the MML Commands................................................................................................................................32
4.3.2.2.2 Using the CME....................................................................................................................................................34
4.4 User Data Anonymization............................................................................................................................................35
4.5 Digital Signature-based Software Integrity Protection.................................................................................................35
4.6 Time Security...............................................................................................................................................................35
4.6.1 Deployment of SNTP Security for Base Station Controllers....................................................................................35
4.6.1.1 Requirements..........................................................................................................................................................35
4.6.1.2 Activation...............................................................................................................................................................35
4.6.2 Deployment of NTP Security Authentication for Base Stations...............................................................................36
4.6.2.1 Requirements..........................................................................................................................................................36
4.6.2.2 Data Preparation.....................................................................................................................................................36
4.6.2.3 Activation...............................................................................................................................................................36
4.6.2.3.1 Using MML Commands......................................................................................................................................37
4.6.2.3.2 MML Command Examples.................................................................................................................................37
4.6.2.3.3 Using the CME....................................................................................................................................................37
4.6.2.5 Reconfiguration......................................................................................................................................................39
4.6.2.6 Deactivation............................................................................................................................................................39
4.7 Security Alarms, Events, and Logs..............................................................................................................................39
4.8 OMU Anti-attack..........................................................................................................................................................39

iii
SingleRAN
Contents
4.8.1 When to Use OMU Anti-Attack................................................................................................................................39

4.8.2 Required Information................................................................................................................................................40
4.8.3 Deployment...............................................................................................................................................................40
4.8.3.1 Requirements..........................................................................................................................................................40
4.8.3.2 Activation...............................................................................................................................................................40
4.8.3.4 Deactivation............................................................................................................................................................41
4.9 Security Policy Level Configuration............................................................................................................................41
5 Parameters.....................................................................................................................................42
6 Counters........................................................................................................................................65
7 Glossary.........................................................................................................................................66
8 Reference Documents.................................................................................................................67

iv
SingleRAN
1 About This Document
About This Document
1.1 Scope
This document describes operation and maintenance (O&M) security, including its technical
descriptions, engineering guidelines, and parameters.
This document covers the following features:
l
MRFD-210305 Security Management
LBFD-004010 Security Management
TDLBFD-004010 Security Management
1.2 Intended Audience

This document is intended for personnel who:
l
Need to understand the features described herein
Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes, which are defined as follows:
l
Feature change
Changes in features of a specific product version
Editorial change
Changes in wording or addition of information that was not described in the earlier version
Draft A (2014-01-20)
This document is created for SRAN9.0.

SingleRAN
1 About This Document
This document originates from Base Station and OM Security Feature Parameter Description
and Base Station Controller and OM Security Feature Parameter Description of SRAN8.0.
Compared with SRAN8.0, SRAN9.0 adds security policy level configuration described in 3.9
Security Policy Level Configuration. For details about the engineering guidelines, see 4.2 Web
Security.

SingleRAN
2 Overview
Overview
Table 2-1 lists the O&M security measures supported by Huawei network elements (NEs) in
SRAN9.0.
Table 2-1 Supported security measures
Security Measures
MBSC
eGBTS
NodeB
eNodeB
MBTS
Operation and maintenance

channel (OMCH) security
Web security
User management
User data anonymization
Digital signature-based
software integrity protection
Time security
Security alarms, events, and

logs
OMU anti-attack
Security policy level

configuration
NOTE
indicates that the NE supports this security measure.
- indicates that the NE does not support this security measure.
NOTE
In his document, MBSC is called the base station controller, and eGBTS, NodeB, eNodeB and MBTS are
collectively referred to as the base station. For details about O&M security measures for the GBTS, see
GBSS Security Overview Feature Parameter Description.

SingleRAN
3 Technical Description
Technical Description
3.1 OMCH Security

An OMCH is configured between a base station (other than a GBTS) or base station controller
and the U2000 or WebLMT to transmit information for base station management and
maintenance.
Data transmitted over OMCHs is secured using Secure Sockets Layer (SSL).
SSL is a cryptographic protocol designed to secure communication over the Internet. SSL at the
transport layer supports only TCP. As shown in Figure 3-1, SSL works between the transport
layer and the application layer. It secures data transmission for various application protocols,
such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).
Figure 3-1 SSL-encrypted transmission
SSL protects transmitted data against eavesdropping, tampering, and forging using encryption,
integrity protection, and identity authentication.
l
Encryption
With SSL, the sender encrypts data at the application layer before transmission and the
receiver decrypts the received data. In this manner, data is transmitted as ciphertext,
preventing eavesdropping.

SingleRAN
SSL supports multiple standard encryption algorithms, such as Triple Data Encryption
Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4).
l
Integrity protection
SSL uses the Hash function to generate a digital signature for the data to be transmitted.
The receiver then checks the digital signature to determine whether the data was tampered
with during transmission.
SSL supports multiple standard Hash algorithms, such as Secure Hash Algorithm 1
(SHA-1).
Identity authentication
SSL supports certificate-based authentication. The communicating parties authenticate the
digital certificates of each other before establishing an SSL connection.
Huawei equipment supports SSL versions SSL3.0, TLS1.0, TLS1.1, and TLS1.2. The SSL
version to be used can be negotiated with the peer party. The SSL version used is always TLS1.2
in SRAN8.0 or later and TLS1.1 in SRAN7.0 or earlier. During SSL negotiation, NEs choose a
supported SSL version from the list provided by the U2000.
For details about SSL, see SSL Feature Parameter Description.
The FTP connection between a base station or base station controller and the U2000 is based on
SSL. FTP files on the U2000 can be encrypted using SSL and then transmitted in ciphertext
format. For details about SSL application to FTP, see SSL Feature Parameter Description.
NOTE
Currently, SSL 2.0 cannot be used. In addition, encryption and plaintext algorithms whose lengths are
shorter than 64 bits cannot be used.
3.2 Web Security

3.2.1 Overview
A user can access a base station or base station controller to perform O&M with a WebLMT.
The WebLMT is an HTTP/HTTPS-based web application that takes the following measures to
ensure O&M security:
l
User authentication
HTTPS-based Data Transmission
Anti-attack
Rights control
3.2.2 User Authentication

To log in to the WebLMT, a user must input the correct user name and password.
There are two types of users:
l
Local users: User information is stored and authenticated on the base station controller.
Domain users: Managed by the U2000. User information is stored and authenticated on the
U2000.

SingleRAN
The authentication module uses a brute-force cracking prevention mechanism to authenticate

users that attempt to log in to the WebLMT.
l
A user must input a verification code after inputting the user name and password. The
verification code is an image randomly generated by the web server.
If a user fails to log in to the WebLMT after several consecutive attempts, the account will
be locked and then automatically unlocked after a certain period of time. The
MaxMissTimes(BSC6900,BSC6910,NodeB) parameter specifies the maximum number of
login attempts allowed and the AutoUnlockTime(BSC6900,BSC6910,NodeB) parameter
specifies the duration for which the account is locked. The two parameters can be
configured using the SET PWDPOLICY command. If no operation is performed within
a specified period of time, the WebLMT GUI will be automatically locked. GUI unlock
authentication is implemented on the base station controller. If the user cannot unlock the
GUI after multiple attempts, the current session will be locked for another 30 minutes.
The password policies for local users are as follows:

l
The minimum password length is specified by PwdMinLen(BSC6900,BSC6910).
The password complexity is specified by Complicacy(BSC6900,BSC6910).
The maximum number of single character repetitions is specified by

MaxRepeatCharTimes(BSC6900,BSC6910).
The period in which a password remains valid is specified by MAXVALIDDATES

(BSC6900,BSC6910).
The maximum number of login retries is specified by MaxMissTimes

(BSC6900,BSC6910).
The warning before the password expires (days) is specified by MAXPROMPTDATES

(BSC6900,BSC6910).
Users can change their passwords.
The maximum number of previously used passwords recorded is specified

HISTORYPWDNUM(BSC6900,BSC6910). Users cannot reuse previously used
passwords.
If FirstLoginMustModPWD(BSC6900,BSC6910) is set to ON(Open), users are required

to change their passwords when they log in to the WebLMT for the first time.
If DICTCHKSW(BSC6900,BSC6910) is set to ON(Open), users cannot use the passwords

in the weak password dictionary.
Password security-related parameters can be configured using the SET PWDPOLICY

command. Only local users can configure these parameters.
3.2.3 HTTPS-based Data Transmission

The policy for logging in to the WebLMT is specified by the policy parameter in the SET
WEBLOGINPOLICY command. By default, the WebLMT uses HTTPS to secure data
transmission. A digital certificate is required to use HTTPS. The WebLMT uses a digital
certificate delivered with itself.

SingleRAN
Table 3-1 WebLMT login policy

Scenario
Protocol Used
in the Internet
Explorer
Address Box
Protocol Used
in Login Web
Page
Protocol Used
in the
WebLMT
GUI
Policy
Description
Scenario 1
HTTP
HTTPS
HTTPS
Scenario 2
HTTPS
HTTPS
HTTPS
Forcible
HTTPS:
HTTPS
connection must
be used for the
login web page
and the
WebLMT GUI.
Scenario 3
HTTP
HTTPS
HTTP
Scenario 4
HTTPS
HTTPS
HTTP
Scenario 5
HTTP
HTTP
HTTP
Scenario 6
HTTPS
HTTPS
HTTPS
HTTPS for
login only:
HTTPS
connection must
be used for the
login web page.
Compatibility
mode: Either
HTTP or
HTTPS is used.
NOTE
As of SRAN8.0, the default policy for logging in to the WebLMT changed from compatibility mode to
forcible HTTPS mode.
In compatibility mode, the policy for logging in to the WebLMT is determined by the protocol (HTTP or
HTTPS) entered in the Internet Explorer address box.
3.2.4 Anti-attack
The web server has been reinforced to prevent the impacts of various attacks. The following
types of attacks have been taken into consideration before delivery:
l
Cross-site scripting attack

Attackers inject malicious scripts into web pages. If the web server does not filter out the
malicious scripts, the scripts will be executed when users view the web pages.
Remote file inclusion attack

Attackers forcibly include their own files in the codes on the web server by exploiting the
Web server's vulnerability in filtering file inclusion. By doing this, the attackers can attack
certain websites.
Directory traversal attack

Attackers use the security holes of applications to access data or directories without
obtaining authorization, thereby causing data leak or tampering.

SingleRAN
Distributed denial of service (DDoS) attack

Attackers use the inherent security holes of network protocols to forge reasonable requests
to consume limited transmission bandwidth or occupy excess resources. As a result, the
network or service cannot properly respond to authorized requests and breaks down.
Structured query language (SQL) injection attack

SQL injection attacks are a common type of injection attacks. Attackers inject malicious
SQL commands into a web form entry to trick the web server into executing the SQL
commands.
Broken authentication and session management attack

Attackers exploit the defects in functions related to identity authentication in web
applications to steal authentication information or session management data, causing user
or administrator account thefts.
3.2.5 Rights Control

When a local user or domain user account is created, it is allocated certain rights. After a user
accesses the base station or base station controller over the WebLMT, all operations performed
by the user take effect only after being authenticated on the base station controller. If the
authentication fails, the base station or base station controller returns a message indicating that
the user does not have rights to perform the operations.
Accessing the Web Server Directory Using the File Manager

Each user that uses the WebLMT to access the base station controller can download files from
or upload files to the base station controller on the File Manager tab. Different levels of users
have different rights to obtain information:
l
Administrator: Can upload, download, or delete files.
Operator/User/Guest: Can only download files.
Custom user: Can obtain information according to the added commands.
Accessing Static Files on the Web Server

Rights control is implemented for users to access files on the Web server. Users can directly
view the home page of the Web server and a few other web pages. However, they must pass
login authentication to view information on all other web pages.
Performing Operations on the WebLMT GUI

As of SRAN8.0, local Custom users can be authorized based on function items.
3.3 User Management

3.3.1 Overview
User management implements authentication and access control on users who log in to an NE
to perform O&M. Authentication identifies users, and access control defines and restricts the
operations that users can perform and the resources they can access.

SingleRAN
Table 3-2 describes user management functions.

Table 3-2 User management functions
Function
Description
User account management
l Adding, modifying, and deleting accounts

l Querying account information
User password management
l Restricting the minimum password length

and enforcing password complexity
l Limiting the password validity period
l Prohibiting the reuse of recent passwords
Login management
l Authenticating a user identity based on the

account, password, and verification code.
l Specifying the time during which users
can log in
l Locking an account after the number of
failed logins reaches a limit
l Locking the GUI if no operation is
performed within a specified period of
time
User operation authentication
l Authenticating operation objects

l Authenticating operation NEs
l Limiting operation GUIs
l Specifying the MML commands that
users can execute
l Restricting directories that users can
access (over FTP or on the File
Manager tab of the WebLMT)
l Specifying message tracing permission
Centralized user monitoring
l Monitoring online user status

l Monitoring user operations
l Forcing users out
Centralized user management
l (EMS) to authenticate users in a

centralized manner
l Delivering and revoking rights of domain
users
l Degrading local user account
management
l Synchronizing local user account
management policies

SingleRAN
Function
Description
NOTE
l Local users perform O&M in the event of site deployment and transmission faults.
l Domain users perform routine O&M and are managed by the U2000 in centralized mode. The
centralized mode indicates that all the domain user accounts are created, modified, authenticated, and
authorized by the U2000.
l In addition to local and domain users, the base station controller provides the default OS root account
for logging in to the OMU to perform O&M.
l U2000 users can run the MOD OP command to remotely change the password for the admin account.
3.3.2 Login Authentication

User login authentication on an NE (a base station or base station controller) involves two types
of users:
l
Local users: Managed by the WebLMT
Domain users: Managed by the U2000
A domain user can also log in to the WebLMT to access an NE. In this case, the NE forwards
login authentication information to the U2000, which then authenticates the user.
As of SRAN8.0, user login security is enhanced through challenge-response authentication.
However, in versions earlier than SRAN8.0, user names and passwords are transmitted in
symmetric encryption mode, which is incompatible with the enhanced user login mechanism.
Therefore, a new MML command SET AUTHPOLICY is added and the AUTHPOLICY
(BSC6900,BSC6910,NodeB) parameter in this command is used to control the login mode. By
default, this parameter is set to COMPATIBLE_MODE(Compatible Mode), to allow both
the original and enhanced user login mechanisms. This parameter can be set to
ENHANCED_MODE(Enhanced Mode) only if no tool (or service) is directly connected to
the base station controller on the live network or if such a tool (or service) uses the enhanced
user login mechanism. Value ENHANCED_MODE(Enhanced Mode) is preferred, depending
on actual site requirements.
The machine-machine interface between the base station controller and the U2000 uses user
name EMSCOMM by default for mutual authentication. As of SRAN8.0, the password for the
default user can be changed either by performing operations on the U2000 or by running the
MOD OP command on the WebLMT.
NOTE
If both the U2000 and NEs support the enhanced user login mechanism, it is good practice to set
AUTHPOLICY(BSC6900,BSC6910,NodeB) to ENHANCED_MODE(Enhanced Mode) for security
purposes.
In challenge-response authentication mode, the authentication server sends a different question
("challenge") to the client, which must provide a valid answer ("response").
Verifying User Identities

Identities of users are verified by user names and passwords to ensure login security. The users
include local users managed by an NE or domain users who log in to an NE by using the
WebLMT.

10
SingleRAN
NOTE
When deployed or upgraded using USB flash drives, base stations verify the validity of the software
packages in USB flash drives by the digital signatures.
Controlling Login Time

The following login time control policies are used to ensure access security:
l
A validity period can be set for a user account. After the period elapses, login using the
account is not allowed. Administrators can modify validity periods of accounts.
Permissible access time ranges can be set for a user account. The ranges include validity
date ranges, time ranges, and week restrictions. Login is not allowed beyond the permissible
access time ranges.
Displaying Login Status

Users are prompted with login success or failure information to identify security risks, if any.
l
Login success information includes information about the last login success.
Login failure information does not include detailed information.
Locking Insecure Accounts

Administrators can enable or disable local user accounts or unlock locked user accounts.
Disabled or locked user accounts cannot be used for login. The identities of locked user accounts
cannot be checked.
Monitoring Users
The U2000 allows users to query information about online local and domain users and monitor
their status (login or logout). The U2000 can monitor all operations of specified online users.
When detecting that users are forcibly logged out, the U2000 disconnects the management
connections from the users.
Base stations and base station controllers determine the users to be monitored according to the
commands from the U2000 and report the results to the U2000.
3.3.3 User Rights Control

The base stations and base station controllers define five user levels: Administrator, Operator,
User, Guest, and Custom. Rights of these users to use command groups are restricted as follows:
l
The rights of Administrators, Operators, Users, and Guests to use command groups are
fixed.
The rights of Custom users to use command groups are defined depending on actual
requirements.
A command group is a group of commands that have the same attributes. For example, the G_8
command group consists of commands used to query equipment data, including the DSP
DSPUSAGE and DSP E1T1 commands. The LST CCG command can be used to query the
specific commands in a command group.
Table 3-3 lists the mapping between user levels and command groups.

11
SingleRAN
Table 3-3 Mapping between user levels and command groups

User Level
Command Group
Administrator
G_0&G_1&G_2&G_3&G_4&G_5&G_6&G_7&G_8&
G_9&G_10&G_11&G_12&G_13&G_14
Operator
G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&
G_10&G_11&G_12&G_13&G_14
User
G_0&G_2&G_4&G_6&G_7&G_8&G_9&G_10&G_1
1&G_12&G_13&G_14
Guest
G_0&G_2&G_4&G_6&G_8&G_13
Custom
To be added by the user
Users can perform operations only after a successful login. All user operations are monitored
and operation permission is controlled. All operations must be classified according to permission
levels.
User operation permission is controlled by using MML commands or performing WebLMT
menu operations. Each MML command or menu can be associated with a command group. Base
station controllers support authorizing users to use command groups. If a user is authorized for
a command group, the user can run all commands in the command group.
After a user logs in to the WebLMT, the WebLMT hides the controls (such as menus and buttons)
that the user is not authorized to operate.
Before users operate NEs and objects, or run commands, the system checks their operation
permission levels to determine whether the operations are allowed.
When users attempt to perform operations for which they have no permission, the system
displays a message indicating that the operations are not allowed.
User permission information is stored on servers. After users successfully log in to the clients,
the servers send user permission lists to the clients. The user permission lists are always stored
on clients before users log out.
The system does not allow users to run any commands beyond permissible time ranges.
If required, administrators can grant permission to a specific user. If users attempt to access base
station controllers beyond the permissible time range, the base station controllers refuse to
perform user authentication. If users use expired passwords for login, the system forces users to
change their passwords. Administrators can cancel password expiration policies.
3.3.4 Login Password Policy

The policy for controlling the login password can be set using the SET PWDPOLICY
command. The parameters in this command specify the thresholds for determining the password
policy priorities. Table 3-4 describes these parameters.

12
SingleRAN
Table 3-4 Parameters in the SET PWDPOLICY command

Parameter Name
High Priority
Medium Priority
Low Priority
password minimal
length
The value of this

parameter ranges
from 16 to 32.
The value of this

parameter is between
8 and 16.
The value of this

parameter ranges
from 6 to 8.
The value contains

uppercase letters,
lowercase letters,
digits, and special
characters.
The value contains

uppercase letters,
lowercase letters,
and digits.
The value contains

only digits.
password max miss

times
Auto Unlock Time
30 minutes
30 minutes
10 minutes
Resetting Interval of
Account Lock
Counter
10 minutes
5 minutes
2 minutes
Maximum Valid
Days
30 days
60 days
90 days
Expire Prompt Dates
5 days
5 days
5 days
Password History
Records Number
Maximum Single
Char Repeat Times
First Login Must

Modify Password
Switch
ON(Open)
ON(Open)
OFF(Close)
Weak Password
Dictionary Checking
Switch
ON(Open)
ON(Open)
OFF(Close)
(6 to 32 characters)
password
complicacy
(uppercase letter,
lowercase letter,
digit, special
character)
Recommended configurations are as follows:

l
Configuring the policy for high-complexity passwords

SET PWDPOLICY: PwdMinLen=18,
Complicacy=LOWERCASE-1&UPPERCASE-1&DIGIT-1&SPECHAR-1,
MaxMissTimes=2, AutoUnlockTime=30, RESETINTERVAL=10,
MAXVALIDDATES=30, MAXPROMPTDATES=5, HISTORYPWDNUM=3,
MaxRepeatCharTimes=2, FirstLoginMustModPWD=ON, DICTCHKSW=OFF;
Configuring the policy for medium-complexity passwords


13
SingleRAN

MaxRepeatCharTimes=2, FirstLoginMustModPWD=ON, DICTCHKSW=ON;
l
Configuring the policy for low-complexity passwords

MaxRepeatCharTimes=3, FirstLoginMustModPWD=OFF, DICTCHKSW=ON;
Password Usage Rules

To ensure that passwords are not disclosed, tampered with, or stolen, the system adheres to the
following password usage rules:
l
Passwords entered are displayed as asterisks (*).
Users must enter passwords twice when creating passwords, and the passwords entered
cannot be copied.
Users can change their passwords. The old password must be verified during a password
change.
Administrators can change their own passwords or other users' passwords. However,
administrators can only reset (not view) other user passwords during a password change.
User accounts are locked when the number of consecutive password attempts reached a
specified threshold.
Password Storage and Transmission Rules

The system adheres to the following password storage and transmission rules:
l
Passwords are encrypted using SHA256 when stored locally.
Administrators cannot retrieve passwords in the form of plaintext or query other user
passwords.
Password Validity Period Management

The system manages password validity periods using the following methods:
l
The system forces users to change their passwords when passwords expire.
When users first use default or factory passwords, which are automatically allocated by the
system, the system forces users to change the passwords.
The system prompts users to change their passwords before the passwords expire. If
passwords are not changed after expiration, users cannot log in to the system, but the
passwords can be modified or changed on the U2000. Administrators can disable password
expiration policies on the U2000.
3.3.5 FTP User Management

The base station controller has two FTP users:

14
SingleRAN
FtpUsr: Uses a third-party FTP client to log in to the FTP server on the base station controller
and then upload or download information about the base station controller.
U2000 user: Uploads or downloads data between the base station controller and the U2000.
In SRAN7.0 and earlier versions, user management is defined as follows:

l
FtpUsr: The MOD FTPPWD command can be used to change the password, but the
password policy does not take effect on this user.
U2000 user: The password can be changed on the U2000 GUI, but the password policy
does not take effect on this user.
SRAN8.0 and later versions have the following enhancements to user management:
l
When an FtpUsr changes the password, the base station controller checks the password
complexity according to the configured password policy. The base station does not check
the complexity of the password input by the user during software installation. Instead, the
user, when logging in to the FTP server, is prompted with a message indicating that the
password complexity is lower than the current configuration and must be changed.
However, the user can still use the password to log in to the FTP server without interrupting
the current FTP connection. The user will be forced to change the password to meet the
password complexity requirements after a specified period of time. When a U2000 user
changes the password, the base station controller checks the password complexity
according to the configured password policy. However, if a U2000 user fails to log in to
the FTP server, the base station controller does not lock the account but reports a security
alarm. This is because the password is used to secure data transmission over the southbound
interface, which connects the U2000 to the base station controller.
3.4 User Data Anonymization

Huawei equipment supports user data anonymization. This function makes user identity
information anonymous during maintenance and commissioning to protect personal privacy.
For details, see User Data Anonymization Feature Parameter Description.
3.5 Digital Signature-based Software Integrity Protection

3.5.1 Definition
Software integrity protection adds a digital signature to software by using a private key before
uploading software to the target server or NE. When a target NE downloads, loads, or runs
software, the NE authenticates the digital signature by using a matched public key. This ensures
end-to-end software reliability and integrity.
With this function, any virus or software tampering can be promptly detected. This prevents
malicious software from running on NEs.
3.5.2 Application Scenarios

Software integrity protection applies to the following scenarios:
l
Software installation

15
SingleRAN
Software upgrade
OS (DOPRA Linux) upgrade
OS (DOPRA Linux) driver upgrade
3.5.3 Digital Signature

Overview
Integrity protection adopts the following two techniques:
l
Hash algorithm: A one-way Hash function. A Hash algorithm converts an arbitrary data
block into a fixed-size bit string. The most commonly used Hash algorithms are MessageDigest algorithm 5 (MD5) and SHA-1.
Public key cryptography: A pair of public and private keys is used for encryption and
decryption. The two keys relate to each other and belong to the same holder. The public
key is published for use, whereas the private key is confidential.
Principles
Figure 3-2 illustrates the principles of digital signatures.
Figure 3-2 Digital signature principles
The procedure for adding a digital signature is as follows:

1.
A Hash algorithm calculates the message digest for the files to be signed in the software
package.
2.
The private key is used to encrypt the message digest.
3.
The encrypted message digest is saved to a digitally signed file.
The digitally signed file is then released with the software package.
After an NE or a U2000 receives the software package, it verifies the contained digital signature.
The procedure for verifying the digital signature is as follows:

16
SingleRAN
1.
The same Hash algorithm calculates the message digest for the files to be verified in the
software package.
2.
The public key is used to decrypt the digitally signed file to restore the message digest.
3.
The restored message digest is compared with the original message digest.
l If they are identical, the software was not tampered with.
l If they are different, the software was tampered with.
Huawei Software Digital Signature Solution

In addition to the CRC function, the Huawei software digital signature solution in SRAN6.0 and
later incorporates the SHA256 algorithm and public key cryptography-based digital signature.
The Huawei solution implements digital signature and authentication during the software life
cycle (including software generation, release, installation, and running) to ensure software
integrity protection.
Figure 3-3 illustrates the procedure for Huawei software digital signature solution.
Figure 3-3 Procedure for Huawei software digital signature solution

17
SingleRAN
1: Calculate SHA256 check codes.
2: Release the software package.
3: Download the software package.
4: Distribute the software package.
1.
In the software package generation phase, SHA256 check codes are calculated for each
software component in the software package and saved to check code files. The check code
files are then digitally signed with the private key.
The check code files indicate files that are encrypted and added with verification
information and the algorithms that are used.
2.
In the software version release phase, all software files and digitally signed files are
packaged and then uploaded to a version server, for example, http://support.huawei.com.
3.
In the software version upgrade phase, when the U2000, WebLMT, or upgrade tool
downloads the software package from the version server, the U2000, WebLMT, or upgrade
tool authenticates the software package by using the public key. This is to verify the
software package authenticity.
4.
Also in the upgrade phase, when the NE downloads the software package from the U2000,
WebLMT, or upgrade tool, the NE authenticates the software package by using the public
key to verify that the software has not been maliciously tampered with.
External attackers or unauthorized internal users may tamper with the software after the OMU
software is installed. Therefore, the base station controller checks the integrity of the software
on the OMU and reports only one ALM-20723 File Loss or Damage if one or more files are
damaged or lost. This alarm is cleared after all the damaged or lost files are restored.
For an OS upgrade, the U2000 or upgrade tool checks the integrity of the OS upgrade package.
For an OS driver upgrade, the driver upgrade tool checks the integrity of the OS drive package.
3.6 Time Security

3.6.1 SNTP Security for Base Station Controllers
The base station controller must synchronize its time with the SNTP server (for example, the
U2000) to ensure that the system time is accurate. Time synchronization uses SNTP and supports
two modes: plaintext mode and authentication mode. The mode used is specified by the
AUTHMODE(BSC6900,BSC6910) parameter. The authentication mode refers to the SNTP
security mode.
SNTP security prevents the base station controller from adjusting the time incorrectly after
receiving a time synchronization attack message. This improves the reliability of the base station
controller on the network and helps ensure normal O&M functions. The base station controller
encrypts time synchronization request information, adds the key ID and digest value to the time
synchronization request, then sends the request to the SNTP server. Upon receiving a time
synchronization response from the SNTP server, the base station controller identifies the
encryption algorithm and key according to the configured key ID, calculates the digest value
based on the received SNTP packet, and checks whether the calculated digest value is the same
as that contained in the SNTP packet. If so, the base station controller considers the SNTP packet
legal and synchronizes its time with the SNTP server. If not, the base station controller considers
the SNTP packet illegal and the base station controller discards it.

18
SingleRAN
The base station controller supports the SNTP V3 protocol and is compatible with the SNTP
server and NTP server. However, the time synchronization precision of the base station controller
is the same as that supported by SNTP.
3.6.2 NTP Security Authentication for Base Stations

Base stations are deployed on public networks. If a base station uses an invalid reference clock,
the time on the base station becomes incorrect. This may cause errors in information such as
error alarms and logs, affecting base station maintenance.
NTP security authentication protects the integrity and authenticates the source of NTP packets
received by base stations to ensure that base stations use valid reference clock. The
AUTHMODE, KEY, and KEYID parameters in the NTPCP MO on a base station functioning
as an NTP client must be set to the same values as those on the NTP server. NTP security
authentication supports Data Encryption Standard (DES) and MD5. DES has been cracked and
is not recommended. NTP security authentication uses digital signatures to verify NTP packets
to ensure the validity of the reference time received by base stations. Figure 3-4 illustrates the
principle for NTP security authentication.
Figure 3-4 Principle for NTP security authentication
If the AUTHMODE parameter in the NTPCP MO is not set to PLAIN(Plain), NTP security
authentication is performed in encryption mode. The authentication procedure is as follows:
1.
After calculating the checksum of NTP packets, the NTP server sends the checksum and
NTP packets to the base station.
2.
The base station calculates the checksum of the received NTP packets, and compares the
calculated checksum with that in the NTP packets.
l If the checksums are identical, the NTP packets were not tampered with during
transmission and pass the NTP security authentication.
l If the checksums are different, the NTP packets were tampered with and fail the NTP
security authentication.
If the AUTHMODE parameter in the NTPCP MO is set to PLAIN(Plain), the NTP server sends
NTP packets directly to the base station without encryption, and therefore the base station does
not need to decrypt the received NTP packets.
NOTE
Only 3900 series base stations support NTP.

19
SingleRAN
3.7 Security Alarms, Events, and Logs

3.7.1 Overview
The U2000 and the WebLMT manage security alarms, events, and logs. If security faults occur,
users can be informed of the faults and perform fault diagnosis according to the reported alarm
or event information. In addition, security risks and vulnerability can be analyzed by tracing
history security alarms and logs.
Since SRAN7.0, user information and IP addresses can be recorded in the operation logs of
specific domain users. In versions earlier than SRAN7.0, domain users for the U2000 are not
distinguished and are collectively named EMSCOMM.
Since SRAN7.0, log tracing has been enhanced. Detailed information about the traced objects
is recorded in the tracing logs.
3.7.2 Security Alarms and Events

Table 3-5 lists the security alarms and events that may be reported by the base station controller
when the related security faults occur.
Table 3-5 Security alarms and events
Alarm or Event ID
Alarm or Event Name
ALM-20723
File Loss or Damage
EVT-22813
Domain User Login Failed
EVT-22814
Local User Login Failed
EVT-22815
Local User Locked
EVT-22805
Local User Modifying Other Operator's

Password
ALM-20732
SSL Certificate File Abnormity
ALM-20850
Digital Certificate Will Be out of Valid Time
ALM-20851
Digital Certificate Loss, Expiry, or Damage
ALM-20852
Exceeded Failures of Logins by the Local

User
ALM-20714
OMU Time Synchronization Abnormity
Table 3-6 lists the security alarms that may be reported by the base station when the related
security faults occur.

20
SingleRAN
Table 3-6 Security alarms

Alarm ID
Alarm Name
ALM-26204
Board Not In Position
ALM-25670
Water Alarm
ALM-25671
Smoke Alarm
ALM-25672
Burglar Alarm
ALM-26830
Local User Consecutive Login Retries Failed
ALM-25950
Base Station Being Attacked
ALM-26266
Time Synchronization Failure
3.7.3 Security Logs and Security Audit

3.7.3.1 O&M Event Recording
Both base stations and base station controllers support security logs, in which security operations
and events during routine O&M are recorded and cannot be modified. Based on the recorded
information, the operators can perform security audit, identify sources of security accidents and
problems, and find ways to improve network security.
Logs record information about system security and user operations, and are classified into
operation logs of NEs and the U2000, system logs, and security logs. By querying logs, users
can obtain information about the running status, system security situation, and user operations
on NEs or the U2000. Users can also save logs as files or print them out.
The U2000 can centrally manage NE logs by performing the following:
l
Supporting centralized collection, query, measurement, analysis, and output of logs.
Recording information about its own running status, security events, and operations. The
information can be queried and audited.
Periodically collecting NE logs based on user settings.
Users can audit the security logs collected by the U2000 to evaluate O&M security.
O&M Event Recording

Logs of the U2000, base stations, and base station controllers record separate information about
system security and user operations, that is, O&M security-related events during the running
process.
Operation Logs
When commands are sent to NEs from the WebLMT or U2000, the command execution results
are saved in operation logs. The operation logs include those of the U2000 and NEs.

21
SingleRAN
Operation logs record the operations to create, modify, query, modify, load, switch over NEs
and so on. The operations can be manually performed by O&M personnel or automatically
started by scheduled tasks on the WebLMT or U2000.
System Logs
System logs mainly record the system running status of NEs or the U2000. System logs help
users to learn the system running status and identify causes of security faults. The system herein
refers only to Huawei-developed application systems and system logs include those of the U2000
and NEs.
System logs record the following information:
l
Abnormal status and actions while the system is running, such as active/standby
switchovers, storage failures, and timer expiration
Key events during system running, such as system startup and shutdown
Running status, such as startup, exit, and suspension, of the system process
Running status, such as startup, suspension, exit, and breakdown of key system threads
Usage of system resources, such as central processing unit (CPU), memory, and hard disk
Security Logs
Security logs record information about security events.
Security logs of base stations record the following:
l
Events related to account login, such as user login, user logout, account locking, and account
unlocking
Events related to account management, such as account addition, deletion, and

modification, password change, and permission modification
Events related to user authentication, such as unauthorized access
Security logs include those of the U2000 and NEs. Users can evaluate system security by auditing
security logs. For details, see Security Log Auditing.
Table 3-7 describes security events recorded in security logs that a base station controller can
provide.
Table 3-7 Security logs of a base station controller
Security Event Type
Security Log
Account login event
A domain user has logged in to the base

station controller.
A domain user has logged in to the base
station controller.
A local user has logged in to the base station
controller.
A local user has logged out of the base station
controller.

22
SingleRAN
Security Event Type
Security Log
The system locks a local user account whose
failed login attempts exceed the maximum
number.
The system automatically unlocks a local user
account after the locking time expires.
A local user account is manually unlocked.
A local user account is locked by the
administrator.
An account is automatically locked when the
password expires.
Account management event
A domain user or local user has been forced

to log out after having logged in to the base
station controller.
A local user account has been added,
removed, or modified.
The user group to which a local user belongs
has been changed.
The rights granted to a local user group have
been changed.
The commands in a command group have
been adjusted.
The rights granted to a local user have been
changed.
A local user has changed the user's password.
A local user has changed the password of
another user.
The account or password policy has been
changed.
OMU security event
The OMU has started or stopped, or active

and standby OMUs have been switched over.
Digital certificate security event
A digital certificate has been updated.
Upgrade-related security event
The driver has been upgraded.
OMU configuration-related security event
OMU network parameters, such as the

internal network, external network, VLAN,
mask, IP address, and host name, have been
modified.

23
SingleRAN
Security Event Type
Security Log
Active and standby OMUs have been
configured.
OMU security event for changing the

password of an initial account
The password of the admin account has been

changed.
The password of a database account has been
changed.
SNTP time synchronization event
SNTP time synchronization has failed.
Table 3-8 lists security-related operation logs that a base station controller can provide.
Table 3-8 Security-related operation logs
Security Event Type
Operation Log
Account authentication events
A domain user or local user fails to be

authenticated to perform a certain operation.
A user attempts to access an object without
the permission, which is specified when the
user is created by running the ADD OP
command.
The LST SECLOG and LST OPTLOG commands can be used to query security logs and
operation logs, respectively.
3.7.3.2 Centralized Log Management

The U2000 supports the following centralized management on U2000 logs and NE logs:
l
Log collection
Users can set log collection tasks and specify task periods to enable the U2000 to
periodically collect NE logs. Users can also set dumping and export of U2000 logs and NE
logs.
Log query and printing

By querying logs, users can obtain information about the running status, system security
situation, and user operations of the U2000 or NEs. Users can also save logs as files or print
them out.
Log analysis
Based on U2000 logs and NE logs collected, users can analyze such information as system
running status, security events, and operations.

24
SingleRAN
Log Collection
Users can collect and dump all operation logs, security logs, and system logs of the U2000 as
well as operation logs and security logs of NEs. NEs generate and save their own system logs
and automatically report the logs to the U2000. For details, see Log Management in the U2000
product documentation.
Log Query and Printing

For details about how to query or print logs on the U2000, see Log Management in the U2000
product documentation.
On the WebLMT, users can query log files generated during a time range, including operation
logs and security logs. For details, see MML Command Reference.
3.7.3.3 Security Log Auditing

Auditing Security Events
Security event auditing refers to a process where a base station or base station controller generates
audit records based on security events (security logs). Auditable security events include:
l
Startup and shutdown of the system or applications
User login success and failure events: Including information about user names, login time,
workstation (such as its IP addresses), and causes of login failures (such as incorrect
passwords and invalid accounts)
User logout success and failure events: Including information about user names, logout
time, workstation (such as its IP addresses), and causes of logout failures
Users' attempt to access resources without their permission
All O&M and configuration events: Including information about user names, O&M time,
workstation (such as its IP addresses), operations, and responses
Operations concerning user accounts and permission levels: Including addition, deletion,
and modification
Events to be recorded in security logs are configurable, and the configuration process must be
recorded in security events that can be audited. For details about how to audit security logs, see
Log Management in the U2000 product documentation.
Saving Security Logs

Both base stations and base station controllers use databases to save security logs. Users cannot
modify or delete these logs.
If the number of audit records saved in any security log exceeds 200,000, the base stations and
base station controllers transfer the earliest 10,000 records to a Flash to prevent the database
from overflowing.
If the number of saved logs reaches a limit, earliest logs will be discarded at the arrival of new
logs.

25
SingleRAN
NOTE
The maximum number of logs that can be saved can be configured by using the SET LOGLIMIT command
on a base station controller, but not on a base station.
Querying Security Logs

Users can query audit records available in databases. Both base stations and base station
controllers support query by time interval, user name, interface, workstation IP address, result,
and command name (for example, MML command names).
For details about how to query security logs, see Log Management in the U2000 product
documentation.
3.8 OMU Anti-attack

The integrated firewall performs the following operations on all IP data streams transmitted to
the OMU:
l
IP address filtering, which enables the OMU to only accept IP data streams from authorized
IP addresses and network segments
Defending against attacks, such as ICMP ping, IP fragmentation, low time to live (TTL),
Smurf, and distributed denial-of-service (DDoS) attacks
Defending against TCP sequence prediction attacks and synchronization (SYN) flood
attacks
Isolating the internal network from the external network on the base station controller side:
The base station controller discards packets whose destination IP addresses are internal IP
addresses or belong to an internal network segment.
For a properly running network, specifying whitelisted and blacklisted IP addresses is generally
not required and the base station controller does not restrict the IP addresses used for access.
Specifying whitelisted and blacklisted IP addresses can be used to improve the security of the
base station controller:
l
Whitelist: Only the specified IP address or IP addresses in the specified network segment
can be used to access the base station controller. The IP addresses can be specified for a
particular port or for all ports. Once some IP addresses are whitelisted, all the other IP
addresses are blacklisted and cannot be used for access.
Blacklist: The specified IP address or IP addresses in the specified network segment cannot
be used to access the base station controller. The IP addresses can be specified for a
particular port or for all ports. All IP addresses that are not blacklisted are whitelisted.
NOTE
Base stations do not have the OMU.
3.9 Security Policy Level Configuration

A large number of NEs are deployed on the RAN side and scattered. The required security
policies are various and complex. Therefore, security policies may be incorrectly or incompletely
configured.

26
SingleRAN
Security policy level configuration, designed to drastically simplify security policy

configuration, allows hierarchical management of security polices and parameters based on
security risks and best practices in the industry.
Security policy level configuration is implemented by Consistency Check\Security Policy
Level function on the CME. This function manages some security policies for the entire network
and supports user-defined security policy management. The security policies to be managed
include:
l
General security policies
Security policies that are vulnerable to attacks
Security policies that have little impacts on services
By default, there are two levels of security policies:

l
Level 1 enables security policies on condition that function compatibility is guaranteed.
Level 2 enables strongest security policies but may cause compatibility problems.
Table 3-9 provides a default example of the security policy configuration level template.
Table 3-9 Security policy configuration template
#
Property
Level 1
Level 2
Belonging to
OS Password
Complicacy
LOWERCASE-1&
DIGIT-1
LOWERCASE-1
&DIGIT-1&UPP
ERCASE-1
O&M security/
user
management
OS Password Minimal
Length
10
O&M security/
user
management
Set the Activation Status

of the Local OAM
Account
ON
OFF
O&M security/
user
management
Set Local OAM Account

Locked State
OFF
ON
O&M security/
user
management
OAM Password
Complicacy
LOWERCASE-1&
DIGIT-1
LOWERCASE-1
&DIGIT-1&UPP
ERCASE-1
O&M security/
user
management
OAM Password
Minimal Length
10
O&M security/
user
management
OAM Password Max

Period
120
90
O&M security/
user
management

27
SingleRAN
Property
Level 1
Level 2
Belonging to
Set OAM Login

Authentication Policy
AUTO
ONLY_HARD
O&M security/
OMCH
security
Set OAM Connection

SSL Mode
ALL
ONLY_SSL
O&M security/
OMCH
security
10
Set OAM Connection

SSL Authentication
Mode
NONE
PEER
O&M security/
OMCH
security
11
Set FTP SSL Mode
Auto
Encrypted
O&M security/
OMCH
security
12
Set FTP SSL Certificate

Authentication
NO
YES
O&M security/
OMCH
security
13
Set Web LMT login

policy
LOGIN_HTTPS_
ONLY
HTTPS_ONLY
O&M security/
Web security
14
Invalid Packet Check

Switch
ENABLE
ENABLE
Device
security/
integrated
firewall
15
ARP Spoofing Check

Switch
ENABLE
ENABLE
Device
security/
integrated
firewall
16
ARP Learning Strict

Switch
DISABLE
ENABLE
Device
security/
integrated
firewall
NOTE
Security policy level configuration invokes the batch configuration interface of an NE. Therefore, the
configuration restoration function on the CME can be used to roll back batch configuration or restore the
configurations of an NE.

28
SingleRAN
4 Engineering Guidelines
Engineering Guidelines
4.1 OMCH Security

OMCHs are secured using SSL. For details, see SSL Feature Parameter Description.
4.2 Web Security

4.2.1 When to Use Web Security
Web applications are vulnerable to attacks. It is good practice to configure the following:
l
Password security policy
WebLMT login policy
Rights to access File Manager on the WebLMT
4.2.2 Deployment
4.2.2.1 Requirements
None
4.2.2.2 Activation
4.2.2.2.1 Using MML Commands
To set the password security policy, perform the following step:
Step 1 Run the SET PWDPOLICY command to set the password security policy for local WebLMT
users.
----End
To set the WebLMT login policy, perform the following step:

29
SingleRAN
Step 1 Run the SET WEBLOGINPOLICY commandto set the policy for logging in to the WebLMT.
In this step, set Policy for login to LMT and transmission to an appropriate value.
Step 2 Run the RST OMUMODULE command to restart the WebLMT server for the configured
WebLMT login policy to take effect. In this step, set Target OMU to ACTIVE(Active
OMU) and Module Name to weblmt.
----End
NOTE
Running the RST OMUMODULE command disconnects all users from the WebLMT but does not affect
OMU services. The WebLMT server can be restarted within 5 seconds if no exception occurs during the
restart.
While the WebLMT server restarts, WebLMT clients are disconnected and therefore cannot receive the
restart command response from the WebLMT server. In addition, an error message indicating that the
command fails to be sent is displayed. Ignore this error prompt because the command was successfully
sent.
The configured WebLMT login policy takes effect only after you log out and then log back in to the
WebLMT.
You can run the LST WEBLOGINPOLICY command to query the current policy for logging in to the
WebLMT.
To configure the rights of the Custom user to access the File Manager, perform the following
steps:
Step 1 On the WebLMT GUI, click User-defined command Group to add commands and function
items to a specific command group.
Step 2 Run the ADD OP or MOD OP command with Operator Level set to Customs(Custom) and
Command Group set to the same value as that specified in Step 1.
----End
NOTE
The configured rights to access the File Manager take effect only after you log out and then log back in
to the WebLMT.
4.2.2.2.2 Using the CME

Security policy level configuration on the CME can be used to configure password security
policy and WebLMT login policy for existing base stations.
You can perform consistency check on the Current Area on the CME. If the check results need
to be delivered, create or select a planned area first.
Step 1 On the CME, choose CME > Advanced > Consistency Check > Security Policy Level (CME
client mode) to set the consistency check parameters for security policies.

30
SingleRAN
NOTE
Users can define parameters for security policies as required based on the default level settings. For contextsensitive help on a current task in the client, press F1.
Step 2 Select the NEs for which consistency check is to be performed, execute the check to generate a
check report.

31
SingleRAN
Step 3 Based on the check report, correct the configurations on NEs in batches in the event of
inconsistency.
----End
4.2.2.3 Activation Observation

N/A
4.3 User Management

4.3.1 When to Use User Management
User management includes the following security functions:
l
Login authentication
User rights control
FTP user management
4.3.2 Deployment
None
4.3.2.2 Activation
4.3.2.2.1 Using the MML Commands
Login Authentication
Currently, login authentication is performed in the following scenarios:
l
The U2000 is used for connection to a base station or base station controller.
In this scenario, the challenge-response mechanism is used for mutual authentication
between the U2000 and the NE. The user name EMSCOMM is used during the
authentication. The password for the user can be changed either by performing operations
on the U2000 or by running the MOD OP command on the WebLMT. The passwords
recorded must be the same on the U2000 and the NE to ensure a successful connection.
A third-party tool is used for direct connection to a base station controller.

To configure the login authentication mode in this scenario, run the SET
AUTHPOLICY command with the AUTHMODE parameter set to
COMPATIBLE_MODE(Compatible Mode) or ENHANCED_MODE(Enhanced
Mode) based on site requirements. ENHANCED_MODE(Enhanced Mode) is preferred.
If this parameter is set to COMPATIBLE_MODE(Compatible Mode), both the
original and enhanced user login mechanisms are supported.

32
SingleRAN
If this parameter is set to ENHANCED_MODE(Enhanced Mode), only the enhanced

user login mechanism is supported.
User Rights Control

You can add users in either of the following scenarios:
l
To add a user of a predefined level (Administrator, Operator, User, or Guest), do not

configure the user's rights to use command groups, because the system has allocated fixed
command group rights to the user.
To add a Custom user, configure the user's rights to use command groups.
To add a user of a predefined level (for example, Operator), perform the following step:
Step 1 Run the ADD OP command to add an Operator user. In this step, set User Group to OPERATOR
(Operator).
----End
NOTE
The command group lists that an Operator user has the rights to use are always
G_0&G_2&G_3&G_4&G_5&G_6&G_7&G_8&G_9&G_10&G_11&G_12&G_13&G_14 and cannot
be changed.
To add a Custom user who has the rights to use the G_22 command group including the COL
LOG command so that the user can collect log files, perform the following steps:
Step 1 Run the SET CCGN command to configure G_22 as the command group.
Step 2 Run the ADD CCG command to add commands to the G_22 command group. In this step, add
the COL LOG command to the command group.
Step 3 Add a Custom user and configure the rights to use the G_22 command group for the user.
----End
FTP User Management

To configure FTP clients to use encrypted transmission, perform the following step:
Step 1 Run the SET FTPSCLT command with The Encrypted Mode set to ENCRYPTED(SSL
Encrypted).
----End

33
SingleRAN
NOTE
An FTP client refers to a module that has the FTP client function on the OMU. The SET FTPSCLT
command takes effect on all FTP clients.
After SSL encrypted transmission is configured for an FTP client, the FTP server must also be configured
with SSL encrypted transmission before running FTP-related MML commands, Otherwise, the MML
commands fail to be executed.
If the Support SSL Certificate Authentication(BSC6900,BSC6910) parameter is set to YES(Yes), a
digital certificate must be configured for the connected server. Otherwise, file upload and download fail.
For instructions on how to configure digital certificates when the U2000 functions as the FTP server, choose
Security Management > Data Management > Configuring Digital Certificates > Importing Cross
Digital Certificates > Installing a Device Digital Certificate > Activating a Device Digital
Certificate > Follow-up Procedure in the U2000 online help.
You can run the LST FTPSCLT command to query the transmission encryption mode of FTP clients.
To configure the FTP server to use encrypted transmission, perform the following steps:
Step 1 Run the SET FTPSSRV command with Transport Encrypted Mode set to ENCRYPTED
(SSL Encrypted).
NOTE
If the FTP server is configured with the SSL encrypted transmission mode, the same mode must also be
configured for all FTP clients that access the FTP server. The detailed configuration method varies
depending on the third-party FTP client software.
Step 2 Reset the ftp_server module for the encrypted transmission mode to take effect.
1.
Run the DSP OMU command to query the OMU mode. If only one result for Operational
state is displayed, the OMU works in standalone mode. If two results for Operational
state are displayed, the OMUs work in active/standby mode.
2.
Run the RST OMUMODULE command to reset the ftp_server module on the active
OMU. In this step, set Module Name to ftp_server.
If the OMU works in standalone mode, the encrypted transmission mode takes effect after
you perform this step. If the OMU works in active/standby mode, go to 3.
3.
Run the RST OMUMODULE command to reset the ftp_server module on the standby
OMU. In this step, set Module Name to ftp_server.
----End
To configure the port for transmitting data over FTP, perform the following step:
Step 1 Run the SET FTPSSRV command to the value range of ports for transmitting data over FTP.
In this step, set Passive mode data port lower limit and Passive mode data port upper
limit to appropriate values.
----End
NOTE
You can run the LST FTPSSRV command to query the encryption mode of the FTP server and the value
range of ports for transmitting data over FTP.

The transmission encryption mode for FTP clients can be configured using security policy level
configuration on the CME. For details, see the 4.2 Web Security.

34
SingleRAN

N/A
4.4 User Data Anonymization

Wireless networks use the Hash algorithm to makes individual identification fields anonymous
in maintenance and commissioning data to protect individual privacy. For details, see User Data
Anonymization Feature Parameter Description.
4.5 Digital Signature-based Software Integrity Protection

This function is always enabled and is not configurable.
4.6 Time Security

Correct time synchronization guarantees normal operation of O&M systems. A standalone NTP
server needs to be configured and wireless NEs function as NTP clients. NTP security ensures
correct time synchronization. The NTP server is generally configured by operators and therefore
the NTP security policies on wireless NEs are configured based on the interworking requirements
of the NTP server.
4.6.1 Deployment of SNTP Security for Base Station Controllers

Parameters related to time synchronization are configured on the NTP server.
4.6.1.2 Activation
To configure the SNTP security for a base station controller, perform the following step:
Step 1 Run the ADD SNTPSRVINFO command to add the IP address and port number for the SNTP
server on the base station controller and set the SNTP time synchronization security policy.
----End
NOTE
Set Key ID, Encryption Algorithm, and Key if SNTP security is used. Based on the values of these
parameters, the base station controller sends encrypted and authenticated time synchronization requests to
the SNTP server and authenticates the time synchronization responses from the SNTP server.
You can run the LST SNTPCLTPARA command to query information about the SNTP server.

NTP security is activated if the NTP parameters are correctly configured and NTP link status is
normal.

35
SingleRAN
4.6.2 Deployment of NTP Security Authentication for Base Stations

Parameters related to time synchronization are configured on the NTP server.
4.6.2.2 Data Preparation

Table 4-1 describes key parameters that must be set in the NTPCP MO to activate NTP security
authentication.
Table 4-1 Data to prepare before activating NTP security authentication
MO
Parameter
Name
Parameter
ID
Setting Notes
Data Source
NTPCP
IPv4 Address
of NTP Server
IP
This parameter specifies the

IPv4 address of the NTP
server.
Network plan
(negotiation
not required)
Port Number
PORT

number of the time
synchronization port on the
NTP server. The NTP client
synchronizes with the NTP
server through the specified
port.
Network plan
(negotiation
not required)
Synchronizati
on Period
SYNCCYCL
E

NTP time synchronization
interval.
Network plan
(negotiation
not required)
Authenticatio
n Mode
AUTHMOD
EP

NTP authentication mode.
Network plan
(negotiation
not required)
Authenticatio
n Key
KEY

key used for NTP
authentication.
Network plan
(negotiation
not required)
Authenticatio
n Key Index
KEYID

index of the authentication key
on the NTP server. The local
index must be the same as that
on the NTP server.
Network plan
(negotiation
not required)
4.6.2.3 Activation

36
SingleRAN
4.6.2.3.1 Using MML Commands

Step 1 Run the ADD NTPC command to configure an NTP client on a base station.
----End
4.6.2.3.2 MML Command Examples

//Configuring an NTP client
ADD NTPC: MODE=IPV4, IP="192.168.88.168", PORT=123, SYNCCYCLE=10, AUTHMODE=PLAIN;
Using the CME to Perform Single Configuration

On the CME, set the parameters listed in the "Data Preparation" section for a single base station.
For detailed instructions, see CME Single Configuration Operation Guide.
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 4-2 in a summary data file, which also contains
other data for the new base stations to be deployed. Then, import the summary data file into the
CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized
file, depending on the following conditions:
l
The MO in Table 4-2 is contained in a scenario-specific summary data file. In this situation,
set the parameters in the MOs, and then verify and save the file.
The MO in Table 4-2 is not contained in a scenario-specific summary data file. In this
situation, customize a summary data file to include the MO before you can set the
parameters.
Table 4-2 MO related to NTP security
MO
Sheet in the
Summary Data
File
Parameter Group
Remarks
NTP
Common Data
NTP IP, NTP IP

Mask, Port,
SyncCycle,
Authentication
Mode,
Authentication
Key,
Authentication Key
Index, MasterFlag,
IpMode
For instructions about how to perform batch configuration for each type of base stations, see the
following sections in 3900 Series Base Station Initial Configuration Guide.

37
SingleRAN
For a NodeB, see "Creating NodeBs in Batches."
For an eNodeB, see "Creating eNodeBs in Batches."
For a separate-MPT multimode base station, see "Creating Separate-MPT Multimode Base
Stations in Batches."
For an eGBTS and a co-MPT multimode base station, see "Creating Co-MPT Base Stations
in Batches."
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple base stations in a single procedure. The procedure is as follows:
Step 1 After creating a planned data area, choose CME > Advanced > Customize Summary Data
File (U2000 client mode), or choose Advanced > Customize Summary Data File (CME client
mode), to customize a summary data file for batch reconfiguration.
NOTE
For context-sensitive help on a current task in the client, press F1.
Step 2 Export the base station data stored on the CME into the customized summary data file.
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Export Data > Export Base Station Bulk Configuration Data (U2000
client mode), or choose SRAN Application > MBTS Application > Export Data > Export
Base Station Bulk Configuration Data (CME client mode).
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Export Data > Export eGBTS Bulk Configuration Data
(U2000 client mode), or choose GSM Application > Export Data > Export eGBTS Bulk
Configuration Data (CME client mode).
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Export Data > Export Base Station Bulk Configuration
Data (U2000 client mode), or choose UMTS Application > Export Data > Export Base
Station Bulk Configuration Data (CME client mode).
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose
CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data
(U2000 client mode), or choose LTE Application > Export Data > Export Base Station
Bulk Configuration Data (CME client mode).
Step 3 In the summary data file, set the parameters in the MOs listed in Table 4-2 and close the file.
Step 4 Import the summary data file into the CME
l For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS
Application > Import Data > Import Base Station Bulk Configuration Data (U2000
client mode), or choose SRAN Application > MBTS Application > Import Data > Import
Base Station Bulk Configuration Data (CME client mode).
l For separate-MPT GSM-involved multimode base stations or GO base stations: Choose
CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data
(U2000 client mode), or choose GSM Application > Import Data > Import eGBTS Bulk
Configuration Data (CME client mode).
l For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose
CME > UMTS Application > Import Data > Import Base Station Bulk Configuration

38
SingleRAN
Data (U2000 client mode), or choose UMTS Application > Import Data > Import Base
l For separate-MPT LTE-involved multimode base stations or LO base stations: Choose
CME > LTE Application > Import Data > Import Base Station Bulk Configuration
Data (U2000 client mode), or choose LTE Application > Import Data > Import Base
----End

To verify that NTP security authentication is activated on a base station, perform the following
steps:
Step 1 Run the LST NTPC command to query the NTP configuration information. Verify that the
parameter settings in the command output are consistent with that configured in the activation
procedure.
Step 2 Run the DSP NTPC command to query the time synchronization information of the base station.
Verify that the value of Link State of Current NTP Server is Available in the command output.
Step 3 Run the LST LATESTSUCCDATE command to query the latest successful time
synchronization of the base station. Verify that the value of Latest Successful Synchronization
Time is the same as the time that time synchronization was recently performed.
----End
If all the preceding verifications are true, NTP security authentication is activated.
4.6.2.5 Reconfiguration
To change the authentication mode for a base station, run the MOD NTPC command and change
the encryption algorithm on the NTP server to be consistent as that on the base station.
4.6.2.6 Deactivation
N/A
4.7 Security Alarms, Events, and Logs

Security alarms, events, and logs are always enabled and do not involve engineering guidelines.
4.8 OMU Anti-attack

4.8.1 When to Use OMU Anti-Attack
OMU anti-attack is supported by base station controllers but not base stations. The IPTable
function of the OS is used to implement OMU anti-attack.
Configuring the whitelist and blacklist for the IPTable function has high risks. To ensure the
normal operation of a base station controller, do not configure the whitelist or blacklist if the
network runs properly.

39
SingleRAN
4.8.2 Required Information

Collect the IP address and port data of the OMU and any peer NE that exchanges service data
with the OMU.
4.8.3 Deployment
None
4.8.3.2 Activation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -A INPUT -s restricted IP -i Ethernet adapter -p
transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
----End
l
Set restricted IP to an IP address to be denied or allowed access. The IP address can be a

single IP address or IP addresses in a network segment.
Set Ethernet adapter to the external network adapter of the OMU.
Set transport protocol to TCP or UDP. This parameter is used with restricted port.
Set restricted port to the port over which access is denied.
If you do not specify the -p transport protocol and --dport restricted port parameters, access
over all ports is denied.
The following is a command example used to allow only users in the 10.141.148.0 network
segment to access the WebLMT:
iptables -A INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
NOTE
"!" is a logical negation operator.
----End

Step 1 Log in to the PC whose IP address has been restricted.
Step 2 Run the DOPRA Linux command iptables L to query all filtering criteria on the OMU. Verify
that the new criteria have been added successfully.
l If access over port 80 is denied, you cannot access the WebLMT. In this situation, check
whether you can access the WebLMT on the PC.
l If access over port 22 is denied, you cannot log in to the OMU remotely. In this situation,
check whether you can log in to the OMU using PuTTY on the PC.
NOTE
Execute caution when disabling port 22, because this operation prohibits users from remotely logging in
to the OMU.

40
SingleRAN
l If access over port 21 is denied, you cannot access the ftp_server module on the OMU. In
this situation, check whether you can access the ftp_server module on the OMU using an
FTP client on the PC.
----End
4.8.3.4 Deactivation
Step 1 Log in to the OMU locally or remotely using PuTTY.
Step 2 Run the DOPRA Linux command iptables -D INPUT -s restricted IP -i Ethernet adapter -p
transport protocol --dport restricted port -j DROP. In this step, set parameters as follows:
l Set restricted IP to an IP address to be denied or allowed access. The IP address can be a
single IP address or IP addresses in a network segment.
l Set Ethernet adapter to the external network adapter of the OMU.
l Set transport protocol to TCP or UDP. This parameter is used with restricted port.
l Set restricted port to the port over which access is denied.
If you do not specify the -p transport protocol and --dport restricted port parameters, access
over all ports is denied.
Step 3 Run the DOPRA Linux command iptables L to query all filtering criteria on the OMU. Verify
that the new criteria have been removed successfully.
----End
The following command example is used to deactivate OMU anti-attack.
iptables -D INPUT -s ! 10.141.148.0/255.255.255.0 -i bond1 -p tcp --dport 80 -j DROP
4.9 Security Policy Level Configuration

This function is configured using batch configuration management of common security policies
on the CME. Therefore, no engineering guidelines are involved.

41
SingleRAN
5 Parameters
Parameters
Table 5-1 Parameter description

Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MaxMissTimes
BSC6900
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
password retries
when a user logs
in. When
password retries
by a user exceed
this number, this
user is locked.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3

42
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MaxMissTimes
BSC6910
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
password retries
when a user logs
in. When
password retries
by a user exceed
this number, this
user is locked.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3
MAXMISSTIM
ES
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
SET
PWDPOLICY
None
None
LST
PWDPOLICY
Meaning:Indicates the
maximum times
of attempts with
incorrectly
entered
passwords.If the
times of
attempts with
incorrectly
entered
passwords
exceed this
parameter,the
NE will lock the
operator
account.
GUI Value
Range:1~255
Unit:None
Actual Value
Range:1~255
Default Value:3

43
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
AutoUnlockTim
e
BSC6900
SET
PWDPOLICY
None
None
Meaning:Durati
on after which a
locked user is
unlocked
automatically.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30
AutoUnlockTim
e
BSC6910
SET
PWDPOLICY
None
None
Meaning:Durati
on after which a
locked user is
unlocked
automatically.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30
AUTOUNLOC
KTIME
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
SET
PWDPOLICY
None
None
LST
PWDPOLICY
unlocking time
after the account
is locked
because of
incorrect
password inputs.
GUI Value
Range:1~65535
Unit:min
Actual Value
Range:1~65535
Default Value:
30

44
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
PwdMinLen
BSC6900
SET
PWDPOLICY
None
None
Meaning:Minim
um length of an
LMT login
password. When
a password is
shorter than this
length, the
password is
invalid.
GUI Value
Range:6~32
Unit:None
Actual Value
Range:6~32
Default Value:8
PwdMinLen
BSC6910
SET
PWDPOLICY
None
None
Meaning:Minim
um length of an
LMT login
password. When
a password is
shorter than this
length, the
password is
invalid.
GUI Value
Range:6~32
Unit:None
Actual Value
Range:6~32
Default Value:8

45
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
Complicacy
BSC6900
SET
PWDPOLICY
None
None
Meaning:Compl
exity of a
password.
LOWERCASE
(Lowercase)
indicates that the
password must
include
lowercase
letters.
UPPERCASE
(Uppercase)
indicates that the
password must
include
uppercase
letters. DIGIT
(Digit) indicates
that the
password must
include digits.
SPECHAR
(Special
character)
indicates that the
password must
include special
characters.
Special
characters are ~!
@#$%^&*()_+{}|[]:<>?./.
GUI Value
Range:LOWER
CASE
(Lowercase),
UPPERCASE
(Uppercase),
DIGIT(Digit),
SPECHAR
(Special
character)
Unit:None
Actual Value
Range:LOWER
CASE,
UPPERCASE,

46
SingleRAN
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
DIGIT,
SPECHAR
Default
Value:LOWER
CASE:
1,UPPERCASE
:1,DIGIT:
1,SPECHAR:0

47
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
Complicacy
BSC6910
SET
PWDPOLICY
None
None
Meaning:Compl
exity of a
password.
LOWERCASE
(Lowercase)
indicates that the
password must
include
lowercase
letters.
UPPERCASE
(Uppercase)
indicates that the
password must
include
uppercase
letters. DIGIT
(Digit) indicates
that the
password must
include digits.
SPECHAR
(Special
character)
indicates that the
password must
include special
characters.
Special
characters are ~!
@#$%^&*()_+{}|[]:<>?./.
GUI Value
Range:LOWER
CASE
(Lowercase),
UPPERCASE
(Uppercase),
DIGIT(Digit),
SPECHAR
(Special
character)
Unit:None
Actual Value
Range:LOWER
CASE,
UPPERCASE,

48
SingleRAN
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
DIGIT,
SPECHAR
Default
Value:LOWER
CASE:
1,UPPERCASE
:1,DIGIT:
1,SPECHAR:0
MaxRepeatChar
Times
BSC6900
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
single character
repeats allowed
in an LMT login
password. When
a single
character in a
password
repeats for more
times than this
number, the
password is
invalid.
GUI Value
Range:2~32
Unit:None
Actual Value
Range:2~32
Default Value:2

49
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MaxRepeatChar
Times
BSC6910
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
single character
repeats allowed
in an LMT login
password. When
a single
character in a
password
repeats for more
times than this
number, the
password is
invalid.
GUI Value
Range:2~32
Unit:None
Actual Value
Range:2~32
Default Value:2
MAXVALIDD
ATES
BSC6900
SET
PWDPOLICY
None
None
Meaning:Days
between the day
when a
password takes
effect and the
day when the
password
expires. The
password
becomes invalid
after being valid
for the days.
GUI Value
Range:1~999
Unit:day
Actual Value
Range:1~999
Default Value:
90

50
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MAXVALIDD
ATES
BSC6910
SET
PWDPOLICY
None
None
Meaning:Days
between the day
when a
password takes
effect and the
day when the
password
expires. The
password
becomes invalid
after being valid
for the days.
GUI Value
Range:1~999
Unit:day
Actual Value
Range:1~999
Default Value:
90
MAXPROMPT
DATES
BSC6900
SET
PWDPOLICY
None
None
Meaning:Longe
st days for which
users are
prompted in
advance to
notice that the
password is
going to expire.
When this day
arrives, users
will be
prompted with
the remaining
days.
GUI Value
Range:1~255
Unit:day
Actual Value
Range:1~255
Default Value:5

51
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
MAXPROMPT
DATES
BSC6910
SET
PWDPOLICY
None
None
Meaning:Longe
st days for which
users are
prompted in
advance to
notice that the
password is
going to expire.
When this day
arrives, users
will be
prompted with
the remaining
days.
GUI Value
Range:1~255
Unit:day
Actual Value
Range:1~255
Default Value:5
HISTORYPWD
NUM
BSC6900
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
historical
passwords that
can be saved.
When this
number is
reached, the
earliest
historical
password will be
deleted at the
arrival of a new
one.
GUI Value
Range:1~10
Unit:None
Actual Value
Range:1~10
Default Value:5

52
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
HISTORYPWD
NUM
BSC6910
SET
PWDPOLICY
None
None
Meaning:Maxi
mum number of
historical
passwords that
can be saved.
When this
number is
reached, the
earliest
historical
password will be
deleted at the
arrival of a new
one.
GUI Value
Range:1~10
Unit:None
Actual Value
Range:1~10
Default Value:5
FirstLoginMustModPWD
BSC6900
SET
PWDPOLICY
None
None
Meaning:Switch
for forcing users
to change the
password upon
their first login
to the LMT.
GUI Value
Range:OFF
(Close), ON
(Open)
Unit:None
Actual Value
Range:ON, OFF
Default
Value:OFF
(Close)

53
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
FirstLoginMustModPWD
BSC6910
SET
PWDPOLICY
None
None
Meaning:Switch
for forcing users
to change the
password upon
their first login
to the LMT.
GUI Value
Range:OFF
(Close), ON
(Open)
Unit:None
Actual Value
Range:ON, OFF
Default
Value:OFF
(Close)

54
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
DICTCHKSW
BSC6900
SET
PWDPOLICY
None
None
Meaning:Switch
for checking
whether the
password is in
the weak
password
dictionary when
users add or
modify user's
password. Weak
passwords are
inlcuded in the
weak password
dictionary. After
this switch is
turned on, you
must not use
common words
or combinations
of simple letters
and digits as
passwords, such
as 111111,
aaaaaa, abc123,
linda, and
snoopy.
GUI Value
Range:OFF
(Close), ON
(Open)
Unit:None
Actual Value
Range:ON, OFF
Default
Value:OFF
(Close)

55
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
DICTCHKSW
BSC6910
SET
PWDPOLICY
None
None
Meaning:Switch
for checking
whether the
password is in
the weak
password
dictionary when
users add or
modify user's
password. Weak
passwords are
inlcuded in the
weak password
dictionary. After
this switch is
turned on, you
must not use
common words
or combinations
of simple letters
and digits as
passwords, such
as 111111,
aaaaaa, abc123,
linda, and
snoopy.
GUI Value
Range:OFF
(Close), ON
(Open)
Unit:None
Actual Value
Range:ON, OFF
Default
Value:OFF
(Close)

56
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
AUTHMODE
BSC6900
ADD
SNTPSRVINF
O
None
None
Meaning:Authe
ntication mode
used when the
active OMU
(NTP client)
synchronizes
with the NTP
server.
GUI Value
Range:PLAIN
(PLAIN),
NTPV3
(NTPV3)
Unit:None
Actual Value
Range:PLAIN,
NTPV3
Default
Value:PLAIN
(PLAIN)
AUTHMODE
BSC6910
ADD
SNTPSRVINF
O
None
None
Meaning:Authe
ntication mode
used when the
active OMU
(NTP client)
synchronizes
with the NTP
server.
GUI Value
Range:PLAIN
(PLAIN),
NTPV3
(NTPV3)
Unit:None
Actual Value
Range:PLAIN,
NTPV3
Default
Value:PLAIN
(PLAIN)

57
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
AUTHMODE
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
encryption
mode. If this
parameter is set
to PLAIN, data
is transmitted in
plaintext.
MOD NTPC
LST NTPC
GUI Value
Range:PLAIN
(Plain), DES_S
(DES_S),
DES_N
(DES_N),
DES_A
(DES_A), MD5
(MD5)
Unit:None
Actual Value
Range:PLAIN,
DES_S,
DES_N,
DES_A, MD5
Default
Value:PLAIN
(Plain)

58
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
KEY
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
Meaning:Indicates the key

used for NTP
authentication.
The key used in
the DES_S
algorithm is a
hexadecimal
number whose
length is 64 bits
in binary format.
The seven least
significant bits
of each byte are
used to construct
56-bit key data,
and the eighth
bit is the odd
parity bit for
each byte. Any
empty bit is
filled with 0 to
ensure that the
key data is
composed of 16
hexadecimal
digits and has an
odd number for
parity check.
The key used in
the DES_N
algorithm is
similar to the
key used in the
DES_S
algorithm. The
only difference
is that in the key
used in the
DES_N
algorithm, the
most significant
bit is used for
parity check of
each byte. The
key used in the
DES_A
algorithm is an
MOD NTPC
LST NTPC

59
SingleRAN
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
ASCII string of
one to eight
characters. The
seven least
significant digits
of the ASCII
value
corresponding
to each character
are used to
construct 56-bit
key data. For
any ASCII
string of less
than eight
characters, 0s
are appended to
the string to
ensure that the
key data is
composed of 56
bits. The key
used in the MD5
algorithm is an
encrypted
ASCII string of
one to eight
characters.
GUI Value
Range:1~16
characters
Unit:None
Actual Value
Range:1~16
characters
Default
Value:None

60
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
KEYID
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
Meaning:Indicates the serverside index of the

NTP
authentication
key. The index
must be the same
as the setting on
the server.
MOD NTPC
LST NTPC
GUI Value
Range:
1~4294967295
Unit:None
Actual Value
Range:
1~4294967295
Default
Value:None
IP
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
MOD NTPC
RMV NTPC
SET
MASTERNTPS
Meaning:Indicates the IPv4

address of the
NTP server.
GUI Value
Range:Valid IP
address
Unit:None
Actual Value
Range:Valid IP
address
Default Value:
0.0.0.0

61
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
PORT
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
Meaning:Indicates the port

number of the
NTP server. An
NTP client
performs time
calibration with
the NTP server
through the port
specified by this
parameter.
MOD NTPC
LST NTPC
GUI Value
Range:
123~5999,6100
~65534
Unit:None
Actual Value
Range:
123~5999,6100
~65534
Default Value:
123

62
SingleRAN
5 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
SYNCCYCLE
BTS3900,
BTS3900
WCDMA,
BTS3900 LTE
ADD NTPC
None
None
Meaning:Indicates the period

based on which
NTP time
synchronization
is performed
periodically.
The switch for
periodic NTP
time
synchronization
is turned on
automatically.T
he time of a base
station may have
differences with
the standard
time, and a large
difference
affects the
accuracy of
KPIs. Therefore,
a period must be
configured for
the base station
to perform time
synchronization
with the NTP
server
periodically to
ensure the
accurate time.
The period for
periodic NTP
time
synchronization
must be
configured
based on the
NTP server
performance,
transport
network quality,
and base station
quantity. A
smaller period
for periodic
NTP time
MOD NTPC
LST NTPC

63
SingleRAN
Parameter ID
NE
MML
Command
5 Parameters
Feature ID
Feature Name
Description
synchronization
leads to higher
loads for the
NTP server and
transport
network. A
larger period
leads to lower
loads.
GUI Value
Range:
1~525600
Unit:min
Actual Value
Range:
1~525600
Default
Value:None

64
SingleRAN
6 Counters
Counters
There are no specific counters associated with this feature.

65
SingleRAN
7 Glossary
Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.

66
SingleRAN
8 Reference Documents
Reference Documents
1.
GBSS Security Overview Feature Parameter Description for GSM BSS
2.
SSL Feature Parameter Description for SingleRAN
3.
User Data Anonymization Feature Parameter Description for SingleRAN

67

OM Security (SRAN9.0 - Draft A) PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

OM Security (SRAN9.0 - Draft A) PDF

Încărcat de

Drepturi de autor:

Formate disponibile

SingleRAN

OM Security Feature Parameter

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

Huawei Proprietary and Confidential

3.7.3.2 Centralized Log Management................................................................................................................................24

Huawei Proprietary and Confidential

4.8.1 When to Use OMU Anti-Attack................................................................................................................................39

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

1 About This Document

About This Document

MRFD-210305 Security Management

LBFD-004010 Security Management

TDLBFD-004010 Security Management

1.2 Intended Audience

Need to understand the features described herein

Work with Huawei products

1.3 Change History

Huawei Proprietary and Confidential

1 About This Document

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

Operation and maintenance

User data anonymization

Security alarms, events, and

Security policy level

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

3.1 OMCH Security

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

3.2 Web Security

HTTPS-based Data Transmission

3.2.2 User Authentication

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

The authentication module uses a brute-force cracking prevention mechanism to authenticate

The password policies for local users are as follows:

The minimum password length is specified by PwdMinLen(BSC6900,BSC6910).

The password complexity is specified by Complicacy(BSC6900,BSC6910).

The maximum number of single character repetitions is specified by

The period in which a password remains valid is specified by MAXVALIDDATES

The maximum number of login retries is specified by MaxMissTimes

The warning before the password expires (days) is specified by MAXPROMPTDATES

Users can change their passwords.

The maximum number of previously used passwords recorded is specified

If FirstLoginMustModPWD(BSC6900,BSC6910) is set to ON(Open), users are required

If DICTCHKSW(BSC6900,BSC6910) is set to ON(Open), users cannot use the passwords

Password security-related parameters can be configured using the SET PWDPOLICY

3.2.3 HTTPS-based Data Transmission

Issue Draft A (2014-01-20)

Huawei Proprietary and Confidential

Table 3-1 WebLMT login policy

Cross-site scripting attack

Remote file inclusion attack

Directory traversal attack

Issue Draft A (2014-01-20)