SingleRAN
Equipment Security Feature Parameter Description

Issue 04
Date 2014-09-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 04 (2014-09-15). Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.

Contents

1 About This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History
1.4 Differences Between Base Station Types
2 Overview
3 Technical Description
3.1 Physical Security
3.2 OS Security
3.2.1 OS Hardening
3.2.2 OS Patches
3.2.3 Antivirus Software
3.3 Integrated Firewall
3.3.1 ACL-based Packet Filtering
3.3.2 Automatic ACL Rule Configuration
3.3.3 Network Attack Prevention
3.4 Physical Port Security
3.4.1 For the Base Station Controller
3.4.2 For the Base Station
3.4.3 Port Mirroring Security
3.4.4 Secure USB Flash Drive
4 Engineering Guidelines
4.1 OS Security
4.2 Integrated Firewall
4.2.1 Required Information
4.2.2 Deployment for the Base Station Controller
4.2.3 Deployment for Base Stations
4.3 Physical Port Security
4.3.1 When to Use Physical Port Security
4.3.2 Data Preparation
4.3.3 Activation
4.3.4 Activation Observation
4.3.5 Deactivation
5 Parameters
6 Counters
7 Glossary
8 Reference Documents

1 About This Document

1.1 Scope

This document describes equipment security, including its technical descriptions, engineering guidelines, and parameters.

This document covers the following features:

- GBFD-118601 Abis over IP
- WRFD-050402 IP Transmission Introduction on Iub Interface
- MRFD-210102 Operate System Security Management
- MRFD-210305 Security Management
- LBFD-004010 Security Management
- LOFD-003014 Integrated Firewall
- LOFD-00301401 Access Control List (ACL)
- LOFD-00301402 Access Control List (ACL) Auto Configuration
- TDLBFD-004010 Security Management
- TDLOFD-003014 Integrated Firewall
- TDLOFD-00301401 Access Control List (ACL)
- TDLOFD-00301402 Access Control List (ACL) Auto Configuration

Table 1-1 defines all types of base stations.

Table 1-1 Base station definition

Base Station Name | Definition
GBTS | GBTS refers to a base station deployed with GTMU.
eGBTS | eGBTS refers to a base station deployed with UMPT_G.
NodeB | NodeB refers to a base station deployed with WMPT or UMPT_U.
eNodeB | eNodeB refers to a base station deployed with LMPT or UMPT_L.
Co-MPT multimode base station | Co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMPT_GL, UMPT_GT, UMPT_UL, UMPT_UT, UMPT_GUL, UMPT_GUT, or UMPT_GULT, and it functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a Co-MPT multimode base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB.
Separate-MPT multimode base station | Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, base stations deployed with GTMU and WMPT are called separate-MPT GSM/UMTS dual-mode base stations.

1.2 Intended Audience

This document is intended for personnel who:

- Need to understand the features described herein
- Work with Huawei products

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes:

- Feature change: changes in features of a specific product version
- Editorial change: changes in wording or addition of information that was not described in the earlier version

SRAN9.0 04 (2014-09-15)

This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Optimized descriptions about the automatic ACL rule configuration function. For details, see 3.3.2 Automatic ACL Rule Configuration and 4.2.3 Deployment for Base Stations. | None
Editorial change | Optimized descriptions about ICMP flood attack prevention. For details, see ICMP Flood Attack Prevention. | None

SRAN9.0 03 (2014-07-25)

This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Optimized descriptions about the engineering guidelines of automatic ACL rule configuration. For details, see 4.2 Integrated Firewall. | None

SRAN9.0 02 (2014-05-30)

This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Optimized descriptions about automatic ACL rule configuration. For details, see 3.3.2 Automatic ACL Rule Configuration. | None

SRAN9.0 01 (2014-04-26)

This is the first commercial release of SRAN9.0. This issue does not include any changes.

SRAN9.0 Draft B (2014-02-28)

This issue includes the following changes.

Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Added the description about the feature and function difference between different site types. For details, see 1.4 Differences Between Base Station Types. | None

SRAN9.0 Draft A (2014-01-20)

This document is created for SRAN9.0. It originates from Base Station and OM Security Feature Parameter Description and Base Station Controller and OM Security Feature Parameter Description of SRAN8.0. Compared with SRAN8.0, SRAN9.0 adds the following sections:

- 3.3.2 Automatic ACL Rule Configuration
- 3.4.3 Port Mirroring Security

1.4 Differences Between Base Station Types

LampSite base stations are distributed base stations that provide indoor coverage. In this document, LampSite base stations work in UMTS, LTE, or UMTS+LTE mode, but not in GSM mode.

In this document, micro base stations are all integrated entities. They work in UMTS or LTE FDD mode, but not in GSM or LTE TDD mode. Descriptions of boards, cabinets, subracks, slots, and RRUs are not relevant to micro integrated base stations. The following base stations are single-mode ones, without co-MPT or separate-MPT multimode applications:

- BTS3202E
- BTS3203E
- BTS3803E
- BTS3902E


Feature Support by Macro, Micro, and LampSite Base Stations

Feature ID | Feature Name | Supported by Macro Base Stations | Supported by Micro Base Stations | Supported by LampSite Base Stations
WRFD-050402 | IP Transmission Introduction on Iub Interface | Yes | Yes | Yes
GBFD-118601 | Abis over IP | Yes | No | No
MRFD-210102 | Operate System Security Management | Yes | Yes | Yes
MRFD-210305 | Security Management | Yes | Yes | Yes
LOFD-003014 | Integrated Firewall | Yes | Yes | Yes
LOFD-00301401 | Access Control List (ACL) | Yes | Yes | Yes
LBFD-004010 | Security Management | Yes | Yes | Yes
LOFD-00301402 | Access Control List (ACL) Auto Configuration | Yes | Yes | Yes
TDLOFD-003014 | Integrated Firewall | Yes | No | No
TDLOFD-00301401 | Access Control List (ACL) | Yes | No | No
TDLBFD-004010 | Security Management | Yes | No | No
TDLOFD-00301402 | Access Control List (ACL) Auto Configuration | Yes | No | No

Function Implementation in Macro, Micro, and LampSite Base Stations

Function | Difference
Physical security | As integrated entities, micro base stations differ from macro base stations in physical security and port security.


2 Overview

Table 2-1 lists the equipment security measures supported by Huawei network elements (NEs) in SRAN9.0.

Table 2-1 Supported security measures

Security Measures | MBSC | eGBTS | NodeB | eNodeB | MBTS
Physical security
OS security
  OS hardening  - - - -
  OS patches  - - - -
  Antivirus software  - - - -
Integrated firewall
Physical port security
Hierarchical configuration of security policies  x

NOTE

√ indicates that the NE supports this security measure. x indicates that the NE does not support this security measure. - indicates that the NE does not involve this security measure.

NOTE

In this document, MBSC is called the base station controller, and eGBTS, NodeB, eNodeB and MBTS are collectively referred to as the base station. For details about equipment security measures for the GBTS, see GBTS Equipment and OM Security Feature Parameter Description. For details about integrated firewall measures for the GBTS, see GBTS Integrated Firewall Feature Parameter Description.

3 Technical Description

Equipment security refers to physical security, OS security, integrated firewall, physical port security, and hierarchical configuration of security policies.

3.1 Physical Security

Physical security refers mainly to physical security measures.

Base station controllers and indoor base stations are often located in equipment rooms with door locks to protect them against illegal intrusion. In addition, they are housed in cabinets with locks and door status switches on top. Only authorized users can open the cabinet, and alarms are reported for unauthorized access to cabinets. They can also be configured with environment monitoring units and sensors to detect the equipment room environment and report related alarms (such as water alarms and smoke alarms).

Outdoor base stations are secured in cabinets with door locks.

Micro base stations are highly integrated and secured with special screws. Therefore, they are hard to disassemble after being installed.

3.2 OS Security

Base stations have integrated OSs that are reinforced before delivery. This section focuses on OS security of the base station controller.

The OMU acts as the bridge to exchange information between the base station controller and other NEs. The OMU of the base station controller can run any of the following OSs:

- SUSE Linux: OS of the BSC6000. After the BSC6000 is upgraded to the BSC6900, the OS remains unchanged by default.
- Windows: OS of the BSC6810. After the BSC6810 is upgraded to the BSC6900, the OS remains unchanged by default.
- DOPRA Linux: OS installed on the OMUs in all base station controllers (BSC6900 and BSC6910) by default. The BSC6910 supports only DOPRA Linux.
- Euler Linux: OS required when the BSC6910 must support built-in ECO6910.

Base station controllers apply OS hardening, OS patches, and antivirus software to improve OS security. DOPRA Linux is a Huawei-developed OS that does not require antivirus software.

3.2.1 OS Hardening

OS software has security holes and risks, which may be exploited by local or remote attackers to impose security threats on the OS and related software, thereby affecting the normal operation of the OS.

Huawei provides separate OS hardening solutions for SUSE Linux, Windows, and DOPRA Linux. These solutions cover network access, network security, system service, and system installation to improve antivirus and anti-attack capabilities, system reliability, and the service quality of the entire network. The OS hardening solutions include the following functions:

- Disabling unnecessary services
- Reinforcing Secure Shell (SSH) services
- Restricting access to files and directories
- Authorizing system access
- Managing user passwords
- Recording operation logs
- Detecting system malfunctions

Different OSs use different software to implement OS hardening:

- Windows OS uses the iPSI SEK SetWin software for OS hardening. For details about how to implement OS hardening using the iPSI SEK SetWin software, see "Appendix: Installing the iPSI SEK SetWin Software" in BSC6900 UMTS OMU Administration Guide.
- SUSE Linux OS uses the SEK SetSuse software for OS hardening. For details about how to implement OS hardening using the SEK SetSuse software, see "Appendix: the SEK SetSuse Software" in BSC6900 GSM OMU Administration Guide.
- DOPRA Linux is a Huawei-developed OS. It is reinforced before delivery and therefore does not require additional hardening.

NOTE

For details about OS hardening for DOPRA Linux, see Dopra Linux OS Security Feature Parameter Description of SingleRAN.

3.2.2 OS Patches

The policies for releasing OS patches are as follows:

- Windows OS patches are released twice a year.
- DOPRA Linux/SUSE Linux OS patches are released once a year.

NOTE

For details about OS patches for a specific product version, see the corresponding release notes.

Windows basic patch packages or Linux patch packages have been installed on the base station controller before delivery. Users can obtain other patch packages by choosing Wireless > SingleRAN > SRAN O&M tools at http://support.huawei.com. Users can also contact Huawei technical support engineers to obtain the patch packages.

Users can install patches for a Huawei base station controller in either of the following modes:

- In local mode, O&M engineers must log in to the OMU OS to install OS patches. The O&M engineers can install the patches for only one base station controller at a time.
- In remote mode, O&M engineers must use Huawei network management software to install OS patches. The O&M engineers can simultaneously install the patches for multiple base station controllers.

3.2.3 Antivirus Software

In the demilitarized zone (DMZ) of the O&M network, a virus code update server is deployed. This server obtains the latest virus codes or upgrade packages from the Internet. The antivirus server (OfficeScan or TMCM) in the internal O&M network is not directly connected to the Internet. Instead, it is connected to the virus code update server for upgrades. After the antivirus server is upgraded, it automatically upgrades the virus codes and upgrade packages on the entire network.

Table 3-1 lists the Huawei antivirus software solution.

Table 3-1 Huawei antivirus software solution

OMU OS | Windows
Antivirus Server | OfficeScan
Antivirus Client | OfficeScan

NOTE

- Antivirus client refers to equipment for which antivirus software must be configured. The client may be a server (such as the CME server or base station controller OMU) or a maintenance terminal (such as the U2000 client or WebLMT).
- DOPRA Linux and Euler Linux OSs do not require any antivirus software. Antivirus software cannot be deployed on SUSE Linux OS. Upgrade the SUSE Linux OS to DOPRA Linux OS before deploying any antivirus software.
- All antivirus software must pass the compatibility test before installation.

3.3 Integrated Firewall

The integrated firewall filters attack packets to improve equipment security. Currently, the integrated firewall provides the following functions:

- Access control list (ACL)-based packet filtering
- Automatic ACL rule configuration
- Network attack prevention

3.3.1 ACL-based Packet Filtering

ACLs are used to filter IP packets. The base station can be configured with ACL-based packet filtering to filter out attack packets and unwanted packets, thereby improving security. Based on ACLs, the base station can determine whether to accept or reject incoming IP packets. An ACL consists of a set of ACL rules.

On the base station side, ACL rules are used to filter out unauthorized Layer 2, Layer 3, and Layer 4 packets.

- The base station filters out Layer 2 packets by the presence of VLAN tags in the packets.
- The base station filters out Layer 3 and Layer 4 packets by combinations of the protocol type, source IP address, destination IP address, source port number, destination port number, and differentiated services code point (DSCP).

The ADD PACKETFILTER command is used to enable packet filtering for a transmission port. Key parameters in this command are as follows:

- PT and PN specify the transmission port type and port number, respectively.
- Packet filtering on a transmission port of the base station has two configurations:
  - Blacklisting configuration: If the MB parameter in the PACKETFILTER MO and the ACTION parameter in the ACLRULE MO are set to PERMIT(Permit) and DENY, respectively, the base station accepts only incoming packets that do not match filtering rules.
  - Whitelisting configuration: If the MB parameter in the PACKETFILTER MO and the ACTION parameter in the ACLRULE MO are set to DENY(Deny) and PERMIT, respectively, the base station discards incoming packets that do not match filtering rules.
- ACLID specifies the ID of an ACL, a set of ACL rules. The ACL must have been defined in the ADD ACL command. An ACL rule is configured using the ADD ACLRULE command. ACL rules on the base station side are classified as follows:
  - Layer 3 or Layer 4 ACL rules: The base station filters packets by the source IP address (specified by the SIP parameter), destination IP address (DIP), source IP address mask (SWC), destination IP address mask (DWC), DSCP (DSCP), protocol type (PT), source port number (SPT1), and destination port number (DPT1).
  - Layer 2 ACL rules: The VLANIDOP parameter controls whether the base station filters packets by VLAN tag. If so, packets are filtered based on the setting of VLANID1.

NOTE

If the packet filtering function is configured to filter out packets without VLAN tags, all Layer 2, Layer 3, and Layer 4 packets without VLAN tags will be discarded.

ACL-based packet filtering must be configured based on the outbound transmission interfaces of co-transmission single-mode and multimode base stations. Only the Ethernet interfaces support ACL-based packet filtering.

With the intelligent whitelisting function, the base station controller automatically generates an ACL in advance for incoming packets. After receiving a data packet, the base station controller or eCoordinator checks whether the data packet complies with the ACL rules. If so, the base station controller or eCoordinator accepts the data packet. If not, the base station controller or eCoordinator discards the data packet. The search criteria for ACL rules include the source IP address, destination IP address, port number, protocol type, and DSCP priority. The intelligent whitelisting function is always enabled and is not configurable.
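The blacklisting and whitelisting configurations described in this section, modelled as an added example (not Huawei code and not the base station's implementation): a PACKETFILTER default action (MB), ACLRULE entries using the parameter names above, and sample packets constructed here. First-match ordering, the wildcard conventions (mask 0.0.0.0, port 0, protocol ANY, DSCP None) and the sample addresses and ports are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PERMIT, DENY, ANY = "PERMIT", "DENY", "ANY"


@dataclass(frozen=True)
class Packet:
    """Fields of an incoming packet that the ACL rules inspect."""
    sip: str
    dip: str
    pt: str                        # protocol type: TCP, UDP, SCTP, ICMP, ...
    spt: int = 0                   # source port (0 for protocols without ports)
    dpt: int = 0                   # destination port
    dscp: int = 0
    vlan_id: Optional[int] = None  # None models a frame without a VLAN tag


def _masked_equal(addr: str, rule_addr: str, mask: str) -> bool:
    """Compare two addresses under a mask; mask 0.0.0.0 matches anything."""
    a, r, m = (int(IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


@dataclass(frozen=True)
class AclRule:
    """One ACLRULE entry. Parameter names follow the page; the wildcard values
    (mask 0.0.0.0, port 0, PT ANY, DSCP None) are a convention of this model."""
    action: str                    # ACTION: PERMIT or DENY
    sip: str = "0.0.0.0"           # SIP
    swc: str = "0.0.0.0"           # SWC: source address mask
    dip: str = "0.0.0.0"           # DIP
    dwc: str = "0.0.0.0"           # DWC: destination address mask
    pt: str = ANY                  # PT: protocol type
    spt1: int = 0                  # SPT1: source port
    dpt1: int = 0                  # DPT1: destination port
    dscp: Optional[int] = None     # DSCP
    vlanidop: bool = False         # VLANIDOP: also filter by VLAN tag?
    vlanid1: int = 0               # VLANID1: tag required when vlanidop is set

    def matches(self, pkt: Packet) -> bool:
        if self.vlanidop and pkt.vlan_id != self.vlanid1:
            # A rule keyed on a VLAN tag never matches an untagged frame, so a
            # VLAN whitelist discards every untagged packet (see the NOTE above).
            return False
        return (_masked_equal(pkt.sip, self.sip, self.swc)
                and _masked_equal(pkt.dip, self.dip, self.dwc)
                and self.pt in (ANY, pkt.pt)
                and self.spt1 in (0, pkt.spt)
                and self.dpt1 in (0, pkt.dpt)
                and self.dscp in (None, pkt.dscp))


def evaluate(mb: str, rules: List[AclRule], pkt: Packet) -> str:
    """MB (PACKETFILTER) is the verdict for packets matching no rule; otherwise
    the first matching rule's ACTION decides (first-match order is assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return mb


# Constructed sample configuration for an eNodeB at 10.20.0.5.
ENB_IP = "10.20.0.5"
HOST = "255.255.255.255"
WHITELIST = [  # MB=DENY plus PERMIT rules: the whitelisting configuration
    AclRule(PERMIT, sip="10.10.1.0", swc="255.255.255.0", dip=ENB_IP, dwc=HOST,
            pt="SCTP", dpt1=36412),      # S1-MME signaling from the MME subnet
    AclRule(PERMIT, sip="10.10.2.7", swc=HOST, dip=ENB_IP, dwc=HOST,
            pt="UDP", dpt1=2152),        # GTP-U user plane from the SGW
]
BLACKLIST = [  # MB=PERMIT plus DENY rules: the blacklisting configuration
    AclRule(DENY, pt="ICMP"),            # drop ICMP from anywhere
]
VLAN_WHITELIST = [  # accept only VLAN 100 traffic from the transport network
    AclRule(PERMIT, sip="10.10.0.0", swc="255.255.0.0", vlanidop=True, vlanid1=100),
]


def demo() -> dict:
    """Run constructed packets through each configuration."""
    s1 = Packet("10.10.1.20", ENB_IP, "SCTP", spt=36412, dpt=36412, vlan_id=100)
    ping = Packet("10.10.1.20", ENB_IP, "ICMP", vlan_id=100)
    untagged = Packet("10.10.1.20", ENB_IP, "SCTP", spt=36412, dpt=36412)
    return {
        "whitelist_s1": evaluate(DENY, WHITELIST, s1),              # PERMIT
        "whitelist_ping": evaluate(DENY, WHITELIST, ping),          # DENY: PING needs a manual rule
        "blacklist_s1": evaluate(PERMIT, BLACKLIST, s1),            # PERMIT
        "blacklist_ping": evaluate(PERMIT, BLACKLIST, ping),        # DENY
        "vlan_tagged": evaluate(DENY, VLAN_WHITELIST, s1),          # PERMIT
        "vlan_untagged": evaluate(DENY, VLAN_WHITELIST, untagged),  # DENY
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```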

3.3.2 Automatic ACL Rule Configuration

Base stations support automatic ACL rule configuration. The automatic configuration is an improvement to communication matrix-based ACL rule configuration for intelligent whitelisting, which is complex and error prone. In SRAN9.0, ACL rules to be configured for intelligent whitelisting are categorized into the following two groups:

- Automatically configured ACL rule group: This group is used to ensure setups of basic services. Based on related MOs, base stations automatically create the ACL rules applicable to the signaling packets, service packets, O&M packets, clock packets, and security packets. The ACL rules can also apply to FTP connections and are triggered based on related MOs or maintenance commands for establishing FTP connections. The ACL rules for FTP connections are dynamically configured, that is, rules are automatically created when an FTP connection is set up and removed after the FTP connection is disconnected. The ACL rules in this group are collectively defined by the source IP address, source port number, protocol type, destination IP address, and destination port number.
- Manually configured ACL rule group: This group is used for maintenance and commissioning data and other functions that do not affect services and are seldom used. For a separate-MPT multimode base station with co-transmission and a base station on a cascaded network, ACL rules must be manually configured for data flows to be forwarded.

Automatic ACL rule configuration applies only to signaling packets, service packets, O&M packets, clock packets, and security packets. If a base station or its peer NE (such as the base station controller, MME, or SGW) is configured with MOs for maintenance and testing, such as PING, PATH PING, TRACERT, TWAMP, IPPM, BFD, and DHCP RELAY, ACL rules for the related packets must be manually configured.

Automatic ACL rule configuration is controlled by the ACLAUTOSWITCH parameter in the ADD PACKETFILTER or MOD PACKETFILTER command. If this parameter is set to ON(ON), automatic ACL rule configuration is enabled. If this parameter is set to OFF(OFF), automatic ACL rule configuration is disabled. In end point configuration mode, this function is controlled by the PACKETFILTERSWITCH parameter.

After automatic ACL rule configuration is enabled, it is good practice not to change or delete the automatically configured ACL rules.

- If you change an ACL rule in non-end point configuration mode, the rule before the change will be restored automatically and all changes will be neutralized.
- If you change an ACL rule in end point configuration mode, the rule before the change will not be automatically restored, which may cause link faults.
  - If the X2 link is disconnected, an automatic X2 link setup is triggered, resulting in automatic ACL rule configuration for the X2 interface.
  - If the S1 link is disconnected, an automatic S1 link setup is not triggered. You need to trigger automatic ACL rule configuration again by turning off and then turning on EPGROUP.PACKETFILTERSWITCH for the S1 interface.
- If you delete an ACL rule in non-end point configuration mode, the rule before the change will be restored automatically.
- If you delete an ACL rule in end point configuration mode, the rule before the change will not be restored automatically, which may cause link faults.
  - If the X2 link is disconnected, an automatic X2 link setup is triggered, resulting in automatic ACL rule configuration for the X2 interface.
  - If the S1 link is disconnected, an automatic S1 link setup is not triggered. You need to trigger automatic ACL rule configuration again by turning off and then turning on EPGROUP.PACKETFILTERSWITCH for the S1 interface.

Automatically configured ACL rules are recorded in the configuration database and can be queried using the LST ACLRULE command. If an ACL rule fails to be recorded, recording retries are initiated until the ACL rule is recorded in the configuration database. Links may be disconnected due to a recording failure and are restored after a successful recording.

Automatic Configuration Mechanism

With automatic ACL rule configuration, a base station obtains its IP addresses and its peer NE's IP address based on the corresponding MO and then creates ACL rules for packets sent from the peer NE.

The base station checks the setting of only one MO for specific packets, regardless of whether the MO is being used or functional. For example:

- For O&M packets from the U2000, the base station automatically creates ACL rules based on the OMCH MO. If two sets of the OMCH MO are configured in active/standby mode, the base station creates ACL rules for both, regardless of whether the active or standby OMCH is effective.
- For signaling packets from the base station controller or MME, the base station automatically creates ACL rules based on the SCTPLNK MO, even if the signaling link setup fails due to an incorrect configuration or a negotiation failure.
- For security packets from the SeGW, the base station automatically creates all ACL rules based on the IKEPEER MO, regardless of whether this MO is referenced by the IPSECPOLICY or IPSECBIND MO.

Before automatic ACL rule configuration is enabled, the OMCH MO must be configured. An automatically configured ACL rule for an MO is removed or modified when the MO is removed or modified. The automatic configuration, modification, and removal of ACL rules take a specific period of time. If other configuration commands are run in the period, a message is normally displayed, indicating that a configuration is being exported.

    Application Scenariosl When a separate-MPT multimode base station with co-transmission works in an RAT, ACL

    rules for this RAT are automatically created for signaling packets, service packets, O&Mpackets, clock packets, and security packets. However, ACL rules must be manuallyconfigured for maintenance and commissioning data in this RAT and all data of other RATs.

    l For cascaded base stations, the current-level base station automatically creates ACL rulesonly for signaling packets, service packets, O&M packets, clock packets, and securitypackets that it receives. ACL rules must be manually configured for maintenance andcommissioning data of the current-level base station and all data of the lower-level basestations.

    Automatically Configured ACL Rule GroupTable 3-2 describes the entire group of ACL rules that are automatically created based on relatedMOs or commands. - indicates that the related packets are not filtered.


Table 3-2 Automatically configured ACL rule group

Related MO | Peer NE | SRCIP | SRCPORT | PT | DSTIP | DSTPORT
OMCH | U2000 | - | - | TCP | IP address of the OMCH | 6007
OMCH | U2000 | - | - | UDP | IP address of the OMCH | 45300
OMCH | U2000 | - | - | TCP | IP address of the OMCH | 4443
OMCH | U2000 | - | - | TCP | IP address of the OMCH | 443
OMCH | U2000 | - | - | TCP | IP address of the OMCH | 6000
OMCH | U2000 | - | - | TCP | IP address of the OMCH | 6006
All MOs or maintenance commands in FTP connection mode | Control plane | IP address of the server | 21 by default (the port number varies, depending on the parameter settings in the FTPSCLTDPORT MO) | TCP | IP address of the base station | A dynamically allocated port number
All MOs or maintenance commands in FTP connection mode | Data plane (PORT mode) | IP address of the server | 0-65535 | TCP | IP address of the base station | A dynamically allocated port number
All MOs or maintenance commands in FTP connection mode | Data plane (PASV mode) | IP address of the server | A dynamically allocated port number | TCP | IP address of the base station | A dynamically allocated port number
IPCLKLINK | PTP | IP address of the server | 319 | UDP | IP address of the base station | 319
IPCLKLINK | PTP | IP address of the server | 320 | UDP | IP address of the base station | 320
IPCLKLINK | Huawei proprietary protocol | IP address of the server | 35001 | UDP | IP address of the base station | 33003
NTPC | NTP server | IP address of the server | PORT | UDP | IP address of the OMCH | 9051
IKEPEER | SeGW | IP address of the SeGW | 500 | UDP | IP address of the base station | 500
IKEPEER | SeGW (NAT) | IP address of the SeGW | 4500 | UDP | IP address of the base station | 4500
CA | CA server | IP address of the server | PORT | TCP | IP address of the base station | 1024-65535
CRLTSK (with Access Method set to LDAP(LDAP)) | CR or CRL server | IP address of the server | PORT | TCP | IP address of the base station | 1024-65535
SCTPLNK (in link configuration mode) | Base station controller/MME/peer base station | IP address of the peer NE | PORT | SCTP | IP address of the base station | PORT
SCTPHOST and SCTPPEER (in end point configuration mode) | Base station controller/MME/peer base station (Abis/Iub/S1/X2) | IP address of the peer NE | - | SCTP | IP address of the base station | -
IPPATH (in link configuration mode) | Base station controller | IP address of the peer NE | 1024-65535 | UDP | IP address of the base station | 1024-65535
IPPATH (in link configuration mode) | SeGW or peer base station | IP address of the peer NE | 1024-65535 | UDP | IP address of the base station | 2152
USERPLANEPEER and USERPLANEHOST (in end point configuration mode) | Base station controller | IP address of the peer NE | - | UDP | IP address of the base station | -
USERPLANEPEER and USERPLANEHOST (in end point configuration mode) | SeGW and peer base station (S1/X2) | IP address of the peer NE | - | UDP | IP address of the base station | 2152
- | DHCP server | - | 67 | UDP | - | 68


NOTE

Automatic ACL rule configuration on the signaling link and the service link differs between end point configuration mode and link configuration mode. Automatic ACL rule configuration in end point configuration mode does not filter on the source and destination port numbers of data flows, because only the IP address of the peer NE is obtained during the automatic setup of an X2 link. Automatic ACL rule configuration in link configuration mode filters on the source and destination port numbers of data flows.

A macro base station is incapable of IPsec-based NAT and does not generate ACL rules for filtering packets over port 4500. A micro base station supports IPsec-based NAT and generates ACL rules for filtering packets over port 4500 in NAT scenarios.

ACL rules for DHCP relay packets must be manually configured for a base station enabled with both packet filtering and DHCP relay. For a base station enabled with packet filtering but not DHCP relay, manual ACL rule configuration for DHCP packets is not required because:

- During base station deployment, no ACL rules are required because the packet filtering function has not taken effect.

- When the base station is running, ACL rules are automatically configured in the event of OMCH disconnections, regardless of the switch status for automatic ACL rule configuration. If the OMCH is disconnected, the base station tries to restore the OMCH, enters the listening state, starts a DHCP detection, and automatically configures an ACL rule (as listed in the last row of the preceding table) for DHCP packets. After the base station exits the listening state, it deletes this ACL rule. The ID of this automatically configured ACL rule is 65531. If an existing ACL rule uses the same ID, the existing ACL rule is automatically modified to allow DHCP packets to reach the base station. After the DHCP detection ends, the existing ACL rule is restored to the original one.

Currently, a base station enables automatic ACL rule configuration for O&M packets over the following ports: 6007, 45300, 4443, 443, 6000, and 6006. The six ports are enabled by default after the OMCH MO is configured.

- Port 6007: Used for connecting the base station to the U2000 for tests, MML control, trace management, and alarm reporting

- Port 45300: Used for receiving OMCH switchover requests from the U2000

  During an OMCH switchover, the base station receives an OMCH switchover request from the U2000. In the request, the destination port number is 45300. The request is triggered in any of the following scenarios:

  - The base station is configured with two OMCHs, and the U2000 sends the request to switch over O&M data from one OMCH to the other.
  - The base station is configured with one OMCH and the U2000 is configured with two OM IP addresses. When a switchover of OM IP addresses occurs, the U2000 sends the request.
  - The base station is configured with two OMCHs. When a user removes the active OMCH, the U2000 sends the request to switch over O&M data to the other OMCH.

  In order for the base station to receive OMCH switchover requests from the U2000, port 45300 is enabled by default after the OMCH MO is configured.

- Port 4443: Used for SSL-type digital certificate authentication initiated by the U2000

- Port 443: Used for data configuration and maintenance in secure LMT mode

  Currently, base stations use the WebLMT, which uses ports 443 and 80 for HTTPS and HTTP connections to each base station, respectively. HTTPS connection is used by default, and therefore port 443 instead of port 80 is enabled for automatic ACL rule configuration.

- Port 6000: Used for transmitting maintenance commands and responses (in MML format) between the network information collector (NIC) and a base station

- Port 6006: Used for transmitting maintenance commands and responses (in BIN format) between the network information collector (NIC) and a base station

If the source IP address in the CRLTSK MO uses the default IP address 0.0.0.0, the OM IP address of the base station is used as the source IP address during communication. Therefore, the OM IP address is used as the destination IP address (that is, the base station's IP address) in automatically configured ACL rules. If both active and standby OM IP addresses are configured, separate ACL rules for the CRLTSK MO are configured.

For the NTPC MO, the OM IP address of the base station is used as the source IP address during communication. Therefore, the OM IP address is used as the destination IP address (that is, the base station's IP address) in automatically configured ACL rules. If both active and standby OM IP addresses are configured, separate ACL rules for the NTPC MO are configured.

If the local IP address in the IKEPEER MO uses the default IP address 0.0.0.0, an interface IP address of the base station is used as the source IP address during communication. The base station can be configured with multiple interface IP addresses, and therefore 0.0.0.0 is used as the destination IP address (that is, the base station's IP address) in automatically configured ACL rules, in compliance with the setting in the IKEPEER MO. Therefore, specify an appropriate local IP address in the IKEPEER MO when automatic ACL rule configuration is enabled.

Based on a base station's communication matrix, automatic ACL rule configuration is used for intelligent whitelisting on the entire base station. The configured ACL rules distinguish between boards and ports. If the IP address of a base station is configured as 0.0.0.0 or a loopback address for data flows, the automatically configured ACL rules are added to the ACL groups where the automatic ACL rule configuration switch is enabled for packet filtering. In other cases, the automatically configured ACL rules are added only to the ACL group referenced by packet filtering enabled for the port where the local IP address resides.

ACL-based packet filtering is configured on the transmission ports. With this function, a base station filters packets from other NEs. If the base station has multiple transmission ports, a data flow may have different inbound and outbound ports on the base station. Specifically, the data flow is sent over port 1 in the uplink and received over port 2 in the downlink. In this case, it is recommended that the base station use a logical IP address.

Automatic ACL Rule Configuration for FTP Packets

ACL rules for FTP packets are dynamically configured according to the FTP connection status. The related parameters of ACL rules can be queried using the DSP ACLRULE command when an FTP connection is active. One FTP connection, composed of one control-plane link and one user-plane link, requires two ACL rules. If automatic ACL rule configuration is enabled for FTP packets, 12 ACL rules are automatically reserved for new FTP connections. This reservation ensures that six new FTP connections can still be established when the number of automatically configured ACL rules is about to reach the limit.

During software download on a base station, FTP connections are established multiple times. If ACL-based packet filtering is enabled, the software download process is prolonged. During base station deployment, ACL-based packet filtering does not take effect and therefore does not affect the time required for file download.

ACL Rule ID Ranges

ACL rule IDs range from 1 to 65535 and are divided as listed in Table 3-3. IDs of manually configured ACL rules range from 1 to 49999 and from 60000 to 65535. IDs of automatically configured ACL rules range from 50000 to 59999. If automatic ACL rule configuration is enabled, users cannot configure ACL rules in the ID range of 50000-59999.

When filtering incoming data packets, the base station prioritizes ACL rules in ascending order of IDs. For example, if the matching ACL rules reside in the ID range of 1-59999, a base station preferentially applies the manually configured ACL rules.

Table 3-3 ACL rule ID division

ACL Rule ID | Usage
1-49999 | Manually configured ACL rules
50000-50199 | Automatically configured ACL rules for O&M packets
50200-50299 | Automatically configured ACL rules for IPCLK&NTP packets
50300-50999 | Automatically configured ACL rules for security packets
51000-52999 | Automatically configured ACL rules for signaling packets
53000-54999 | Automatically configured ACL rules for service packets
55000-59999 | Reserved for automatically configured ACL rules
60000-65535 | Manually configured ACL rules

NOTE

If users have configured ACL rules in the ID range of 50000-59999 before automatic ACL rule configuration is enabled, the IDs of these ACL rules must be changed to the range 1-49999. IDs of all automatically configured ACL rules for FTP connections must be within the OM ID range, that is, 50000-50199.

Specifications

A base station can be configured with a maximum of 512 ACL rules. Excess ACL rule configuration affects establishment of the OMCHs and the security, clock, signaling, and service links, and results in alarms indicating link failures. Therefore, before automatic ACL rule configuration is enabled, the number of transmission links and ACL rules must be appropriately planned. If the ACL rule specifications are not adequate, priority is given to ACL rules for O&M packets, security packets, and clock packets, and then to ACL rules for service packets and signaling packets.
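The following Python model is added here and is not Huawei code: it reproduces what this section describes, namely rules derived from the OMCH, SCTPLNK, IKEPEER and NTPC MOs as in Table 3-2, ID allocation from the bands of Table 3-3, rejection of manual IDs inside 50000-59999, first-match evaluation in ascending ID order, and the O&M/security/clock-first ordering from Specifications. The class names, the MO tuples and all IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

Port = Union[int, str, Tuple[int, int]]   # one port, "-" (not filtered) or a range
ANY = "-"                                  # "-" in Table 3-2: the field is not filtered

# Table 3-3: ID bands reserved for automatically configured rules, per packet type.
ID_BANDS = {"om": (50000, 50199), "clock": (50200, 50299), "security": (50300, 50999),
            "signaling": (51000, 52999), "service": (53000, 54999)}
MANUAL_BANDS = ((1, 49999), (60000, 65535))
MAX_RULES = 512                            # Specifications: per base station
KEEP_FIRST = ("om", "security", "clock", "service", "signaling")  # when rules run short
# Table 3-2, OMCH row: O&M ports opened towards the OMCH IP address.
OM_PORTS = (("TCP", 6007), ("UDP", 45300), ("TCP", 4443),
            ("TCP", 443), ("TCP", 6000), ("TCP", 6006))

def _ip_ok(want: str, got: str) -> bool:
    # 0.0.0.0 is the DSTIP when the IKEPEER local address keeps its default, so it
    # must match every base station address.
    return want in (ANY, "0.0.0.0") or want == got

def _port_ok(want: Port, got: int) -> bool:
    if want == ANY:
        return True
    if isinstance(want, tuple):
        return want[0] <= got <= want[1]
    return want == got

@dataclass(frozen=True)
class AclRule:
    rule_id: int
    kind: str          # om / clock / security / signaling / service / manual
    proto: str
    src_ip: str
    src_port: Port
    dst_ip: str
    dst_port: Port

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        return (self.proto == proto
                and _ip_ok(self.src_ip, src_ip) and _port_ok(self.src_port, src_port)
                and _ip_ok(self.dst_ip, dst_ip) and _port_ok(self.dst_port, dst_port))

class AclRuleSet:
    def __init__(self) -> None:
        self.rules: Dict[int, AclRule] = {}
        self._next_id = {kind: lo for kind, (lo, _) in ID_BANDS.items()}

    def add_manual(self, rule_id: int, **fields) -> AclRule:
        # With automatic configuration enabled, manual IDs must stay out of 50000-59999.
        if not any(lo <= rule_id <= hi for lo, hi in MANUAL_BANDS):
            raise ValueError(f"ID {rule_id} is reserved for automatic ACL rules")
        self.rules[rule_id] = AclRule(rule_id, "manual", **fields)
        return self.rules[rule_id]

    def _auto(self, kind: str, proto: str, src_ip: str, src_port: Port,
              dst_ip: str, dst_port: Port) -> AclRule:
        lo, hi = ID_BANDS[kind]
        rule_id = self._next_id[kind]
        if rule_id > hi:
            raise ValueError(f"ID band {lo}-{hi} for {kind} packets is exhausted")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"base station limit of {MAX_RULES} ACL rules reached")
        self._next_id[kind] = rule_id + 1
        self.rules[rule_id] = AclRule(rule_id, kind, proto, src_ip, src_port, dst_ip, dst_port)
        return self.rules[rule_id]

    def auto_from_mos(self, omch_ips: Iterable[str],
                      sctp_links: Iterable[Tuple[str, int, str]] = (),
                      ike_peers: Iterable[Tuple[str, str]] = (),
                      ntp_servers: Iterable[Tuple[str, int, str]] = ()) -> List[AclRule]:
        """Derive rules as in Table 3-2 for the OMCH, SCTPLNK, IKEPEER and NTPC MOs."""
        made: List[AclRule] = []
        for omch_ip in omch_ips:                 # active and standby OMCH both get rules
            made += [self._auto("om", p, ANY, ANY, omch_ip, port) for p, port in OM_PORTS]
        for peer_ip, port, local_ip in sctp_links:     # SCTPLNK, link configuration mode
            made.append(self._auto("signaling", "SCTP", peer_ip, port, local_ip, port))
        for segw_ip, local_ip in ike_peers:            # IKEPEER without NAT: UDP 500
            made.append(self._auto("security", "UDP", segw_ip, 500, local_ip, 500))
        for server_ip, port, om_ip in ntp_servers:     # NTPC: replies land on the OM IP
            made.append(self._auto("clock", "UDP", server_ip, port, om_ip, 9051))
        return made

    def first_match(self, proto: str, src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int) -> Optional[AclRule]:
        # Rules are applied in ascending ID order, so manual rules (1-49999) win.
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].matches(proto, src_ip, src_port, dst_ip, dst_port):
                return self.rules[rule_id]
        return None

    def fit_to_budget(self, budget: int = MAX_RULES) -> List[AclRule]:
        """Automatic rules that survive a tight budget: O&M, security and clock first."""
        rank = {kind: i for i, kind in enumerate(KEEP_FIRST)}
        auto = [r for r in self.rules.values() if r.kind != "manual"]
        return sorted(auto, key=lambda r: (rank[r.kind], r.rule_id))[:budget]
```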


3.3.3 Network Attack Prevention

The ACL-based packet filtering function filters out only certain attack packets. Attackers may use IP or Media Access Control (MAC) address spoofing, where attack packets appear to be packets authorized for access. Attackers may also use flood attacks, such as Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) flood attacks, to attack the network. In addition, attackers may launch illegal packet attacks. If NEs receive and identify unauthorized packets, NEs may experience errors. For example, NEs may allow unauthorized packets to enter the network, or crash.

To address these security risks, flood attack prevention, illegal packet attack prevention, and ARP spoofing prevention are introduced. These functions are designed to deny attack packets that can bypass ACL-based packet filtering. Without these functions, such attack packets may even cause service quality deterioration or interruption.

Rate Limitation on Broadcast Packets

To resist network storms, Ethernet interface boards support rate limitation on broadcast packets by monitoring the number of received broadcast packets in real time. An alarm is reported if the broadcast packet traffic exceeds a threshold. This function is always enabled and is not configurable.

For the base station controller, this function works as follows:

- If the number of broadcast packets received over an interface board per second is greater than or equal to the value of BCPKTALARMTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21387 Ethernet Port Broadcast Packets Exceeding Alarm is reported.

- If the number of broadcast packets received over an interface board per second is less than the value of BCPKTALARMCLRTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21387 Ethernet Port Broadcast Packets Exceeding Alarm is cleared.

For the base station, this function works as follows:

- If the number of broadcast packets received over a port per second is greater than or equal to the value of RXBCPKTALMOCRTHD for 30 consecutive seconds, ALM-25879 Ethernet Port Broadcast Packets Exceeding Alarm is reported.

- If the number of broadcast packets received over a port per second is less than the value of RXBCPKTALMCLRTHD for 30 consecutive seconds, ALM-25879 Ethernet Port Broadcast Packets Exceeding Alarm is cleared.

ICMP Flood Attack Prevention

The base station controller and base station support ICMP flood attack prevention.

For the base station controller, the ADD ICMPGUARD command can be used to configure ICMP attack prevention policies. With these policies, interface boards discard the specified types of ICMP packets sent from IP addresses in the specified network segment. The IPADDR(BSC6900,BSC6910) parameter specifies the source IP address of ICMP attack packets. The GUARDTYPE(BSC6900,BSC6910) parameter specifies the type of ICMP attack packets.


Interface boards on the base station controller monitor the traffic of ICMP attack packets in real time when the ICMPALMSW(BSC6900,BSC6910) parameter in the SET IPGUARD command is set to ON(ON).

- If the number of ICMP attack packets received over an interface board per second is greater than or equal to the value of ICMPALMTHD(BSC6900,BSC6910) for 30 consecutive seconds, the base station controller discards ICMP packets and reports ALM-21388 Invalid Packets Exceeding Alarm.

- If the number of ICMP attack packets received over an interface board per second is less than the value of ICMPALMRTHD(BSC6900,BSC6910) for 30 consecutive seconds, the base station controller clears ALM-21388 Invalid Packets Exceeding Alarm and no longer discards ICMP packets.

The base station monitors the traffic of ICMP attack packets in real time. If the FLDTYPE parameter is set to ICMP(ICMP) and the DFDSW parameter is set to ENABLE(Enable) by running the ADD FLOODDEFEND command, the base station is enabled with the ICMP flood attack prevention function and discards ICMP packets when the traffic reaches a threshold. If the ALMSW parameter in the ADD FLOODDEFEND command is also set to ENABLE(Enable), the base station checks the number of ICMP flood packets every 10 seconds.

- If the number is greater than the value of the ALMTHD parameter, the base station discards ICMP packets and reports ALM-25950 Base Station Being Attacked.

- If the number of flood packets falls below the value of the ALMTHD parameter for 5 consecutive minutes, the base station clears the alarm and no longer discards ICMP packets.

It is recommended that the difference between the values of the ALMTHD and DFDTHD parameters be greater than 3% of the value of DFDTHD.

ARP Flood Attack Prevention

Interface boards may experience ARP flood attacks, in which attackers send a large number of spoofed ARP packets whose source IP addresses have been tampered with to the interface boards, interrupting communication.

For the base station controller, the ARP entry learning function is used to prevent ARP flood attacks. This function is controlled by the ARPLRNSTRICTSW(BSC6900,BSC6910) parameter in the SET IPGUARD command and is enabled by default. With this function, interface boards record the Media Access Control (MAC) addresses of the ARP response packets from the local system and learn from only the recorded MAC addresses. This enables interface boards to reject spoofed ARP packets.

The base station monitors the traffic of ARP attack packets in real time. If the FLDTYPE parameter is set to ARP(ARP) and the DFDSW parameter is set to ENABLE(Enable) by running the ADD FLOODDEFEND command, the base station is enabled with the ARP flood attack prevention function. If the ALMSW parameter in the ADD FLOODDEFEND command is also set to ENABLE(Enable), the base station checks the number of ARP flood packets every 10 seconds. If the number is greater than the value of the ALMTHD parameter, the base station reports ALM-25950 Base Station Being Attacked. If the number of flood packets falls below the value of the ALMTHD parameter for 5 consecutive minutes, the base station clears the alarm. It is recommended that the difference between the values of the ALMTHD and DFDTHD parameters be greater than 3% of the value of DFDTHD.


ARP Spoofing Prevention

Principles for preventing ARP spoofing are as follows:

- Blacklisting and whitelisting: When an interface board creates an ARP entry, the ARP entry is added to the blacklist by default. If an ARP entry is not updated by new MAC packets within 1 minute, the ARP table is regarded as credible and the entry is added to the whitelist.

- Blacklisting confirmation: An interface board periodically checks the ARP entries on the blacklist. If the interface board receives an ARP packet from the peer end and the packet attempts to update the MAC address in a whitelisted ARP entry, the interface board broadcasts five ARP requests at intervals of 1 second.

  If... | Then...
  The interface board receives three or more ARP response packets from a MAC address that is in a whitelisted ARP entry | The MAC address is considered credible.
  The interface board receives three or more ARP response packets from a MAC address that is not in a whitelisted ARP entry | The MAC address is added to the blacklist.

For the base station controller, ARP spoofing prevention is controlled by the ARPANTICHEATSW(BSC6900,BSC6910) parameter in the SET IPGUARD command. If an interface board detects more than 30 ARP entry update attempts (excluding those from credible MAC addresses) within 1 minute, the interface board reports ALM-21391 ARP Conflict. The alarm parameter Attacker's MAC Address specifies the MAC address that has the most ARP entry update attempts within the last credible-ARP-entry decision period before ALM-21391 ARP Conflict is reported. The source of an ARP spoofing attack can be identified in the following ways:

- If ALM-21391 ARP Conflict is reported, check the value of Attacker's MAC Address to find out the source. Run the DSP ARPSPOOFING command to find out the sources of all ARP spoofing attacks.

- If ALM-21391 ARP Conflict is cleared or the blacklist is aging, check the value of Attacker's MAC Address in historical alarms to find out the sources of historical ARP spoofing attacks.

If the interface board does not detect any ARP entry update attempts within 1 minute after this alarm is reported, the alarm is cleared.

NOTE

ALM-21391 ARP Conflict applies to IP addresses in the ARP entry. For IP addresses that are not included in the ARP entry, for example, the IP address of an interface board, ALM-21347 IP Address Conflict applies.

For base stations, the integrated IP protocol stack processing unit starts ARP spoofing detection when receiving ARP packets that attempt to update an ARP entry. If the detection result indicates that the original ARP table is credible, the received ARP packets are regarded as spoofed ARP packets. The base station then adds the MAC address of such packets to a blacklist and does not process ARP packets containing this MAC address before the blacklist expires.


ARP spoofing prevention is enabled for a base station controller when the ARPSPOOFCHKSW parameter is set to ENABLE(Enable). If the number of discarded spoofed ARP packets reaches or exceeds the value of the ARPSPOOFALMTHD parameter after ARP spoofing prevention is enabled, the base station reports ALM-25950 Base Station Being Attacked. Information about the discarded spoofed ARP packets can be queried using the DSP INVALIDPKTINFO command.
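A simulation of the base station controller's blacklist/whitelist handling and of the ALM-21391 ARP Conflict decision described above, added here as an example and not Huawei code. The probe callback (standing in for the five broadcast ARP requests), the class names and the MAC addresses are assumptions of the example.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

SETTLE_SECONDS = 60       # entry not updated for 1 minute -> whitelist
CREDIBLE_REPLIES = 3      # three or more replies to the five broadcast requests
ALARM_ATTEMPTS = 30       # more than 30 non-credible update attempts ...
ALARM_WINDOW = 60         # ... within 1 minute raises ALM-21391


@dataclass
class ArpEntry:
    mac: str
    last_update: int
    whitelisted: bool = False     # new entries start on the blacklist


class ArpSpoofGuard:
    def __init__(self, probe: Callable[[str], List[str]]) -> None:
        # probe(ip) stands in for the five broadcast ARP requests sent 1 s apart;
        # it returns the source MAC of every reply (constructed for this example).
        self.probe = probe
        self.entries: Dict[str, ArpEntry] = {}
        self.credible_macs: Set[str] = set()
        self.blacklisted_macs: Set[str] = set()
        self.attempts: Deque[Tuple[int, str]] = deque()   # (time, MAC) of update attempts
        self.alarm_attacker: Optional[str] = None
        self.alarm_time: Optional[int] = None

    def learn(self, ip: str, mac: str, now: int) -> None:
        self.entries[ip] = ArpEntry(mac, now)

    def periodic_check(self, now: int) -> None:
        """Periodic blacklist check plus alarm clearance."""
        for entry in self.entries.values():
            if not entry.whitelisted and now - entry.last_update >= SETTLE_SECONDS:
                entry.whitelisted = True
        # The alarm clears once a full minute passes without an update attempt.
        if self.alarm_time is not None and now - self.alarm_time >= ALARM_WINDOW \
                and not any(now - t < ALARM_WINDOW for t, _ in self.attempts):
            self.alarm_attacker = self.alarm_time = None

    def on_arp(self, ip: str, src_mac: str, now: int) -> Optional[str]:
        """Handle an ARP packet that would change the MAC recorded for ip."""
        entry = self.entries.get(ip)
        if entry is None:
            self.learn(ip, src_mac, now)
            return None
        if src_mac == entry.mac or src_mac in self.blacklisted_macs:
            return None                       # nothing to update, or sender rejected
        if not entry.whitelisted:
            entry.mac, entry.last_update = src_mac, now   # provisional entry follows
            return None
        # A whitelisted entry is challenged: confirm it with broadcast requests.
        replies = Counter(self.probe(ip))
        if replies[entry.mac] >= CREDIBLE_REPLIES:
            self.credible_macs.add(entry.mac)
        for mac, n in replies.items():
            if mac != entry.mac and n >= CREDIBLE_REPLIES:
                self.blacklisted_macs.add(mac)
        if src_mac not in self.credible_macs:
            self.attempts.append((now, src_mac))
        return self._check_alarm(now)

    def _check_alarm(self, now: int) -> Optional[str]:
        while self.attempts and now - self.attempts[0][0] >= ALARM_WINDOW:
            self.attempts.popleft()
        if self.alarm_time is None and len(self.attempts) > ALARM_ATTEMPTS:
            self.alarm_attacker = Counter(m for _, m in self.attempts).most_common(1)[0][0]
            self.alarm_time = now
            return f"ALM-21391 ARP Conflict (Attacker's MAC Address: {self.alarm_attacker})"
        return None
```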

Smurf Attack Prevention

Ethernet interface boards of the base station controller and base station support Smurf attack prevention, thereby preventing network congestion due to Smurf attacks. An alarm is reported if the broadcast packet traffic exceeds a threshold. With this function, an interface board checks the destination address of each received ICMP packet:

- If the destination IP address of the packet is a network or broadcast address, the interface board discards the packet.

- If the destination IP address of the packet is the interface board's IP address, the interface board accepts the packet.

Illegal Packet Attack Prevention

An illegal packet may be an illegal IP packet, multicast MAC packet, or ICMP packet.

- Illegal IP packet. An illegal IP packet can be:
  - A malformed UDP packet whose total length is shorter than the length of a standard IP header
  - A packet whose source IP address or UDP port number is not within the planned range
  - A packet whose protocol type is not supported by the receiver

- A multicast MAC packet is illegal if it is received over an interface board for which the ETH Operation, Administration, and Maintenance (ETH OAM) function is not enabled.

- An illegal ICMP packet is defined by the GUARDTYPE(BSC6900,BSC6910,NodeB) parameter.

For the base station controller, the illegal packet attack prevention function is always enabled and is not configurable. An alarm is reported when an interface board receives excessive illegal packets.

- Interface boards monitor the traffic of illegal IP packets in real time when the VALIDPKTCHKSW(BSC6900,BSC6910) parameter in the SET IPGUARD command is set to ON(ON).
  - If the number of illegal IP packets received on an interface board per second is greater than or equal to the value of INVALIDPKTALMTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21388 Invalid Packets Exceeding Alarm is reported.
  - If the number of illegal IP packets received on an interface board per second is less than the value of INVALIDPKTALMRTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21388 Invalid Packets Exceeding Alarm is cleared.


- Interface boards monitor the traffic of illegal multicast MAC packets in real time when the INVALIDMCASTALMSW(BSC6900,BSC6910) parameter in the SET IPGUARD command is set to ON(ON).
  - If the number of illegal multicast MAC packets received on an interface board per second is greater than or equal to the value of INVALIDMCASTALMTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21388 Invalid Packets Exceeding Alarm is reported.
  - If the number of illegal multicast MAC packets received on an interface board per second is less than the value of INVALIDMCASTALMRTHD(BSC6900,BSC6910) for 30 consecutive seconds, ALM-21388 Invalid Packets Exceeding Alarm is cleared.

When users are notified of ALM-21388 Invalid Packets Exceeding Alarm, they can identify the attack source and determine the attack type in the following ways:

- Search the operation logs for statistics on illegal packets.
- Run the DSP INVALIDPKTINFO command to obtain detailed information about illegal packets.

The base station counters illegal packet attacks by checking the characteristics of incoming packets. Common types of illegal packets include TCP LAND packets and malformed IP packets (such as packets without payload or with malformed packet headers). The base station directly discards such packets. Illegal packet attack prevention is automatically enabled when the base station starts. Information about discarded illegal packets can be queried using the DSP INVALIDPKTINFO command. In addition, if the INVALIDPKTCHKSW parameter is set to ENABLE(Enable), the base station reports alarms when the number of illegal packets exceeds the threshold specified by the INVALIDPKTALMTHD parameter.
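The raise/clear rule shared by the broadcast (ALM-21387), ICMP and illegal IP/multicast MAC packet (ALM-21388) counters on the base station controller, as an added Python example that is not Huawei code: the alarm is raised only after the per-second count stays at or above the raise threshold for 30 consecutive seconds and cleared only after it stays below the clear threshold for 30 consecutive seconds, so a single quiet second restarts the count. The threshold values and the counter series are constructed; almthd_gap_ok checks the 3% ALMTHD/DFDTHD recommendation from the base station flood defence text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOLD_SECONDS = 30   # "for 30 consecutive seconds" in the rules above


@dataclass
class ThresholdAlarm:
    """Raise/clear logic of one per-second packet counter on an interface board."""
    name: str            # e.g. "ALM-21387 Ethernet Port Broadcast Packets Exceeding Alarm"
    raise_thd: int       # BCPKTALARMTHD, ICMPALMTHD, INVALIDPKTALMTHD, ...
    clear_thd: int       # BCPKTALARMCLRTHD, ICMPALMRTHD, INVALIDPKTALMRTHD, ...
    active: bool = False
    secs_at_or_above: int = 0   # consecutive seconds with count >= raise_thd
    secs_below: int = 0         # consecutive seconds with count < clear_thd
    events: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, second: int, count: int) -> Optional[str]:
        """Feed one second's packet count; return "raised"/"cleared" on a transition."""
        self.secs_at_or_above = self.secs_at_or_above + 1 if count >= self.raise_thd else 0
        self.secs_below = self.secs_below + 1 if count < self.clear_thd else 0
        if not self.active and self.secs_at_or_above >= HOLD_SECONDS:
            self.active, self.secs_at_or_above = True, 0
            self.events.append((second, "raised"))
            return "raised"
        if self.active and self.secs_below >= HOLD_SECONDS:
            self.active, self.secs_below = False, 0
            self.events.append((second, "cleared"))
            return "cleared"
        return None


def replay(alarm: ThresholdAlarm, counts: List[int]) -> List[Tuple[int, str]]:
    """Run a per-second series (index 1 = first second) through the alarm."""
    for second, count in enumerate(counts, start=1):
        alarm.observe(second, count)
    return alarm.events


def almthd_gap_ok(almthd: int, dfdthd: int) -> bool:
    """Base station flood defence: ALMTHD should exceed DFDTHD by more than 3% of DFDTHD."""
    return almthd - dfdthd > 0.03 * dfdthd


# Constructed sample: a 40 s broadcast storm on a BSC interface board, then quiet.
SAMPLE_COUNTS = [1500] * 40 + [100] * 40
```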

3.4 Physical Port Security

3.4.1 For the Base Station Controller

Table 3-4 describes the physical port security function provided by boards of the base station controller.


Table 3-4 Physical port security

Board | Board Function | Physical Port | Port Type | Whether to Disable the Port | Authentication Method | Port Function
OMUa/OMUb | The OMUa/OMUb board connects the operation and maintenance terminal and the other boards. | There are two COM serial ports: COM0-ALM and COM1-BMC. Only one of them is displayed externally. The two serial ports cannot be switched, and COM0-ALM is connected by default. | DB9 | Yes | OS authentication | Local commissioning
OMUa/OMUb | | One Ethernet port for commissioning | RJ45 | No | Log in to the OS: OS authentication. Log in to the operation and maintenance terminal: O&M authentication. | Local commissioning
OMUa/OMUb | | Two service ports | RJ45 | No | O&M authentication | External service channel of the O&M function
OMUc | The OMUc board connects the operation and maintenance terminal and the other boards. | One COM serial port | DB9 | Yes | OS authentication | Local commissioning
OMUc | | One Ethernet port for commissioning | RJ45 | No | Log in to the OS: OS authentication. Log in to the operation and maintenance terminal: O&M authentication. | Local commissioning
OMUc | | Two service ports | RJ45 | No | O&M authentication | External service channel of the O&M function
SAUa | The SAUa board collects data reported by the NEs and pre-processes the collected data. The pre-processed data is uploaded to the Nastar through the U2000 for analysis. | There are two COM serial ports: COM0-ALM and COM1-BMC. Only one of them is displayed externally. The two serial ports cannot be switched, and COM0-ALM is connected by default. | DB9 | Yes | OS authentication | Local commissioning
SAUa | | One Ethernet port for commissioning | RJ45 | No | Log in to the OS: OS authentication. Log in to the operation and maintenance terminal: O&M authentication. | Local commissioning
SAUa | | Two service ports | RJ45 | No | O&M authentication | External service channel of the O&M function
SAUc | The SAUc board collects data reported by the NEs and pre-processes the collected data. The pre-processed data is uploaded to the Nastar through the U2000 for analysis. | One COM serial port | DB9 | Yes | OS authentication | Local commissioning
SAUc | | One Ethernet port for commissioning | RJ45 | No | Log in to the OS: OS authentication. Log in to the operation and maintenance terminal: O&M authentication. | Local commissioning
SAUc | | Two service ports | RJ45 | No | O&M authentication | External service channel of the O&M function
SCUa | The SCUa board provides the maintenance management and GE switching platform for the subrack in which it is located. Therefore, the BSC6900 internal MAC switching is implemented, and the internal switching in turn enables complete connection between modules of the BSC6900. | One COM serial port | RJ45 | Yes | No authentication. This port is permanently disabled. | Research and production commissioning
SCUa | | Ethernet ports (including 12 electrical ports) for inter-subrack connection | RJ45 | All the ports of the SCUa boards installed in the MPS subracks and remote main subracks are disabled by default. The 0/1 ports of the SCUa boards installed in the EPS and TC extended subracks are enabled by default, and these ports do not support the SET SCUPORT command. | No authentication because of the internal inter-subrack networking | Inter-subrack connection

    SingleRANEquipment Security Feature Parameter Description 3 Technical Description

    Issue 04 (2014-09-15) Huawei Proprietary and ConfidentialCopyright Huawei Technologies Co., Ltd.

    27

  • Board BoardFunction

    Physical Port PortType

    Whether toDisable thePort

    AuthenticationMethod

    PortFunction

    SCUb TheSCUbboardprovidesthemaintenancemanagement andGEswitchingplatformfor thesubrackin whichit islocated.Therefore, theBSC6910internalMACswitching isimplemented andtheinternalswitching in turnenablescompleteconnectionbetweenmodulesof theBSC6910.

    One COMserial port

    RJ45 Yes Noauthentication. Thisport ispermanently disabled.

    Researchandproductioncommissioning

    Ethernet ports(including 8electrical portsand 4 opticalports) for inter-subrackconnection

    RJ45(electricalport) SFP+ or LC/PC(opticalport)

    l All theports ofthe SCUbboardsinstalledin theMPSsubracksandremotemainsubracksaredisabledbydefault.

    l The0/1/8/9ports ofthe SCUbboardsinstalledin theEPS andTCextendedsubracksareenabledbydefault.

    Noauthentication becauseof theinternalinter-subracknetworking

    Inter-subrackconnection

    SingleRANEquipment Security Feature Parameter Description 3 Technical Description

    Issue 04 (2014-09-15) Huawei Proprietary and ConfidentialCopyright Huawei Technologies Co., Ltd.

    28

  • Board BoardFunction

    Physical Port PortType

    Whether toDisable thePort

    AuthenticationMethod

    PortFunction

    XPUa\XPUb\XPUc

    TheXPUa\XPUb\XPUcboard isused tomanagethe GSMuserplaneresources, controlplaneresources, andtransmissionresources in thesystemandprocessthe GSMserviceson thecontrolplane.

    Four Ethernetports on thepanel

    RJ45 The Ethernetports on thepanel can beenabled byMMLcommandsto connectthe CBS forGSMservices.

    Noauthentication.The IPsec-capableexternalsecuritygatewaycan be usedforauthentication for GSMservices.

    Nodeconnecting the basestationcontrollerand theCBS forGSMservices

    SingleRANEquipment Security Feature Parameter Description 3 Technical Description

    Issue 04 (2014-09-15) Huawei Proprietary and ConfidentialCopyright Huawei Technologies Co., Ltd.

    29

  • Board BoardFunction

    Physical Port PortType

    Whether toDisable thePort

    AuthenticationMethod

    PortFunction

    SPUa\SPUb\SPUc

    TheSPUa\SPUb\SPUcboard isused tomanagetheUMTSuserplaneresources, controlplaneresources, andtransmissionresources in thesystemandprocesstheUMTSserviceson thecontrolplane.

    Four Ethernetports on thepanel

    RJ45 The Ethernetports on thepanel cannotbe enabledby MMLcommandsfor UMTSserviceswithoutMAC,VLAN, or IPaddressinformation.

    Noauthentication. TheEthernetports on thepanelcannot beenabledusingswitches.

    Nodeconnecting the basestationcontrollerand theCBS forUMTSservices

    Interfaceboards

    Theinterfaceboardsprovidethefunctionofprotocolstack oftheserviceinterface.

    Service ports(The numbervariesdepending onthe boardtypes.)

    Differentservicesusedifferentporttypes.

    No Noauthentication.The IPsec-capableexternalsecuritygatewaycan be usedforauthentication.

    Externalserviceport of thebasestationcontroller

    SingleRANEquipment Security Feature Parameter Description 3 Technical Description

    Issue 04 (2014-09-15) Huawei Proprietary and ConfidentialCopyright Huawei Technologies Co., Ltd.

    30

3.4.2 For the Base Station

The base station does not have an independent O&M board. The O&M function is controlled by the main control board and involves the following physical port types: the Ethernet port for transmission, the port for commissioning, and the USB port.

- Ethernet port for transmission

  Transmission ports can be disabled remotely.

- Port for commissioning

  To perform local maintenance, operators can connect the operation and maintenance terminal to the port for commissioning on a base station. Ports for commissioning are IP ports. Some TCP ports (for example, port 4443) and UDP ports are enabled, and a base station may be attacked through these ports. To reduce security risks, a port for commissioning can be disabled by running the SET PORTSECURITY command with the SWITCH parameter set to DISABLE(Disable). After the base station resets, the port is automatically enabled again, so the disable setting does not persist across resets.

  NOTE

  The following base stations are configured with only one Ethernet port for transmission, instead of an independent Ethernet port for commissioning. Therefore, the Ethernet port for transmission cannot be disabled.
  - BTS3203E
  - BTS3803E

- USB port

  For details, see 3.4.4 Secure USB Flash Drive.

Table 3-5 describes the physical port security provided by a micro base station.

Table 3-5 Physical port security provided by a micro base station

| Port Type | Physical Port | Port Management | Port Function | Model |
|---|---|---|---|---|
| O&M | Environment monitoring port | Enabled by default | Used for environment monitoring and physical port security. | BTS3902E, BTS3202E |
| Commissioning | Mini USB port | Disabled by default | Only used for output of clock signals. | BTS3803E, BTS3203E |
| Commissioning | DBG port (RJ45 port) | Disabled by default | Used for commissioning. The port can be enabled remotely. | BTS3902E, BTS3202E |
| Deployment | USB port | Enabled by default | Used for loading of software and configuration data. Encryption and integrity protection are provided for software and configuration data stored in a USB flash drive. | BTS3902E, BTS3202E |
| Deployment | TF card port | Enabled by default | Used for loading of software and configuration data. Encryption and integrity protection are provided for software and configuration data stored in a TF card. The security scheme of the TF card is the same as that of the USB flash drive. | BTS3803E, BTS3203E |

3.4.3 Port Mirroring Security

With port mirroring, O&M engineers redirect the communication data on one port to another port for the purpose of troubleshooting. To protect network communication against unauthorized access or theft, port mirroring supports the following functions:

- Cause configuration: The cause for enabling port mirroring can be configured using the REASON parameter in the STR ETHMIRRORPORT command on the base station controller side or the STR PORTREDIRECT command on the base station side. The cause can be the subscriber complaint ticket number, the trouble ticket number, or another reason, which facilitates security audit.
- Redirection duration configuration: The redirection duration can be configured using the TIMEOUT (Time Out(m)) parameter in the STR ETHMIRRORPORT command on the base station controller side or the STR PORTREDIRECT command on the base station side. Port mirroring is automatically disabled after the redirection duration elapses.
- Real-time function status reporting: When port mirroring is enabled, the system automatically reports an event indicating the function activation. When port mirroring is disabled, the system automatically reports an event indicating the function deactivation.
- Logging: The port mirroring activation and deactivation events (whether deactivation is manual or triggered by the redirection timeout) are recorded in the operation logs and security logs to facilitate security audit.

NOTE

The following base stations are configured with only one Ethernet port for transmission. Therefore, port mirroring is not supported.
- BTS3203E
- BTS3803E

3.4.4 Secure USB Flash Drive

On the Base Station Side

When a base station is deployed or upgraded using a USB flash drive, disclosure of the software and configuration files in the USB flash drive poses significant security threats to the base station. Therefore, encryption and integrity protection must be applied to the software and configuration files.

Before the base station software is released at http://support.huawei.com/, its integrity has already been protected; this protection is mandatory. Configuration files, however, are made on site during a base station deployment or upgrade. Therefore, maintenance personnel must implement encryption and integrity protection for the configuration files by using the USB protection tool on the U2000. In this document, a USB flash drive with encryption and integrity protection is called a secure USB flash drive.

When a secure USB flash drive is inserted into a base station to be deployed or upgraded, a decryption key and an integrity key are generated based on the random number (RAND) and the base station information in the secure USB flash drive. Integrity verification is performed before decryption. Secure USB flash drives support the encryption algorithms 3DES, AES192, and AES256; 3DES is not recommended. Secure USB flash drives support the integrity protection algorithms HMAC_SHA1 and HMAC_SHA256.

If a base station is deployed or upgraded using a USB flash drive without encryption and integrity protection, integrity verification and decryption fail. As a result, the base station cannot upgrade its software or read configuration files.

For details about software integrity protection, see "Digital Certificate-based Software Integrity Protection" in OM Security Feature Parameter Description. For details about how to implement encryption and integrity protection for the configuration files of a base station, see 3900 Series Base Station Commissioning Guide.

NOTE

The following base stations are configured with a TF port. The only difference lies in the physical port: the security scheme of a TF port is the same as that of a USB flash drive.
- BTS3203E
- BTS3803E
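The verify-then-decrypt flow described above, as an added example written for this page (it is not Huawei's tool, file format or key derivation). It keeps the properties the section states: a decryption key and a separate integrity key are derived from RAND and the base station information, the HMAC-SHA256 tag is checked before any decryption, and a drive that was never protected, a tampered file, or a file prepared for a different base station all fail at the integrity step. The key derivation (HMAC-SHA256 extract/expand) and the HMAC-SHA256 counter-mode keystream used in place of AES-256 are assumptions chosen so the example runs with the Python standard library only; the station information and configuration bytes are constructed placeholders.

```python
"""Verify-then-decrypt handling of a secure USB package (added example, not Huawei's format)."""
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """Raised when a package fails integrity verification; decryption is never attempted."""


def derive_keys(rand: bytes, station_info: bytes) -> tuple[bytes, bytes]:
    """Derive a decryption key and an integrity key from RAND and the base station information.

    Assumption: an HMAC-SHA256 extract/expand step. The page only states the inputs, not the
    derivation, so this is a stand-in with the same inputs and a separate key per purpose.
    """
    prk = hmac.new(rand, station_info, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"encryption\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"integrity\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with HMAC-SHA256 as the block function (stand-in for AES-256, which
    the standard library does not provide). Encryption and decryption are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def protect(config: bytes, station_info: bytes) -> dict:
    """Tool side: encrypt, then compute HMAC-SHA256 over RAND, nonce and ciphertext."""
    rand = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    enc_key, mac_key = derive_keys(rand, station_info)
    ciphertext = keystream_xor(enc_key, nonce, config)
    tag = hmac.new(mac_key, rand + nonce + ciphertext, hashlib.sha256).digest()
    return {"rand": rand, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unprotect(package: dict, station_info: bytes) -> bytes:
    """Base station side: integrity verification first, decryption only on success."""
    if not all(k in package for k in ("rand", "nonce", "ciphertext", "tag")):
        raise IntegrityError("not a protected package")  # a plain file carries no RAND or tag
    enc_key, mac_key = derive_keys(package["rand"], station_info)
    expected = hmac.new(mac_key, package["rand"] + package["nonce"] + package["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise IntegrityError("integrity verification failed")
    return keystream_xor(enc_key, package["nonce"], package["ciphertext"])


def demo() -> dict:
    """Run the cases the section describes and return the outcomes for checking."""
    station = b"constructed base station information (placeholder)"
    config = b"constructed configuration file contents"
    pkg = protect(config, station)

    def rejected(candidate: dict, info: bytes) -> bool:
        try:
            unprotect(candidate, info)
            return False
        except IntegrityError:
            return True

    flipped = bytes([pkg["ciphertext"][0] ^ 0x01]) + pkg["ciphertext"][1:]
    return {
        "roundtrip": unprotect(pkg, station) == config,
        "tampered_rejected": rejected({**pkg, "ciphertext": flipped}, station),
        "wrong_station_rejected": rejected(pkg, b"a different base station"),
        "unprotected_rejected": rejected({"ciphertext": config}, station),
    }


if __name__ == "__main__":
    print(demo())
```

Because the integrity key depends on the base station information, a drive prepared for one base station is rejected by another before its contents are ever decrypted, which is the behaviour the section relies on to stop a leaked or substituted configuration file from being loaded.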


4 Engineering Guidelines

4.1 OS Security

OS security is the basis on which the service system can run properly, and it is good practice to apply all OS security measures. The engineering guidelines for OS security involve only base station controllers.

- OS hardening for base station controllers

  The Windows OS uses the iPSI SEK SetWin software for OS hardening. For details about how to implement OS hardening using the iPSI SEK SetWin software, see "Appendix: Installing the iPSI SEK SetWin Software" in BSC6900 UMTS OMU Administration Guide. The SUSE Linux OS uses the SEK SetSuse software for OS hardening. For details about how to implement OS hardening using the SEK SetSuse software, see "Appendix: the SEK SetSuse Software" in BSC6900 GSM OMU Administration Guide. DOPRA Linux is a Huawei-developed OS. It is hardened before delivery and therefore does not require additional hardening.

- OS patches for base station controllers

  For details about how to install OS patches, see the installation guide released with the patches. The OS patches can be obtained by choosing Wireless > SingleRAN > SRAN O&M tools at http://support.huawei.com.

- Antivirus software for base station controllers

  Base station controllers that run the Windows OS support integrated antivirus software. For details about the deployment, see Deployment Guide to WRAN Windows Device Security Policy. This guide can be obtained by choosing Wireless Product Line > WCDMA-RAN > WCDMA-RNC > Reconstruction Guide at http://support.huawei.com.

4.2 Integrated Firewall

4.2.1 Required Information

When to Use ACL-based Packet Filtering and Automatic ACL Rule Configuration

- For a newly deployed base station: It is good practice to enable ACL-based packet filtering and automatic ACL rule configuration for both signaling links and service links.
- For an existing base station that has already been enabled with ACL-based packet filtering: It is good practice to enable automatic ACL rule configuration for both signaling links and service links.
- For an existing base station that has not been enabled with ACL-based packet filtering: These base stations are in service. It is good practice to enable ACL-based packet filtering and automatic ACL rule configuration for both signaling links and service links.

4.2.2 Deployment for the Base Station Controller

Activation

- Run the SET ETHPORT command to set a threshold for reporting ALM-21387 Ethernet Port Broadcast Packets Exceeding Alarm. The BCPKTALARMTHD parameter and the BCPKTALARMCLRTHD parameter specify the alarm reporting threshold and the alarm clearing threshold, respectively.
- Run the SET IPGUARD command with ICMPALMSW set to ON(ON) to enable the ICMP flood attack prevention function. Run the ADD ICMPGUARD command to add an ICMP flood attack prevention policy. In this step, set the IPADDR and GUARDTYPE parameters to the source IP address and the type of the ICMP attack packets, respectively.
- Run the SET IPGUARD command with ARPLRNSTRICTSW set to ON(ON) to enable the ARP flood attack prevention function.
- Run the SET IPGUARD command with ARPANTICHEATSW set to ON(ON) to enable the ARP spoofing attack prevention function.
- Run the SET IPGUARD command with VALIDPKTCHKSW set to ON(ON) to enable the illegal packet attack prevention function.

Activation Observation

Run the LST ETHPORT and LST IPGUARD commands to query whether the related policies are correctly configured.

4.2.3 Deployment for Base Stations

Required Information

Currently, the maximum number of ACL rules supported is smaller than the combined maximum number of OMCHs and clock, security, signaling, and service links. Therefore, before enabling automatic ACL rule configuration, collect the configured number of OMCHs and clock, security, signaling, and service links, and ensure that the number of ACL rules to be automatically configured does not exceed the maximum number of ACL rules supported.

Requirements

License

The operator must have purchased and activated the license for the features listed in the following table if the features are to be deployed for the eNodeB. No license is required for the eGBTS or NodeB.

| Feature ID | Feature Name | License Control Item | NE | Sales Unit |
|---|---|---|---|---|
| LOFD-003014 | Integrated Firewall | Integrated Firewall | eNodeB (FDD) | Per eNodeB |
| TDLOFD-003014 | Integrated Firewall | Integrated Firewall | eNodeB (TDD) | Per eNodeB |

Others

The base station must use IP over FE/GE transmission. Therefore, the base station must be configured with the following transmission boards that support Ethernet ports:
- Main control board such as WMPT, LMPT, and UMPT
- Extension Transmission Processing Unit (UTRPc)

Automatic ACL rule configuration depends on the following:
- Main control board such as LMPT and UMPT
- LMPT+UTRPc or UMPT+UTRPc

The LMPT and UMPT support packet filtering over the backplane and the corresponding automatic ACL rule configuration.

To activate automatic ACL rule configuration for an existing base station, note the following:

- If the base station has not been enabled with ACL-based packet filtering

  To ensure ongoing service continuity and signaling link connectivity, it is good practice to perform the following operations:

  - Before the activation, run the ADD ACLRULE command to configure an any-to-any ACL rule to allow all data flows to flow into the base station.
    //Configuring an any-to-any ACL rule
    ADD ACLRULE:ACLID=3000,RULEID=1,PT=IP,SIP="0.0.0.0",SWC="255.255.255.255",DIP="0.0.0.0",DWC="255.255.255.255",MDSCP=NO;
  - After the activation, run the RMV ACLRULE command to delete the any-to-any ACL rule.
    //Deleting an any-to-any ACL rule
    RMV ACLRULE:ACLID=3000,RULEID=1;

- If the base station has been enabled with ACL-based packet filtering

  To ensure ongoing service continuity and signaling link connectivity, it is good practice to perform the following operations:

  - Before the activation, run the ADD ACLRULE command to configure an any-to-any ACL rule to allow all data flows to flow into the base station.
    //Configuring an any-to-any ACL rule
    ADD ACLRULE:ACLID=3000,RULEID=1,PT=IP,SIP="0.0.0.0",SWC="255.255.255.255",DIP="0.0.0.0",DWC="255.255.255.255",MDSCP=NO;
  - Before the activation of automatic ACL rule configuration, manually delete the ACL rules in the ID range 1-59999 that can be automatically configured based on Table 3-2. In addition, delete the remaining manually configured ACL rules in the ID range 50000-59999 and reconfigure them with IDs in the range 1-49999.
    //Querying and recording ACL rules in the ID range of 1-59999, including ACL rules that can be automatically configured and manually configured ACL rules in the ID range of 50000-59999
    LST ACLRULE;
    //Deleting ACL rules in the ID range of 1-59999 that can be automatically configured and remaining ACL rules that are manually configured in the ID range of 50000-59999
    RMV ACLRULE:ACLID=3000,RULEID=50000;
    //Reconfiguring the deleted ACL rules (in the ID range of 50000-59999) with the ID set to a value ranging from 1 to 49999
    ADD ACLRULE:ACLID=3000,RULEID=1,PT=IP,SIP="1.1.1.1",SWC="255.255.255.255",DIP="2.2.2.2",DWC="255.255.255.255",MDSCP=NO;
  - After the activation, run the RMV ACLRULE command to delete the any-to-any ACL rule.
    //Deleting an any-to-any ACL rule
    RMV ACLRULE:ACLID=3000,RULEID=1;
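The rule ID clean-up above is easy to get wrong by hand on a base station with many manual rules, so here is an added example (written for this page, not a Huawei tool) that plans the MML sequence for the "already enabled" case from a recorded LST ACLRULE result. It follows the order the procedure gives: temporary any-to-any rule, removal of the automatically configurable rules and of the manual rules in 50000-59999, re-adding the latter under IDs in 1-49999, and finally removal of the temporary rule. Two points are assumptions rather than page content: the set of automatically configurable IDs comes from Table 3-2, which is not reproduced here, so the caller supplies it; and the temporary rule and the re-added rules are given the lowest free ID in 1-49999 (never an ID that automatic configuration will own) instead of the fixed RULEID=1 of the page's illustration, so no two rules collide. The command that activates automatic ACL rule configuration is not shown on this page and is left as a comment. The sample rule list is constructed; the ACLID and the rule parameter syntax are the page's own.

```python
"""Plan the ACL rule ID clean-up that precedes enabling automatic ACL rule configuration
(added example, not a Huawei tool)."""

ACL_ID = 3000                        # ACL ID used in the page's own command examples
ANY_TO_ANY = ('PT=IP,SIP="0.0.0.0",SWC="255.255.255.255",'
              'DIP="0.0.0.0",DWC="255.255.255.255",MDSCP=NO')
MANUAL_IDS = range(1, 50000)         # IDs that remain available for manually configured rules
RESERVED_IDS = range(50000, 60000)   # manual rules here must be deleted and re-added (page)


def lowest_free(used: set[int], blocked: set[int]) -> int:
    """Smallest ID in 1-49999 that is neither in use nor owned by automatic configuration."""
    for rid in MANUAL_IDS:
        if rid not in used and rid not in blocked:
            return rid
    raise ValueError("no free ACL rule ID in 1-49999")


def plan_migration(existing: dict[int, str], auto_ids: set[int]) -> list[str]:
    """Return the MML sequence for a base station that already has ACL-based packet filtering.

    existing: RULEID -> parameter string of each configured rule (recorded from LST ACLRULE).
    auto_ids: rule IDs that automatic configuration will own (the page's Table 3-2, supplied
              by the caller because the table is not reproduced here).
    """
    cmds: list[str] = []
    used = set(existing)
    temp_id = lowest_free(used, auto_ids)   # temporary any-to-any rule keeps traffic flowing
    used.add(temp_id)
    cmds.append("//Configuring an any-to-any ACL rule")
    cmds.append(f"ADD ACLRULE:ACLID={ACL_ID},RULEID={temp_id},{ANY_TO_ANY};")
    cmds.append("//Querying and recording the current ACL rules")
    cmds.append("LST ACLRULE;")

    to_remove = sorted(rid for rid in existing if rid in auto_ids or rid in RESERVED_IDS)
    for rid in to_remove:
        cmds.append(f"RMV ACLRULE:ACLID={ACL_ID},RULEID={rid};")
        used.discard(rid)
    for rid in to_remove:
        if rid in RESERVED_IDS and rid not in auto_ids:   # manual rule: keep it under a new ID
            new_id = lowest_free(used, auto_ids)
            used.add(new_id)
            cmds.append(f"ADD ACLRULE:ACLID={ACL_ID},RULEID={new_id},{existing[rid]};")

    cmds.append("//Activate automatic ACL rule configuration here (command not shown on this page)")
    cmds.append("//Deleting the any-to-any ACL rule")
    cmds.append(f"RMV ACLRULE:ACLID={ACL_ID},RULEID={temp_id};")
    return cmds


# Constructed LST ACLRULE result: RULEID -> parameters. Rule 20 is assumed to be one that
# automatic configuration will own; 50000 and 50001 are manual rules in the reserved range.
SAMPLE_RULES = {
    1: 'PT=IP,SIP="10.0.0.1",SWC="0.0.0.0",DIP="192.0.2.10",DWC="0.0.0.0",MDSCP=NO',
    20: 'PT=SCTP,SIP="10.0.0.2",SWC="0.0.0.0",DIP="192.0.2.10",DWC="0.0.0.0",MDSCP=NO',
    50000: 'PT=IP,SIP="1.1.1.1",SWC="255.255.255.255",DIP="2.2.2.2",DWC="255.255.255.255",MDSCP=NO',
    50001: 'PT=UDP,SIP="10.0.0.3",SWC="0.0.0.0",DIP="192.0.2.10",DWC="0.0.0.0",MDSCP=NO',
}

if __name__ == "__main__":
    print("\n".join(plan_migration(SAMPLE_RULES, {20})))
```

Removing all affected rules before re-adding any of them matters: a freed ID in 1-49999 is only reused for a manual rule if automatic configuration will not claim it, which is why lowest_free takes the automatically configurable IDs as a blocked set.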

Data Preparation

ACL-based Packet Filtering

Table 4-1, Table 4-2, Table 4-3, and Table 4-4 describe the key parameters that must be set in the ACL, ACLRULE, PACKETFILTER, and EPGROUP MOs, respectively, before activating ACL-based packet filtering.
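Before the parameter tables, an added example (written for this page, not Huawei code) that evaluates an ACL with the ACLRULE semantics Table 4-2 describes: wildcard (inverse mask) matching of SIP/DIP against SWC/DWC, where 255.255.255.255 matches every address; PERMIT or DENY from the first matching rule; and the PACKETFILTER MB default for packets that match no rule. Three details are assumptions because the page does not state them: rules are tried in ascending RULEID order, PT=IP matches packets of any protocol (as the any-to-any rule suggests), the destination port operator uses the value names OP_EQ and OP_RANGE (the page names OP_RANGE(Range) for SOP), and MB is modelled as the strings "PERMIT" and "DENY". The sample rules and packets are constructed; port 4443 is the commissioning port the page names.

```python
"""ACL evaluation with the ACLRULE semantics of Table 4-2 (added example, not Huawei code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Inverse-mask comparison: a wildcard bit of 0 requires an exact match, 1 is don't-care.

    255.255.255.255 therefore matches every address, which the any-to-any rule relies on.
    """
    care = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(rule_addr)) & care


@dataclass
class AclRule:
    """Subset of the ACLRULE MO parameters: addresses, wildcards and the destination port."""
    ruleid: int
    action: str          # "PERMIT" or "DENY"
    pt: str              # "IP", "TCP", "UDP", "SCTP"; assumption: PT=IP matches any protocol
    sip: str
    swc: str
    dip: str
    dwc: str
    dmpt: bool = False   # match destination port (valid only for TCP/UDP/SCTP)
    dop: str = "OP_EQ"   # assumed operator names; the page names OP_RANGE(Range) for SOP
    dpt1: int = 0
    dpt2: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if rule.pt != "IP" and rule.pt != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.sip, rule.swc):
        return False
    if not wildcard_match(pkt.dst, rule.dip, rule.dwc):
        return False
    if rule.dmpt and rule.pt in ("TCP", "UDP", "SCTP"):
        if pkt.dport is None:
            return False
        if rule.dop == "OP_RANGE":
            return rule.dpt1 <= pkt.dport <= rule.dpt2
        return pkt.dport == rule.dpt1
    return True


def filter_packet(rules: list, pkt: Packet, mb: str) -> str:
    """First matching rule decides (assumption: rules are tried in ascending RULEID order).
    A packet that matches no rule gets the PACKETFILTER MB default ("PERMIT" or "DENY")."""
    for rule in sorted(rules, key=lambda r: r.ruleid):
        if rule_matches(rule, pkt):
            return rule.action
    return mb


# The any-to-any rule from the page's own command example, as a rule object.
ANY_TO_ANY = AclRule(1, "PERMIT", "IP", "0.0.0.0", "255.255.255.255",
                     "0.0.0.0", "255.255.255.255")

# Constructed sample ACL protecting a base station at 192.0.2.10.
SAMPLE_RULES = [
    # Permit UDP from the constructed 10.10.0.0/16 peer range (wildcard 0.0.255.255).
    AclRule(10, "PERMIT", "UDP", "10.10.0.0", "0.0.255.255", "192.0.2.10", "0.0.0.0"),
    # Permit TCP from one peer only on destination ports 5000-5010.
    AclRule(20, "PERMIT", "TCP", "10.20.0.5", "0.0.0.0", "192.0.2.10", "0.0.0.0",
            dmpt=True, dop="OP_RANGE", dpt1=5000, dpt2=5010),
    # Explicitly deny the commissioning port 4443 from any source.
    AclRule(30, "DENY", "TCP", "0.0.0.0", "255.255.255.255", "192.0.2.10", "0.0.0.0",
            dmpt=True, dop="OP_EQ", dpt1=4443),
]

if __name__ == "__main__":
    for pkt in (Packet("10.10.3.4", "192.0.2.10", "UDP", 2152),
                Packet("10.20.0.5", "192.0.2.10", "TCP", 5005),
                Packet("10.20.0.5", "192.0.2.10", "TCP", 4443),
                Packet("10.20.0.5", "192.0.2.10", "TCP", 6000)):
        print(pkt, "->", filter_packet(SAMPLE_RULES, pkt, mb="DENY"))
```

With MB set to DENY the ACL is a whitelist: the last sample packet (TCP to port 6000) matches neither the permit rules nor the explicit deny and is dropped by the default, which is the behaviour the migration procedure above guards against by inserting the temporary any-to-any rule first.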

Table 4-1 Data to be configured in the ACL MO

| Parameter Name | Parameter ID | Setting Notes | Data Source |
|---|---|---|---|
| ACL ID | ACLID | This parameter specifies the ID of an ACL. If an ACL is referenced by a packet filtering rule, the ACL must contain at least one ACL rule. It is recommended that an ACL be configured for a packet filtering rule and be used only by this rule. | Network plan (negotiation not required) |
| Description | ACLDESC | This parameter provides a brief description of an ACL. | User-defined |

Table 4-2 Data to be configured in the ACLRULE MO

| Parameter Name | Parameter ID | Setting Notes | Data Source |
|---|---|---|---|
| ACL ID | ACLID | This parameter specifies the ID of the ACL to which an ACL rule belongs. Set this parameter to the same value as the ACLID parameter in the associated ACL MO. | Network plan (negotiation not required) |
| Rule ID | RULEID | This parameter specifies the ID of an ACL rule. An ACL rule must have a unique ID. | Network plan (negotiation not required) |
| Action | ACTION | This parameter specifies the ACL action taken on the matched data. It can be set to DENY(Deny) or PERMIT(Permit). If an incoming packet matches an ACL rule, the base station determines whether to accept or reject the packet based on the value of this parameter. If the packet does not match the rule, the base station tries the next ACL rule until all rules in the ACL have been tried. Packets that do not match any ACL rule are processed based on the setting of the MB parameter in the associated PACKETFILTER MO. | Network plan (negotiation not required) |
| Protocol Type | PT | This parameter specifies the protocol type to which an ACL rule applies. | Network plan (negotiation not required) |
| Source IP Address | SIP | This parameter specifies the source IP address of the IP packets to which an ACL rule applies. | Network plan (negotiation not required) |
| Destination IP Address | DIP | This parameter specifies the destination IP address of the IP packets to which an ACL rule applies. | Network plan (negotiation not required) |
| Source Wildcard | SWC | The SWC and DWC parameters specify the wildcards of the source and destination IP addresses, respectively. A wildcard (also known as an inverse mask) consists of 32 binary digits divided into four groups of eight binary digits. A bit set to 0 requires a precise match, whereas a bit set to 1 does not require a match. Set this parameter to 255.255.255.255 if an any-to-any ACL rule is to be configured. | Network plan (negotiation not required) |
| Destination Wildcard | DWC | The same setting notes as for SWC apply, for the destination IP address. | Network plan (negotiation not required) |
| Match Source Port | SMPT | This parameter specifies whether to check the source port number of each packet. This parameter is valid only if the PT parameter is set to TCP(TCP), UDP(UDP), or SCTP(SCTP). The MFRG and SMPT parameters in the same ACLRULE MO cannot both be set to YES(Yes). | Network plan (negotiation not required) |
| Source Port Operate | SOP | This parameter specifies the filtering criteria for the source port. | Network plan (negotiation not required) |
| Source Port 1 | SPT1 | This parameter is required only if the SMPT parameter is set to YES(Yes). | Network plan (negotiation not required) |
| Source Port 2 | SPT2 | This parameter is required only if the SOP parameter is set to OP_RANGE(Range). | Network plan (negotiation not required) |
| Match Destination Port | DMPT | This parameter specifies whether to check the destination port number of each packet. This parameter is valid only if the PT parameter is set to TCP(TCP), UDP(UDP), or SCTP(SCTP). | Network plan (negotiation not required) |
| Destination Port Operate | DOP | This parameter specifies the filtering criteria for the destination port. | Network plan (negotiation not required) |
| Destination Port 1 | DPT1 | This parameter is required only if the DMPT parameter is set to YES(Yes). | Network plan (negotiation not required) |