Security Management
Siemens, MN1226EU09MN_0003, 2002 Siemens AG
Contents
1 Authorization Concept at SC
1.1 Access Restriction
1.2 The internal Login at the Network Element
1.3 Authentication
1.4 User Group Philosophy
2 Establishing a First Connection to the Network Element
2.1 Preconditions
2.2 Management of Network Element User IDs at the Switch Commander
2.3 Grant Network Element Access
2.4 Communication Link Setup
3 Access Restriction at SC Database
3.1 Access Restriction at SC and NE
3.2 Management of NT Users and User Groups
3.3 Management of Switch Commander Users and User Groups
3.4 Managing Task Trees
4 Access Restriction at the NE
4.1 Management of Network Element User ID at the Switch Commander
4.2 Access Restriction for DIALG (MML) at CP
4.3 Access Restriction for Q3 at MP
4.4 File Transfer Security Management
4.5 File Transfer Security Management at CP
4.6 File Transfer Security Management at MP
5 Assign Network Elements to User Groups
5.1 Grant Network Element Access
5.2 Communication Link Setup
5.3 Summary
1 Authorization Concept at SC
Fig. 1
1.1 Access Restriction
User Authorization / Authentication by Windows NT
The only password an operator has to enter to be authorized for command execution is the Windows NT password.
SC User Group
To be a Switch Commander user, a Windows NT user must be a member of at least one SC user group.
Network Elements
Each SC user group defines which NEs its members may access.
Task Group
The SC database specifies for every NE / user group combination which tasks may be executed.
SC Applications
The individual SC applications are assigned per SC / Windows NT user, not per user group.
Fig. 2 Access authorization at SC: NT user -> SC user -> SC user group(s) -> NEs and task groups; SC applications are assigned to the SC user directly.
1.2 The internal Login at the Network Element
Automatic Login
The login at the network element (CP or MP) is no longer performed by the operator but automatically by the SC system.
One User ID per User Group
When the first user of an SC user group starts the execution of a command, the SC system opens a session at the network element. For this it uses an internal user ID that exists both in the SC database and in the NE database.
This user ID is assigned to the SC user group, which means that all users of this user group appear under the same internal user ID in the NE's internal log file. The NE log therefore cannot tell individual operators apart; attributing an action to a person requires the SC-side log in addition.
Internal Passwords
The passwords of the internal user IDs have to be administered manually the first time, at the NE and in the SC database.
Afterwards, every time the NE password expires, the SC system automatically generates a new random internal password. These passwords are not shown to any user.
Network Elements with Q3 Interface
At network elements with a Q3 interface a special kind of internal user ID is used: a parameter defined in the Q3 standard, the Application Entity Title (AET).
The AET consists of two parts:
The Application Process Title (APT), which is a worldwide unique ID of the NE or the communication server (CS);
The Application Entity Qualifier (AEQ), which specifies the individual internal user ID on that NE or CS.
Fig. 3 Internal login at NE: NT user -> SC user -> user group / task group -> network element; the SC logs in with the CP user ID and password (classic NE) or with the AET (Q3 NE).
SUMMARY In short: APT + AEQ = AET.
The APT consists of ten numbers. The first five numbers identify the network provider, the second five are assigned to the specific NE or CS by the network provider.
TIP
At the MP database the internal User ID (AET) is called "Initiator".
The task to create an initiator is "CR INI".
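As an added example (not part of the Siemens course material), the following Python code builds and validates AETs in the form described above: it parses the APT notation used in the SC dialogs, enforces the ten-number rule, splits the provider and NE parts, and checks that an AEQ chosen in the link setup is one that was actually created as an NE user ID. The APT {1 3 12 2 1107 3 0 2 2 1} and AEQ 2 are the values quoted in section 2.4; all function names and the grouping helper are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example, not Siemens code. Section 1.2: an APT has ten numbers,
# the first five identify the network provider, the last five the NE or CS.
APT_LENGTH = 10
PROVIDER_PART = 5
_APT_RE = re.compile(r"^\{\s*([0-9]+(?:\s+[0-9]+)*)\s*\}$")


def parse_apt(text):
    """Parse an APT in the notation of the SC dialogs, e.g. "{1 3 12 2 1107 3 0 2 2 1}",
    and enforce the ten-number rule. Returns a tuple of ints."""
    match = _APT_RE.match(text.strip())
    if not match:
        raise ValueError(f"APT not in '{{n n n ...}}' notation: {text!r}")
    numbers = tuple(int(n) for n in match.group(1).split())
    if len(numbers) != APT_LENGTH:
        raise ValueError(f"APT must contain {APT_LENGTH} numbers, got {len(numbers)}")
    return numbers


def is_valid_apt(text):
    """True if `text` is a syntactically valid ten-number APT."""
    try:
        parse_apt(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class AET:
    """Application Entity Title = APT (identifies the NE or CS) + AEQ (internal user ID)."""
    apt: tuple
    aeq: int

    @classmethod
    def build(cls, apt_text, aeq):
        aeq = int(aeq)
        if aeq < 0:
            raise ValueError("AEQ must be a non-negative integer")
        return cls(parse_apt(apt_text), aeq)

    @property
    def provider_id(self):
        """First five numbers: assigned to the network provider."""
        return self.apt[:PROVIDER_PART]

    @property
    def ne_id(self):
        """Last five numbers: assigned to the NE or CS by the provider."""
        return self.apt[PROVIDER_PART:]

    def __str__(self):
        return "{" + " ".join(str(n) for n in self.apt) + "} AEQ " + str(self.aeq)


def initiators_per_ne(aets):
    """Group AETs by APT: entries that share the APT but differ in the AEQ are
    different internal user IDs (initiators) on the same NE, i.e. different
    SC user groups. Returns {apt_tuple: {aeq, ...}}."""
    grouped = {}
    for aet in aets:
        grouped.setdefault(aet.apt, set()).add(aet.aeq)
    return grouped


def link_aeq_is_created(link_aeq, created_aeqs):
    """Section 2.4: the AEQ selected in the link setup has to be one previously
    created with 'Administer NE user' for this NE; otherwise the automatic
    login cannot work. Accepts the AEQs as ints or digit strings."""
    return int(link_aeq) in {int(a) for a in created_aeqs}


if __name__ == "__main__":
    initiator = AET.build("{1 3 12 2 1107 3 0 2 2 1}", 2)
    print(initiator, "provider", initiator.provider_id, "NE", initiator.ne_id)
    print(initiators_per_ne([initiator, AET.build("{1 3 12 2 1107 3 0 2 2 1}", 3)]))
```

Because the APT alone names the NE or CS, two initiators with the same APT and different AEQs are two user groups on one machine, which is exactly the "one user ID per user group" arrangement of this section.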
1.3 Authentication
Access protection is provided in two stages. In the first stage the user must log on to the terminal (SC or other operating system) and identify himself as an authorized user. This relies on the user IDs, passwords and user groups created with the resources of the operating system available on that system. The user must also be configured as a Switch Commander user, i.e. he must be a member of at least one Switch Commander user group.
Only users logged on under these conditions can connect to the network node, where the second stage of the access protection applies: the Q3 access protection of a GSN, or the user ID authentication of a Classic EWSD.
1. Depending on the kind of Switch Commander system, the Windows NT user ID information is stored on a different machine (PDC for Client/Server) or on the same machine (SAM of a single workstation). This information is checked against what was entered during the login attempt. Additional information about access rights and available applications is stored in the Oracle database of the File Server. Using this information, the user's profile (Start -> Programs -> Switch Commander) is recreated after the successful login. This procedure takes some seconds, so wait before launching a Switch Commander application.
2. Depending on the network element at which a command is to be executed, different authentication mechanisms apply. At a Q3 based network element such as a GSN or STP, every Switch Commander user group has an initiator and a password to establish a Q3 session; with allow and deny rules for these initiators, different Q3 tasks are granted to the user groups. Classic network elements accessed via X.25 and MML commands use user IDs and passwords as well: only Switch Commander user groups with a valid user ID / password pair at the network element may open a session and execute commands, and, as with the Q3 based network elements, the user ID must be a member of a network element authorization class to be allowed to perform a specific command.
Fig. 4 Authentication stages: (1) Windows NT login at the client; (2) user / password check at the PDC; (3) Switch Commander checks the user group at the File Server (FS); (4) the network element checks the initiator (MP, reached via the CS over TCP/IP) or the user ID / password (CP, reached over X.25).
1.4 User Group Philosophy
At the Switch Commander side there are two different types of user groups:
WinNT User Groups
The Windows NT user groups are generated automatically during the installation of the Primary Domain Controller or the Workstation. Every Windows NT user must be a member of at least one WinNT user group.
WinNT User Groups for Switch Commander
Two special WinNT user groups are generated during the installation of the Switch Commander. Both are reserved for Switch Commander users and grant them access to the different Switch Commander directories.
The names of these user groups depend on the name of the particular Switch Commander system. This name is given during the installation of the File Server and identifies the different SC systems within one WinNT domain.
Examples for these special user group names are:
SCName-SCAdmins and SCName-SCUsers, where SCName is the name of the SC system.
Switch Commander User Groups
Membership in an SC user group has more influence on a user's access rights than membership in a WinNT user group.
Via this membership the access to different commands, directories and files is granted or restricted. Because a user can be a member of more than one group, the effective rights are the sum of the access / deny rights of all user groups the user is a member of.
The SC user groups are stored in the Oracle database at the File Server. They are configured with the SC application "SC Administration".
WARNING
Never assign a WinNT user manually (with the WinNT User Manager) to the special WinNT user groups! The assignment is done automatically when the WinNT user becomes a member of his first SC user group.
Fig. 5 Windows NT and Switch Commander user groups: the NT groups SCName-SCAdmins and SCName-SCUsers on the Windows NT side; the SC user groups Administrators, 1 and 2 on the Switch Commander side; users A, B and C assigned to them.
SUMMARY A Switch Commander user must be a member of an NT user group (stored at the PDC) to have access to Windows NT. Additionally he must be a member of a Switch Commander user group (stored at the FS) to have access to the Switch Commander applications. The commands he is allowed to execute at a network element depend on the SC user groups he is a member of.
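As an added example that is not part of the course, the following Python model walks the chain just described: NT login, SC user group membership, NE assignment, task group, and the internal NE user ID used for the automatic login. The user, group, NE and task names (Scop1, SCadmin, Operators, MSC1, HLR1, DISP TRUNK, ...) are constructed for this example and not taken from a real installation; the rule that a user's rights are the union over all his SC user groups follows section 1.4.

```python
from dataclasses import dataclass

# Added example, not Siemens code. All directory data below is constructed.
# SC system name as used in the special NT group names SCName-SCUsers / SCName-SCAdmins.
SC_NAME = "SC1"


@dataclass(frozen=True)
class NTUser:
    name: str
    password: str          # clear text only in this toy model; NT checks a hash in the SAM/PDC
    nt_groups: frozenset   # Windows NT group names


@dataclass(frozen=True)
class SCUserGroup:
    name: str
    members: frozenset     # NT user names assigned to this SC user group
    tasks: dict            # NE name -> frozenset of task names (NE based task tree)
    ne_userid: dict        # NE name -> internal NE user ID used for the automatic login


NT_DIRECTORY = {
    "Scop1":   NTUser("Scop1",   "op1-pass", frozenset({"Domain Users", f"{SC_NAME}-SCUsers"})),
    "SCadmin": NTUser("SCadmin", "adm-pass", frozenset({"Domain Users", f"{SC_NAME}-SCUsers", f"{SC_NAME}-SCAdmins"})),
    "Guest7":  NTUser("Guest7",  "guest",    frozenset({"Domain Users"})),   # valid NT login, no SC user group
}

# Task and NE names are placeholders: "MSC1" stands for a classic CP (CP user ID),
# "HLR1" for an MP reached via Q3 (AET written as "APT / AEQ").
SC_USER_GROUPS = (
    SCUserGroup("Operators", frozenset({"Scop1", "SCadmin"}),
                {"MSC1": frozenset({"DISP TRUNK", "DISP SUB"}), "HLR1": frozenset({"DISP SUB"})},
                {"MSC1": "OPER1", "HLR1": "{1 3 12 2 1107 3 0 2 2 1} / 2"}),
    SCUserGroup("SC Administrators", frozenset({"SCadmin"}),
                {"MSC1": frozenset({"CR SUB", "CAN SUB"})},
                {"MSC1": "ADMIN1"}),
)


def nt_login(user_name, password):
    """Stage 1 (section 1.3): the NT password is the only one the operator types."""
    user = NT_DIRECTORY.get(user_name)
    if user is None or user.password != password:
        return None
    return user


def sc_groups_of(user_name):
    """An NT user is an SC user only while member of at least one SC user group (1.1)."""
    return [g for g in SC_USER_GROUPS if user_name in g.members]


def authorize(user_name, password, ne, task):
    """Walk the chain NT login -> SC user -> NE assignment -> task group and report
    the stage at which the request is refused. On success the result also names the
    SC user group whose internal NE user ID the SC logs in with (1.2): that ID, not
    the operator's NT name, is what the NE's own log file records."""
    user = nt_login(user_name, password)
    if user is None:
        return {"granted": False, "stage": "nt_login"}
    groups = sc_groups_of(user.name)
    if not groups:
        return {"granted": False, "stage": "sc_user"}
    # Rights are the union over all SC user groups the user is a member of (1.4).
    with_ne = [g for g in groups if ne in g.tasks]
    if not with_ne:
        return {"granted": False, "stage": "ne_access"}
    allowing = [g for g in with_ne if task in g.tasks[ne]]
    if not allowing:
        return {"granted": False, "stage": "task"}
    group = allowing[0]          # the NE session is opened with this group's internal user ID
    return {"granted": True, "stage": "granted",
            "sc_user_group": group.name, "ne_userid": group.ne_userid[ne]}


def allowed_tasks(user_name, ne):
    """Union of the task sets granted for `ne` by every SC user group of the user."""
    return frozenset().union(*(g.tasks.get(ne, frozenset()) for g in sc_groups_of(user_name)))


def operators_behind(ne, ne_userid):
    """Audit helper: which operators appear under one internal user ID in the NE log.
    More than one name means the NE log alone cannot attribute an action to a person."""
    names = set()
    for g in SC_USER_GROUPS:
        if g.ne_userid.get(ne) == ne_userid:
            names |= g.members
    return names


if __name__ == "__main__":
    print(authorize("Scop1", "op1-pass", "MSC1", "DISP TRUNK"))
    print(authorize("Scop1", "op1-pass", "MSC1", "CR SUB"))
    print(sorted(operators_behind("MSC1", "OPER1")))
```

operators_behind() makes the logging consequence of section 1.2 concrete: every operator of a group acts under one NE user ID, so tracing an NE log entry to a person needs the SC-side log (Log Viewer) as well.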
2 Establishing a First Connection to the Network Element
Fig. 6
2.1 Preconditions
This part of the documentation describes the sequence of steps for establishing a first connection to the network element.
This sequence only works if certain preconditions are fulfilled.
It also only establishes a first connection to the network element; security settings and alarm forwarding are not covered here but explained later on.
Preconditions for establishing a first connection to the Network Element:
All services have been activated and started.
The corresponding SC users and user groups already exist.
The settings for the Switch Commander and for the network element database have been made (according to the chapter Communication Database).
The security setting of the MP is still in the default mode: any internal user ID (initiator) and any password will be accepted.
The default FTP user ID (usually root) with the default password (usually root1#) still exists. This default account is known to anyone with the documentation and has to be replaced as part of the file transfer security management (chapter 4.4) once the first connection works.
Fig. 7
2.2 Management of Network Element User IDs at the Switch Commander
Access to the different NEs is based on internal user IDs which the Switch Commander uses for the automatic login.
All Switch Commander based security settings, including the settings for the internal user IDs, are made from the application SC Administration.
To enable access authorizations at network elements, you create NE user IDs:
To enable MML / DIALG connections to the classical EWSD components (CP), you create CP user authorizations with authorization for FTAM file transfer.
To authorize file transfer via FTP between the SC operations system and SSNC based NE components (MP), you create FTP initiator IDs.
To enable Q3 / CMISE communication between the SC operations system and SSNC based NE components (MP), you create application entity titles (AET, "APT + AEQ = AET") as MP initiators.
WARNING For Q3 based internal user IDs the AEQ has to be entered as the NE user ID!
The passwords of the NE user authorizations as entered in SC Administration are stored in encrypted form.
Usually you create a set of user IDs for each network element according to your requirements. Access restrictions for these user IDs are configured at the Switch Commander, using user groups, and at the individual network elements, using the network element specific commands.
Note that all network element user IDs are assigned to a specific user group, not to a specific Switch Commander user.
TOOLS
SC Administration:
File -> Administer NE User
Fig. 8 SC Administration: internal user IDs
TIP For the first connection to the MP we use the default setting of the MP security database:
A new MP database accepts any internal user ID (AET) and any password. This means we can enter any valid user ID at SC Administration, where "valid" means that the APT and the AEQ have already been created in the communication database.
The real access restriction is described later on.
The security settings at the MP only become effective after this default mode (accept everything) has been switched off; until then the MP is open to any initiator that can reach it.
2.3 Grant Network Element Access
Before a user can execute a command at a network element, the user must be a member of a Switch Commander user group, and this Switch Commander user group must have the network element assigned. Both settings are made with the SC Administration tool.
As with modifying the membership of a Switch Commander user, there are several ways to open the properties of a Switch Commander user group.
When you create a new user group, you have the chance to specify whether the task tree of this user group is "NE based" or "APS based".
NE based task tree:
The network elements available for this user group appear in a tree structure, and every network element has its own task tree.
APS based task tree:
There are different task trees for different APS versions (software releases) but only one task tree for all network elements running on the same software version. Each assigned task is available for all network elements running on that APS version.
The task tree type to choose for a new user group depends on the task sets the users need: if the members are to have different task sets on network elements running the same APS version, you must choose an NE based task tree.
TOOLS
SC Administration -> User Group -> Properties
SC Administration -> User Group -> Create
Fig. 9 SC Application "SC Administration"
2.4 Communication Link Setup
Select the network elements the users of the user group should have access to. The Switch Commander application reminds you that tasks still have to be assigned to the network element afterwards. Proceed, and the "NE Details" window appears.
Here you select via which Communication Server the network element is to be accessed. If possible you should always choose two, to guarantee redundancy. The selectable values depend on the kind of network (X.25 based, Q3 based) and on the values entered during the communication database setup. A further precondition is that the network element user IDs have already been created with the tool "Administer NE user" explained above.
Primary CS: Communication Server normally used to access the network element, e.g. CS4210
APT: Application Process Title as entered during the communication database setup, e.g. {1 3 12 2 1107 3 0 2 2 1}
AEQ: Application Entity Qualifier as created with the "Administer NE user" tool, e.g. 2; together with the APT it makes up the AET, i.e. the initiator at the network element
Backup CS: should be used if more than one Communication Server is available.
Using different "Primary CS" settings for different user groups creates a static load sharing: every user group uses its "own" Communication Server to access the network element, so the total load is shared over all Communication Servers.
In the next step you specify the link settings, i.e. via which link the network element is accessed. The selectable parameters are again those generated during the communication database setup; choose the ones matching, e.g., the AEQ you specified before. This has to be done twice, once for the "Primary CS" and once for the "Backup CS", provided you have specified one.
Fig. 10 Assign Communication Server to the user group (check the box or double click the NE)
Q3 Links
Local Link: select the matching link description entered before, i.e. the local communication database link of the Communication Server (entered with "SC NE Administration", CS)
Remote Link: select the matching link description entered before, i.e. the remote communication database link to the network element (entered with "SC NE Administration", NE)
Double check the parameters shown in the description part of the window.
Now you should be able to execute Q3 tasks at the MP!
3 Access Restriction at SC Database
Fig. 11
3.1 Access Restriction at SC and NE
Access restriction is realized in three steps:
1. User identification is done by the Windows NT authentication concept.
2. Within the Switch Commander, access is restricted per task (MML commands, Q3 script files, scenarios, ...).
3. At the NE, access is restricted per MML command at the CP and according to the Q3 standard at the MP.
Fig. 12 Access restriction at SC and NE. Client (CT, WinNT) -> PDC / FS: WinNT user ID + password -> NT user -> SC user -> SC user group (tasks) -> internal user IDs. MP: Q3 security concept based on Q3 managed object classes (MOCs) and the actions (Q3 request types) allowed on these MOCs, keyed by the AET. CP: CP user ID -> authorization -> authorization classes -> MML commands.
3.2 Management of NT Users and User Groups
The Switch Commander application uses the Windows NT security facilities to grant access to the system. Therefore every user must have his own Windows NT login name and password. It is the task of the NT administrator to provide the user IDs. Depending on the kind of Switch Commander, Client/Server or Single Machine, the administrator uses User Manager for Domains or the local User Manager.
In a client/server environment you should start the User Manager at a Windows NT Server. The User Manager at a Windows NT Workstation manages the local users and user groups only. If you intend to manage the domain from a workstation, copy the executable from any server to your local machine, e.g.
copy \\PDC4210\C\winnt\system32\Usmgr.exe C:\winnt\system32
TOOLS
Start the User Manager at a Windows NT Server system:
Start -> Programs -> Administrative Tools (Common) -> User Manager
Fig. 13 User Manager of the Domain: SCR4210
A precondition for creating a new Switch Commander user is that the user has a valid Windows NT user account.
Depending on the future tasks of the user, he should become a member of at least one of the following user groups:

NT user group    SC User   SC Admin   Domain Admin
Domain Admins    -         -          X
Domain Users     X         X          X
SC1-SCAdmins     -         X          -
SC1-SCUsers      X         X          -

Using these NT user groups, access to directories and files as well as to special applications, like the User Manager, is granted or restricted. As the table shows, there is usually no need for a Domain Administrator to be a member of a Switch Commander NT user group.
Additional users and user groups can be created or assigned for special tasks, like
Account Operators
Backup Operators
Server Operators
If you want to create a new Switch Commander user, it may be easier to copy the user profile of an existing Switch Commander user, e.g. the default Switch Commander administrator user ID "SCadmin". Note that the copy inherits the group memberships of the original, so check them before the new user gets to work.
TOOLS
Application: "User Manager"
User -> Copy (F8)
TIP Note that the user groups in the table above are "global Windows NT user groups", whereas the additional user groups mentioned are "local Windows NT user groups". A global user group can be a member of a local user group, but not the other way round.
A newly created user ID is generated at the PDC; if your login is checked by the BDC, you have to wait until the BDC database has been updated before the user ID can be used.
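The following Python check is an added example, not a Siemens tool. It compares each account's actual NT group membership with the membership that follows from its SC user groups, to find the manual assignments the WARNING in section 1.4 forbids, SC users missing their SCName-SCUsers membership, and domain administrators carrying SC groups they usually do not need. The account data are constructed; the mapping of the predefined SC user group "SC Administrators" to SCName-SCAdmins is an assumption of this example.

```python
# Added example, not Siemens code. Group names follow the pattern of section 3.2
# (SC1-SCUsers, SC1-SCAdmins). That the predefined SC user group "SC Administrators"
# corresponds to SCName-SCAdmins is an assumption of this example.
SC_NAME = "SC1"
SC_USERS = f"{SC_NAME}-SCUsers"
SC_ADMINS = f"{SC_NAME}-SCAdmins"
SPECIAL_NT_GROUPS = {SC_USERS, SC_ADMINS}


def expected_special_groups(sc_user_groups):
    """Special NT groups an account should hold, derived from its SC user groups only:
    any SC user group -> SCName-SCUsers; "SC Administrators" additionally -> SCName-SCAdmins.
    This mirrors the automatic assignment described in section 1.4."""
    if not sc_user_groups:
        return set()
    expected = {SC_USERS}
    if "SC Administrators" in sc_user_groups:
        expected.add(SC_ADMINS)
    return expected


def audit_account(name, nt_groups, sc_user_groups):
    """Return a list of findings for one account: special NT groups that were assigned
    by hand, special NT groups missing for an SC user, missing Domain Users membership,
    and domain administrators holding SC groups."""
    nt_groups = set(nt_groups)
    sc_user_groups = set(sc_user_groups)
    findings = []
    expected = expected_special_groups(sc_user_groups)
    actual = nt_groups & SPECIAL_NT_GROUPS
    for group in sorted(actual - expected):
        findings.append(f"{name}: member of {group} without a matching SC user group (manual assignment?)")
    for group in sorted(expected - actual):
        findings.append(f"{name}: SC user group member but missing NT group {group}")
    if sc_user_groups and "Domain Users" not in nt_groups:
        findings.append(f"{name}: SC user without Domain Users membership")
    if "Domain Admins" in nt_groups and actual:
        findings.append(f"{name}: domain administrator also holds {sorted(actual)}; usually not needed")
    return findings


def audit(accounts):
    """accounts: {name: (nt_groups, sc_user_groups)} -> {name: findings}, only for
    accounts that have at least one finding."""
    report = {}
    for name, (nt_groups, sc_user_groups) in accounts.items():
        findings = audit_account(name, nt_groups, sc_user_groups)
        if findings:
            report[name] = findings
    return report


# Constructed sample domain (assumption): a clean operator, a clean SC administrator,
# an operator put into SC1-SCAdmins by hand, a domain admin with an SC group, and an
# operator whose special NT group was never created.
SAMPLE_ACCOUNTS = {
    "Scop1":     ({"Domain Users", SC_USERS}, {"Operators"}),
    "SCadmin":   ({"Domain Users", SC_USERS, SC_ADMINS}, {"Operators", "SC Administrators"}),
    "Scop2":     ({"Domain Users", SC_USERS, SC_ADMINS}, {"Operators"}),
    "DomAdmin1": ({"Domain Users", "Domain Admins", SC_USERS}, set()),
    "Scop3":     ({"Domain Users"}, {"Operators"}),
}

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS).items():
        for line in findings:
            print(line)
```

In a real domain the two input lists would come from the PDC (NT group membership) and from the SC Administration database (SC user group membership); the check itself stays the same.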
Fig. 14 Properties of the user "Scop1"
Fig. 15 Copy the existing user profile of the user "SCadmin"
3.3 Management of Switch Commander Users and User Groups
Special Switch Commander User Groups
Whereas the Windows NT domain administrator uses the "User Manager" to create new user IDs and assign user groups to them, the Switch Commander administrator has to assign these users to Switch Commander user groups. The difference is that these user groups do not grant or restrict access to certain directories, but to certain network elements and to a certain command set at these network elements.
Every user who wants to use the Switch Commander must be a member of at least one Switch Commander user group. A user who is not a member of any Switch Commander user group and starts a Switch Commander application directly only gets an error message.
During the installation of the Switch Commander three SC user groups are created automatically:
SC Administrators: members of this user group are Switch Commander administrators; they can start the SC Administration applications and modify the database.
SC Security: all members receive security alarm messages and notifications and have the right to modify the passwords at the network elements manually after they have expired.
SC Routing: these users receive notifications and alarm messages to update the alarm panel and to present them in the Switch Commander application Q3EPS (Q3 Event Presentation Service).
TOOLS
Start the Switch Commander Administration tool (SC Administration)
Start -> Programs -> Switch Commander -> SC Administration
Fig. 16 Error message of an unauthorized user id attempting to start a Switch Commander application
Fig. 17 SC Administration application
There are different ways to assign a Windows NT user ID to a Switch Commander user group, especially when modifying an existing configuration:
via the properties of a Switch Commander user group
via the properties of a Switch Commander user
via the menu item Add NT User
via the menu item Add NT User Group
The effect is always the same. Every member of a Switch Commander user group gets the same rights as the user group itself: all members can access the same network elements, are allowed the same tasks at a specific network element, and use the same set of network element user IDs to execute these tasks.
TOOLS
Double click on an existing Switch Commander user group
Double click on an existing Windows NT user group
UserGroup -> Add NT User
UserGroup -> Add NT User Group
Fig. 18 Switch Commander user groups - Windows NT user assignment
Independent of the assignment to a specific Switch Commander user group, every user has his own profile. Via this profile the Switch Commander administrator specifies which Switch Commander applications a user is allowed to execute and which applications are not shown to the user.
Because these settings are specific to a Windows NT user ID, they are only shown after you have selected a user; you can use, e.g., the Windows NT user properties to interrogate the current settings. The list of applications shown in the window depends on the applications installed at the File Server. All applications are listed in alphabetical order, for example:
Fig. 19 SC User- Properties - possible Switch Commander applications
SC Application: Description
Alarm Console: alarm window for free running text messages
Alarm Surveillance: online alarm surveillance of the network elements
BMML: grants the optional BMML input window at a classical network element when using the workbench
DaRRT Upgrader
Floor Plan Editor: administrator tool to create site specific floor plans
GPRS Tracer: service tool for tracing
Interactive Document Browser: application to view the interactive online documentation in Dynatext or Acrobat Reader format
Log Viewer: tool to access the logging functions of the SC
NE Layer Management: administrator tool to adapt the communication database of the TCP/IP based network elements
ODM: OEM Device Manager, used to access the OEM devices via a telnet session
Panel Editor: administrator tool to create and modify alarm panels
Q3 Event Presentation Service: application to receive Q3 notifications from the network element, to interrogate network element logging files, and an easy interface to check the hardware status of different modules
Scenario Upgrader: upgrade tool to upgrade scenarios from a previous version
Scenario Wizard: graphical application to generate scenarios
Task Analyzer: application to verify the syntax of a task
Task Browser: tree based task browser used to start the workbench
Trace Configuration: service tool to activate software traces
3.4 Managing Task Trees
Independent of the network element user ID, the access rights to a specific network element are granted via the Switch Commander Administration tool. They are granted to a specific Switch Commander user group and therefore to all users that are members of this user group. Via the tasks the administrator assigns to this user group, he can restrict access to a certain subset of tasks, e.g. only DISPlay tasks. Furthermore, the administrator can generate his own task tree for all operators; operator specific tasks can be added at any point of the task tree.
The administrator is responsible for making sure that all tasks assigned to a Switch Commander user group can actually be executed under the network element user ID assigned to that user group: the task tree only controls what is offered in the SC, the NE user ID and its authorization class decide what the NE accepts.
TOOLS
1. SC Administration -> double click on a user group
2. Activate the task wizard
Fig. 20
3.4.1 User Group Specific Task Trees
Task management is done with the Task Wizard, an application to easily assign tasks to a specific user group. The Task Wizard supports the creation and management of task templates, which simplify the administrator's job. A task template is a convenient subset of tasks for the purposes of a specific user group. You can create templates from the tasks provided by Siemens in reference folders and from global tasks.
When you start the Task Wizard from the "Switch Commander User Group Properties", three windows are shown:
Reference Window
The reference tree (called Siemens Tree) in the "Reference" window shows the content of the installed task databases. A task database stores network element version specific data, that is, the tasks provided by Siemens for the operation of network elements (short name, long name, path and file name, help texts), the corresponding reference task tree, and the information needed for working with EMML (menu tree, command forms, help texts). A task database is specific to a network element version and language.
The global task tree (called Imported Tasks) is also displayed in the "Reference" window. It contains all new tasks that you imported, for all installed NE versions. Global tasks are NE version independent.
Template Window
The template tree is displayed in the "Template" window. It contains all templates and folders you create. These tasks are associated with a single NE version.
User Group Window
The content of the user group window depends on the user group from which the Task Wizard was started. It presents all network elements assigned to that user group.
Fig. 21
3.4.2 Task Wizard
TOOLS
To assign a task, a branch or the whole task tree, select the corresponding part in the "Reference Window" and drag and drop it onto the destination. Only tasks of the same network element version as the destination network element (e.g. GX7E8X26_3102) can be copied.
Fig. 22
3.4.3 Generating Templates
With the Task Wizard it is possible to generate templates of tasks, branches or task trees to provide a predefined task set which can be copied to any existing or new user group. The assigned tasks can come from the template tree, from the reference tree, or from any combination of both.
You create and edit task templates by dragging and dropping tasks from the Reference window to the Template window. Usually this operation is only allowed if source and destination network element versions are identical: the Task Wizard performs network element version compatibility checks that prevent you from dragging tasks meant for one network element version to another. The global tasks in the Imported Tasks tree of the Reference window can be copied to any network element version in the Template window.
TOOLS
SC Administration -> File -> Invoke Task Wizard
You can generate new templates and new folders to build up your own task tree, which can then be used for all user groups. Tasks and branches can be copied from one template to another, or from "Reference -> Siemens Tree", as long as the network element version is the same. Imported tasks (global tasks) can be copied to any network element version without a version check; the administrator must therefore make sure himself that such a task can actually be executed at the selected network element.
Fig. 23 Invoke "Task Wizard" to generate templates
-
Siemens Security Management
MN1226EU09MN_0003
2002 Siemens AG
44
3.4.4 Importing Global Tasks
In the course "SC Operation" it is explained how to import so called "private tasks" into your personal task tree.
Such private tasks can be, for example, scenarios, Q3 script files, MML command files, ...
The Switch Commander system also gives an SC Administrator the possibility to import a (global) task into the task tree assigned to an SC user group.
Fig. 24 Import of Global Tasks (steps 1 to 3)
The import of a global task has to be done in three steps:
1. Copy the file to the "Global Task Files" folder: \\524sc91\SCBase\Databases\GlobalTaskFiles
2. Start the import with the "Import Task" button at the SC Administration -> task wizard
3. Specify the long and the short name of the task
4 Access Restriction at the NE
Fig. 25 Converged networks: MSC/VLR, EIR, HLR/AC, SGSN, GGSN, EWSD Innovation and UMSC (GSM, GPRS/UMTS, wireline) managed by Switch Commander
4.1 Management of Network Element User ID at the Switch Commander
To enable access authorizations at network elements, you create NE user IDs:
To enable dialog connections with EWSD Classic, you create CP user authorizations with authorization for FTNEA and FTAM file transfer.
To authorize file transfer between the operations system and GPRS and STP network elements via FTP, you create FTP IDs.
To enable Q3 connections with EWSD STP and PowerNode network elements, you create application entity qualifiers (AEQ) as MP user authorization.
The passwords of the NE user authorizations, as you enter them in SCR Administration, are stored in encrypted form.
Usually you create a set of user IDs for each network element according to your needs. Access right restrictions for these users can be created at the Switch Commander, using user groups, and at the different network elements, using the network element specific commands. Please note that all network element user IDs are assigned to a specific user group, not to a specific Switch Commander user.
TOOLS
SC Administration:
File -> Administer NE User
Fig. 26 Creating NE user authorizations (NT user -> SC user -> user group -> task group -> network element; internal login at the NE with CP user ID, login and password, or with an AET)
Using this menu item the "NE User Administration" window appears. Here you get a list of user IDs already created. You can use the following control icons:
Control Icon   Description
Add            create an additional user ID
Modify         modify the password of an existing user ID
Delete         cancel a user ID
Close          end the "NE User Administration" tool
Help           get some help
Use "Add" to create a new user:
Parameter                  Value                   Description
NE Name                    e.g. GSN1               Symbolic name of the network element as created before
ID Groupings               e.g. MP                 Group of applications (protocols) used for the network element
CS Name                    e.g. CS4210             Communication Server used for the user ID
APT Name                   1 3 12 1107 3 0 2 2 1   Application Process Title for the network element (Q3 based NE only)
NE User ID                 e.g. 2                  Application Entity Qualifier for MP, resp. user ID of a Classic network element
Password                   e.g. 123                Password, not shown during input
Confirm Password           e.g. 123                Password entered a second time, not shown during input
CP, MP, FTP, FTAM, FTNEA   e.g. MP                 Application released for this user ID
TIP User IDs for FTAM resp. FTNEA have to be created at the network element using the corresponding APPLID (FTAM, NEABD).
Fig. 27 Assigning a user to a network element
4.2 Access Restriction for DIALG (MML) at CP
Classic Network Elements like an MSC/VLR, HLR/AC or EIR, connected via X.25 and managed using MML commands, use user authorization classes to restrict access to a specific command set.
There are 50 authorization classes. Of these, classes 2 through 49 are freely administrable. By default, authorization class 1 contains all MML commands and cannot be changed by the operator. Authorization class 50 contains the commands that can be used to maintain system operation at any time. To facilitate their use and establish a more comprehensible structure, authorization classes are grouped in authorizations (character string of max. 6 characters). Three of the possible maximum of 51 authorizations are permanently assigned: authorization 0 does not contain any authorization class, authorization 1 contains authorization class 1 for all commands, and the SYSAUT authorization contains authorization class 50. The remaining 48 authorizations are at the operator's disposal for entering freely definable authorizations.
Exactly one authorization is assigned to every user ID. The user is allowed to execute all commands assigned to the authorization classes which that authorization contains.
Fig. 28 Relationship authorization class, authorization and user id. Example: AUTCL 2 (CR LTG, CAN LTG, DISP LTG, STAT LTG, DIAG LTG, CONF LTG, MOD LTG, REC LTG, ...), AUTCL 3 (DISP LTG, STAT LTG, DIAG LTG, CONF LTG, ...), AUTCL 49 (DISP LTG, STAT LTG, ...); AUT ADMIN = {2}, AUT EXPERT = {2, 3}, AUT DSPUSR = {49, ...}; users A, B and C each hold one authorization.
Relevant MML commands:
CR USERID
USERID    symbolic name, e.g. scrusr#9
AUT       authorization, e.g. 1
APPLID    additional application, e.g. NEABD
SCOPE     REMOTE for Switch Commander
CRYPTPW   Cryptic Password, left blank
PERMIT    usually NONE
HLRID     usually used for Subscriber Administration only
ENTR AUTCL
AUTCL     Authorization Class, e.g. 40
CMDCOD    commands assigned to the authorization class, e.g. STATSN&STATMB
ENTR AUT
AUT       symbolic name of the authorization, e.g. SCRAUT
AUTCL     Authorization Classes, e.g. 40&41
Creation of CP User IDs
CRUSERID: USERID=SCRUSR#9, AUT=1, APPLID=FTA, SCOPE=REMOTE;
ENTRAUTCL: AUTCL=40,CMDCOD=STATSN&STATMB;
ENTRAUTCL: AUTCL=41, CMDCOD=DISPTIME&STATSSP;
ENTRAUT: AUT=SCRAUT, AUTCL=40&41;
MODUSERID: USERID=SCRUSR#9, AUT=SCRAUT, OAUT=1;
To see the result:
DISPUSERID:USERID=SCRUSR#9;
MSC5/SMTESTEXCH/D2MMPK1V16031298/113 00-08-18 12:20:36
3158 SC SCRUSR#1 2970/06300
DISPUSERID:USERID=SCRUSR#9; EXEC'D
TABLE OF USER-IDENTIFICATIONS:
USERID STATE APPLID SCOPE AUT AUTHORIZATION CLASS
---------+-------+-------+-------+-------+------------------------------
SCRUSR#9 UNLOCK NEABD REMOTE SCRAUT 40& 41
END JOB 3158
Fig. 29 Creation of CP userID
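To make the user ID, authorization and authorization class relationship of section 4.2 concrete, here is an added example (not part of the training document, not Siemens code) that parses the command sequence of Fig. 29 into a small model of the CP security database and answers whether a user may execute a given command. The behaviour of MOD USERID with a stale OAUT and the "not modelled" error are modelling choices of this example, not documented CP behaviour.

```python
from dataclasses import dataclass, field

ALL_COMMANDS = "*"   # stands for "every MML command" (authorization class 1)

@dataclass
class CpSecurityDb:
    # authorization class -> set of command codes; class 1 is fixed and holds all commands,
    # class 50 holds the system maintenance commands (left empty in this model)
    classes: dict = field(default_factory=lambda: {"1": {ALL_COMMANDS}, "50": set()})
    # authorization -> set of authorization classes; 0, 1 and SYSAUT are permanently assigned
    auts: dict = field(default_factory=lambda: {"0": set(), "1": {"1"}, "SYSAUT": {"50"}})
    users: dict = field(default_factory=dict)   # user ID -> its single authorization

def parse_params(text):
    """Split 'USERID=SCRUSR#9, AUT=1, ...' into an upper-cased parameter dictionary."""
    params = {}
    for part in text.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().upper()] = value.strip().upper()
    return params

def apply_mml(db, line):
    """Apply one CR USERID / ENTR AUTCL / ENTR AUT / MOD USERID command to the model."""
    line = line.strip().rstrip(";")
    if not line:
        return
    cmd, _, rest = line.partition(":")
    cmd, p = cmd.strip().upper(), parse_params(rest)
    if cmd == "ENTRAUTCL":
        if p["AUTCL"] == "1":
            raise ValueError("authorization class 1 cannot be changed by the operator")
        db.classes.setdefault(p["AUTCL"], set()).update(p["CMDCOD"].split("&"))
    elif cmd == "ENTRAUT":
        if p["AUT"] in ("0", "1", "SYSAUT"):
            raise ValueError(f"authorization {p['AUT']} is permanently assigned")
        db.auts.setdefault(p["AUT"], set()).update(p["AUTCL"].split("&"))
    elif cmd == "CRUSERID":
        db.users[p["USERID"]] = p["AUT"]
    elif cmd == "MODUSERID":
        # OAUT names the old authorization; this model refuses a stale value (modelling choice)
        if db.users.get(p["USERID"]) != p.get("OAUT"):
            raise ValueError("OAUT does not match the user's current authorization")
        db.users[p["USERID"]] = p["AUT"]
    else:
        raise ValueError(f"command {cmd} not modelled")

def load(script):
    """Build the model from a sequence of MML command lines."""
    db = CpSecurityDb()
    for line in script.splitlines():
        apply_mml(db, line)
    return db

def allowed_commands(db, userid):
    """Union of the command codes of all classes in the user's single authorization."""
    commands = set()
    for autcl in db.auts.get(db.users[userid.upper()], set()):
        commands |= db.classes.get(autcl, set())
    return commands

def may_execute(db, userid, command):
    commands = allowed_commands(db, userid)
    return ALL_COMMANDS in commands or command.upper() in commands

# Constructed sample: the command sequence of Fig. 29 as the operator types it.
SAMPLE_MML = """
CRUSERID: USERID=SCRUSR#9, AUT=1, APPLID=FTA, SCOPE=REMOTE;
ENTRAUTCL: AUTCL=40,CMDCOD=STATSN&STATMB;
ENTRAUTCL: AUTCL=41, CMDCOD=DISPTIME&STATSSP;
ENTRAUT: AUT=SCRAUT, AUTCL=40&41;
MODUSERID: USERID=SCRUSR#9, AUT=SCRAUT, OAUT=1;
"""

if __name__ == "__main__":
    db = load(SAMPLE_MML)
    for cmd in ("STATSN", "DISPTIME", "CRLTG"):
        print(cmd, may_execute(db, "SCRUSR#9", cmd))   # True, True, False
```

Until the final MOD USERID the user still holds authorization 1 and could execute every command, which is why Fig. 29 changes the authorization as the last step.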
4.3 Access Restriction for Q3 at MP
As at the MML based network elements, there is a network element based user restriction at the Q3 based network elements too.
At these network elements there are no user IDs, but so called initiators. Every initiator is identified by its AET (Application Entity Title). The AET consists of the APT (Application Process Title) and the AEQ (Application Entity Qualifier).
The access control function administers access rights on the basis of rules, initiator groups and target groups. An initiator group is a number of initiators (AETs), while a target group defines a number of object classes/object model branches and operations. A rule defines the access rights of an initiator group to a target group. In other words, it determines which types of access (operations on one or more object classes/object model branches) may be executed by an initiator.
At the Q3 based network elements a user is identified via its AET. This AET must have its corresponding initiator (INI) at the network element. To ease the restriction settings, these initiators are combined in different initiator groups (ACINIGRP). On the other hand you generate some target groups (ACTARGRP) specifying the corresponding parts of the management base (object classes) and the access rights. Finally you have to generate the connections between these groups (initiator groups and target groups) using different rules. Using allow rules you specify which commands are granted to the user; using deny rules you restrict the access.
Fig. 30 User groups, target groups and rules at the Q3 based network elements (initiator groups Admins and Operator, target groups All Commands, Op Commands and GETLIC, connected by rules)
4.3.1 Initiators and Initiator Groups
Relevant Task:
CR INI (Create Initiator)
Initiator             AET of the initiator, e.g. 1 3 12 2 1107 3 0 2 2 1 2
Initiator Name        symbolic name of the initiator, e.g. OPERATOR
Password type
  Replay Protected PW   password protected against malicious reuse
  Simple PW             simple password string, like test#1
  No PW                 no password necessary for the initiator
Password              if used, password string, e.g. test#1
Verify password       second input to verify the password
Accept time range     time range during which replay protected passwords are accepted
Start time, Stop time, Daily intervals, Weekly intervals
                      time period during which the initiator gets access to the system
CR ACINIGRP (Create Access Control Initiator Group)
Initiator Group       symbolic name, e.g. SECURITYGRP
AET list              list of initiators, e.g.
                      1 3 12 2 1107 3 0 2 2 1 2
                      1 3 12 2 1107 3 0 2 2 1 3
                      1 3 12 2 1107 3 0 2 2 1 4
TIP A replay protected authentication can be used if the Q3 based network element has to be accessed via an insecure network. A traced or snooped authentication sequence cannot be reused for an unauthorized login, because the lifetime of the password is set to 5 minutes only, by default. During this period the connection is already in use by the authorized Switch Commander system.
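The TIP above describes the property of a replay protected password. As an added illustration of that property (this is not the network element's actual scheme, which the document does not specify), the following constructed verifier accepts a time-bound, nonce-bound HMAC token once only and rejects it outside the 5 minute accept time range; the AET, secret and token format are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

LIFETIME_SECONDS = 300   # the document's default: a replay protected password lives 5 minutes

def make_token(secret: bytes, aet: str, timestamp: int, nonce: bytes) -> bytes:
    """Client side: bind the initiator AET, the current time and a fresh nonce with an
    HMAC over the shared secret (assumed construction, not the NE's scheme)."""
    message = f"{aet}|{timestamp}|".encode() + nonce
    return hmac.new(secret, message, hashlib.sha256).digest()

class ReplayProtectedVerifier:
    """Network element side: accepts a token once, and only inside the accept time range."""

    def __init__(self, secrets: dict, lifetime: int = LIFETIME_SECONDS):
        self.secrets = secrets       # AET -> shared secret of that initiator
        self.lifetime = lifetime
        self.seen = {}               # (aet, timestamp, nonce) -> time after which it is dropped

    def _forget_expired(self, now: int) -> None:
        # A token older than the lifetime is rejected by the time check anyway,
        # so the replay cache only has to remember tokens inside the window.
        for key in [k for k, drop_at in self.seen.items() if drop_at < now]:
            del self.seen[key]

    def verify(self, aet: str, timestamp: int, nonce: bytes, tag: bytes,
               now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        self._forget_expired(now)
        secret = self.secrets.get(aet)
        if secret is None:
            return "unknown initiator"          # what defaultAuth in MOD AUTHDEF decides on
        if abs(now - timestamp) > self.lifetime:
            return "expired"                    # outside the accept time range
        expected = make_token(secret, aet, timestamp, nonce)
        if not hmac.compare_digest(expected, tag):
            return "bad password"
        key = (aet, timestamp, nonce)
        if key in self.seen:
            return "replay"                     # a snooped token presented a second time
        self.seen[key] = timestamp + self.lifetime
        return "ok"

# Constructed sample values (not from the document)
OPERATOR_AET = "1 3 12 2 1107 3 0 2 2 1 2"
SHARED_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    verifier = ReplayProtectedVerifier({OPERATOR_AET: SHARED_SECRET})
    ts, nonce = int(time.time()), b"\x01" * 8
    tag = make_token(SHARED_SECRET, OPERATOR_AET, ts, nonce)
    print(verifier.verify(OPERATOR_AET, ts, nonce, tag))   # ok
    print(verifier.verify(OPERATOR_AET, ts, nonce, tag))   # replay
```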
GSN1/GX7E8X26_3102 2000-08-21 11:46:32
3-24996 CS4210/Administrator
DISPACINIGRP; STARTED
Initiator group | AET list
================================================================================
"SCRGROUP" | { 1 3 12 2 1107 3 0 2 2 1 54 }
--------------------------------------------------------------------------------
"INIGROUP3" | { 1 3 12 2 1107 3 0 2 2 1 3 }
DISP ACINIGRP executed
ENDJOB
CRACINIGRP: Initiator group=SECURITYGRP,
AET list={ { iso identified-organization ecma(12)
member-company(2) siemens-units(1107) oen(3)
0 2 2 1 99 },{ iso identified-organization ecma(12)
member-company(2) siemens-units(1107) oen(3)
0 2 2 1 2 } }; STARTED
Initiator group | AET list
================================================================================
"SECURITYGRP" | { 1 3 12 2 1107 3 0 2 2 1 99 },
| { 1 3 12 2 1107 3 0 2 2 1 2 }
CR ACINIGRP executed
ENDJOB
Fig. 31 Interrogating and creating access control initiator groups
Fig. 32 Replay protected password (CS on the LAN, MP reached across an insecure Internet connection exposed to snoop and replay)
4.3.2 Target Groups
A target group is defined via a number of object classes (e.g. LIC, ALI, MP) resp. object model branches and the corresponding operations. Using a target group you define a certain subset of the network element tasks which can later be assigned to an initiator group using rules.
Relevant Tasks:
CR ACTARGRP (Create Access Control Target Group)
Target group          symbolic name of the group, e.g. OPGRP1
Ref. target group     symbolic name of a reference group whose object classes and operations are taken instead of own settings (a kind of template), e.g. REFGRP1
Object class list
  Size                number of object classes to be added to the group, e.g. 2
  Detail              object class / branch in the object model
  Scope               scope of the object classes/object model branches
    Standard
    Base Object       base object class only, no subtree
    First Level       first level subordinate to the base object class
    Whole subtree     base object class and all subordinate object classes
    Level n           n-th level subordinate to the base object class
    Base to level n   base object class and all object classes down to level n
Operation list        list of allowed operations on these object class(es)
  M-ACTION            possible values Enabled or Disabled
  M-CREATE            possible values Enabled or Disabled
  M-DELETE            possible values Enabled or Disabled
  M-GET               possible values Enabled or Disabled
  M-SET               possible values Enabled or Disabled
Fig. 33 Example branch of the object model, selection window (object class with subordinate object classes on the first, second and third level)
4.3.3 Rules
A rule defines the access rights of an initiator group to a target group. In other words, it determines which types of access - operations on one or more object classes/object model branches - may be executed by an initiator. Initiators as well as target groups can be subject to a number of rules.
The following rule types exist:
Allow rule    authorizes access to objects defined via the target group, provided no deny rule exists
Deny rule     rejects any attempted access to objects defined via the target group
Abort rule    aborts the link to the initiator when access is attempted
Global rule   independent of a target group, a global rule defines the access rights or restrictions of a given initiator group
Common rule   independent of an initiator, a common rule defines the access rights to a particular target group
Relevant Tasks:
CR ACRULE (Create Access Control Rule)
Rule              symbolic name of the rule, e.g. DENYRULE1
Rule Type         kind of rule you are going to create
  Allow           allow rule
  Deny            deny rule
  Abort           abort rule
Initiator Group   symbolic name of the initiator group, e.g. OPERATOR; without a value, a common rule is created
Target group      symbolic name of the target group, e.g. OPGRP1; without a value, a global rule is created
Start time, Stop time, Daily intervals, Weekly intervals
                  time period during which the rule is valid
Fig. 34 Different rules at Q3 based network elements (initiator group Admins, target groups ADMGRP1 and COMGRP1):
GLOBAL RULE: CR ACRULE:RULE=GLOBAL1, RULE TYPE=Allow,Initiator Group=Admins;
ALLOW RULE: CR ACRULE:RULE=ALLOW1, RULE TYPE=Allow,Initiator Group=Admins, Target Group=ADMGRP1;
COMMON RULE: CR ACRULE:RULE=COMMON1, RULE TYPE=Allow,Target Group=COMGRP1;
4.3.4 Global Access Parameters and Settings
There are some standard settings, e.g. for the authentication of unknown initiators or for the standard access rights. By default these standard settings are set to "Allow" for initiators and for the execution of all tasks. These global parameters influence the tasks described above. Because these settings are global, their values overrule the individual settings. To activate authentication or access control, the global definitions must be switched off.
Relevant Tasks:
MOD AUTHDEF (Modify Authentication Defaults)
defaultAuth how to react on a connection attempt of an unknown initiator
allow access to the system is allowed
abortAssociation abort the Q3 association request
denyWithResponse reject the Q3 association request
denialResp how to react on a connection attempt if the authentication fails
abortAssociation abort the Q3 association request
denyWithResponse reject the Q3 association request
WARNING Be extremely careful when switching off global allow rights. If there is no valid allow rule for an initiator granting you access to the security tasks, there is no way to switch them on again. Generate at least one backup beforehand, to have the chance to fall back.
GSN1/GX7E8X26_3102 2000-08-22 09:55:14
3-26190 CS4210/Administrator
DISPAUTHDEF; STARTED
Default authent. | Allow
Denial response | Deny with response
DISP AUTHDEF executed
ENDJOB
MODACCFG:Default access={ M-ACTION Deny,
M-CREATE Deny,
M-DELETE Deny,
M-GET Deny,
M-SET Deny },
Denial response=Deny,Rule restriction=grantRules; STARTED
Default access | M-ACTION: Deny
| M-CREATE: Deny
| M-DELETE: Deny
| M-GET : Deny
| M-SET : Deny
Denial response | Deny
Access Control Config. | Error
=================================================================================
- | Operation not allowed or not possible
MOD ACCFG partly executed
ENDJOB
Fig. 35 Example tasks to modify default authentication
Relevant Tasks:
MOD ACCFG (Modify Access Control Configuration)
Default Access       parameter defines the default access rights for the different Q3 operations
                     M-ACTION, M-CREATE, M-DELETE, M-GET, M-SET, each set to one of the values
                     Allow, Deny, denyWithOutResponse, denyWithFailureResponse, Abort
Denial Response      parameter defines the response to a Q3 request which is rejected due to missing "default access" rights
  Deny               reject, sending the Q3 response "Access Denied"
  Abort              abort the Q3 association
Sec. administrator   parameter defines the AET of the security administrator, which can be used after system recovery
Rule restriction     which kind of rules are used; restricting the rule types can make the individual settings easier to handle, e.g. deny rules only
  Deny rules only    only rules of the type deny/abort are supported
  Allow rules only   only rules of the type allow are supported
  All rules          all rule types are supported
WARNING Remember the warning above and be careful when modifying global settings. Double check your security database. Verify your rules, e.g. for the M-GET operation only.
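To show how the rules of 4.3.3 and the global settings of 4.3.4 interact, here is an added model (not from the training document, not Siemens code) of the access control decision for one Q3 request, plus the check the WARNING asks for: before the default access is switched to Deny, does the security administrator keep an allow path to the security tasks? The evaluation order (a global default of Allow overrules the rules for that operation; deny and abort rules beat allow rules; the denial response applies when no rule matches) is this example's reading of the text, the object class names of the security tasks are assumed, and the sample groups and rules are constructed after Fig. 30 and Fig. 34.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

OPERATIONS = ("M-ACTION", "M-CREATE", "M-DELETE", "M-GET", "M-SET")

@dataclass
class TargetGroup:
    name: str
    object_classes: set   # object classes / object model branches, e.g. {"LIC"}
    operations: set       # operations set to Enabled in the operation list

@dataclass
class Rule:
    name: str
    rule_type: str                          # "Allow", "Deny" or "Abort"
    initiator_group: Optional[str] = None   # None: common rule (any initiator)
    target_group: Optional[str] = None      # None: global rule (any target)

@dataclass
class AccessControlDb:
    initiator_groups: dict = field(default_factory=dict)   # name -> set of AET strings
    target_groups: dict = field(default_factory=dict)      # name -> TargetGroup
    rules: list = field(default_factory=list)
    # MOD ACCFG settings; the delivered default is Allow for every operation (section 4.3.4)
    default_access: dict = field(default_factory=lambda: dict.fromkeys(OPERATIONS, "Allow"))
    denial_response: str = "Deny"           # "Deny" or "Abort"
    rule_restriction: str = "All rules"     # or "Deny rules only" / "Allow rules only"

def _rule_matches(db, rule, aet, object_class, operation):
    """Does this rule cover the given initiator, object class and operation?"""
    if rule.initiator_group is not None:
        if aet not in db.initiator_groups.get(rule.initiator_group, set()):
            return False
    if rule.target_group is not None:
        tg = db.target_groups[rule.target_group]
        if object_class not in tg.object_classes or operation not in tg.operations:
            return False
    return True

def _active_rules(db):
    """Apply the 'Rule restriction' setting of MOD ACCFG."""
    if db.rule_restriction == "Deny rules only":
        return [r for r in db.rules if r.rule_type in ("Deny", "Abort")]
    if db.rule_restriction == "Allow rules only":
        return [r for r in db.rules if r.rule_type == "Allow"]
    return list(db.rules)

def decide(db, aet, object_class, operation):
    """Return 'Allow', 'Deny' or 'Abort' for one Q3 request (modelled order, see lead-in)."""
    # A global default of Allow overrules the individual rules for that operation.
    if db.default_access[operation] == "Allow":
        return "Allow"
    hits = {r.rule_type for r in _active_rules(db)
            if _rule_matches(db, r, aet, object_class, operation)}
    # Deny and abort rules win over allow rules ("provided no deny rule exists").
    for verdict in ("Abort", "Deny", "Allow"):
        if verdict in hits:
            return verdict
    return db.denial_response   # no rule covers the request and default access is Deny

def lockout_check(db, sec_admin_aet, security_classes):
    """The WARNING of section 4.3.4: before switching every default access to Deny, list
    each (object class, operation) of the security tasks the administrator would lose.
    An empty list means the change leaves a way back in."""
    trial = copy.deepcopy(db)
    trial.default_access = dict.fromkeys(OPERATIONS, "Deny")
    return [(oc, op) for oc in security_classes for op in OPERATIONS
            if decide(trial, sec_admin_aet, oc, op) != "Allow"]

# Constructed sample after Fig. 30 and Fig. 34; the AETs follow the document's examples.
ADMIN_AET = "1 3 12 2 1107 3 0 2 2 1 99"
OPERATOR_AET = "1 3 12 2 1107 3 0 2 2 1 2"
SECURITY_CLASSES = ("ACINIGRP", "ACTARGRP", "ACRULE")   # assumed object class names

def sample_db():
    db = AccessControlDb()
    db.initiator_groups["Admins"] = {ADMIN_AET}
    db.initiator_groups["Operator"] = {OPERATOR_AET}
    db.target_groups["ADMGRP1"] = TargetGroup("ADMGRP1", {"LIC", "ALI", "MP"}, set(OPERATIONS))
    db.target_groups["COMGRP1"] = TargetGroup("COMGRP1", {"LIC", "ALI"}, {"M-GET"})
    db.target_groups["OPGRP1"] = TargetGroup("OPGRP1", {"ALI"}, {"M-GET"})
    db.rules += [
        Rule("GLOBAL1", "Allow", initiator_group="Admins"),   # global rule
        Rule("ALLOW1", "Allow", "Admins", "ADMGRP1"),         # allow rule
        Rule("COMMON1", "Allow", target_group="COMGRP1"),     # common rule
        Rule("DENYRULE1", "Deny", "Operator", "OPGRP1"),      # deny rule
    ]
    return db

if __name__ == "__main__":
    db = sample_db()
    db.default_access["M-GET"] = "Deny"    # as in Fig. 36: only M-GET is restricted
    print(decide(db, OPERATOR_AET, "LIC", "M-GET"))     # Allow (COMMON1)
    print(decide(db, OPERATOR_AET, "ALI", "M-GET"))     # Deny (DENYRULE1 beats COMMON1)
    print(lockout_check(db, ADMIN_AET, SECURITY_CLASSES))   # [] thanks to GLOBAL1
```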
GSN1/GX7E8X26_3102 2000-08-22 10:33:20
3-26192 CS4210/Administrator
DISPACCFG; STARTED
Default access | M-ACTION: Allow
| M-CREATE: Allow
| M-DELETE: Allow
| M-GET : Allow
| M-SET : Allow
Denial response | Deny
Rule restriction | All rules
Sec. administrator | { 1 3 12 2 1107 3 0 2 2 1 99 }
DISP ACCFG executed
ENDJOB
MODACCFG:Default access={ M-ACTION Allow, M-CREATE Allow, M-DELETE Allow, M-GET Deny, M-SET Allow },Denial response=Deny; STARTED
Default access | M-ACTION: Allow
| M-CREATE: Allow
| M-DELETE: Allow
| M-GET : Deny
| M-SET : Allow
Denial response | Deny
MOD ACCFG executed
ENDJOB
DISPACCFG; STARTED
Access Control Config. | Error
=======================================================================================
- | Operation not allowed or not possible
Access Control Config. | Error
=======================================================================================
- | Operation not allowed or not possible
DISP ACCFG not executed
ENDJOB
Fig. 36 Example for the task DISP, MOD ACCFG
4.4 File Transfer Security Management
Fig. 37 File transfer to CP and MP: FTP over TCP/IP and FTAM
For file transfer to the MP usually FTP via TCP/IP is used. If FTP file transfer to the MP has been configured, it is automatically possible to do FTP file transfer to the CP.
4.5 File Transfer Security Management at CP
At the CP the authorization to do file transfer is related to the CP user IDs.
Relevant MML commands:
DISP USERID
USERID symbolic name of the user id, e.g. SCRUSR#1
X represents all possible user IDs
CR USERID
USERID symbolic name, e.g. scrusr#9
AUT authorization, e.g. 1
APPLID additional application for file transfer e.g. NEABD
NEABD for NEAB file transfer both directions
FTAMR for FTAM file transfer OS initiated only
SCOPE REMOTE for Switch Commander
CRYPTPW Cryptic Password, left blank
PERMIT usually NONE
HLRID usually used for Subscriber Administration only
MSC5/SMTESTEXCH/D2MMPK1V16031298/414 00-08-22 11:26:29
4074 SC SCRUSR#1 2970/06300
DISPUSERID:USERID=SCRUSR#1; EXEC'D
TABLE OF USER-IDENTIFICATIONS:
USERID STATE APPLID SCOPE AUT AUTHORIZATION CLASS
---------+-------+-------+-------+-------+------------------------------
SCRUSR#1 UNLOCK NEABD REMOTE 1 1
END JOB 4074
MSC5/SMTESTEXCH/D2MMPK1V16031298/414 00-08-22 11:31:00
4134 SC SCRUSR#1 2966/00007
CRUSERID:USERID=SCRUSR#8,AUT=1,APPLID=NEABD,SCOPE=REMOTE; EXEC'D
END JOB 4134
Fig. 38 Display and create user id
4.6 File Transfer Security Management at MP
At Q3 based network elements the standardized file transfer protocol FTP is used. Because of this, a user ID must be created at the network element which has the right to open an FTP session.
Fig. 39 File security rules (file security initiator group of FT INIs, file security file groups):
GLOBAL RULE: CR FSRULE:RULE=GLOBAL1, RULE TYPE=Allow,Initiator Group=Admins;
ALLOW RULE: CR FSRULE:RULE=ALLOW1, RULE TYPE=Allow,Initiator Group=Admins,File Group=ADMGRP1;
COMMON RULE: CR FSRULE:RULE=COMMON1,RULE TYPE=Allow, File Group=COMGRP1;
File Transfer Initiator
Corresponding to the CR INI task for Q3 sessions, there is a CR FTINI task to generate file transfer accounts.
Relevant tasks for file transfer accounts:
CR FTINI (Create File Transfer Initiator)
User identity         symbolic name of the file transfer user
Password type
  Replay protected PW   password protected against malicious reuse
  Simple PW             simple password string
Password              password string, e.g. ftppw#1
Verify Password       second input to verify the password
ftType                application used
  All                 all applications allowed
  FTAM                only FTAM application allowed
  FTNEA               only FTNEA application allowed
  FTP                 only FTP application allowed
Accept time range     time range during which replay protected passwords are accepted
Start time, Stop time, Daily intervals, Weekly intervals
                      time period during which the file transfer account is valid
GSN1/GX7E8X26_3102 2000-08-22 11:50:33
3-26197 CS4210/Administrator
CRFTINI:User identity=ftusr1,Password type=Simple PW,Password=*******,Verify password=*******,ftType={ FTP }; STARTED
User identity | ftusr1
Password type | Simple PW
File transfer type | FTP
Accept time range | -
Availability | -
CR FTINI executed
ENDJOB
DISPFTINI; STARTED
User identity | Password type | File transfer type | Accept time | Availability
=============================================================================================
root | Simple PW | All | - | -
---------------------------------------------------------------------------------------------
ftusr1 | Simple PW | FTP | - | -
DISP FTINI executed
ENDJOB
Fig. 40 File transfer accounts
4.6.1 File Access Security Mechanism at Q3 based Network Elements
As already explained for the Q3 conversation, the same mechanism exists for file access security.
Again, the previously created file transfer user IDs, so called initiators, are combined using file security initiator groups (FSINIGRP). These groups are mapped to file security file groups (FSFGRP) using rules. File groups are generated by specifying up to twenty (fully or partially qualified) filenames. Additionally, an operations list specifies the file operations allowed for this file group. Finally, a rule applied to the file group determines whether or not these operations are permitted.
For protocols other than FTP it is also possible to specify a password for each operation, which only makes sense together with allow rules (file security file group password, FSFGRPPW).
Relevant Tasks:
CR FSINIGRP (Create File Security Initiator Group)
Initiator group symbolic name of the file security initiator group
Initiator list file transfer users (initiators)
Size amount of file transfer users (initiators)
Detail file transfer user, e.g. ftusr1
Detail file transfer user, e.g. ftusr2
Relevant Tasks (continued):
CR FSFGRP (Create File Security File Group)
File group            symbolic name of the file security file group
File list             relevant files
  Size                number of files (max. 20)
  File on MP/CP       file location
  Detail              file name (also partially qualified)
Operations list       allowed file operations
  Size                number of operations
  Create              create file operation
  Delete              delete file operation
  Read                read file operation
  Write               write file operation
  Read attributes     read file attributes
CR FSRULE (Create File Security Rule)
Rule                  symbolic name of the rule, e.g. FSALLOW1
Rule Type             kind of rule you are going to create
  Allow               allow rule
  Deny                deny rule
Initiator Group       symbolic name of the file security initiator group, e.g. FSOPS1; without a value, a common rule is created
File group            symbolic name of the file group, e.g. FSGRP1; without a value, a global rule is created
Start time, Stop time, Daily intervals, Weekly intervals
                      time period during which the rule is valid
GSN1/GX7E8X26_3102 2000-08-22 13:48:06
3-26205 CS4210/Administrator
CRFSINIGRP:Initiator group=FTUSERS,Initiator list={ "ftusr1"
, "ftusr2" }; STARTED
Initiator group | Initiator list
==========================================================================================
FTUSERS | ftusr1 ftusr2
CR FSINIGRP executed
ENDJOB
CRFSFGRP:File group=FTUSERS1,File list={ File on MP : "\NET.CONFIG" },
Operations list={ { Operation Create }, { Operation Delete },
{ Operation Read
}, }
; STARTED
CR FSFGRP executed
ENDJOB
DISPFSFGRP; STARTED
File group | File list | Operations list | Password
========================================================================================================
FTUSERS1 | File on MP : NET.CONFIG | Create | No
| | Delete | No
| | Read | No
DISP FSFGRP executed
ENDJOB
CRFSRULE:Rule=NETCONFIG,Rule type=Deny,Initiator group=FTUSERS,File group=FTUSERS1; STARTED
Rule | Rule type | Initiator group | File group | Availability
| | | | status
=============================================================================
NETCONFIG | Deny | FTUSERS | FTUSERS1 | -
CR FSRULE executed
ENDJOB
Fig. 41 File security tasks, examples
For the File Transfer Security Management there are, as for the Q3 authentication, some global settings. By default no restriction is switched on: every user who has a valid file transfer account has access to all files on the MP, and the file transfer password is then the only check. The global settings fix the default access right per operation and which rule types (allow, deny, or both) CR FSRULE accepts.
Relevant Tasks:
MOD FSCFG (Modify File Security Configuration)
Default access     default access right to the files on MP, set per operation
  Create           Allow | Deny
  Delete           Allow | Deny
  Read             Allow | Deny
  Write            Allow | Deny
  Read attributes  Allow | Deny
Rule restriction   possible rule types
  grantRules         only allow rules
  denyRules          only deny rules
  denyAndGrantRules  both rule types are allowed
GSN1/GX7E8X26_3102 2000-08-23 07:06:51 3-26249 CS4210/Administrator
DISPFSCFG; STARTED
Default access        | Rule restriction
========================================
Create          Allow | All rules
Delete          Allow |
Read            Allow |
Write           Allow |
Read attributes Allow |
DISP FSCFG executed
ENDJOB
Fig. 42 File security global configuration
GSN1/GX7E8X26_3102 2000-08-23 07:14:01 3-26253 CS4210/Administrator
MODFSCFG:Default access={ Create Allow, Delete Allow, Read Deny, Write Allow, Read attributes Allow }; STARTED
Default access        | Rule restriction
========================================
Create          Allow | -
Delete          Allow |
Read            Deny  |
Write           Allow |
Read attributes Allow |
MOD FSCFG executed
ENDJOB
Fig. 43 Read access restricted
C:\>ftp GSN1
Connected to GSN1.
220 SERVICE READY FOR NEW USER. PRO02OC0
User (GSN1:(none)): ftusr1
331 USER NAME OKAY, NEED PASSWORD. PRO01US0
Password:
230 USER LOGGED IN, PROCEED. AUTH0000
ftp> dir
200 COMMAND OKAY. PRO01PT0
553 REQUESTED ACTION NOT TAKEN; FILE NAME NOT ALLOWED. FSI00002
ftp> dir \
200 COMMAND OKAY. PRO01PT0
150 FILE STATUS OKAY; ABOUT TO OPEN DATA CONNECTION. PRO01RS0
SYS:\GT.Q3SECTR.LOG
SYS:\GU.SECADMIN
SYS:\NET.CONFIG
SYS:\NET.RESULT
226 CLOSING DATA CONNECTION; REQUESTED FILE ACTION SUCCESSFUL. PRO03CR0
73 bytes received in 0.14 seconds (0.52 Kbytes/sec)
ftp> get \NET.CONFIG
200 COMMAND OKAY. PRO01PT0
150 FILE STATUS OKAY; ABOUT TO OPEN DATA CONNECTION. PRO01RS0
226 CLOSING DATA CONNECTION; REQUESTED FILE ACTION SUCCESSFUL. PRO03CR0
4450 bytes received in 0.03 seconds (148.33 Kbytes/sec)
ftp> get \NET.CONFIG
200 COMMAND OKAY. PRO01PT0
550 REQUESTED ACTION NOT TAKEN; FILE UNAVAILABLE. FSV31100
ftp>
Fig. 44 No file access after "MODFSCFG"
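The objects of Figs. 41 to 43 (an initiator group from CR FSINIGRP, a file group with its operations list from CR FSFGRP, an allow/deny rule from CR FSRULE, and the FSCFG default access and rule restriction) and the effect observed in Fig. 44 can be replayed offline with the following model. It is an added example written for this page, not code from the Siemens manual or from the Switch Commander or MP software. Several points are assumptions made here because the manual does not state them: a matching deny rule takes precedence over a matching allow rule, which takes precedence over the default access; a partially qualified file name is matched as a glob; a rule's start/stop time is checked as a daily window against the request time (the 08:00 to 18:00 window in the replay is constructed for the demonstration); and the "Availability status" column of CR FSRULE is not modelled. The user name ftusr3 is likewise a constructed non-member.

```python
"""MP file-security decision model: an added example, not Siemens code.
Assumed, not stated in the manual: deny rule > allow rule > FSCFG default
access; partially qualified names are globs; the daily start/stop window is
checked against the request time; "Availability status" is not modelled."""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import Optional

OPERATIONS = ("Create", "Delete", "Read", "Write", "Read attributes")
RESTRICTIONS = {"grantRules": {"Allow"}, "denyRules": {"Deny"},
                "denyAndGrantRules": {"Allow", "Deny"}}

@dataclass
class FileGroup:
    files: list        # MP file names such as "\\NET.CONFIG"; globs allowed (assumption)
    operations: set    # the operations list, a subset of OPERATIONS

    def covers(self, path, operation):
        return operation in self.operations and any(
            fnmatchcase(path.upper(), p.upper()) for p in self.files)

@dataclass
class Rule:
    rule_type: str                  # "Allow" or "Deny"
    initiator_group: Optional[str]  # None = common rule (applies to every initiator)
    file_group: Optional[str]       # None = global rule (applies to every file/operation)
    start: Optional[time] = None    # daily validity window; None = always valid
    stop: Optional[time] = None

    def valid_at(self, at):
        return self.start is None or self.stop is None or self.start <= at.time() <= self.stop

class FileSecurity:
    def __init__(self):
        # Factory state of Fig. 42: every operation allowed, both rule types permitted.
        self.default_access = {op: "Allow" for op in OPERATIONS}
        self.rule_restriction = "denyAndGrantRules"
        self.initiator_groups, self.file_groups, self.rules = {}, {}, {}

    def cr_fsinigrp(self, name, initiators):            # CR FSINIGRP
        self.initiator_groups[name] = set(initiators)

    def cr_fsfgrp(self, name, files, operations):       # CR FSFGRP
        self.file_groups[name] = FileGroup(list(files), set(operations))

    def cr_fsrule(self, name, rule_type, initiator_group=None, file_group=None,
                  start=None, stop=None):                # CR FSRULE
        # The FSCFG rule restriction decides which rule types may be created at all.
        if rule_type not in RESTRICTIONS[self.rule_restriction]:
            raise ValueError(f"{rule_type} rules not permitted under {self.rule_restriction}")
        self.rules[name] = Rule(rule_type, initiator_group, file_group, start, stop)

    def mod_fscfg(self, default_access=None, rule_restriction=None):   # MOD FSCFG
        for op, value in (default_access or {}).items():
            if op not in OPERATIONS or value not in ("Allow", "Deny"):
                raise ValueError(f"bad default access {op}={value}")
            self.default_access[op] = value
        if rule_restriction not in (None, *RESTRICTIONS):
            raise ValueError(rule_restriction)
        self.rule_restriction = rule_restriction or self.rule_restriction

    def _applies(self, rule, user, path, operation, at):
        return (rule.valid_at(at)
                and (rule.initiator_group is None
                     or user in self.initiator_groups[rule.initiator_group])
                and (rule.file_group is None
                     or self.file_groups[rule.file_group].covers(path, operation)))

    def decide(self, user, path, operation, at=None):
        # Assumed precedence: matching deny rule > matching allow rule > default access.
        at = at or datetime.now()
        kinds = {r.rule_type for r in self.rules.values()
                 if self._applies(r, user, path, operation, at)}
        if "Deny" in kinds:
            return "Deny"
        if "Allow" in kinds:
            return "Allow"
        return self.default_access[operation]

def replay_figures():
    """Replays Figs. 41 to 44 plus a constructed 08:00-18:00 window on the deny rule."""
    fs = FileSecurity()
    fs.cr_fsinigrp("FTUSERS", ["ftusr1", "ftusr2"])                              # Fig. 41
    fs.cr_fsfgrp("FTUSERS1", ["\\NET.CONFIG"], {"Create", "Delete", "Read"})     # Fig. 41
    out = {"default_read": fs.decide("ftusr1", "\\NET.CONFIG", "Read")}          # Fig. 42: Allow
    fs.mod_fscfg(default_access={"Read": "Deny"})                                 # Fig. 43
    out["read_after_modfscfg"] = fs.decide("ftusr1", "\\NET.CONFIG", "Read")    # Fig. 44: Deny
    fs.mod_fscfg(default_access={"Read": "Allow"})
    fs.cr_fsrule("NETCONFIG", "Deny", initiator_group="FTUSERS", file_group="FTUSERS1",
                 start=time(8, 0), stop=time(18, 0))                              # Fig. 41 rule
    day, early = datetime(2000, 8, 23, 13, 0), datetime(2000, 8, 23, 7, 6)
    out["member_read"] = fs.decide("ftusr1", "\\NET.CONFIG", "Read", day)
    out["member_write"] = fs.decide("ftusr1", "\\NET.CONFIG", "Write", day)     # Write not in group
    out["other_user_read"] = fs.decide("ftusr3", "\\NET.CONFIG", "Read", day)   # ftusr3 constructed
    out["outside_window"] = fs.decide("ftusr1", "\\NET.CONFIG", "Read", early)
    fs.mod_fscfg(rule_restriction="grantRules")
    out["permitted_rule_types"] = sorted(RESTRICTIONS[fs.rule_restriction])      # ["Allow"]
    return out
```

The replay reproduces the two FTP results of Fig. 44 (the first get of NET.CONFIG succeeds under the factory default, the second fails once MOD FSCFG sets Read to Deny) and then shows why the deny rule of Fig. 41 only bites for members of FTUSERS, only for operations in the file group's operations list, and only inside its time window. Switching the rule restriction to grantRules afterwards makes cr_fsrule refuse any further Deny rule, which is the check a practitioner wants before trusting a deny-only or allow-only policy.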
5 Assign Network Elements to User Groups
Fig. 45
5.1 Grant Network Element Access
Before a user can execute a command at a network element, the user must be a member of a Switch Commander user group, and this user group must have the network element assigned as well. Both tasks are done with the SC Administration tool.
As with modifying the membership of a Switch Commander user, there are several ways to open the Switch Commander user group properties.
When you create a new user group, you have to specify whether the user group should be an "NE based" or an "APS based" user group:
NE based user groups:
these user groups present the available network elements in a tree. Every network element has its own task tree, with the network element at the top.
APS based user groups:
these user groups have one task tree for all network elements, with the APS version of the network elements at the top. All assigned network elements are available for every task.
The user group type you choose depends on the task trees the users are allowed. If the task trees have to differ from one network element to another, you must choose the NE based user group.
TOOLS
SC Administration -> User Group -> Properties
SC Administration -> User Group -> Create