Huawei CBS V500R005 Security Technical White Paper
CBS Solution

Security Technical White Paper

Issue V2.0

Date 20140831

HUAWEI TECHNOLOGIES CO., LTD.

Issue V2.0 (2014-08-31) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior

written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective

holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and

the customer. All or part of the products, services and features described in this document may not be

within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,

information, and recommendations in this document are provided "AS IS" without warranties, guarantees or

representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Tel: 0755-28560000 4008302118

Fax: 0755-28560111


Contents

1 Start
1.1 Document Scope
1.2 Document Structure
1.3 Usage Instruction
1.4 CBS Solution Overview
1.4.1 Software Architecture
1.5 Security Threats

2 CBS Security Solution
2.1 Security Solution Overview
2.2 Common Security Policies
2.3 Security Architecture
2.4 Security Features
2.4.1 Management Layer Security
2.4.2 Application Layer Security
2.4.3 Privacy Protection
2.4.4 System Layer Security
2.4.5 Network Layer Security
2.4.6 Virtualization Layer Security

3 Security Assurance
3.1 Security Statements and Qualification
3.2 Security Assurance Procedures


1 Start

1.1 Document Scope

By analyzing the security threats to the network architecture and service applications of the convergent billing system (CBS) solution, this document describes the security architecture of the CBS solution and the security policies and measures adopted to ensure that the CBS solution runs stably and securely.

This document assumes that the CBS product is deployed in an environment where the

physical security is ensured. Physical security threats (such as fire disaster, flood, and

theft) of the CBS product are not described in detail. The physical security of the CBS

product depends on carriers' equipment rooms and device deployment.

This document describes the following aspects:

− Network security of core function entities (such as operating systems, databases, and

application components)

− Security threats and measures from the technical dimension (The network security is

an aggregation of the management, processes, technologies, and security

countermeasures.)

− Network security of boundary network elements (NEs), such as the firewall

Security of carriers' internal network devices is not described in detail in this document.

1.2 Document Structure

This document first introduces the mapping between the ITU-T X.805 security model and the CBS security architecture model. Based on the security architecture model, which is divided into the management, application, system, network, and virtualization layers, it then describes the security threats to the CBS at each layer and provides the corresponding security policies and measures. These security measures ensure that the CBS runs securely and stably.

For details about the end-to-end (E2E) CBS security material, see the security document.


1.3 Usage Instruction

This document lists only commonly known security threats and the corresponding security measures.

On the live network, the security policies actually adopted may differ from those described here in order to comply with international telecommunication standards and with the security regulations of the local country or region. The security scheme must be determined or supplemented for the specific scenario.

Important notes about CBS security:

− The CBS is not static: not all security problems can be solved by a fixed deployment policy. The optimal deployment scheme must be selected according to the conditions of the live network environment.

− CBS security is a continuous process that must follow changes in the CBS network, customers, applications, technologies, and intrusion methods.

− CBS security is an aggregation of management, processes, technologies, and security countermeasures. These parts are interdependent, and a change in one affects the others.

1.4 CBS Solution Overview

This section provides an overview of the CBS solution, including the system architecture and

network structure. Readers can have a brief understanding about the target product or solution

before reading the associated security description.

1.4.1 Software Architecture

This section describes the functional architecture and technical architecture of the CBS.

Functional Architecture

Figure 1-1 shows the CBS's functional architecture.


Figure 1-1 CBS's functional architecture

Yellow cells: NEs that are required by the CBS.

White cells: third-party NEs.

Gray area: the CBS's core functional modules and subsystems.

Accounts Receivable

The Accounts Receivable (AR) module provides the following transaction services in a

postpaid service solution or hybrid service solution:

Single services: recharge and payment, recharge and payment reversal, refunding,

account adjustment, account transfer, payment application, write-off, and advance

deposit.

Batch services: payment application, account adjustment, advance deposit, write-off,

prepayment, and payment reversal in batches.

Query services: query for invoices, account balance, outstanding fees, payment records,

deposit details, adjustment logs, and transfer logs.

Billing Configurator

The Billing Configurator module sets the following public parameters and rules for Rating &

Charging and Invoicing:

Basic system data, such as bill cycle, network layer access data, and number analysis

data.

Rules for standard events, charging preprocessing, authentication, payment application,

and call detail record (CDR) extension.

Self-service management services.

Voice, SMS message, multimedia messaging service (MMS) message, notification,

recharge, bill run, and error CDR.

Data synchronization.


Convergent Balance Service

The Convergent Balance Service module is a background functional module in the CBS for

unified balance management. This module provides the following functions:

Balance adjustment and reversal

Prepayment and reversal

Balance transfer and reversal

Account settlement and query

Recharge by recharge card

Balance refunding

Bill Management

The Bill Management (BM) module exports formatted bills, including generating bills in a

special format, converting bill formats, and reprinting bills.

This module provides the following functions:

Bill design

Bill creation

Bill distribution

Currently, BM uses the purchased PrintNet Designer as an outsourced component to

implement the bill design function.

Customer Care

The Customer Care module provides a GUI for customer management operations, including

operations for single services and batch services. This module also provides maintenance

functions, such as viewing operation logs and managing orders.

Customer Management

The Customer Management module performs background tasks for the Customer Care

module. The Customer Management module connects to the CRM system and provides a

reverse work order interface.

Debt Collection

The Debt Collection (DC) module collects payment from subscribers or accounts that have

not paid fees by the due date. DC obtains debt information from AR.

The collection methods include:

Automatic dunning.

Manual dunning. The DC provides a GUI for an operator to upload files, analyze file

content, and perform dunning on subscribers accordingly.

General Ledger

The General Ledger (GL) module provides daily transaction data, generates journals, and

sends post files to external financial systems.

Invoicing

The Invoicing module provides the core functions of bill run calculation, including real billing,

billing redo, test billing, hot billing, and CDR accumulation.


Recharge & Balance Handling

The Recharge & Balance Handling module provides the following transaction services in a

prepaid service solution:

Single services: recharge and payment, recharge and payment reversal, refunding,

account adjustment, and account transfer.

Query services: query for account balance, payment records, adjustment logs, and

transfer logs.

Product Management

The Product Management (PM) module manages offerings, products, plans (such as pricing

plan and notification plan), policies, and reference data (such as brands, free resources, and

time schemes).

Rating & Charging

The Rating & Charging module provides the following functions:

Online rating, offline rating, rerating, billing undoing, error CDR recycling, recurring

charging, and bypass.

Charging for voice, data, content, and messaging services.

Technical Architecture

Technical Features

The technical platform of the CBS has the following features:

Distributed service framework (DSF)

In DSF, services comply with standard specifications and can be loaded and run by

containers. This framework provides the service registration, locating, routing, and

distributed access functions.

Distributed data access framework (DAF)

DAF shields both the data location and access mode differences when applications

access data.

Extensible rules

The various extensible charging rules can meet different requirements of customers on

charging policies in different charging scenarios.

Extensible service and data structure

IDE supports the flexible extension and customization of service and data structure.

Functional Modules of the Technical Platform

Functional modules of the technical platform have the following layers:

Access layer: This layer is the entry for external systems. It manages the connection with

external systems and protocol adaption capabilities and uses BSBus to invoke back-end

services. Adapters and controllers are on this layer.

Service processing layer: This layer provides containers for executing services. It

supports the distributed data access framework and allows one service to access another

service. Containers are on this layer.


Data access layer: This layer provides the distributed data access capability and shields

the data location and data source type from services. DAF, BoCache, GMDB, and PDB

are on this layer.

Table 1-1 lists the key functional modules on the technical platform.

Table 1-1 Key functional modules

Adapter: Manages the connection with external systems, protocol adaptation, and overload control. It is the entry point for external systems: it processes external messages and uses BSBus to invoke back-end services. The CBS provides the following adapters:

− DCCAdapter: processes external Diameter messages, for example the Diameter credit-control (DCC) charging messages sent by the online charging gateway (OCG) when the CBS connects to the OCG.

− RCOMMAdapter: processes external RCOMM messages. For example, it uses the protocol customization capability of the front end processor (FEP) to adapt to site-specific protocol requirements.

BatchController: Receives and manages the scheduled tasks delivered by the management server, and schedules background services in batches.

BSBus: A distributed service bus that connects multiple nodes and separates service access from service deployment. BSBus creates a message channel between adapters and containers; a module that invokes a service does not need to know the physical location of the service provider or how the service is deployed.

Container: The smallest manageable physical unit for executing services in DSF. One container instance can load one or more services; for example, balance management and credit control run in containers.

DAF: Shields the data location and access mode differences from applications. DAF supports the following data source types: BoCache, GMDB, and Oracle PDB.

Rule Engine: Executes the Charging Rule Language (CRL) provided by the CBS, which improves the customization capability and flexibility of the CBS and shortens the response time to customization requirements. CBS GUIs such as PM and AR allow an operator to use the CRL to define rules such as authentication, rating, notification, credit control, bill combination, and audit rules. The Rule Engine encapsulates the charging virtual machine (CVM); as the execution engine for the CRL, the CVM executes the bytecode produced by the CRL compiler.

IDE: Extends the data model, services, and APIs.

1.5 Security Threats

This section uses the ITU-T X.805 security model to describe the security threats that the CBS solution faces, including the possible vulnerabilities, the risks, and the severe impact that results when no countermeasure is taken.

Security Threats at the Management Layer

− Security management regulations are missing, or are not strictly complied with.

− Associated personnel lack security awareness.

− Security patches are not installed on systems and applications in a timely manner, leaving known vulnerabilities open.

− Several people share one account, so events cannot be traced back to an individual.

− Incomplete security documentation fails to provide sufficient guidance for production security.

Security Threats at the Application Layer

− Input validation: buffer overflow, cross-site scripting (XSS), and structured query language (SQL) injection

− Authentication: network eavesdropping, brute force attacks, dictionary attacks, cookie replay, and credential theft

− Authorization: elevation of privilege, disclosure of confidential data, data tampering, and luring attacks

− Configuration management: unauthorized access to administration interfaces, unauthorized access to configuration stores, retrieval of clear-text configuration data, lack of individual accountability, and over-privileged process and service accounts

− Sensitive data: access to sensitive data in storage, network eavesdropping, and data tampering

− Session management: session hijacking, session replay, and man-in-the-middle attacks

− Cryptography: poor key generation or management, and weak or custom encryption

− Parameter manipulation: query string, form field, cookie, and Hypertext Transfer Protocol (HTTP) header manipulation

− Exception management: information disclosure and denial of service (DoS)

− Auditing and logging: users denying operations, attackers exploiting applications without trace, and attackers covering their tracks

Security Threats at the System Layer

Viruses, worms, and Trojan horses

Malicious code comes in several varieties, including:

− Viruses: programs designed to perform malicious acts and cause disruption to an operating system or applications.

− Worms: programs that are self-replicating and self-sustaining. Worms also increase traffic and consume bandwidth by using networks to spread copies of themselves to other computers.

− Trojan horses: programs that appear to be useful but actually do damage.

In many cases, malicious code goes unnoticed until it consumes system resources and slows down or halts the execution of other programs. For example, the Code Red worm was one of the most notorious to afflict Microsoft Internet Information Services (IIS); it relied on a buffer overflow vulnerability in an Internet Server Application Programming Interface (ISAPI) filter.

Profiling

Profiling, or host enumeration, is an exploratory process used to gather information about a server. An attacker uses this information to attack known weak points.

Brute force attacks

A brute force attack is the act of trying every possible account and password until the attacker finds the right one.

DoS

DoS occurs when a server is overwhelmed by service requests. The threat is that the server will be too overwhelmed to respond to legitimate client requests.

Arbitrary code execution

Code execution attacks occur when an attacker runs malicious code on a server, either to compromise server resources or to mount further attacks against downstream systems.

Unauthorized access

Unauthorized access occurs when a user without the correct permissions gains access to restricted information or performs a restricted operation.

Security Threats at the Network Layer

Information gathering

Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount targeted attacks on the discovered vulnerabilities.

Sniffing

Sniffing, also called eavesdropping, is the act of monitoring network traffic for data such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. In addition, weak hashing algorithms can be cracked, so a payload that was thought to be safe can be deciphered.

Spoofing

Spoofing, also called identity obfuscation, is a means of hiding one's true identity on the network. A fake source address that does not represent the actual originator of the packet is used. Spoofing can be used to hide the original source of an attack or to work around network access control lists (ACLs) that limit host access based on source address rules.

Session hijacking

In session hijacking, usually carried out through a man-in-the-middle attack, an attacker uses an application that masquerades as either a client or a server, so that the server or client is tricked into believing that the upstream host is the legitimate host. The upstream host is actually the attacker's host, which manipulates the network so that it appears to be the desired destination. Session hijacking can be used to obtain login information that can then be used to gain access to a system or to confidential information.

DoS

A DoS attack is the act of denying legitimate users access to a server or service. Network-layer DoS attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Security Threats at the Virtualization Layer

Unauthorized access to the hypervisor

If the root user of the operating system on which the hypervisor is deployed uses a weak password, remote su is permitted, and insecure services such as FTP are enabled, the hypervisor is fully exposed on an insecure network and is vulnerable to brute force attacks and to exploitation of known vulnerabilities.

Unauthorized access to host resources by malicious VMs

Malicious virtual machines (VMs) illegally access resources (including memory, files, and storage) that belong to other VMs on the same host. This causes serious information leakage and system faults.

MAC address spoofing, IP address spoofing, and ARP spoofing by malicious VMs

VMs communicate through virtual network devices (such as TAP devices and bridges) on the host and then through the host's physical network devices. During this process, a malicious VM can hijack the data packets sent to other VMs by MAC address spoofing, IP address spoofing, or ARP spoofing. This causes leakage of confidential data and tampering with or destruction of important data.

DoS attacks by malicious VMs

DoS attacks by malicious VMs are similar to network-layer DoS attacks. A malicious VM runs processes internally that occupy a large number of system resources until the physical resources of the host (such as network I/O, storage I/O, and CPU) are exhausted. This affects the normal running of the host and of the other VMs on it.

Unauthorized access to VMI storage

The storage of a VM is kept on the host as a disk image. If the host is compromised, the attacker may obtain, tamper with, or destroy information in a virtual machine image (VMI). This leads to security risks such as VM startup failures or leakage of confidential data.

Threats from remote access

VMs may be deployed on multiple physical machines in different physical locations, and each VM may provide services at a different security level. If VMs are not effectively isolated on the network, or the permission to access VM network adapters is not managed, a user who has remote access to a VM at a low security level may launch stepping-stone attacks against other VMs, which reduces the security of the network.


2 CBS Security Solution

2.1 Security Solution Overview

The CBS security solution comprises five layers:

The management layer security aims to manage all security functions in all systems.

The application layer security aims to protect the applications developed by Huawei, and

it includes access security, data security, communication security, and coding security.

The system layer security aims to protect the operating systems, databases, middleware,

and services that the applications use.

The network layer security aims to protect the entire network.

The virtualization layer security aims to protect the virtualization environment, including

resources such as the hosts, VMs, and virtual network, and the operating system and

service applications that are deployed in the environment.

Security mechanisms from all layers coordinate and ensure that the CBS can provide the

carrier with secure, reliable, and stable convergent charging and billing services, and protect

the carrier's assets and telecom users appropriately.

2.2 Common Security Policies

Security hardening is performed on the operating systems, databases, and network devices of the CBS solution to keep production systems secure. Most of the basic rules apply to operating systems, databases, and application systems alike.

Common security policies include, but are not limited to, the following:

Password Management

Password policies are configurable. Strong passwords are required to resist password attacks: length limits, composition rules, and a weak-password check are applied, together with password change policies.

A strong password has the following characteristics:

− A minimum length of eight characters.

− At least one uppercase letter, one lowercase letter, and one digit (special characters are allowed).

− Expires after 90 days (configurable).

− Differs from the previous 12 passwords used (configurable).

− Can be changed by an administrator at any time.

− Can be changed by the owning user only once within 24 hours.

Password change policies include the following:

− The applications provide a password change function.

− The change form requires the old password, the new password, and a confirmation of the new password.

− A password lifespan is enforced: a user whose password has expired must not be authenticated until the expired password has been changed.

− The administrator can set an expiration threshold for the password of every user ID.

Passwords are stored securely and access to them is restricted. Passwords must never be displayed, transferred, or stored in plain text.

Authentication and Session Control

All access to the CBS must be authenticated, and the necessary session control is applied. Messages that carry sensitive transactions must contain the corresponding authentication data. For example, when a trusted client sends a message to a CBS node, the source IP address can be used to validate requests from the SCP or MSC; requests from the business support system (BSS), on the other hand, are authorized by operator ID and operation ID.

A one-time verification code is used in addition to the password to authenticate user logins from browser-based applications.

Encryption Algorithms

The CBS protects sensitive data such as operator passwords and mobile subscribers' service passwords. The accounts and passwords in configuration files that are used to connect to the database or other components are encrypted before they are stored, so maintenance engineers cannot see plain-text passwords in databases or configuration files.

The algorithms used to protect operator passwords and service passwords are configurable. The widely used algorithms DES, AES, MD5, and SHA256 are supported and can be selected through configuration. Note that DES and AES are reversible ciphers whereas MD5 and SHA256 are one-way hash functions; a password only ever needs to be verified, never recovered, so it should be hashed rather than encrypted. DES and MD5 are deprecated and should not be selected for new deployments, and because a plain SHA256 digest of a short password is fast to brute-force, each stored hash should use a per-user salt and an iterated construction such as PBKDF2-HMAC-SHA256.

Huawei recommends that SHA256 be used for these passwords.
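The following is an added example, not Huawei CBS code: a small Python password store that enforces the password management rules stated above (minimum length and composition, 90-day expiry, no reuse of the previous 12 passwords, one user-initiated change per 24 hours, administrator changes at any time, and no authentication with an expired password) and that keeps only a salted, iterated SHA256 digest of each password, the hashed form recommended in this section, rather than a reversible encryption. The class and function names, the PBKDF2 iteration count, the sample clock and the sample accounts are assumptions.

```python
"""Password policy and hashed password store for a CBS-style operator account.
Added example, not Huawei code: names, iteration count and sample data are assumed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values stated in the white paper (the paper says they are configurable).
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
HISTORY_SIZE = 12
USER_CHANGE_INTERVAL = timedelta(hours=24)
PBKDF2_ROUNDS = 100_000          # assumption: the paper gives no iteration count

BASE_TIME = datetime(2014, 8, 31, 9, 0)   # constructed clock for the demonstration


def at(days: int = 0, hours: int = 0) -> datetime:
    """Sample clock: a point in time relative to BASE_TIME."""
    return BASE_TIME + timedelta(days=days, hours=hours)


def check_strength(password: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hash(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)  # constant time


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list = field(default_factory=list)   # retired (salt, digest) pairs, newest first


class PasswordStore:
    def __init__(self):
        self._users = {}

    def create(self, user: str, password: str, now: datetime) -> str:
        problems = check_strength(password)
        if problems:
            return "weak: " + ", ".join(problems)
        salt, digest = hash_password(password)
        self._users[user] = Credential(salt, digest, now)
        return "ok"

    def authenticate(self, user: str, password: str, now: datetime) -> str:
        """'ok', 'bad-password' or 'expired'; an expired password never authenticates."""
        cred = self._users.get(user)
        if cred is None:
            hash_password(password)      # same cost for unknown users, so timing does not enumerate accounts
            return "bad-password"
        if not verify_hash(password, cred.salt, cred.digest):
            return "bad-password"
        return "expired" if now - cred.changed_at > MAX_AGE else "ok"

    def change(self, user: str, old: str, new: str, confirm: str,
               now: datetime, by_admin: bool = False) -> str:
        cred = self._users[user]
        if new != confirm:
            return "mismatch"
        if not by_admin:
            # A user proves the old password and may change at most once per 24 h;
            # an administrator may reset a password at any time.
            if not verify_hash(old, cred.salt, cred.digest):
                return "bad-old-password"
            if now - cred.changed_at < USER_CHANGE_INTERVAL:
                return "too-soon"
        problems = check_strength(new)
        if problems:
            return "weak: " + ", ".join(problems)
        # The current password plus the retired ones are the last 12 passwords used.
        for salt, digest in [(cred.salt, cred.digest)] + cred.history:
            if verify_hash(new, salt, digest):
                return "reused"
        cred.history = ([(cred.salt, cred.digest)] + cred.history)[:HISTORY_SIZE - 1]
        cred.salt, cred.digest = hash_password(new)
        cred.changed_at = now
        return "ok"
```

The reuse check has to re-hash the candidate against every retained salt, which is the cost of not storing anything reversible; the history therefore holds hashes, not passwords, and an attacker who reads the store still learns nothing about earlier passwords.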

Secure Interaction Protocols

Interactions between system components are protected by secure interaction protocols. For example, the interaction between the business support system and the CBS uses Web Services, and HTTPS is used to protect the channel.

Message protection is enforced for important operation interactions; for example, the system login message is protected by encryption, while recharge messages are required to be integrity protected.

By default, interaction protocols use the stronger security protection.


Minimized Authorization Rule

Authorization for accounts, roles, and groups applies the minimized authorization rule, that is, an account or group is assigned only the necessary roles and privileges, and a role is assigned only the necessary privileges.

According to this rule, the system design strictly differentiates the accounts for the operating systems, the DBMS, and the business system, and management roles are separated from working ones.

File Permission Management

File permissions must be set explicitly; relying on the defaults is not encouraged.

Different file types are stored in different directories in order to keep directory permissions clear.

Security Logs

The system logs security-related events (such as logins, user maintenance, and authorizations), important operation events of applications, important running events, and resource warning events into log files.

These security log files are useful for auditing.

Auditable Accounts

Operating system, database, and application accounts and their privileges are strictly planned so that management accounts are separated from operating ones; on the other hand, operating accounts are strictly differentiated from application connection accounts, so that a flexible and efficient audit strategy can be applied.

An application system can have only its inherent super-user account; common accounts must be created by maintenance staff. An account cannot be shared by more than one person.

2.3 Security Architecture

Figure 2-1 shows the CBS's security architecture.


Figure 2-1 CBS's security architecture

Management Layer

Prevent the risks caused by system vulnerabilities by using appropriate policies, standards, procedures, guidelines, patch management processes, and so on.

The administrative control for all administrators is also very important. This must include management responsibility and "soft" controls. These controls include the development and publication of policies, standards, procedures, and guidelines, the screening of personnel, security awareness training, the monitoring of system activity, and change control procedures.

Application Layer

At the application layer, the security policies and services include but are not limited to the following:

- Authorization and identification mechanism
- Authentication mechanism
- Cryptography
- Log management
- Auditing and alarm management
- Data protection
- SSL/TLS

System Layer

Ensure the security of applications that are based on UNIX, SUSE Linux, or Windows by hardening the corresponding operating system.


Use Secure Shell (SSH) and Secure File Transfer Protocol (SFTP) to prevent insecure network traffic.

Network Layer

Separate different kinds of network traffic and control the corresponding ACLs by using appropriate security zones that are created based on subnet division and firewall technologies.

Separate different virtual local area networks (VLANs).

Virtualization Layer

At the virtualization layer, the following methods prevent the Hypervisor from being exposed on an insecure network and protect it from brute-force attacks and vulnerability exploitation:

- Hypervisor security hardening
- VM resource isolation
- Virtual network security
- Security group management
- Protection against DoS attacks

These security methods prevent data loss of, and DoS attacks on, service applications in the virtualization environment.

2.4 Security Features

2.4.1 Management Layer Security

Regulations and Organizations

Security management organizations must be established, and regulations and laws must be developed. Proper permissions must be assigned to the security management organizations to monitor the CBS. Security management organizations must include engineers who can maintain the system and troubleshoot emergency faults. It is recommended that the following roles be available in security management organizations:

- Security administrators: Take responsibility for system security and control important accounts and passwords. Nobody can access devices, including hosts, database servers, and network devices, without the consent of the security administrators.
- System administrators: Periodically perform system maintenance activities and serve as the primary owners of system management.
- System operators: Perform routine system operations, for example, backing up system data.
- Report operators: Periodically generate and check system reports.

All personnel must be aware of the need to prevent external attacks.

Software Release Security

- Before being released, a software package (including patch packages) is scanned by at least one mainstream virus scanner. No alarm is generated during the scanning. If alarms are generated in special scenarios, an explanation of the alarms is provided. The scanning records (including the name and version of the scanner, the version of the virus library, the scanning time, and the scanning results) are archived and delivered to customers with the software package.
- An integrity verification mechanism is provided for software (including software packages and patch packages) that is based on general operating systems. The software integrity is verified during installation and upgrade.

Security Technical Documents

Table 2-1 lists the reference documents for security maintenance.

Table 2-1 Reference documents for security maintenance

Columns: Application scenario | Document | Description | Intended audience | Obtain from

Application scenario: Installation
Document: Software integrity check
Description: This document describes how to check the integrity of software packages before the installation or upgrade. Content about the software package integrity check can be contained in the installation guide or upgrade guide.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Installation
Document: Security Hardening Guide
Description: This document describes how to perform security hardening on operating systems and databases using the MainAst, including the hardening content, impact, precautions, preparations, operations, rollback, and FAQs.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Operation and maintenance
Document: Backup and restore guide
Description: This document describes the overall CBS backup and restore scheme (concepts, implementation mechanism, and backup and restore scenarios and policies), each NE's backup and restore operations (operation processes, NE-specific backup prerequisites and verification, restoration processes and procedures), and common backup and restore operations (operating system, file, and database backup).
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Operation and maintenance
Document: Password change guide
Description: This document describes the password change suggestions and policies, the password change guide for the operating systems, databases, application systems, management access NEs, and hardware devices, and the associated password change operations.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Application scenario: Operation and maintenance
Document: Security maintenance guide
Description: This document describes:
- Maintenance rule: describes the security requirements and suggestions for maintenance engineers in terms of accounts, passwords, permissions, patches, remote access, data backup, and script usage.
- Routine maintenance: includes the maintenance background and purpose, reference standard, precautions, procedures, and troubleshooting.
Intended audience: Huawei technical support engineers
Obtain from: Released with the CBS version.

Application scenario: Reference
Document: User list
Description: This document describes the users of the operating systems, databases, applications, and other devices in the CBS solution.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Application scenario: Reference
Document: Process list
Description: This document describes the system processes used in the CBS solution, including processes on the operating systems and those in the databases and application systems.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Application scenario: Reference
Document: Service list
Description: This document describes the system services used in the CBS solution, including services on the operating systems and those in the databases and application systems.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

Application scenario: Reference
Document: Communication matrix
Description: This document describes the CBS solution communication matrix.
Intended audience: Huawei technical support engineers; Customer
Obtain from: Released with the CBS version.

2.4.2 Application Layer Security

Account Management

- An account must be unique in the system.
- If a new account has the same name as a deleted account, the new account cannot inherit, apart from the account name, any other attribute information such as personal information, authentication information, and authorization information from the deleted account.
- An account cannot be hard-coded in the code, and a mechanism must be provided to make accounts configurable.

Identity Authentication

- The system provides GUIs for the login authentication and logout functions.
- Strong web verification codes are used in web application account authentication and support high-security features such as background interference and distorted characters.
- For authentication based on user name and password, the strong password policy is enforced.
- When a user requests a restricted resource or performs an operation that requires authentication, the user must be authenticated first. The server performs the final authentication.
- After authentication fails, the system provides users with only a general message instead of detailed and definite failure causes.
- In B/S applications, the "automatic login/remember me" function is forbidden.

Enhanced Password Policies

- The minimum password length is configurable and is 6 characters by default.
- A password must contain at least two of the following types of characters:
  - lowercase letters
  - uppercase letters
  - numerals
  - spaces and special characters, such as `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
- The number of history passwords is configurable.
- The maximum validity period of a password is configurable.
- Before a password expires, the system displays a message when the user logs in indicating that the password will expire.
- Users must provide the old password for verification when changing their passwords.
- Only an administrator can change the passwords of others.
- When the initial password is the default password or is set by the system administrator, operators/users are forced to change the initial password after successfully logging in with the initial password and before accessing the system. They can access the system only after they have changed the initial password successfully.
- A password cannot be displayed on the GUI, printed on terminals, or stored in the logs in plain text.
- Content in the password text box cannot be copied.
- A password must be saved as encrypted text rather than plain text. Irreversible algorithms are used to protect passwords that do not need to be recovered.
- Password files must be access-controlled so that common users cannot read or copy passwords.
- A user can change the password only after being successfully authenticated.
- An account list and a password list must be provided with the product.
- In B/S applications, the account whose password is to be changed must be obtained from the session information on the server and cannot be specified by the client.
- A password must be different from the user name.
- The default password of the built-in account must meet the password complexity requirements. User documents must ask users to change the default password.
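The password rules above, applied in one checker, as an added example that is not part of the white paper or the CBS product. The class and method names and the sample values are assumptions; the rules and defaults (6-character minimum, two of four character classes, 12-password history, 90-day lifetime, one user-initiated change per 24 hours) come from the text, and previous passwords are compared as HMAC-SHA256 digests salted with the user name, as section 2.4.3 describes for stored passwords.

```python
"""Password policy checker for the Enhanced Password Policies (constructed example)."""
import hashlib
import hmac
import string
from datetime import datetime, timedelta

# Space and the special characters listed in the policy.
SPECIALS = set(" `~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")


def password_digest(username, password):
    """Irreversible digest with the user name as salt (HMAC-SHA256, as in 2.4.3)."""
    return hmac.new(username.encode(), password.encode(), hashlib.sha256).hexdigest()


class PasswordPolicy:
    """Defaults are the white paper's; every value is configurable, as it requires."""

    def __init__(self, min_length=6, history_size=12, max_age_days=90,
                 min_change_interval_hours=24):
        self.min_length = min_length
        self.history_size = history_size
        self.max_age = timedelta(days=max_age_days)
        self.min_change_hours = min_change_interval_hours
        self.min_change_interval = timedelta(hours=min_change_interval_hours)

    def complexity_errors(self, username, password):
        """Return the violated complexity rules; an empty list means compliant."""
        errors = []
        if len(password) < self.min_length:
            errors.append("shorter than %d characters" % self.min_length)
        classes = (
            any(c in string.ascii_lowercase for c in password),
            any(c in string.ascii_uppercase for c in password),
            any(c in string.digits for c in password),
            any(c in SPECIALS for c in password),
        )
        if sum(classes) < 2:
            errors.append("fewer than two character classes")
        if password == username:
            errors.append("same as user name")
        return errors

    def change_errors(self, username, new_password, history, last_change, now,
                      by_admin=False):
        """Checks for a password change request.

        history: digests of the current and previous passwords, newest first.
        last_change: datetime of the last change, or None if never changed.
        Administrators may change a password at any time; the user only once
        per min_change_interval.
        """
        errors = self.complexity_errors(username, new_password)
        if password_digest(username, new_password) in history[:self.history_size]:
            errors.append("matches one of the last %d passwords" % self.history_size)
        if (not by_admin and last_change is not None
                and now - last_change < self.min_change_interval):
            errors.append("user may change the password only once per %d hours"
                          % self.min_change_hours)
        return errors

    def is_expired(self, last_change, now):
        """True once the password is older than max_age; the user must change it
        before being authenticated again."""
        return now - last_change >= self.max_age
```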

Authentication Failure

- When consecutive login attempts fail within the given time, the account is locked.
- The time segment in the policy "locking upon consecutive login failures" is configurable.
- The allowed number of consecutive failures in the policy "locking upon consecutive login failures" is configurable.
- The locking duration is configurable.
- After the policy "locking upon consecutive login failures" has been executed and the lock times out, the system supports automatic unlocking. In addition, the system supports manual unlocking by administrators.

Rights Management

- The system uses the role-based account rights management model.
- When an account is created, no role or a role with the least rights is assigned to the account by default.
- In B/S applications, for each URL request requiring authorization, the system must check whether the session ID of the user is valid and whether the user is authorized to perform the operation.
- Horizontal access is controlled to prevent users from accessing the sensitive data of other users without authorization.
- The authorization and user role data must be stored on the server instead of the client. The authentication must also be performed on the server.

Session Management

- In B/S applications, session cookies are used to maintain sessions.
- In B/S applications, after the user name and password are successfully authenticated, the session ID must be changed to prevent session fixation.
- In B/S applications, the information that cannot be modified in a session must be stored or maintained as a part of the session state on the server.
- If a user does not perform any operations within a specified period, the system automatically deletes the user's session. The period is configurable.
- All the pages that can be accessed only after login must explicitly provide the logout (or exit) button or menu.
- In B/S applications, when a user exits, the session information about the user must be deleted.
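The lockout, generic-failure-message and session rules of the last three subsections, combined in one login flow, as an added example that is not code from the white paper or the CBS product. The class, the in-memory stores, the sample credentials and the numeric defaults are assumptions (the text says the failure window, failure count, lock duration and idle period are configurable but gives no values); the audit tuple carries the fields the Security Logs subsection lists.

```python
"""Login flow with lockout, generic failure message and session handling (constructed)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# One message for every failure: wrong name, wrong password and locked account
# all look the same to the client.
GENERIC_FAILURE = "Login failed."


class LoginService:
    """Defaults are assumed values; the white paper only says each is configurable."""

    def __init__(self, max_failures=5, failure_window_minutes=10,
                 lock_minutes=30, idle_timeout_minutes=15):
        self.max_failures = max_failures
        self.failure_window = timedelta(minutes=failure_window_minutes)
        self.lock_duration = timedelta(minutes=lock_minutes)
        self.idle_timeout = timedelta(minutes=idle_timeout_minutes)
        self.users = {}         # user name -> stored password digest
        self.failures = {}      # user name -> timestamps of recent failures
        self.locked_until = {}  # user name -> datetime the lock expires
        self.sessions = {}      # session id -> {"user": ..., "last_seen": ...}
        self.audit = []         # (time, user, event, result): the Security Logs fields

    @staticmethod
    def _digest(username, password):
        # Irreversible, user-name-salted digest, as section 2.4.3 describes.
        return hmac.new(username.encode(), password.encode(), hashlib.sha256).hexdigest()

    def add_user(self, username, password):
        self.users[username] = self._digest(username, password)

    def is_locked(self, username, now):
        """Automatic unlock: once the lock has timed out the account is usable again."""
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            self.admin_unlock(username)
            return False
        return True

    def admin_unlock(self, username):
        """Manual unlock by an administrator (also used for the automatic case)."""
        self.locked_until.pop(username, None)
        self.failures.pop(username, None)

    def _record_failure(self, username, now):
        recent = [t for t in self.failures.get(username, []) if now - t < self.failure_window]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lock_duration
            self.audit.append((now, username, "account_locked", "ok"))

    def login(self, username, password, now, pre_login_session=None):
        """Return (session_id, message); on failure session_id is None."""
        if self.is_locked(username, now):
            self.audit.append((now, username, "login", "locked"))
            return None, GENERIC_FAILURE
        expected = self.users.get(username, "")
        if not expected or not hmac.compare_digest(expected, self._digest(username, password)):
            self._record_failure(username, now)
            self.audit.append((now, username, "login", "failed"))
            return None, GENERIC_FAILURE
        # Session fixation defence: discard any session id the client had before
        # authenticating and issue a fresh one.
        self.sessions.pop(pre_login_session, None)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user": username, "last_seen": now}
        self.failures.pop(username, None)
        self.audit.append((now, username, "login", "ok"))
        return session_id, "OK"

    def current_user(self, session_id, now):
        """Per-request check: unknown or idle sessions yield None and are deleted."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[session_id]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id, now):
        """Explicit logout deletes the server-side session state."""
        session = self.sessions.pop(session_id, None)
        if session is not None:
            self.audit.append((now, session["user"], "logout", "ok"))
        return session is not None
```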

Sensitive Data Protection

- It is prohibited to store sensitive data in plain text in code.
- It is prohibited to store sensitive data in plain text in the database or files.
- It is prohibited to store sensitive data in plain text in logs.
- It is prohibited to store sensitive data in plain text in alarms.
- It is prohibited to store sensitive data in plain text in cookies.
- In B/S applications, it is prohibited to store sensitive data in plain text in hidden fields.
- In B/S applications, it is prohibited to cache web pages containing sensitive data.
- In B/S applications, sensitive data must be submitted by using the HTTP POST method.
- Sensitive data (including passwords, bank accounts, and batches of personal data) is transmitted between untrusted networks through secure channels or transmitted after encryption, unless otherwise specified by standard protocols.
- In web applications, only the HTTPS protocol (namely, SSL with a server certificate) can be used to transfer sensitive data between the client and the server. This function is applicable only to local access and login but is not used in device management.
- In B/S applications, it is prohibited to carry the session ID (such as jsessionid) in the URL.
- It is prohibited to send information that should be kept secret from users to clients.
- Authentication, authorization, and encryption mechanisms are established to control access to sensitive data, such as bank accounts.
- Security certificates, bank accounts, and service SMS messages are either masked in logs or not printed in any log.

Service Running Security

- Use secure protocols, such as SSH v2, TLS 1.0, SSL 3.0, IPSec/SFTP, and SNMPv3, rather than insecure protocols, such as FTP and Telnet, for system management and between maintained terminals.
- In B/S applications, CSRF must be prevented for important operations.

Encryption and Decryption

- Use a non-patented, secure, and public encryption algorithm instead of a patented encryption algorithm.
- Use secure functions to generate random numbers.
- The key for transmitting sensitive data cannot be fixed in the code.

Security Logs

- All non-query operations are logged.
- The recorded log content supports subsequent audit. Data including the user ID, time, event type, name of the accessed resource, and access result is recorded in the logs.
- A log access control mechanism is provided to prevent unauthorized persons from accessing, modifying, or deleting logs.

Anti-attack Protection for Protocols and Interfaces

- All external communication connections must be necessary for system running and maintenance. If a communication port is used, it is described in the product communication matrix document.
- All communication ports and protocols that manage the system must have an access authentication mechanism, except for standard protocols that have no authentication mechanism.

Verification Code Security

- The verification code must be a single image in JPEG, PNG, or GIF format only.
- The verification code must be generated randomly, and the generated random number must be secure.
- The font, size, and position of each character in the verification code must change randomly.
- Characters in the verification code are distorted and adhesive.
- The content of the verification code cannot be associated with information submitted by the client.
- The random number generated by the verification code module cannot appear in the source code of the static page on the client.
- The verification code must have background interference. The color, position, and quantity of the background interference elements must change randomly.
- The verification code becomes invalid once it is used. New verification codes must be generated for new requests.
- The verification code and the login information (such as the user name and password) must be sent to the server at the same time. The information is verified only after the verification code check succeeds.

Web Service Security

- The invocation of the Web Service interface must be verified.
- The confidentiality of sensitive data transferred through the Web Service interface must be ensured.
- The input parameters submitted to the Web Service interface must be checked.

Web Code Security

- Input verification
  o All user input must be verified. When any invalid data is found, inform the user of the invalid input and ask the user to correct it. Note: User input is the data from the text, password, or textarea fields. All user input is deemed untrustworthy by default, and the validity of the input must be verified.
  o All input produced by servers must be verified. When any invalid data is found, the session must be invalidated, and alarm logs must be generated. Note: Input produced by servers means all input other than user input, such as URL parameters, data contained in hidden fields, selection boxes, check boxes, option buttons, cookies, HTTP headers, and hot spot links or client scripts. All input produced by servers is deemed falsified and malicious by default. The validity of the input must be verified. If the input is found invalid, the data has been falsified by a malicious user. For example, assume that the Gender field is mandatory in the user information form and an option button (1 for male and 0 for female) is used to restrict the user input. If the value of Gender received by the application is 2, someone has falsified the data maliciously.
  o It is prohibited to use any non-encrypted information in the HTTP headers as the basis for security decisions. Note: The HTTP headers are sent at the beginning of the HTTP request and HTTP response. The web application must not use any non-encrypted information in HTTP headers as the basis for security decisions because attackers can easily manipulate the HTTP headers. For example, the Referer field in the HTTP header contains the URL of the web page on the requester side. Therefore, do not make any security decision based on the Referer field (for example, checking whether the request comes from a page generated by the web application) because this field is easily falsified.
  o Do not rely on client-side verification. Instead, the server code must perform the final verification of the input data. Note: Client-side verification is used only as an auxiliary measure to reduce the interactions between the client and the server.
  o Verify input that has already been verified on the client again on the server, with the same rules. Once the data is found invalid, the session must be invalidated and alarm logs must be generated. Note: Attacks are assumed to exist in which the attacker bypasses the input verification on the client. Therefore, the session must be invalidated, and alarm logs must be generated.
  o If the input can only be certain characters or character combinations, use a whitelist for input verification. Note: For input that complies with certain rules, such as an email address, date, or decimal fraction, use a regular expression for whitelist verification. This method is more effective than blacklist verification.
  o Verify the input data length. Note: If the input data is a string, the length of the string must be verified. Length verification increases the difficulty of attacks.
  o Verify the input data range. Note: If the input data is a numerical value, the range of the value must be checked. For example, the age should be an integer ranging from 0 to 150.
  o The input parameters used for redirection cannot contain carriage returns or line feeds, to avoid HTTP response splitting attacks. Note: A carriage return has several representations (CR = %0d = \r). A line feed also has several representations (LF = %0a = \n).
- PreparedStatement is used instead of directly executed statements to prevent SQL injection in non-embedded web applications.
- User data must be verified on the server. Data can be transmitted to the client after being HTML encoded, which prevents the execution of malicious code and cross-site scripting attacks. For untrusted data, HTML encoding is mandatory before the data is transmitted to the client.
- Code comments
  o Comments cannot contain information about the physical path, database connection, or SQL statements.
  o For static pages, comments cannot contain source code information.
  o For dynamic pages, common comments are not used, and only hidden comments are used.
- When the application encounters an error, catch the exception, filter the information and return only the common error message to the client (do not disclose unnecessary information to the client), and record the detailed error information in the log.
- A whitelist must be used on the server to strictly restrict the types of uploaded or downloaded files.
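The input verification, PreparedStatement and HTML encoding rules above, as an added example that is not code from the white paper or the CBS product. The field names, the email length limit and the in-memory SQLite table are assumptions; the 0 to 150 age range, the 1/0 Gender option button and the CR/LF representations come from the text, and the parameterised sqlite3 query stands in for the Java PreparedStatement the text names.

```python
"""Server-side input verification for the Web Code Security rules (constructed)."""
import html
import re
import sqlite3
from urllib.parse import unquote

# Whitelist patterns: the whole value must match; anything else is rejected.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
AGE_RE = re.compile(r"^\d{1,3}$")
GENDER_OPTIONS = {"1", "0"}   # option button: 1 = male, 0 = female (as in the text)
MAX_EMAIL_LEN = 254           # assumed limit; the point is that a limit exists


class InvalidInput(ValueError):
    """Raised when verification fails. For user-typed fields the caller asks the
    user to correct the value; for server-produced fields (hidden fields, option
    buttons, cookies, headers) it invalidates the session and writes an alarm log."""


def check_email(value):
    """Whitelist regular expression plus a length check."""
    if len(value) > MAX_EMAIL_LEN or not EMAIL_RE.match(value):
        raise InvalidInput("email")
    return value


def check_age(value):
    """Numeric range check: an integer from 0 to 150."""
    if not AGE_RE.match(value) or not 0 <= int(value) <= 150:
        raise InvalidInput("age")
    return int(value)


def check_gender(value):
    """Server-produced input: the form only offers 1 or 0, so any other value
    was forged by the client, not mistyped."""
    if value not in GENDER_OPTIONS:
        raise InvalidInput("gender: falsified value")
    return value


def check_redirect_target(value):
    """Reject CR/LF in any representation (raw, %0d/%0a, or double-encoded)
    so the value cannot split an HTTP response when used in a Location header."""
    decoded = unquote(value)
    if "\r" in decoded or "\n" in decoded or re.search(r"%0[aAdD]", decoded):
        raise InvalidInput("redirect target contains CR/LF")
    return decoded


def is_valid(check, value):
    """True if the check accepts the value, False if it raises InvalidInput."""
    try:
        check(value)
        return True
    except InvalidInput:
        return False


def demo_db():
    """In-memory table with one constructed customer whose name carries markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, email TEXT)")
    conn.execute("INSERT INTO customer VALUES (?, ?)",
                 ("<b>Alice</b>", "alice@example.com"))
    return conn


def find_customer(conn, email):
    """PreparedStatement equivalent: the value is bound as a parameter, never
    concatenated into the SQL text, so quotes in it cannot change the query."""
    row = conn.execute("SELECT name FROM customer WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def render_name(name):
    """HTML-encode untrusted data before it is sent to the browser."""
    return html.escape(name, quote=True)
```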

The CBS provides privacy protection schemes so that carriers can meet local laws and

regulations and customer requirements on privacy protection.

2.4.3 Privacy Protection

I. Overview

Privacy refers to individuals' identifiable information, including information that is directly or indirectly related to individuals. Privacy protection is the protection of individuals' identifiable information.

The CBS provides privacy protection for personal data, including but not limited to the following:

- Basic customer information, such as the customer name, customer code, certificate type, certificate ID, home address, gender, date of birth, customer level, fax number, and email address.
- Account information, such as the account name, account address, account record, and bank account.
- Subscriber information, such as contract signing information, subscription information, service use records, and subscriber invoices.
- Accounting information, such as customer invoices and receipts, payment records, overdue payment records, and dunning records.

The CBS takes the following measures to protect customer privacy:

- Process customers' sensitive information (such as numbers, ages, genders, and account balances) in an anonymous manner.
- Provide a security protection mechanism (such as authentication, permission control, and log recording) during the collection and processing of individual data and make the mechanism open to customers through the product documentation.

II. Data Protection

The CBS protects sensitive data, which includes but is not limited to passwords, cipher keys, bank accounts, important service data, financial data, enterprise data, and individual data.

Individual data includes the subscriber name, account, calling and called numbers, CDRs, and call duration. This type of data can identify a natural person on its own or in combination with other information.

The CBS uses different modes to process different types of sensitive data, including data collection, encrypted storage, encrypted transmission, data display, and backup and restore.

o Data collection

To enable subscribers to use services and receive system notifications, the CBS collects individual data based on service information. Carriers and subscribers must sign the data collection contract so that the system can process subscriber data to generate the production data required by the service system. Without authorization from subscribers, the CBS does not collect, store, or process subscriber data.

o Registration

During registration, the system collects service-related data including the customer's name, certificate number, date of birth, phone number, password for query, home address, email address, and invoice address. The system does not collect service-irrelevant information, such as family members and their health status. In the self-registration and self-service scenarios, the system displays the data collection purpose and notifies the subscriber of the data to be collected. When connecting to a third-party system interface, the CBS notifies the interface of the mandatory and optional data to be collected.

o Deregistration

The CBS starts a scheduled task to automatically clear all individual data X days after deregistration.

NOTE: The value of X is configurable and is 30 by default.

o CDR

CDRs record the calling number, called number, communication time, location information, and other information. The CBS can store CDR files without importing them into a database, or start a scheduled task to automatically clear CDR files a specified time period after they are stored. The CBS does not import the location and peer number in CDRs into the database.

NEs in the CBS use SFTP to transfer CDR files. Permissions on the files are set as follows: the owner has read, write, and delete permission, and users in the same group as the owner have read permission. Other non-root users have no permission on CDR files.

The CBS records an operation log each time a CDR file is queried.

CDR files in the CBS are used by Invoicing to accumulate accounts, by the report system to collect and analyze statistics, by the RA to audit and rerate CDRs, by the GL for accounting, and by a third-party system (for example, PRM) to execute settlement.
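The CDR file permission scheme and the scheduled clean-up described above, as an added example that is not code from the white paper or the CBS product. The directory layout, the .cdr file name suffix and the 30-day retention value are assumptions; the text fixes only the permission split (owner read/write/delete, group read, others nothing) and says the retention period is configurable.

```python
"""CDR file housekeeping: permission scheme and retention purge (constructed)."""
import os
import stat
import tempfile
import time

# Owner read/write, group read, nothing for others (0o640). On UNIX the owner's
# "delete" right comes from the directory mode, which demo() sets to 0o750.
CDR_FILE_MODE = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
CDR_DIR_MODE = stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP


def secure_cdr_file(path):
    """Apply the CDR file mode explicitly (never rely on the umask default)
    and return the resulting permission bits."""
    os.chmod(path, CDR_FILE_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)


def purge_old_cdrs(directory, retention_days, now=None):
    """Delete .cdr files last modified more than retention_days ago and return
    their names, so the scheduled task can log what it removed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    deleted = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".cdr") and os.path.isfile(path) and os.stat(path).st_mtime < cutoff:
            os.remove(path)
            deleted.append(name)
    return deleted


def demo(retention_days=30):
    """Constructed scenario: a 40-day-old and a 1-day-old CDR file in a temp dir.
    Returns (modes after hardening, deleted names, remaining names)."""
    now = time.time()
    directory = tempfile.mkdtemp()
    os.chmod(directory, CDR_DIR_MODE)
    modes = []
    for name, age_days in (("old.cdr", 40), ("new.cdr", 1)):
        path = os.path.join(directory, name)
        with open(path, "w") as handle:
            handle.write("constructed CDR record\n")
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))   # back-date the file to simulate its age
        modes.append(secure_cdr_file(path))
    deleted = purge_old_cdrs(directory, retention_days, now)
    remaining = sorted(os.listdir(directory))
    return modes, deleted, remaining
```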

o Invoice

Invoices record the customer name, invoice address, calling number, called number,

consumption information, balance, total outstanding amount, and other information. The

information can be customized by carriers, and called numbers are anonymized.

o Receipt

Receipts record information such as the customer name and phone number.

Receipts are compressed before being stored in a database.

o Recharge and payment

The recharge and payment log table records information related to the bank account, such as the credit card number, card expiration time, credit card authorization code, bank account, check number, and check data.

The CBS deducts fees based on the information related to the bank account. Therefore, the system uses the reversible algorithm AES128 to encrypt and decrypt the information and then stores it in the database.

o Encrypted storage

The system encrypts sensitive data such as the password, bank account, cipher key, PIN1,

PIN2, PUK1, and PUK2 so that the sensitive data is not displayed in plaintext.

The system uses the irreversible algorithm Hmac-SHA256 to encrypt the login password.

The user name is used as the salt for password encryption, which ensures that different

ciphertexts are obtained for the same password. The ciphertext is stored in the CBS

database and is used for verifying the login password that a subscriber enters.

The system uses AES128 to encrypt and decrypt the authentication passwords transferred

between the client and server. The two ends use the same algorithm and cipher key to

ensure that the peer end can decrypt the received passwords. The passwords are

generally stored in configuration files in ciphertext for applications to query. Cipher keys

are generally stored in configuration files in ciphertext to protect key security.

The system generally uses AES128 to encrypt and decrypt bank accounts.

o Encrypted transmission

Sensitive data is transferred in ciphertext or through an encryption channel such as

HTTPS, VPN, or SFTP. Passwords, bank accounts, and other information requiring

high-level security must be transferred through an encryption channel in ciphertext.

o Data display

Sensitive data is not displayed in plaintext on web pages or in log files and configuration files. To protect sensitive data such as bank accounts, the system saves the data in the database in ciphertext, displays only the first six or last four digits of each record on web pages for tracing services or transactions, and displays the encryption status in log files. If the system does not display the encryption status in log files, it displays the first six or last four digits and uses asterisks (*) to mask the other digits.

Passwords are masked with asterisks (*) on web pages and in text boxes, and are recorded in ciphertext in log files and configuration files. Cipher keys are displayed in ciphertext in configuration files.

Other sensitive data such as PIN1, PIN2, PUK1, and PUK2 is displayed in ciphertext.

Individual data of subscribers such as their names, phone numbers, invoices, and transaction data is displayed in plaintext on web pages and in log files. However, individual data exported to other systems outside the production system or imported into the development and test system is anonymized. That is, the system transcodes individual data such as the name and mobile number to protect subscribers' privacy.
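The display rules above, as an added example that is not Huawei's CBS code: a bank account keeps only its first six or last four digits, passwords and PINs/PUKs become asterisks, and individual data such as the subscriber name or phone number passes through. The field names, the sample record and the sample log line are constructed.

```python
import re
from typing import Callable, Dict

# Constructed sample record; the field names are assumptions, not the CBS schema.
SAMPLE_RECORD = {
    "subscriber_name": "Alice Example",  # individual data: shown in plaintext
    "msisdn": "8613800001111",           # individual data: shown in plaintext
    "bank_account": "6222021234567890",
    "password": "Secret123!",
    "pin1": "1234",
}
# Constructed log line in an assumed key=value layout.
SAMPLE_LOG = ("2014-08-31 10:00:01 INFO fee deducted account=6222021234567890 "
              "msisdn=8613800001111 amount=12.50")


def mask_account(value: str, show: str = "last4") -> str:
    """Keep either the last four digits (show="last4") or the first six
    (show="first6") and replace every other digit with '*'. A value too
    short to hide anything behind the kept part is masked completely."""
    keep = 4 if show == "last4" else 6
    if len(value) <= keep:
        return "*" * len(value)
    if show == "last4":
        return "*" * (len(value) - 4) + value[-4:]
    return value[:6] + "*" * (len(value) - 6)


def mask_secret(value: str) -> str:
    """Passwords, PINs and PUKs get a fixed-length mask so even the length leaks nothing."""
    return "********"


MASKERS: Dict[str, Callable[[str], str]] = {
    "bank_account": mask_account,
    "password": mask_secret,
    "pin1": mask_secret, "pin2": mask_secret,
    "puk1": mask_secret, "puk2": mask_secret,
}


def sanitize_record(record: dict) -> dict:
    """Return a copy that is safe for a web page or log file; other fields pass through."""
    return {k: MASKERS[k](str(v)) if k in MASKERS else v for k, v in record.items()}


# Fallback for free-text log lines: mask the value of an account=... token only,
# so phone numbers (which the paper allows in plaintext) are left untouched.
ACCOUNT_KV = re.compile(r"\b(bank_account|account)=(\d{10,19})\b")


def sanitize_log_line(line: str) -> str:
    return ACCOUNT_KV.sub(lambda m: f"{m.group(1)}={mask_account(m.group(2))}", line)
```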

o Backup and restore


Service-related data is backed up based on a backup policy. The backup scope, time, and interval can be configured in the backup policy. Generally, data generated within a specified time period is backed up as online backup data for fast restore. By default, the CBS stores data backed up in the last month as online backup data on disks and stores data backed up earlier as offline backup data.

Data restore tests must be performed on a regular basis to verify the validity of the backup policy and the backup data.

2.4.4 System Layer Security

Operating System Security

Security hardening will be performed for all operating systems.

During operating system installation, the latest security patches need to be installed. The list of verified patches must be released regularly, and these patches must be installed on the operating system.

After an unauthenticated Nessus scan (no user name or password supplied), there must not be any high-risk security vulnerabilities.

Remote login supports the SSH protocol.

An antivirus solution will be deployed on Windows-based servers.

The highest-privilege accounts such as 'root' and 'Administrator' shall not be used for software/application operation or daily maintenance.

The software/application operating account shall not be used for daily maintenance. A separate maintenance account will be used for daily maintenance.

Files and paths used for application operation or for keeping related critical data shall have permissions limited to 770.

Database Security

Security hardening will be performed for all databases.

During database installation, the latest security patches need to be installed. The list of verified patches must be released regularly, and these patches must be installed in the database.

After a Nessus scan, there must not be any high-risk security vulnerabilities.

Do not use the default password provided by the supplier for the database account. The password complexity must meet the requirements.

If multiple accounts exist in the database, disable or delete idle accounts.

Use a single operating system account to run the database.

For databases with a listener function (such as listener.ora of Oracle), configure the listener password or configure the listener so that it is verified by the local operating system.

The highest-privilege accounts such as 'sys' and 'sa' shall not be used for software/application connections or daily maintenance.

The software/application connecting account shall not be used for daily maintenance. A separate maintenance account will be used for daily maintenance.

Administrative privileges shall not be granted to the software/application connecting account.


Web Container Security

Security configuration must be performed on web containers by deleting unnecessary resources, disabling unnecessary connectors, preventing the leakage of web container information (such as version banners), minimizing file and directory permissions, protecting the shutdown function, and disabling directory listing. In this way, web containers reach the optimal security status.

After an AppScan scan, there must not be any high-risk security vulnerabilities.

2.4.5 Network Layer Security

Virtual Network Security Isolation

The core of the virtual network security isolation design lies in the port group and VLAN configurations. VM ports need to be classified to implement security isolation for the various types of service traffic: VM ports are assigned to port groups according to the traffic type. VLAN IDs are also configured to implement layer-2 isolation between the various types of traffic in the VMs. In addition, VMs bound to different physical network adapters can access different planes.

Physical Security Isolation

Based on the communication features of the CBS services, the networks in the standardized network scheme are divided into the service plane, management plane, and storage plane. All NEs on the service plane use independent physical ports. On ATAE servers, Fabric network adapters are used for services, Base network adapters for management, and FC network adapters for storage. These independent physical ports are isolated from the physical ports of the other planes. However, the physical ports are publicly available on the devices.

Logical Security Isolation

The CBS adopts various technologies to implement security isolation at various logical levels to ensure network security.

Plane division

Based on the communication features of the CBS services, the networks are divided into the service plane, management plane, and storage plane.

VLAN isolation

Service servers are assigned to VLANs according to the service server type. Through the VLAN plan, broadcast domains are reduced and layer-2 access between VLANs can be effectively isolated.

Security zone division

Based on the CBS service security features, the system is divided into the following security zones:

o Untrust: The security level is 5. The network adapters connected to external systems are deployed here. Multiple security domains of this type can be created based on the connected system.

o MT: The security level is 40. Maintenance terminals (such as the I2000 client) are deployed here. The management network can be connected only through this zone to manage system networks.

o DMZ: The security level is 50. Applications that directly interact with Internet users (such as the BMP Gateway, EVC Portal, and SLB) are deployed here to implement Internet access and request distribution.

o OIT: The security level is 55. The LBI is deployed here and is provided only for customers' system administrators. The administrators can use the system reconciliation and report audit functions.

o HA: The security level is 60. The connection heartbeat interfaces for firewalls are deployed here.

o TEST: The security level is 80. NEs for test, training, and development environments are deployed here.

o Trust: The security level is 85. Service NEs including the CBP, BMP, EVC, UVC, and UAP are deployed here to implement core system functions such as charging, recharge, and service management.

o OM: The security level is 90. The management plane (including network management systems, management ports of hardware devices, and the service management plane) is located in the OM zone. To access and control the management plane, an external network management center needs to connect to the OM zone of the firewall.

Access control between zones

Security isolation is implemented through the firewall for connections between external networks and the different zones on the CBS network.

Access control inside zones

Connections between internal security zones are controlled using the ACLs of switches. Also, the connection relationship between each module needs to be described in detail in the service communication matrix.
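A checker for the zone model above, as an added example that is not Huawei's CBS code: it takes the security zones and levels exactly as the paper lists them, a service communication matrix in which every permitted cross-zone connection is written down explicitly, and reports proposed flows that are not in the matrix, that reach the management plane from anywhere but the MT zone, or that use a plaintext protocol the paper replaces with an encrypted one. The matrix entries, port numbers and flows are constructed for illustration.

```python
from typing import Dict, List, NamedTuple

# Security zones and levels exactly as listed in the white paper.
ZONE_LEVEL: Dict[str, int] = {
    "Untrust": 5, "MT": 40, "DMZ": 50, "OIT": 55,
    "HA": 60, "TEST": 80, "Trust": 85, "OM": 90,
}


class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Constructed service communication matrix: each permitted cross-zone
# connection is listed explicitly. The ports are assumptions.
COMM_MATRIX = {
    Flow("Untrust", "DMZ", "tcp", 443),  # Internet users to EVC Portal / SLB over HTTPS
    Flow("DMZ", "Trust", "tcp", 8443),   # gateway traffic into the service NEs
    Flow("MT", "OM", "tcp", 22),         # maintenance terminal to the management plane via SSH
    Flow("OIT", "Trust", "tcp", 1521),   # LBI reconciliation and report queries
}

# Plaintext protocols the paper replaces with encrypted ones.
PLAINTEXT_PORTS = {23: "Telnet (use SSH)", 21: "FTP (use SFTP)", 80: "HTTP (use HTTPS)"}


def check_flow(flow: Flow) -> List[str]:
    """Return the reasons a flow should be rejected; an empty list means it passes."""
    reasons = [f"unknown zone {z!r}" for z in (flow.src_zone, flow.dst_zone)
               if z not in ZONE_LEVEL]
    if reasons:
        return reasons
    if flow.src_zone == flow.dst_zone:
        return []  # intra-zone traffic is governed by switch ACLs, not by this matrix
    if flow not in COMM_MATRIX:
        reasons.append("cross-zone flow not in the service communication matrix")
    if flow.dst_zone == "OM" and flow.src_zone != "MT":
        reasons.append("management network may be connected only through the MT zone")
    if flow.port in PLAINTEXT_PORTS:
        reasons.append("plaintext protocol: " + PLAINTEXT_PORTS[flow.port])
    return reasons


def audit(flows) -> Dict[Flow, List[str]]:
    """Map each rejected flow to its reasons; flows that pass are omitted."""
    result: Dict[Flow, List[str]] = {}
    for f in flows:
        reasons = check_flow(f)
        if reasons:
            result[f] = reasons
    return result
```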

Management Channel Control

The network and devices are maintained and managed on the management plane. Therefore, strict isolation of the management plane is very important. The following measures are adopted in the CBS:

Remote management of and login to network devices are supported only on the management plane. Only the management-plane IP address can be used for remote management and login. This effectively prevents intrusions and attacks from users.

If network devices need to be managed remotely on the management plane, the source IP addresses allowed to use SNMP need to be restricted on the devices.

Network devices access the management network through out-of-band management ports. SSH is used for remote maintenance and management of devices.


The management plane is a common plane that involves NEs in various security zones. Security isolation must be implemented on the management plane to prevent NEs in different security zones from connecting to each other through it.

Network Device Security Hardening

Before service deployment, security hardening is required for network devices based on the corresponding security hardening guide.

Network Protocol Security

Maintenance engineers can operate servers and databases through remote connections. Encrypted protocols for remote logins are used to replace plaintext protocols. The recommended replacements are as follows:

SSH is used to replace Telnet.

SFTP is used to replace FTP.

HTTPS is used to replace HTTP.

SNMPv3 is used to replace SNMPv1/v2.

In addition, maintenance engineers are advised to use a VPN to connect to core services and to the boundary firewalls of the data domain during remote maintenance. The VPN service can be enabled on the firewalls. The VPN type is IPSec VPN. The VPN client IP address pool can be configured on the firewalls, and the VPN service assigns IP addresses to maintenance engineers' clients. Filter policies are also configured on the firewalls so that only IP addresses in the VPN client IP address pool can connect to servers through the firewalls.

2.4.6 Virtualization Layer Security

Security hardening of the Hypervisor prevents the Hypervisor from being exposed on an insecure network and protects it from brute-force attacks and vulnerability exploitation. In this way, unauthorized access to the Hypervisor is prevented.

VMs' access to resources on the host is restricted, to prevent a VM from accessing resources that belong to other VMs on the host.

On the virtualization platform, a layer-2 packet filtering scheme is configured to prevent MAC address spoofing by malicious users.

Using the computing resource uniform allocation module, the virtualization platform uniformly allocates computing and memory resources to the VMs on the host, to prevent DoS attacks from malicious VMs.

On the virtualization platform, a layer-3 packet filtering scheme is configured to prevent IP address spoofing and ARP spoofing by malicious users.

On VMware, the VM provides a private storage security mechanism. Using this mechanism, the VMI cannot be obtained, tampered with, or destroyed even if the host is attacked and the attacker has gained control over the host.

The security group management mechanism prevents malicious users from obtaining remote access permission on a VM of a low security level and using the VM as a stepping stone to attack the network.


3 Security Assurance

3.1 Security Statements and Qualification

Huawei recognizes that security issues are important to our customers and products, and continuously researches and develops better security functionality and quality.

Huawei obtained BS 7799 certification in July 2004, and the certification was renewed as ISO/IEC 27001 in August 2007.

Product security assurance procedures have been integrated into Huawei's product development process, that is, integrated product development (IPD). Security-related issues including functionality and quality are considered at each phase such as conception, design, and verification, and security-related procedures are applied to installation and onsite support.

The Security Technical Management Group (TMG) has been set up to supervise and guide security activities during the product development process, and to provide consultancy, development, and assessment of product security solutions.

Huawei and its development teams and products strictly follow industry standards, laws, and regulations, and respect carriers' and their customers' business and technology secrecy and privacy. We respect and understand carriers' security policies, and we are ready to help carriers enforce their security policies.

3.2 Security Assurance Procedures

Product security has become an important topic on which telecom carriers focus. Even a security accident rate of 0.01% implies a complete failure. The most efficient way of ensuring product security is to follow a good methodology.

Figure 3-1 shows the security assurance procedures in Huawei's IPD.


Figure 3-1 Security assurance procedures in Huawei's IPD

[Figure: the IPD phases Concept, Plan, Development, Qualify, Launch, and Lifecycle, with decision checkpoints and technical reviews TR1 to TR6 and GA. Inputs are the corporate information security policy and standard, legal and regulatory standard specifications, customer security requirements, and short-term and long-term security requirements (OR, MM). Artifacts along the process include the business plan, certification charter, security baseline and its implementation guide, security development standard, security CBB (encryption algorithms library, PKI platform), HLD/LSD design specification, coding, BBFV, SDV, SIT, SVT, security test report, penetration test report, beta test report, security documents, patch management, vulnerability management, and PCR.]

IPMT: Integrated Portfolio Management Team
PDT: Product Development Team
DCP: decision checkpoint
TR: technical review
EOM: end of marketing
EOP: end of production
EOS: end of support and service
BBFV: build block functional verification
SIT: system integrated test
SVT: system verification test
GA: general availability
UCD: user centered design
OR: offering requirement
MM: market management
IPD: integrated product development
PCR: product change request
CBB: common building block
PKI: Public Key Infrastructure

Huawei has established a professional security solution department to provide advanced security solutions for telecom carriers, and to support, guide, and monitor security issues around all products and solutions. Product line teams and product development teams have created special teams or roles to take charge of security issues and to ensure security quality during product development. Each product line team adjusts its short-term and long-term security plans each year after reviewing recent advances in technology and business evolution. The quality assurance (QA) department has set up a special team to monitor and audit product security plans and progress.

Appropriate organization along with strict and efficient process assurance builds security quality into products, satisfies carriers' security requirements, and provides carriers with high-quality service assurance on a long-term basis.


A Acronyms and Abbreviations

C
CBS convergent billing system
CSRF cross-site request forgery

E
E2E end-to-end

F
FTP File Transfer Protocol

H
HTTP Hypertext Transport Protocol
HTTPS Secure HTTP

N
NFS Network File System
NTP Network Time Protocol

O
OSI open systems interconnection

Q
QoS Quality of Service

R
RBAC Role-Based Access Control

S
SNMP Simple Network Management Protocol
SSH Secure Shell

T
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security

V
VM Virtual Machine
VMI Virtual Machine Image
VLAN Virtual Local Area Network