iDirect Security Best Practices Technical Note

Upload: kira019

Post on 07-Aug-2018


8/20/2019 iDirect Security Best Practices Technical Note

    Security Best Practices  

    Technical Note

    August 13, 2012


    Copyright © 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited. Information contained herein is subject to change without notice. The specifications and information regarding the products in this document are subject to change without notice. All statements, information, and recommendations in this document are believed to be accurate, but are presented without warranty of any kind, express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand names and products mentioned in this document are the property of their respective owners. All such references are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's rightful owner.

    Document Name: TN_Security Best Practices_Rev A_08132012 DRAFT.pdf 

    Document Part Number: T0000468


    Revision History

    The following table shows all revisions for this document. To determine if this is the latest

    revision, check the TAC Web page.

    Rev   Date Released   Reason for Change(s)          Who Updated?

    A     MMM DD, 2012    Initial release of document   JVespoli


    Contents

    About This Guide

        Purpose

        Intended Audience

        Contents Of This Guide

        Document Conventions

        Getting Help

    Security Best Practices

        Hub and NMS Server Security

            Network Isolation and External Access

            Server Password Security

            Secure Server Connections

            Disabling SNMP on NMS Servers when not Required

            Disabling NMS Config Service on Non-Distributed NMS Servers

            Encryption of Backup Files Before Archiving

        NMS Client Security

            User Passwords and Permissions

            Client Access

            Remote Access

        Console Password Security

        Clearing Data from Decommissioned Remotes and Line Cards


    About This Guide

    Purpose

    This technical note recommends basic security practices to help ensure that all components of iDirect Networks are secure.

    Intended Audience

    This technical note is intended for iDirect Network Operators and System Administrators responsible for ensuring that iDirect networks are secure.

    Contents Of This Guide

    This document contains the following major sections:

    • “Hub and NMS Server Security”

    • “NMS Client Security”

    • “Console Password Security”

    • “Clearing Data from Decommissioned Remotes and Line Cards”

    Document Conventions

    This section describes and illustrates the conventions used throughout the document.

    Convention: Blue Courier font
    Description: Used when the user is required to enter a command at a command line prompt or in a console.
    Example: Enter the command:
        cd /etc/snmp/

    Convention: Courier bold font
    Description: Used when showing terminal display information such as output from a command or contents of a file.
    Example:
        crc report all
        3100.3235 : DATA CRC [   1]
        3100.3502 : DATA CRC [5818]
        3100.4382 : DATA CRC [  20]

    Convention: Bold Trebuchet font
    Description: Used when referring to text that appears on the screen on a windows-type Graphical User Interface (GUI). Used when specifying names of commands, menus, folders, tabs, dialogs, list boxes, and options.
    Example: 1. If you are adding a remote to an inroute group, right-click the Inroute Group and select Add Remote. The Remote dialog box has a number of user-selectable tabs across the top. The Information tab is visible when the dialog box opens.

    Convention: Blue Trebuchet font
    Description: Used to show hyperlinked text within a document.
    Example: For instructions on adding a line card to the network tree and selecting a Hub RFT for the line card, see “Adding a Line Card” on page 108.

    Convention: Bold italic Trebuchet font
    Description: Used to emphasize information for the user, such as in notes.
    Example: Note: Several line card model types can be configured as receive-only line cards.

    Convention: Red italic Trebuchet font
    Description: Used when the user needs to strictly follow the instructions or have additional knowledge about a procedure or action.
    Example: WARNING! The following procedure may cause a network outage.

    Getting Help

    The iDirect Technical Assistance Center (TAC) is available to help you 24 hours a day, 365 days a year. Software user guides, installation procedures, a FAQ page, and other documentation that supports our products are available on the TAC webpage. You can access the TAC webpage at: http://tac.idirect.net.

    If you are unable to find the answers or information that you need, you can contact the TAC at (703) 648-8151.


    Security Best Practices

    This technical note recommends basic security practices to help ensure that all components

    of iDirect Networks are secure. iDirect also recommends implementation of additional

    security measures over and above these steps as required for your specific network

    configurations.

    Hub and NMS Server Security

    An iDirect installation includes a number of Linux servers used to configure and run the networks. These servers include:

    • NMS servers for network configuration and monitoring

    • Protocol Processor Blade servers to manage network traffic at the hub

    • GKD servers to manage and distribute encryption keys

    iDirect recommends securing all hub and NMS servers from unauthorized physical access.

    In addition, iDirect strongly recommends implementing the security measures in the following

    sections to protect the servers.

    Network Isolation and External Access

    In addition to limiting physical access to your servers, iDirect recommends isolating all networks from external access to the extent possible. Access to the iDirect servers should be protected behind a commercial-grade firewall.

    If external access is required, iDirect recommends use of secure private networks.

    • For VNO operators, all connections should be established through carefully managed

    Virtual Private Networks (VPN).

    • All iBuilder and iMonitor clients connecting to the NMS over a Wide Area Network (WAN)

    should do so over a private network or VPN.

    Server Password Security

    iDirect Servers are shipped with default passwords. At installation, the passwords should be

    changed from the default on all servers for the following users:

    • root

    • idirect (iDX Release 2.1 and later)


    Thereafter, these passwords should be changed periodically. When selecting new passwords,

    iDirect recommends that you follow common guidelines for constructing strong passwords.

    Secure Server Connections

    iDirect recommends using Secure Shell (SSH) for all remote logins to server machines. SSH was designed as a secure replacement for Telnet and other remote shell protocols, which send credentials and session data across the network in cleartext. Once an SSH connection is established, Telnet can be used to open sessions on the local host, because loopback traffic never leaves the machine; it should not be used to reach any other host.

    To further improve security, beginning with iDX Release 2.1, iDirect stopped allowing any remote session (including SSH) to log on directly to the root account of an iDirect server. Instead, use SSH to log on to a less privileged account such as the idirect account, then enter su - at the command line to become root if root access is required. This also leaves a record of which account acquired root, which a direct root login does not.
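As an added example (not code from the iDirect technical note or from iDirect), the following POSIX shell script checks two of the recommendations above offline: that the sshd configuration does not permit direct root login, and that the root and idirect passwords have been changed within a rotation window. The sshd_config and shadow files it reads are constructed samples written to a temporary directory; the 90-day limit, the epoch-day value used as "today", and all file paths are assumptions for illustration. On a live server, run it as root against /etc/ssh/sshd_config and /etc/shadow, passing $(( $(date +%s) / 86400 )) as the day count; where `sshd -T` is available it is the authoritative dump of effective settings, but the parser below follows the same first-occurrence rule sshd uses.

```shell
#!/bin/sh
# Added example, not part of the iDirect technical note: offline checks for the
# "no direct root login" and "change default passwords, then rotate them"
# recommendations. All inputs are files, so it runs without root against the
# constructed samples at the bottom; paths, the 90-day limit and the "today"
# value are assumptions for illustration.

# sshd_effective SSHD_CONFIG KEYWORD
# Prints the value sshd would use for KEYWORD. sshd keywords are case-insensitive,
# the FIRST occurrence wins, "keyword value" and "keyword=value" are both legal,
# and anything after the first Match block is conditional, so parsing stops
# there. Include directives are not followed. Prints "unset" if not set globally.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                       # strip leading whitespace
        /^#/ || /^$/ { next }                         # comments and blank lines
        {
            match($0, /^[A-Za-z0-9]+/)                # keyword token
            kw = tolower(substr($0, 1, RLENGTH))
            rest = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)          # optional "=" separator
            split(rest, parts, /[ \t]+/)
            if (kw == "match") exit
            if (kw == key) { print parts[1]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# shadow_age_days SHADOW_FILE USER TODAY_DAYS
# Prints how many days ago USER's password was last changed. Field 3 of
# /etc/shadow is that date in days since the epoch; empty or 0 means the
# password was never changed, which is how an untouched default account looks,
# so print "never". Unknown users print "missing".
shadow_age_days() {
    awk -F: -v user="$2" -v today="$3" '
        $1 == user {
            if ($3 == "" || $3 == 0) { print "never" } else { print today - $3 }
            found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# audit_login_policy SSHD_CONFIG SHADOW_FILE TODAY_DAYS MAX_AGE_DAYS
# Returns 0 only if PermitRootLogin is explicitly "no" (an unset keyword falls
# back to the OpenSSH default, which is not "no") and both the root and idirect
# passwords were changed within MAX_AGE_DAYS. Prints one line per finding.
audit_login_policy() {
    rc=0
    prl=$(sshd_effective "$1" PermitRootLogin)
    if [ "$prl" = "no" ]; then
        echo "ok    PermitRootLogin no"
    else
        echo "FAIL  PermitRootLogin is '$prl' (expected no)"; rc=1
    fi
    for u in root idirect; do
        age=$(shadow_age_days "$2" "$u" "$3")
        case "$age" in
            never|missing) echo "FAIL  $u: password $age"; rc=1 ;;
            *) if [ "$age" -gt "$4" ]; then
                   echo "FAIL  $u: password is $age days old (limit $4)"; rc=1
               else
                   echo "ok    $u: password is $age days old"
               fi ;;
        esac
    done
    return $rc
}

# --- constructed sample files (not real iDirect server files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# sample sshd_config
Protocol 2
PermitRootLogin no
PasswordAuthentication=yes
Match User backup
    PermitRootLogin yes
EOF
# Day 15500 is 2012-06-09; "today" below is day 15564 (2012-08-12).
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:15500:0:99999:7:::
idirect:$6$constructedsalt$constructedhash:15560:0:99999:7:::
EOF

audit_login_policy "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/shadow" 15564 90
```

The Match block in the sample is deliberate: a `PermitRootLogin yes` inside a Match block does not reopen root login globally, and a `PermitRootLogin no` that exists only inside a Match block does not close it, so the parser reports "unset" for the latter and the audit fails it.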

    Disabling SNMP on NMS Servers when not Required

    An SNMP Proxy Agent running on the NMS server provides read access to the iDirect MIB and

    SNMP traps to an external SNMP Manager. If not used, this service should be disabled on the NMS server that runs the snmpsvr process.

    To disable the SNMP service:

    1. TBD

    2. .....

    Need procedure from engineering

    Disabling NMS Config Service on Non-Distributed NMS Servers

    iDirect recommends disabling the nms_config service on non-distributed NMS servers.

    Note: Do not perform this procedure on a distributed NMS. The NMS servers in a DNMS configuration require the nms_config service.

    To disable the nms_config service:

    1. TBD

    2. .....

    Need procedure from engineering.
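Both disable procedures above are still marked TBD in this draft. Whatever procedure engineering supplies, the check a practitioner wants afterwards is the same for the SNMP proxy agent and for nms_config: confirm that nothing is still bound to the service's port. As an added example, not from the iDirect note, the POSIX shell functions below read the kernel's socket tables (/proc/net/udp, /proc/net/tcp) directly, so they need neither netstat nor ss. SNMP's 161/udp is the standard port; the port used by nms_config is not given in the note and must be supplied by the operator. The socket tables embedded below are constructed samples in the /proc/net format.

```shell
#!/bin/sh
# Added example, not part of the iDirect technical note: verify that a service
# you have just disabled is no longer bound to its port by reading the kernel's
# own socket tables. /proc/net/udp and /proc/net/tcp list each socket's
# local_address as HEXIP:HEXPORT (IPv4 bytes little-endian on x86, so 0100007F
# is 127.0.0.1) and its state in the "st" column. Sample tables are constructed.

# listeners_on PROC_NET_TABLE PORT
# Prints ip:port for every socket in the table bound to decimal PORT that can
# receive traffic: tcp sockets in LISTEN (st 0A) and udp sockets that are bound
# but unconnected (st 07). Established connections on the same port are ignored.
listeners_on() {
    awk -v port="$2" '
        function hex2dec(h,    i, n) {
            n = 0; h = toupper(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return n
        }
        function hexip(h) {
            if (length(h) != 8) return h            # IPv6 tables: print raw hex
            return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
        }
        NR == 1 { next }                            # column header line
        {
            split($2, ep, ":")                      # $2 is local_address
            if (hex2dec(ep[2]) != port) next
            if ($4 != "0A" && $4 != "07") next      # $4 is the st column
            print hexip(ep[1]) ":" port
        }
    ' "$1"
}

# assert_not_listening PROC_NET_TABLE PORT
# Returns 0 when nothing is bound to PORT; otherwise lists the sockets, returns 1.
assert_not_listening() {
    found=$(listeners_on "$1" "$2")
    [ -z "$found" ] && return 0
    printf 'still bound to port %s:\n%s\n' "$2" "$found"
    return 1
}

# --- constructed sample tables in the format of /proc/net/udp and /proc/net/tcp ---
SAMPLE_UDP=$(mktemp); SAMPLE_TCP=$(mktemp)
trap 'rm -f "$SAMPLE_UDP" "$SAMPLE_TCP"' EXIT
cat > "$SAMPLE_UDP" <<'EOF'
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
EOF
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A000005:0016 0A000001:C3B4 01 00000000:00000000 00:00000000 00000000     0        0 11112 1 0000000000000000 20 4 30 10 -1
EOF

# 161/udp (SNMP) is still bound in the sample, so the first call reports it.
assert_not_listening "$SAMPLE_UDP" 161 || echo "(expected: SNMP still bound in the sample)"
assert_not_listening "$SAMPLE_UDP" 162 && echo "nothing bound to 162/udp"
# Live use after disabling the SNMP proxy agent:  assert_not_listening /proc/net/udp 161
```

On a live NMS server, an empty result from `listeners_on /proc/net/udp 161` (and from /proc/net/udp6, where addresses print as raw hex) means the SNMP port is free; the same call against /proc/net/tcp with the nms_config port confirms that service is down rather than merely stopped in a service manager.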

    Encryption of Backup Files Before Archiving

    iDirect provides a utility that Network Operators can use to back up the NMS databases. Some

    operators archive the resulting backup files on external storage. iDirect recommends encrypting backup files before copying them to external storage: the backups hold the network configuration that the NMS manages, so an unencrypted copy on shared or offsite storage is as sensitive as the NMS server itself. The Linux gpg command, which is available on the NMS server, is one method that can be used to encrypt the backup files before archiving.
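As an added example, not part of the iDirect note: a POSIX shell script that does what the paragraph above recommends with gpg, and adds the step operators usually skip, decrypting the result and comparing it with the original before the plaintext is deleted, so a backup that cannot be restored is never the only copy archived. It assumes the gpg binary is on PATH and uses symmetric AES-256 with a passphrase kept in a root-only file; the backup file name, the passphrase file, the temporary GNUPGHOME and the backup content are constructed for illustration. On the NMS server, point encrypt_backup at the file the backup utility produces, and keep the passphrase file off the archive media.

```shell
#!/bin/sh
# Added example, not part of the iDirect technical note: encrypt an NMS backup
# with gpg before it is copied to external storage, verify that the ciphertext
# decrypts to identical bytes, and only then remove the plaintext. Symmetric
# AES-256 with a passphrase file is assumed; file names below are illustrative.

# Symmetric mode needs no keyring, so an isolated GNUPGHOME keeps this example
# from touching the server's real one. Drop this line in production.
GNUPGHOME=$(mktemp -d); export GNUPGHOME

# GnuPG 2.1+ only reads --passphrase-file in batch mode with loopback pinentry;
# GnuPG 1.4 and 2.0 reject that option, so probe for it once.
gpg_flags() {
    if gpg --pinentry-mode loopback --version >/dev/null 2>&1; then
        echo "--batch --yes --pinentry-mode loopback"
    else
        echo "--batch --yes"
    fi
}

# encrypt_backup BACKUP_FILE PASSPHRASE_FILE
# Writes BACKUP_FILE.gpg plus BACKUP_FILE.gpg.sha256 (digest of the plaintext)
# and deletes BACKUP_FILE. Returns 1, keeping the plaintext and removing any
# partial ciphertext, if encryption or the round-trip check fails.
encrypt_backup() {
    in="$1"; out="$1.gpg"; pass="$2"
    gpg $(gpg_flags) --symmetric --cipher-algo AES256 \
        --passphrase-file "$pass" --output "$out" "$in" || return 1
    chk=$(mktemp)
    if gpg $(gpg_flags) --quiet --passphrase-file "$pass" --output "$chk" --decrypt "$out" \
        && cmp -s "$in" "$chk"; then
        rm -f "$chk"
        sha256sum "$in" | cut -d' ' -f1 > "$out.sha256"
        rm -f "$in"                       # plaintext must not reach the archive
        return 0
    fi
    rm -f "$chk" "$out"
    return 1
}

# restore_backup ENCRYPTED_FILE PASSPHRASE_FILE OUT_FILE
# Decrypts and checks the digest recorded at encryption time; non-zero on mismatch.
restore_backup() {
    gpg $(gpg_flags) --quiet --passphrase-file "$2" --output "$3" --decrypt "$1" || return 1
    [ "$(sha256sum "$3" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# --- constructed demo: a placeholder backup and a random passphrase (0600) ---
umask 077
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO" "$GNUPGHOME"' EXIT
BACKUP="$DEMO/nms_backup_20120813.sql"
PASSFILE="$DEMO/backup.pass"
printf 'nms database dump (constructed placeholder, not a real backup)\n' > "$BACKUP"
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$PASSFILE"

if encrypt_backup "$BACKUP" "$PASSFILE"; then
    echo "archive: $BACKUP.gpg and $BACKUP.gpg.sha256 (never $PASSFILE)"
fi
```

If keeping a passphrase on the server is unacceptable, the same flow works with public-key encryption (`gpg --encrypt --recipient <key>` in place of `--symmetric`), in which case the round-trip check needs the private key available at backup time or must be run on the restore host instead.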


    NMS Client Security

    iDirect recommends the following measures to ensure secure access to iDirect networks from the iBuilder and iMonitor clients.

    User Passwords and Permissions

    The NMS clients are preconfigured with the following users:

    • admin

    • guest

    At installation, use iBuilder to change the passwords for these users from their default

    settings. In addition, iDirect recommends creating NMS users with permissions tailored to the

    access level requirements of the network operators. Create strong passwords for all such

    accounts and change them periodically. See the iBuilder User Guide for your release for

    details on creating users.

    Client Access

    Access to iBuilder and iMonitor sessions should be strictly controlled. Network operators

    should always log out of any NMS clients when leaving workstations to prevent unauthorized

    access.

    Remote Access

    All remote access by NMS client applications to iDirect networks should be established over

    secure private networks.

    Console Password Security

    The following iDirect network elements are pre-configured with a user account and an admin account that allow access to the iDirect applications using a console terminal window.

    • Remotes

    • Line Cards

    • Protocol Processor Blades

    At installation, these passwords should be changed from the default on each of these network

    elements. Thereafter, these passwords should be changed periodically.

    All of these passwords can be changed in iBuilder by right-clicking the network element;

    selecting the Modify option from the menu; and applying the changes as required. (See the

    iBuilder User Guide for details.)

    Note: The user and admin console passwords for protocol processor blades are configured at the Protocol Processor level of the iBuilder tree and shared by all blades configured under that Protocol Processor.


    Clearing Data from Decommissioned Remotes and Line Cards

    iDirect recommends that you execute the zeroize command to erase sensitive data on all decommissioned remotes and line cards before discarding them.

    1. Open a console session to the remote modem or line card and log on to the admin account.

    2. At the command line prompt, enter the following command to remove all secure data:

    zeroize all

    If the zeroize command is unavailable, enter the command csp enable. Then execute the zeroize command again. If the command is still unavailable, contact the iDirect TAC.
