8/20/2019 iDirect Security Best Practices Technical Note
Security Best Practices
Technical Note
August 13, 2012
Copyright © 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited. Information contained herein is subject to change without notice. The specifications and information regarding the products in this document are subject to change without notice. All statements, information, and recommendations in this document are believed to be accurate, but are presented without warranty of any kind, express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand names and products mentioned in this document are the property of their respective owners. All such references are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's rightful owner.
Document Name: TN_Security Best Practices_Rev A_08132012 DRAFT.pdf
Document Part Number: T0000468
Revision History
The following table shows all revisions for this document. To determine if this is the latest
revision, check the TAC Web page.
Rev | Date Released | Reason for Change(s) | Who Updated?
A | MMM DD, 2012 | Initial release of document | JVespoli
Contents
About This Guide
    Purpose
    Intended Audience
    Contents Of This Guide
    Document Conventions
    Getting Help
Security Best Practices
    Hub and NMS Server Security
        Network Isolation and External Access
        Server Password Security
        Secure Server Connections
        Disabling SNMP on NMS Servers when not Required
        Disabling NMS Config Service on Non-Distributed NMS Servers
        Encryption of Backup Files Before Archiving
    NMS Client Security
        User Passwords and Permissions
        Client Access
        Remote Access
    Console Password Security
    Clearing Data from Decommissioned Remotes and Line Cards
About This Guide
Purpose
This technical note recommends basic security practices to help ensure that all components
of iDirect Networks are secure.
Intended Audience
This technical note is intended for iDirect Network Operators and System Administrators
responsible for ensuring that iDirect networks are secure.
Contents Of This Guide
This document contains the following major sections:
• “Hub and NMS Server Security”
• “NMS Client Security”
• “Console Password Security”
• “Clearing Data from Decommissioned Remotes and Line Cards”
Document Conventions
This section describes and illustrates the conventions used throughout the document.
Convention: Blue Courier font
Description: Used when the user is required to enter a command at a command line prompt or in a console.
Example: Enter the command:
    cd /etc/snmp/

Convention: Courier bold font
Description: Used when showing terminal display information such as output from a command or contents of a file.
Example:
    crc report all
    3100.3235 : DATA CRC [ 1]
    3100.3502 : DATA CRC [5818]
    3100.4382 : DATA CRC [ 20]

Convention: Bold Trebuchet font
Description: Used when referring to text that appears on the screen on a windows-type Graphical User Interface (GUI). Used when specifying names of commands, menus, folders, tabs, dialogs, list boxes, and options.
Example: 1. If you are adding a remote to an inroute group, right-click the Inroute Group and select Add Remote. The Remote dialog box has a number of user-selectable tabs across the top. The Information tab is visible when the dialog box opens.

Convention: Blue Trebuchet font
Description: Used to show hyperlinked text within a document.
Example: For instructions on adding a line card to the network tree and selecting a Hub RFT for the line card, see “Adding a Line Card” on page 108.

Convention: Bold italic Trebuchet font
Description: Used to emphasize information for the user, such as in notes.
Example: Note: Several line card model types can be configured as receive-only line cards.

Convention: Red italic Trebuchet font
Description: Used when the user needs to strictly follow the instructions or have additional knowledge about a procedure or action.
Example: WARNING! The following procedure may cause a network outage.

Getting Help
The iDirect Technical Assistance Center (TAC) is available to help you 24 hours a day, 365 days
a year. Software user guides, installation procedures, a FAQ page, and other documentation
that supports our products are available on the TAC webpage. You can access the TAC
webpage at: http://tac.idirect.net.
If you are unable to find the answers or information that you need, you can contact the TAC at (703) 648-8151.
Security Best Practices
This technical note recommends basic security practices to help ensure that all components
of iDirect Networks are secure. iDirect also recommends implementation of additional
security measures over and above these steps as required for your specific network
configurations.
Hub and NMS Server Security
An iDirect installation includes a number of Linux servers used to configure and run the
networks. These servers include:
• NMS servers for network configuration and monitoring
• Protocol Processor Blade servers to manage network traffic at the hub
• GKD servers to manage and distribute encryption keys
iDirect recommends securing all hub and NMS servers from unauthorized physical access.
In addition, iDirect strongly recommends implementing the security measures in the following
sections to protect the servers.
Network Isolation and External Access
In addition to limiting physical access to your servers, iDirect recommends isolating all
networks from external access to the extent possible. Access to the iDirect servers should be
protected behind a commercial-grade firewall.
If external access is required, iDirect recommends use of secure private networks.
• For VNO operators, all connections should be established through carefully managed
Virtual Private Networks (VPN).
• All iBuilder and iMonitor clients connecting to the NMS over a Wide Area Network (WAN)
should do so over a private network or VPN.
Server Password Security
iDirect Servers are shipped with default passwords. At installation, the passwords should be
changed from the default on all servers for the following users:
• root
• idirect (iDX Release 2.1 and later)
Thereafter, these passwords should be changed periodically. When selecting new passwords,
iDirect recommends that you follow common guidelines for constructing strong passwords.
Secure Server Connections
iDirect recommends using Secure Shell (SSH) for all remote logins to server machines. SSH was
designed as a secure replacement for Telnet and other remote shell protocols that do not
encrypt data. Once an SSH connection to a server is established, Telnet can be safely used from
within that session to open sessions on the local host, because that Telnet traffic never leaves
the server (a Telnet session to any other host would still cross the network unencrypted).
To further improve security, beginning with iDX Release 2.1, iDirect does not allow any
remote session (including SSH) to log on directly to the root account of an iDirect server.
Instead, use SSH to log on to a less privileged account such as the idirect account. Then enter
su - from the command line to become root if root access is required.
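The following POSIX shell audit is an added example, not part of the iDirect note, for confirming on a server that sshd actually enforces the rule above (no remote root login, SSH protocol 2 only). The sample configuration files are constructed, and the function names are the editor's assumptions. It also catches a pitfall that defeats many hardening attempts: sshd applies the first occurrence of a keyword, so a PermitRootLogin no appended below an earlier PermitRootLogin yes changes nothing.

```shell
#!/bin/sh
# Added example (not from the iDirect note): audit an OpenSSH sshd_config for
# the rules this section relies on. Function names and sample files are
# assumptions, not iDirect procedure.
set -eu

# effective_value <sshd_config> <keyword>
# Prints the value sshd will actually use. Two details matter for an audit:
# sshd honours the FIRST occurrence of a keyword and silently ignores later
# ones, and anything after a "Match" line is conditional, so scanning stops
# there. Keywords are case-insensitive; "Key value" and "Key = value" are
# both accepted; '#' starts a comment. Prints nothing if the keyword is unset.
effective_value() {
    awk -v key="$2" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        { n = split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd <sshd_config>
# Returns 0 when the file enforces the note's rule (no remote root login; log
# in as an unprivileged user such as idirect and use "su -") and runs SSH
# protocol 2 only. Each violation is reported on stdout.
audit_sshd() {
    cfg=$1
    rc=0
    v=$(effective_value "$cfg" PermitRootLogin)
    # OpenSSH's default ("prohibit-password" on current releases, "yes" on
    # older ones) still permits some root logins, so require an explicit "no".
    if [ "$v" != "no" ]; then
        echo "FAIL $cfg: PermitRootLogin is '${v:-unset}', want 'no'"
        rc=1
    fi
    v=$(effective_value "$cfg" Protocol)
    # SSH protocol 1 is cryptographically broken. An unset Protocol means
    # version 2 only on OpenSSH 7.4 and later, but an explicit "2" is safest
    # on the older OpenSSH releases an NMS server of this era may run.
    case "${v:-2}" in
        2) ;;
        *) echo "FAIL $cfg: Protocol is '$v', want '2'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not from a real server) for trying the audit.
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config: the common "fixed it at the bottom" mistake
Port 22
Protocol 2,1
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended later by an operator; sshd ignores it because the line above wins
PermitRootLogin no
EOF
}

write_good_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config: hardened per the note
Port 22
Protocol 2
PermitRootLogin = no
Match User idirect
    PasswordAuthentication yes
EOF
}

# Usage on a live server (as root, after logging in as idirect and su -):
#   audit_sshd /etc/ssh/sshd_config
# Reload sshd only after `sshd -t` accepts the edited file; otherwise the next
# SSH login may fail while the console is the only way back in.
```

Run the audit before and after editing sshd_config, and keep an existing SSH session open until a fresh login as the idirect account followed by su - has been confirmed to work.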
Disabling SNMP on NMS Servers when not Required
An SNMP Proxy Agent running on the NMS server provides read access to the iDirect MIB and
sends SNMP traps to an external SNMP Manager. If this capability is not used, the service should
be disabled on the NMS server that runs the snmpsvr process.
To disable the SNMP service:
1. TBD
2. .....
Need procedure from engineering
Disabling NMS Config Service on Non-Distributed NMS Servers
iDirect recommends disabling the nms_config service on non-distributed NMS servers.
Note: Do not perform this procedure on a distributed NMS. The NMS servers in a DNMS configuration require the nms_config service.
To disable the nms_config service:
1. TBD
2. .....
Need procedure from engineering.
Encryption of Backup Files Before Archiving
iDirect provides a utility that Network Operators can use to back up the NMS databases. Some
operators archive the resulting backup files on external storage. iDirect recommends
encrypting backup files before copying them to external storage. The Linux gpg command,
which is available on the NMS server, is one method that can be used to encrypt the
backup files before archiving.
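As an added example, not code from the iDirect note or from the NMS backup utility, the following POSIX shell script performs the gpg encryption step described above and adds two checks a practitioner wants before a backup leaves the server: a decrypt-and-compare round trip, so a bad passphrase file cannot produce an archive nobody can open, and a gate that refuses to archive a file that is not an OpenPGP message. The passphrase-file path, the function names and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example (not from the iDirect note): encrypt an NMS backup with gpg
# before it leaves the server. PASSFILE, the function names and the sample
# dump are assumptions, not iDirect procedure.
set -eu

# Passphrase kept in a root-only file, never on the command line (argv is
# visible to every local user in ps). Assumed path; create it once with:
#   umask 077 && head -c 32 /dev/urandom | base64 > /root/nms-backup.pass
PASSFILE="${PASSFILE:-/root/nms-backup.pass}"

# gpg_batch <gpg args...>: run gpg non-interactively with the passphrase
# file. --pinentry-mode loopback exists only in GnuPG 2.1 and later; GnuPG 1.x
# (as found on older NMS servers) honours --passphrase-file in --batch mode
# directly and rejects the option.
gpg_batch() {
    if gpg --version 2>/dev/null | head -n 1 | grep -q ' 1\.'; then
        gpg --batch --yes --quiet --passphrase-file "$PASSFILE" "$@"
    else
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$PASSFILE" "$@"
    fi
}

# encrypt_backup <plaintext> <output.gpg>
# Symmetric AES-256 encryption followed by a decrypt-and-compare round trip,
# so a wrong or empty passphrase file cannot yield an archive nobody can open
# once the plaintext is gone. On failure the output is removed and the
# plaintext is left in place.
encrypt_backup() {
    in=$1
    out=$2
    gpg_batch --symmetric --cipher-algo AES256 --output "$out" "$in"
    if ! gpg_batch --decrypt --output "$out.verify" "$out" \
       || ! cmp -s "$in" "$out.verify"; then
        rm -f "$out" "$out.verify"
        echo "round-trip check failed for $in; plaintext kept" >&2
        return 1
    fi
    rm -f "$out.verify"
}

# is_pgp_message <file>
# Gate for the copy-to-archive step. Binary output of gpg --symmetric starts
# with a Symmetric-Key Encrypted Session Key packet header: 0x8c (old-format
# tag 3) or 0xc3 (new-format tag 3). A plaintext SQL dump or a gzip tarball
# (0x1f 0x8b) fails this test and must not be shipped off the server.
is_pgp_message() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "8c" ] || [ "$first" = "c3" ]
}

# demo: run the whole flow on a constructed stand-in for an NMS database dump
# inside a throwaway directory, and print the path of the encrypted file.
demo() {
    work=$(mktemp -d)
    # Private keyring directory so the example never touches the real ~/.gnupg.
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    PASSFILE="$work/pass"
    printf 'demo-only passphrase, not for production\n' > "$PASSFILE"
    printf '/* constructed sample, not a real NMS dump */\nINSERT INTO remotes VALUES (1);\n' \
        > "$work/nms_backup.sql"

    is_pgp_message "$work/nms_backup.sql" && return 1   # plaintext: rejected
    encrypt_backup "$work/nms_backup.sql" "$work/nms_backup.sql.gpg"
    is_pgp_message "$work/nms_backup.sql.gpg" || return 1
    rm -f "$work/nms_backup.sql"        # only after the verified round trip
    echo "$work/nms_backup.sql.gpg"
}

# Usage on the NMS server, after the backup utility has produced its file:
#   encrypt_backup nms_backup.sql nms_backup.sql.gpg \
#       && is_pgp_message nms_backup.sql.gpg && cp nms_backup.sql.gpg /mnt/archive/
# Run this script with --demo for a self-contained dry run.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Keep the passphrase file off the archive media and in the same custody as the root password: an encrypted backup whose passphrase is archived beside it protects nothing, and one whose passphrase is lost cannot be restored.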
NMS Client Security
iDirect recommends the following measures to ensure secure access to iDirect networks from
the iBuilder and iMonitor clients.
User Passwords and Permissions
The NMS clients are preconfigured with the following users:
• admin
• guest
At installation, use iBuilder to change the passwords for these users from their default
settings. In addition, iDirect recommends creating NMS users with permissions tailored to the
access level requirements of the network operators. Create strong passwords for all such
accounts and change them periodically. See the iBuilder User Guide for your release for
details on creating users.
Client Access
Access to iBuilder and iMonitor sessions should be strictly controlled. Network operators
should always log out of any NMS clients when leaving workstations to prevent unauthorized
access.
Remote Access
All remote access by NMS client applications to iDirect networks should be established over
secure private networks.
Console Password Security
The following iDirect network elements are pre-configured with a user account and an admin account that allow access to the iDirect applications from a console terminal window:
• Remotes
• Line Cards
• Protocol Processor Blades
At installation, these passwords should be changed from the default on each of these network
elements. Thereafter, these passwords should be changed periodically.
All of these passwords can be changed in iBuilder by right-clicking the network element;
selecting the Modify option from the menu; and applying the changes as required. (See the
iBuilder User Guide for details.)
Note: The user and admin console passwords for protocol processor blades are configured at the Protocol Processor level of the iBuilder tree and shared by all blades configured under that Protocol Processor.
Clearing Data from Decommissioned Remotes and Line Cards
iDirect recommends that you execute the zeroize command to erase sensitive data on all
decommissioned remotes and line cards before discarding them.
1. Open a console session to the remote modem or line card and log on to the admin
account.
2. At the command line prompt, enter the following command to remove all secure data:
zeroize all
If the zeroize command is unavailable, enter the command csp enable. Then execute
the zeroize command again. If the command is still unavailable, contact the iDirect
TAC.