nsp security concepts date issued february 2007 document reference & release version...
TRANSCRIPT
NSP Security Concepts
Date issued February 2007
Document reference & release version
TR-IAS-22-03 - Ed 1.6
These presentation materials describe Tekelec's present plans to develop and make available to its customers certain products, features and functionality. Tekelec is only obligated to provide those deliverables specifically included in a written agreement signed by Tekelec and customer.
Training documentation
Notes
1
NSP Security Training Manual
This Training Manual is in accordance with Tekelec NSP
Issued February 2007 .
Copyright
© 2006 TEKELEC France. All rights reserved
In accordance with its policy of constant product improvement, TEKELEC France reserves the right to change the information in this manual without notice. No part of this manual may be photocopied or reproduced in any form without the prior written permission of TEKELEC France.
Software license notice
Your license agreement with TEKELEC France specifies the permitted and prohibited uses of the product. Any unauthorized duplication or use
of Tekelec NSP, in whole or in part, in print or in any other storage and retrieval system, is prohibited. Trademarks
All product names mentioned are trademarks of their respective owners.
Tekelec France
Headquarters Mulhouse Office Paris Office Le Meltem Parc de la Mer Rouge 60 avenue du Centre 2 allée des Séquoias 20E rue Salomon Grumbach 78180 Montigny le Bretonneux 69578 Limonest Cedex 68059 Mulhouse Cedex (France) (France) (France)
Tel: +33 4 3749 7530 Tel: +33 3 8933 4900 Tel: +33 1 6137 0210 Fax: +33 4 3749 7575 Fax: +33 3 8933 4939 Fax: +33 1 6138 3173
E-mail: [email protected] Website: www.tekelec.com
Training documentation ‘06 | 2
Notes
2
Class outline
•This class is intended to provide you with a full introduction to NSP Security as well as an understanding of its basic concepts and operations.
•Class Outline includes the following sections: - About the Class
Training objectives - Introducing NSP General architecture NSP functional key points - NSP security Concepts NSP security features
Families
Security concepts - Privileges Privileges groups
Feature access example Authorizations
- Privacy Why Privacy ?
Privacy rights for objects - Security Policy - NSP security Learn more NSP security
concepts and configuration Why Users, Groups and roles Security Policy example Security implementation Lesson review
Training documentation ‘06 | 3
Notes
3
Purpose of NSP
•NSP was conceptualized as a software framework
Provide a reusable set of common features Well documented APIs and How-To
•NSP facilitates building of business solutions and products
For Tekelec-CSSG business applications
NSP developed once, applications developed every where
• It is based on a J2EE architecture
Scalability, reliability, portability
Development focused on business
• NSP Allowed creation of a coherent central configuration database
Configuration is applied locally from the central database.
•All applications running on NSP have web based GUI
No installation needed on client side
Training documentation ‘06 | 4
Notes
4
Training objectives
• After this training you will be able to:
Know the main concepts of the security in NSP Know
the concepts of Privileges, Profile and Privacy Know
the Security Policy recommendation
Training documentation ‘06 | 5
Notes
5
Introducin
g NSP
Training documentation ‘06 | 6
Notes
6
General architecture
Workstations
Weblogic Oracle server
LAN / WAN based on IP Maintenance
web browser
Acquisition System
Training documentation ‘06 | 7
Notes
•Acquisition system
All the IAS core part : acquisition servers (MSW, …), xDR processing servers (ICP, ProTraq, …), storage servers (DataServer, xDR DataWarehouse, …)
•Weblogic & Oracle server
It is the main NSP server, Weblogic is the framework for the NSP platform, while Oracle Data Base contains all its configuration.
•Workstations
End-users computers, with web browser installed
•Maintenance web browser
Either one of the end-users computers or a separate one, it only needs a web browser.
7
NSP functional key points
• Centralized Configuration No data entered twice
Consistency guaranteed Applied to remote applications
Automatic mechanism to discover existing configurations
• Security management
Authentication: verification of users’ identity Authorization: access control to resources Confidentiality: privacy to protect sensitive data
• Monitoring List of system alarms bundled as a feature of NSP
• Main IAS business applications exist on NSP xDR Browser, ProPerf, ProTraq configuration, ProAlarm, Alarms Forwarding…
Full set of applications for every days business
Training documentation ‘06 | 8
Notes
8
NSP
security
Concepts
Training documentation ‘06 | 9
Notes
9
NSP security features
• Purpose of NSP security features :
Authentication : Identity verification part. Make sure the user is who he claims to be.
Authorization : Features access control and Privileges part. Make sure that each feature is only granted to the users who have the privilege for it.
Confidentiality : Data Privacy part.
Make sure each data is only available for the users who have the rights to access it.
Training documentation ‘06 | 10
Notes
3 security aspects :
•Authentication : part of user and password management
•Authorization : part of access control to NSP functionalities
- for example : access to an application (ProTraq, …), or to a specific application feature (create new Protraq configurations, …)
•Confidentiality : part of access control on DATA (same principle as authorization but on data objects) - for example : access control on each DataServer sessions, on ProTraq sessions, …
10
Families
• According to the privileges associated to each users, three different families of applications are available from the NSP Portal
Business Family
Configuration Monitoring
Family Family
Training documentation ‘06 | 11
Notes
3 applications families are accessible depending on users privileges :
• Business : all NSP end-user applications are located in this area, this include xDR Browser (formerly ProScan), Properf graphs, ProTraq statistics, …
• Configuration : this part contains all the tools to configure the IAS platform : links monitored, xDR sessions and ProTraq configurations, Alarms configuration, …
• Monitoring : this part is only intended to NSP administrators and permits to check the internal logs (both applicative and system logs)
The access to these areas is made according the users’ Privileges.
11
Security Concepts
• With NSP it is possible to manage the access to The features (through Privileges)
The data (through Privacy)
• To use NSP applications and data
Users are created
Each user is defined by
Login/password to access the NSP A Profile
One or more privileges One or more privacies
Training documentation ‘06 | 12
Notes
12
Security Concepts
CONCEPTS NSPBusinessXXX or WEBLOGIC NSP
NSPConfigurationXXX or
NSPMonitoringXXX
Privileges
Privacy User Profile Privacy
Role
Login Password Privileges Privacy
Profile Privacy Allows to share declared in NSP objects
Training documentation ‘06 | 13
Notes
13
Privileges
Training documentation ‘06 | 14
Notes
14
Privileges Groups
• Access to the features
3 NSP families exist : Business, Configuration and Monitoring Business group gives the possibility to use completely or partially xDR Browser, ProPerf and ProAlarm Viewer
Configuration group gives the possibility to use completely or partially xDR Browser, ProPerf, ProTraq, ProAlarm Configuration and System configuration
Monitoring group gives the possibility to use System alarms and Log Viewer
For each features group, 3 levels are defined with different privileges User : Basic User : can only use the system for exploitation
Power user : User with more privileges than the User Manager : Manager
of the family (Business, Configuration, Monitoring) Plus one Administrator
Administrator of the NSP platform (can do anything, can view anything)
Training documentation ‘06 | 15
Notes
15
Privileges groups
Administrator
BusinessManager ConfigurationManager MonitoringManager
BusinessPowerUser ConfigurationPowerUser MonitoringPowerUser
BusinessUser ConfigurationUser MonitoringUser
Training documentation ‘06 | 16
Notes
Each family has 3 levels of Privileges and with administrator, there are 10 different ones : • Administrator
• Business Users, Business Power Users, Business Managers • Configuration Users, Configuration Power Users, Configuration Managers • Monitoring Users, Monitoring Power Users, Monitoring Managers
16
Features access example
• Example of functions access control :
Creation of queries in xDR Browser requires the BusinessPowerUser Privilege
So a BusinessPowerUser and above (BusinessManager, Administrator) can create queries in xDR Browser
But a BusinessUser can’t create filters, he can only list and execute queries.
BusinessManager The features from a lower level Privilege are all granted to the upper level Privilege
xDR Browser : Create BusinessPowerUser List & Execute queries
List & Execute BusinessUser
Training documentation ‘06 | 17
Notes
17
Authorizations for Business Family
BusinessManager
Application Component Functionality BusinessPowerUser
BusinessUser
List Sessions
HyperLink(Execute )
List
Edit
Queries Add
Delete
HyperLink(Execute ) xDR Browser
Add (Upload )
Results HyperLink(Download )
Delete
Roles Change
Export Export(Execute )
xDR xDRLayout(View )
Full decoding xDRLayout(View )
map All
ProAlarm Terminate an alarm Viewer alarm list Create a filter
Other
ProPerf dashboard view All
Training documentation ‘06 | 18
Notes
Business Power User includes specifics rights and Business User rights.
means rights of role
means rights inherited from the level n-1
18
Authorizations for Configuration Family
ConfigurationManager
Application Component Functionality ConfigurationPowerUser
ConfigUser
ProAlarm ProAlarm All
Configuration configuration
Forwarding Configuration All
List
Edit xDR Browser Schedule
Add
Delete
Consult
Create
Stats configurations Update
Change rights
Delete
ProTraq Consult
Set
Configuration Activate applying Deactivate
Change rights
Delete
Training documentation ‘06 | 19
Notes
Configuration Manager includes specifics rights and Configuration Power UserandConfiguration Userrights.
19
Authorizations for Configuration Family
ConfigurationManager
Application Component Functionality ConfigurationPowerUser
ConfigUser
Consult
Create ProPerf dashboard config
Update
Delete
Consult Host, Application,
Modify Session, Dictionary Delete
System Config Activate
Deactivate Configuration applying Set
Delete
Training documentation ‘06 | 20
Notes
20
Authorizations for Monitoring Family
MonitoringManager
Application Functionality MonitoringPowerUser
MonitoringUser
Terminate an alarm
System Alarms Manage filters
Other
Log Viewer Display
Training documentation ‘06 | 21
Notes
Monitoring User includes specifics rights (System Alarms - Other and Log viewer - Consult).
21
Privacy
Training documentation ‘06 | 22
Notes
22
Why Privacy ?
• To control access to Data
A User (object owner) can share his data objects to another Privacy using the Privacy rights (R, W, X)
It means, the user must have created the object.
Privacy rights are set to objects
Users are assigned to these Privacy through Profiles A User can be associated to one or several Privacies
• Data objects to share :
xDR and statistics sessions Filters
ProTraq configurations ProPerf Dashboards
• Users can create new Privacy for precise data access rights •
Administrator has access to all objects
Training documentation ‘06 | 23
Notes
23
Privacy rights for objects
Application Object Class eXecute Write Read
xDR session Open session N/A View session in list xDR Browser View and read query
queries Execute query Change query Save it with a new name
ProTraq Config Apply/activate/… Change View configuration
ProTraq statistic sessions Open session N/A View session in list Configuration
Alarms
View panel & KPI list of ProPerf dashboard View dashboard Change configuration
dashboard
Forwarding filters
Managed Objects
filters ProAlarm
Maps
Aggregated objects
host Run discover Update and delete view attributes
applications: Data Server, Run discover (when Update and delete view attributes System MSW, ICP, IMF applicable)
Configuration xDR session N/A Update and delete view attributes
Dictionary, Protocol, Stack N/A N/A N/A
Training documentation ‘06 | 24
Notes
24
Security Policy
Training documentation ‘06 | 25
Notes
25
Security policy
• The security policy must be defined for
access to features (through Privileges) access to data (through Privacy)
• Ideally, this should be defined before the configuration on the NSP starts.
• Profiles of Users usage. A Profile will be an easy way to grant Privileges and Privacy to a user.
• The typical way a company is organized is a separation of data between different regions or different departments.
You protect access to your data
You can only use what you need
Within a department of a company, some users will be allowed to do some configuration tasks, and others will only be able to display a dashboard or query xDRs with some predefined queries.
Training documentation ‘06 | 26
Notes
26
NSP
security
Learn more
Training documentation ‘06 | 27
Notes
27
NSP security concepts and configuration
CONCEPTS WEBLOGIC NSP Privileges
Privacy User Profile Privacy
Role
CONFIGURATION Role Privileges
NSPxxx Role
Group NSPxxx
Group Group Privacy User Role
PRFxxx PRIVxxx Role
Training documentation ‘06 | 28
Notes
• The users are defined in the Weblogic console. They are granted access for features and data through the Profiles.
• The NSPxxx roles and groups are already defined and cannot be modified.
• The roles and groups related to Privacy must be created. Only Privacy Roles will be declared manually and appear in the NSP.
28
Why Users, Groups and Roles
• Why groups and roles in Weblogic Configuration
The access to NSP is managed by an embedded LDAP server. LDAP knows groups and users
The application server used by NSP manages the access to the features and data through groups and roles
A link between users and roles must be done This link is made through groups
• Different types of Roles
Predefined Privileges roles for the access to the features (NSPxxx) User defined Privacy Roles for the access to the data Those Roles are not linked together
A Role is always associated to a group
Training documentation ‘06 | 29
Notes
• Roles
•The Privileges roles names NSPxxx are predefined in the system and cannot be modified. They are used by NSP to control the access to the features for the users.
•At least one Privacy role must be created to manage the access to the data. The roles for data access are created in the Weblogic console and then declared in the NSP with the security application
29
NSP Security example
• Example of 2 different departments within a company
NET department: manage SS7 Network surveillance Need for users doing configuration tasks and simple users
QOS department: manage QoS and Fraud
Need for users doing configuration tasks and users for troubleshooting on QoS data
Need to reduce access to a subset of data on fraud, and limit possible operations
This is translated into the following security policy
Training documentation ‘06 | 30
Notes
30
NSP Security example
• NET department: manage SS7 Network surveillance Profile Net Managers
Feature access is configuration and business manager: almost no restriction on feature access Privacy is NET
Profile Net Users Feature access is Business Users: they can execute queries on sessions, view dashboards they have access to Privacy is NET
•QOS department: manage QoS and Fraud Profile Qos&Fraud Managers
Feature access is configuration and business manager: almost no restriction on feature access. Privacy is QOS and FRAUD
Profile QOS Power Users Feature access is Business Power Users. they can create queries, but they can’t create dashboards. Privacy is QOS
Profile FRAUD Users Feature access is Business User: they can execute queries on sessions, view dashboards they have access to Privacy is FRAUD
Training documentation ‘06 | 31
Notes
31
Security policy example
• The different Profiles with features access
NET dept Quality dept
QoS &Fraud Managers Sessions Sessions Net Managers Access & Create Access & Create on everything
on everything
Filters Filters
Access ProTraq Config ProTraq Config & Create
QoS B. Power Users ProPerf ProPerf Access Dashboards Dashboards
Net Users
Access Fraud B. Users
Training documentation ‘06 | 32
Notes
• In each dept :•The managers can do all actions on the objects
•The users can only access to all or only part of the sessions, filters and dashboards. They cannot access to the ProTraq configurations, only to the results if the privacy is applied.
• Specific for the Quality dept :
•The Power users can do everything a simple user can do, as well as creating filters.
32
Security policy example
NET dept CONFIGURATION WEBLOGIC NSP
Group Group Group NSPBusinessManagers NSPConfigManagers NSPMonitoringManagers
Group Users PrfNetManager
Privacy Group Role Role Group PrivNET NET
NSPBusinessUser NET
Group Users PrfNetUsers
Training documentation ‘06 | 33
Notes
33
Security policy example
Quality dept CONFIGURATION WEBLOGIC NSP
Group Group Group NSPBusinessManagers NSPConfigManagers NSPMonitoringManagers
Group Users PrfQOS&FRAUDManager
Group Privacy NSPBusinessPowerUser Group Role Role
PrivFRAUD FRAUD Fraud
Group Users PrfQOSPowerUsers
Privacy Group Role Role PrivQOS QOS
QOS Group
NSPBusinessUser
Group Users PrfFRAUDUsers
Training documentation ‘06 | 34
Notes
34
Security policy example
• Example for Data privacy control
The QOS team wants to share access to one of its dashboard to the FRAUD team.
The owner of the dashboard can give Read & eXecute privilege to FRAUD Privacy.
Access control for the FRAUD group
NET
Training documentation ‘06 | 35
Notes
• In NSP the Privacy roles must be declared BUT the groups (PRIVxxx, PRFxxx, NSPxxx) don’t appear. •They are used to share objects with others users.
35
Security implementation
• During implementation:
1 Administrator for all the operations done by Tekelec User TEKELEC with the role NSPAdmin
1 Administrator for all the administrative operations that could be done by the customer
User CustomerAdmin with the role NSPAdmin
Those Administrators users should be used only for maintenance Should not be owner of any object = should not do a Discover
Privacy names should be prefixed with PRIV Profiles names should be prefixed by PRF Privileges names are prefixed by NSP by default
Training documentation ‘06 | 36
Notes
• Users
•A login is created for each user, because
-The preferences are linked to each user. Preferences in the NSP applications are for Point codes format, directory where to export some results, the alarms presentation, …
-In the logs, the owner of the object appears and it is possible to follow the user activity (today only error, but in a next version all the activity of an user).
• Recommandation
•It is recommended to prefix: -The access privacy groups by Priv -The profiles of users by Prf
- it is easier to manage these different elements in the Weblogic console
36
Security implementation
• During implementation:
For each Department In a small context, only one Privacy is necessary
Otherwise several Privacy Roles have to be created : they can be defined by geographical areas, by services, … (i.e. PrivQOS and PrivFraud) For each Privacy, create a Profile with the Privilege NSPConfigManagers (i.e. PrfNetManagers). These users will do all the necessary discovers (hosts, applications, sessions) and will affect the privacy on the objects for the other users of this group
Create all the other necessary Profiles (i.e. PrfNetUsers, PrfQosPowerUsers…) with at least one Privacy assigned to them Assign users to their corresponding Profile
Training documentation ‘06 | 37
Notes
37
Lesson Review
• Q - What are the 3 elements of the security for NSP ?
• Q - What defines a user ?
• Q - What is the purpose of a NSPxxx Privilege group ?
• Q - What defines the access to data ?
• Q - What is a Profile and what is its purpose ?
Training documentation ‘06 | 38
Notes
38