Nsn Bss Mbss

Feb 09, 2018

Suresh Rao J
  • 7/22/2019 Nsn Bss Mbss

    1/21

    Node Name

    BSS__________________________________________________________________________________________________________________

    Uninor Internal 1

    Minimum Baseline Security Standard
    Base Station Subsystem
    Make: NSN
    Platform: DX-200
    O&M unit: OMU (Operation and Maintenance Unit)

    Unitech Wireless Tamilnadu (P) Ltd.

    Copyright

    All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of Unitech Wireless Tamilnadu (P) Ltd. The information contained in this document is confidential and proprietary to Unitech Wireless Tamilnadu (P) Ltd. and may not be used or disclosed except as expressly authorized in writing by Unitech Wireless Tamilnadu (P) Ltd.

    Trademarks

    Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

    Table of Contents

    Introduction
    Use of the Document
    Warning
    Purpose
    General Security Controls
    Control Categories
    Detailed security controls

    Introduction

    This document is to assist the operations team in deploying a minimum baseline security configuration on the node. The configuration standards detail many important items such as user account management, password management, interfaces, ports, audit logging, monitoring and node-specific security configuration. However, due to the constant changes and variations in operating system security issues and configurations, this document should be considered a general guideline and starting point.

    Use of the Document

    The MBSS document is for INTERNAL USE ONLY. It should be kept within the organization and treated as Uninor Internal as per the Information Classification Guidelines mentioned in Uninor Information Security Policy ver 3.0. It is not to be distributed to the Original Equipment Manufacturers and/or to Managed Service Partners.

    Warning

    This MBSS document and the accompanying guidance material is technically complex and is designed for use by trained security specialists performing the work under the direction of either a security partner or manager. Operations teams wishing to have these services performed for an organization should contact the designated security support staff within their office or territory. Partners or managers should ensure that staff assigned to perform the work have the necessary technical training and have the appropriate technical reference materials and specialist support. Staff should, therefore, obtain partner approval before using this material.

    Purpose

    This MBSS document relates to the Base Station Subsystem (BSS) of Nokia Siemens Network. It is intended for use by technical security practitioners for implementation of minimum General Security Controls.

    A technical environment is comprised of a number of inter-related elements that include:

    - Applications;
    - Databases;
    - Communications infrastructure elements; and
    - Hardware.

    The primary focus of this technical practice aid is to provide a minimum baseline security standard for the Base Station Subsystem (BSS) that includes properties, features and operating system of the respective product.

    General Security Controls

    General Security Controls work requires the examination of both technology-specific and technology-independent controls. For example, configuration parameter, program and data file security controls will normally be specific to the underlying technical environment, whereas security process review controls will largely be independent of the technical environment in use.

    Often, it is a combination of these two types of controls that provides the most robust approach to the implementation of an effective control environment. For example, whilst a number of technology-specific auditing controls can be implemented, unless a procedure exists for reviewing and acting upon the logged information, the technical control is ineffective.

    To complete a comprehensive set of general security controls, in addition to the MBSS document, the operations team will require an understanding of the following platform independent areas:

    - Uninor Information security policy and procedures;
    - Change and Problem Management;
    - Incident Management;
    - System Development;
    - Disaster Recovery and Contingency Planning; and
    - Physical Security.

    Control Categories

    The following control categories are included in the MBSS document.

    Control Category 1: User Accounts and Groups
    A control that restricts user access to the technology. This includes account permissions, sensitive system user interfaces, and related items.

    Control Category 2: Password Management
    A control that must be enabled/implemented to ensure that only true and authorized users gain access to a system. This includes password complexity, aging, account locking, etc. parameters.

    Control Category 3: Interface, Ports and Services
    A control that must be performed either manually or automated on a regular basis to disable or delete unused ports and services and restrict services that transfer data in clear text.

    Control Category 4: System Updates
    A control that must be performed either manually or automated on a regular basis. This includes any procedure that a security administrator or system administrator would continually or periodically perform such as installation of hot fixes, security patches, etc.

    Control Category 5: File Access Control
    A control that restricts access to critical configuration files, operating systems, etc.

    Control Category 6: Audit logging and Monitoring
    Any control that logs user, administrative or system activity. Any control that assists in, or performs, system event logging or the monitoring of the security of the system.

    Control Category 7: Node properties and feature configurations
    A control that must be enabled/implemented via a system-level parameter, or upon installation of the node/device, that affects the technology at an overall system level. This includes network services enabling/disabling, boot sequence parameters, system interface, etc.

    Detailed security controls:

    SN | Control Area | Control Description | Control Objective/Rationale | Implementation Guidance | Mitigating Control, if any | Implementation Status

    1. User Accounts and Groups

    1.1 Unique User ID
    Control Description: Individual users should be assigned a separate user ID for BSC authentication in accordance with Uninor Security policy.
    Control Objective/Rationale: The audit trail is of limited or no use if there are shared accounts. The use of individual accounts creates accountability for each individual.
    Implementation Guidance: Assign unique IDs for all users having access to the system.
    Implementation Status: Implemented. All users have unique user id.

    1.2 Privileged accounts
    Control Description: User IDs which disclose the privileges associated with them should not be created (e.g. ADMINISTRATOR, monitor, config, etc.).
    Control Objective/Rationale: Knowing the name of an account on a machine can be valuable information to an attacker. Enforcing this security control makes it more difficult for unauthorized users to guess and gain access to accounts such as ADMINISTRATOR, monitor, config, etc. and ultimately the system.
    Implementation Guidance: Delete all the privileged IDs from the system and review the system IDs periodically. Instead, another user account with equal administrator privileges is to be created so that the ADMINISTRATOR, etc. user account can be deleted.
    Implementation Status: Implemented

    1.3 Account expiry
    Control Description: Third party user accounts created to access the BSC must have an associated expiry date.
    Control Objective/Rationale: Attributing an expiry date to a third party user account with respect to the duration of the service contract will ensure automatic disabling of such accounts and hence strengthen user access management.
    Implementation Guidance: Identify and review third party user IDs created on the system. Keep documented evidence in a separate file for the expiry date of third party user IDs with the administrator.
    Implementation Status: Implemented (same is validated by Uninor password authorization form)

    1.4 Default Accounts
    Control Description: Factory default user accounts and guest user accounts on BSCs such as ROOT, SYS, ericsson, zte, etc. must be removed from the systems.
    Control Objective/Rationale: Disabling the factory default user accounts will prevent unknown users being authenticated as ericsson, zte, SYS, etc. Disabling these accounts will reduce the system's remote unauthenticated attack surface and ensure that only specific security principals can access resources on the system.
    Implementation Guidance: Delete all the privileged IDs from the system and review the system IDs periodically. In case any of the factory accounts is required, a different user account with equal privileges can be created so that factory default accounts can be deleted.
    Implementation Status: Implemented (some of the profiles in the NSN system cannot be removed due to system limitation, as those are fixed for OSS usage and critical for KPIs). Exceptions to be approved by Uninor IS team.

    1.5 Dormant Accounts
    Control Description: Dormant user accounts should be deactivated after the number of days that is specified in the Uninor Information Security Policy guidelines for inactive accounts.
    Control Objective/Rationale: Dormant user accounts increase the risk that unauthorized users could potentially use these accounts to gain access to the system.
    Implementation Guidance: Delete all the system/default IDs from the system and review the system IDs periodically.
    Implementation Status: Implemented; validation and signoff is done quarterly.

    1.6 Log ON error message
    Control Description: System error message should not disclose any details on logon failures.
    Control Objective/Rationale: Logon failure message may act as a source of information for an unauthorized user to access the system. Information such as invalid user ID or invalid password would help an unauthorized user to understand his mistakes while accessing the system. Logon failure messages may further let an attacker guess the invalid input.
    Implementation Guidance: Configure logon banner on the system.
    Implementation Status: Incorrect login shows: user authorization failure; after three consecutive failures a time delay is applicable.

    1.7 Password prompt
    Control Description: Unattended terminals must automatically blank the screen and suspend the session after the amount of time specified in the Uninor Information Security Policy. Re-establishment of the session must take place only after the user has provided a valid password.
    Control Objective/Rationale: Unattended workstations where users have left themselves logged in present a special attraction for vandals. A vandal can access the person's files with impunity. Alternatively, the vandal can use the person's account as a starting point for launching an attack against the system or the entire network: any tracing of the attack will usually point fingers back toward the account's owner, not to the vandal.
    Mitigating Control: This control can be mitigated by using the Windows screensaver lockout feature on local workstations.
    Implementation Status: NSN system has auto logout after 15 minutes; local workstation Windows screensaver lockout is also activated.
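
    The checks in controls 1.1 to 1.5, run over an exported account list. This is an added example, not part of the standard or of any NSN tooling; the record layout, the sample accounts and the 90-day dormancy threshold are assumptions (the standard leaves the threshold to the Uninor Information Security Policy).

```python
from datetime import date
from typing import NamedTuple, Optional

# Account names quoted in controls 1.2 and 1.4 of this standard.
PRIVILEGE_REVEALING = {"administrator", "monitor", "config"}
FACTORY_DEFAULT = {"root", "sys", "ericsson", "zte"}


class Account(NamedTuple):
    """One row of a hypothetical account export."""
    user_id: str
    third_party: bool
    expiry: Optional[date]       # None = no expiry date recorded
    last_login: Optional[date]   # None = never logged in
    holders: int = 1             # number of people who use this ID


def audit(accounts, today, dormant_days):
    """Return {user_id: [finding, ...]} for accounts that break controls 1.1-1.5."""
    report = {}
    for acc in accounts:
        issues = []
        name = acc.user_id.lower()
        if acc.holders > 1:
            issues.append("1.1 shared user ID")
        if name in PRIVILEGE_REVEALING:
            issues.append("1.2 ID discloses privilege")
        if acc.third_party and acc.expiry is None:
            issues.append("1.3 third-party account without expiry date")
        elif acc.third_party and acc.expiry < today:
            issues.append("1.3 third-party account past expiry date")
        if name in FACTORY_DEFAULT:
            issues.append("1.4 factory default account")
        # An account that has never logged in is treated as dormant as well.
        if acc.last_login is None or (today - acc.last_login).days > dormant_days:
            issues.append("1.5 dormant account")
        if issues:
            report[acc.user_id] = issues
    return report


# Constructed sample export; IDs, dates and the threshold are placeholders.
SAMPLE_TODAY = date(2013, 1, 15)
SAMPLE_DORMANT_DAYS = 90
SAMPLE_ACCOUNTS = [
    Account("OPS_A01", False, None, date(2013, 1, 10)),
    Account("ADMINISTRATOR", False, None, date(2013, 1, 14)),
    Account("zte", False, None, None),
    Account("VENDOR7", True, None, date(2013, 1, 2)),
    Account("VENDOR8", True, date(2012, 12, 31), date(2012, 9, 1)),
    Account("NOCSHIFT", False, None, date(2013, 1, 15), holders=4),
]

if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY, SAMPLE_DORMANT_DAYS)
    for user, issues in result.items():
        print(f"{user}: {'; '.join(issues)}")
```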

    2. Password Management

    2.1 Complexity
    Control Description: BSC should enforce that passwords must meet the complexity requirements in accordance with Uninor information security policy.
    Control Objective/Rationale: Enforcing password complexity requirements reduces the probability of an attacker determining a valid credential. Easily derived passwords undermine system security by making user accounts easy to access. Once an intruder gains access to a user account, they can modify or delete files or processes owned by that user.
    Implementation Status: Implemented

    2.2 Default passwords
    Control Description: Default temporary passwords assigned to the users must be changed after first login.
    Control Objective/Rationale: Requiring new users to change their password upon first login ensures that the temporary password (recorded in writing) will not be in use. Additionally, by having users create their own passwords the chance of them remembering their password is significantly increased.
    Implementation Status: Implemented

    2.3 Password Age
    Control Description: Password should be changed regularly in accordance with the Uninor Information Security Policy.
    Control Objective/Rationale: A password's lifetime should be short enough to reduce the risk that the password will be compromised and long enough that users will not need to keep a written record of the password. The risk that passwords will be compromised is reduced by frequently changing the password of all the user accounts created to access the BSC.
    Implementation Guidance: Strong Password shall -
    - Be at least 10 characters in length
    - Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
    - Have at least one numerical character (e.g. 0-9)
    - Have at least one special character (e.g. ~! @#$%^&*()_-+=)
    - Last three passwords will not be used again.
    - Dates of birth, names of family members, and other combinations of such personal details which can be connected to the individual or can easily be guessed should not be used.
    - Words found in dictionaries should not be used.
    Implementation Status: Implemented.

    2.4 Account Lock
    Control Description: The account lockout feature, disabling an account after a number of failed login attempts, should be enabled and the related parameters should be set in accordance with the Uninor security policy and guidelines.
    Control Objective/Rationale: Unauthorized users may gain access to a system by running a program which guesses user passwords through brute force attacks. Without the lockout feature enabled the chance of successful compromise of system resources through brute force password guessing attacks increases.
    Implementation Status: Account lockout functionality is not available in the NSN system, but the time delay for the next attempt keeps increasing after three consecutive failed logins.

    2.5 System password storage
    Control Description: The Administrative password should be protected using an encryption algorithm in accordance with Uninor Security policy. Encrypt the administrative password using hashing algorithms such as MD5.
    Control Objective/Rationale: The Administrator account is privileged with the highest access rights. Availability of the Administrator's password in clear text from system configuration files would let an unauthorized user gain access to the Administrator account. Impersonation of the Administrator can be avoided by encrypting the Administrator password.
    Implementation Status: Implemented
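
    The strong-password rules of control 2.3, written as a check that also covers the hashed storage of control 2.5. This is an added example, not part of the standard or of any NSN tooling; password history is kept as salted PBKDF2-HMAC-SHA256 digests rather than the MD5 the standard names, and the round count, sample passwords, personal terms and word list are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

SPECIALS = set("~!@#$%^&*()_-+=")  # special characters listed in control 2.3
HISTORY_DEPTH = 3                   # "last three passwords will not be used again"
PBKDF2_ROUNDS = 100_000             # assumption: work factor picked for this example


def hash_password(password, salt=None):
    """Return (salt, digest) as salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored entry."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(password, history, personal_terms, dictionary):
    """Return the control 2.3 rules the candidate breaks (empty list = acceptable).

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a numerical character")
    if not any(ch in SPECIALS for ch in password):
        problems.append("needs a special character")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last three passwords")
    lowered = password.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("contains personal details")
    # Check each run of four or more letters, so "winter13" is tested as "winter".
    runs = [w for w in re.split(r"[^a-z]+", lowered) if len(w) >= 4]
    if any(w in dictionary for w in runs):
        problems.append("contains a dictionary word")
    return problems


# Constructed sample data: none of these values come from the standard.
SAMPLE_HISTORY = [hash_password(p) for p in
                  ("Qw3!ertyuiopA", "Zx9$cvbnmLkj", "Pl5%mnbvcXza", "Gh2&jklfdsQw")]
SAMPLE_PERSONAL = ["asha", "1984"]
SAMPLE_DICTIONARY = {"winter", "password", "network"}

if __name__ == "__main__":
    for candidate in ("winter13", "Zx9$cvbnmLkj", "Asha#1984xyzQ", "Xy7#kLm2qPz!"):
        found = check_password(candidate, SAMPLE_HISTORY, SAMPLE_PERSONAL, SAMPLE_DICTIONARY)
        print(candidate, "->", found or "acceptable")
```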

    2.6 Default Passwords
    Control Description: Default passwords on the BSC should be changed upon installation. In addition these passwords should be complex and conform to Uninor Security Policy.
    Control Objective/Rationale: Application default passwords are widely known and typically initial targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.
    Implementation Status: Implemented

    3. Interfaces, Ports and Services

    3.1 Physical interfaces
    Control Description: Disable console login used to access physically at BSC Site. Only ethernet port should be allowed.
    Control Objective/Rationale: If this type of control is not implemented then an unauthorized user may get an opportunity to login physically on the BSC.
    Implementation Guidance: Console login to be restricted to minimum (for emergency use only).
    Implementation Status: Implemented. Allowed for emergency cases only.

    3.2 Abis-interface
    Control Description: BSC should contain the configuration (DPC, Signaling links, TGs) for only authorized BTSs in the network.
    Control Objective/Rationale: In absence of this enforcement, an unused BTS configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.
    Implementation Guidance: Ensure that the BSC contains the configuration for only approved and authorized DPC, Signalling links and TGs. Maintain an approval copy of change management form with administrator.
    Implementation Status: Implemented

    3.3 STP interface
    Control Description: BSC should contain the configuration (point codes and signaling links) for authorized STPs only in the network.
    Control Objective/Rationale: In absence of this enforcement, an unused STP configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.
    Implementation Guidance: Ensure that the BSC contains the configuration for only approved and authorized Point codes and for identified authorized STPs. Maintain an approval copy of change management form with administrator.
    Implementation Status: Implemented

    3.4 MAP E interface
    Control Description: BSC should contain the Trunk Groups configuration for only authorized BSCs/GBSCs and LI systems in the network.
    Control Objective/Rationale: In absence of this enforcement, an unused TG configuration on the BSC can lead to misuse of network such as DoS attacks, flooding, etc. on the BSC.
    Implementation Guidance: Ensure that the BSC contains the configuration for only approved and authorized TG for authorized BSCs and GBSC or LI system. Maintain an approval copy of change management form with administrator.
    Implementation Status: Implemented

    3.5 O&M interface
    Control Description: BSC should restrict access to authorized O&M devices only. The node must be configured to identify the authorized devices from which O&M activities can be performed.
    Control Objective/Rationale: Enforcing this security control will ensure that only legitimate and authorized O&M terminals can be used to access the BSC.
    Implementation Guidance: Ensure that BSC is accessible from only authorized O&M devices, Nodes. Maintain an approval copy of change management form with administrator.
    Implementation Status: Implemented

    3.6 System Services
    Control Description: Disable unauthorized services/daemons from the nodes based on Uninor Information security policy. Identify authorized services running on the device via vulnerability assessment and disable unauthorized services. Only those services that serve a documented operational or business need should be listening on the node.
    Control Objective/Rationale: Unauthorized services/daemons allow unauthenticated access to a system and let users transfer files, manipulate the system functioning, etc. A system with services such as ftp enabled can be used as a depot for the unauthorized transfer of information. A system with Telnet service enabled can be used to run a spurious process (e.g.) in the system leading to dead weight on processor load.
    Implementation Guidance: Disable and replace FTP and telnet by SFTP and SSH respectively.
    Implementation Status: System restriction: FTP and telnet are used for CDR, license and software loading. Exceptions to be approved by Uninor IS team.

    4. System Updates

    4.1 Patch upgrade
    Control Description: Upgrade the system's firmware to a supported stable version recommended by the OEM after proper testing has been performed. Follow the OEM's firmware upgrade procedures for the BSC model being upgraded. BSC must be updated with the latest stable patches (bug fixes) specifically related to security.
    Control Objective/Rationale: Operating system security vulnerabilities are found on a regular basis. These security holes may pose a significant risk to the internal network. Enforcing this security control will help ensure the system always has the most recent critical operating system updates and service packs installed.
    Implementation Status: No such patches required for NSN system; from time to time network related updates are being implemented.

    4.2 Antivirus
    Control Description: Windows based servers/clients and O&M terminals which are used to manage BSC nodes shall be installed with the latest Antivirus software, which must regularly be updated.
    Control Objective/Rationale: Enabling this feature will protect the systems from the execution of unauthorized code such as viruses and Trojan horses.
    Implementation Guidance: Deploy updated antivirus on the node used to access BSC.
    Implementation Status: Implemented (activity is done by Uninor IT team)

    5. File Access Control

    5.1 Restrict file access
    Control Description: Accesses (Read/Write/Modify) to sensitive BSC system and configuration files should be restricted from unauthorized personnel.
    Control Objective/Rationale: An unrestricted access may let unauthorized users modify/delete the sensitive system and configuration files, which may further lead to unstable performance of the BSC.
    Implementation Guidance: Limit access to such configuration files to admin level users only.
    Implementation Status: Implemented. No such files are available in NSN system configuration. It is stored in System specific data file and cannot be decoded.

    5.2 Restrict file access
    Control Description: Configuration backup servers containing BSC configuration files such as M2000 should be properly restricted from unauthorized personnel. Review the security and access requirements in accordance with the Uninor information security policy.
    Control Objective/Rationale: An unrestricted access to the backup servers may let unauthorized users gain critical information from configuration files, which may be further used to gain unauthorized access to the BSC, impersonate the BSC, etc.
    Implementation Guidance: Limit access to such backup files to admin level users only.
    Implementation Status: Implemented. OSS is accessible via restricted users only.

    5.3 Legal notice banner
    Control Description: A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues. Configure Uninor authorized login banner on the BSC as specified in the Uninor Information Security Policy.
    Control Objective/Rationale: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
    Implementation Status: No such banner is available in NSN system. Uninor IS team to take up with NSN.

    6. Audit Logging and Monitoring

    6.1 Audit logging
    Control Description: Enable system logging in accordance with Uninor Information Security Policy to capture O&M activities, system failures, policy violation, unauthorized access attempts, system events, faults, etc.
    Control Objective/Rationale: Enforcing audit logging allows security incidents to be detected and enough evidence to be available for analysis of those incidents. Insufficient logging will result in a lack of an audit trail in the event of an unauthorized access. With good logging and monitoring, administrators are often given early warnings for hardware and software errors or problems.
    Implementation Guidance: Enable recording audit logs for O&M activities, system failures, unauthorized access attempts, etc.
    Implementation Status: Implemented

    6.2 Command logging
    Control Description: Security configuration file changes should be monitored and logged in accordance with Uninor information security policy. Sensitive files such as configuration parameters and audit logs should not be allowed for modification or deletion.
    Control Objective/Rationale: Any authorized/unauthorized or known/unknown access to critical commands used to change either the database or the configuration parameters should be logged so that none of the access to these sensitive files goes unnoticed. It also ensures that all the evidence is available for reverse tracking the source of change. Rolling back from unstable network due to improper command fire is possible.
    Implementation Status: Command logs are stored at specific location

    6.3 Logs Archive
    Control Description: Archive all security relevant logs for a period stipulated as per applicable laws and regulations. The activity logs need to be retained online for 12 months and offline for 24 months.
    Control Objective/Rationale: Having all audit logs archived ensures that if they are needed they will be available. At the same time it ensures compliance with the requirements of the regulator.
    Implementation Status: System restriction: all activity logs are stored at specific Uninor IT server

    6.4 Monitoring
    Control Description: BSC shutdown and restarts should be monitored. Any unauthorized shutdown and/or unexpected restarts should be investigated.
    Control Objective/Rationale: The BSC should be rebooted only by authorized personnel at scheduled times and when users can be properly notified. Unplanned or unscheduled system rebooting will deny users access to the system and could allow unauthorized users access to the system.
    Implementation Guidance: Keep records of reasons for BSC shutdown, reboot or restart with the administrator.
    Implementation Status: Implemented: RCA for any unplanned restart is available

    6.5 Software updates logs
    Control Description: Maintain all the software and patch updates logs since inception.
    Control Objective/Rationale: Any changes to the system's firmware need to be logged to ensure availability of a complete list of changes made to the firmware. Also this audit log helps identify any unknown and unauthorized change made to the system.
    Implementation Status: Implemented: an excel sheet is maintained for records

    7. BSC Properties and Features Configuration

    7.1 Encryption
    Control Description: Cipher must be enabled to ensure that the signaling and user data cannot be overheard on the radio interfaces.
    Control Objective/Rationale: Cipher is used to ensure the confidentiality of data, thus sensitive signaling information and data are protected against eavesdropping attacks.
    Implementation Status: Implemented

    7.2 Ciphering while handover
    Control Description: Changing of ciphering algorithm should not be allowed at handover.
    Control Objective/Rationale: No change in ciphering algorithm during handover ensures the same level of encryption during a call. If the target BTS is configured with a lower level of ciphering algorithm (e.g. A5/0) as compared to the current serving BTS (e.g. A5/1) then this would result in lowering the encryption level. To maintain the same level of encryption, change of ciphering algorithm should be prohibited at handover.
    Implementation Status: Implemented

    7.3 Clock sync
    Control Description: Clock synchronization to be configured using the Network Time Protocol (NTP).
    Control Objective/Rationale: Configuring NTP for clock synchronization will ensure that internal clocks of all the telecom nodes in the network are in synchronization and provide Coordinated Universal Time (UTC) including scheduled leap second adjustments.
    Implementation Status: Implemented

    Author & Reviewer

    Created by: Information Security Team    Date: 13th Jan 2013
    Reviewed by: Rohit Verma    Date: 15th Jan 2013

    Approvals

    Head - Operations    Date:
    Head NOC    Date:
    Head - Managed Services    Date:
    Head - Information Security: Saurabh Agarwal    Date: 29th Jan 2013