Overview of Security Policies
Applicability (eRAN)

OM security

9. NE log and auditing
Function description: NE logs include user operation logs, system run logs, and security logs.
eRAN: Yes

3. Physical port security management
Function description: This function prevents illegal access to physical ports by disabling lower-layer physical ports.
eRAN: Yes

4. USB access policy configuration
Function description: The USB access policy protects important user data from being tampered with and protects the base station from being loaded with malicious data or software by encrypting and verifying USB data.
eRAN: Yes

Transmission Security

6. File integrity check
Function description: This function checks whether the key file is tampered with and reports the check results to the U2020.
eRAN: Yes
Applicability (5G RAN: NSA / SA), Default Configuration and Recommended Configuration

Default configuration: Enabled
Recommended configuration: Disabled. Local users are rarely used in routine maintenance. It is recommended that local users be disabled to prevent attackers or malicious users from creating illegal user accounts on the NE and reserving illegal access channels.
Applicability: NSA Yes, SA Yes

Default configuration: Unlocked
Recommended configuration: Locked. Local users are rarely used in routine maintenance. It is recommended that local users be locked to prevent attackers or malicious users from locally attacking the system or cracking system configurations.
Applicability: NSA Yes, SA Yes

Default configuration: User admin is used.
Recommended configuration: On live networks, define and assign user accounts based on user roles. Assign proper operation rights based on user roles.
Applicability: NSA Yes, SA Yes

Default configuration: A Huawei-issued device certificate is preconfigured. SSL connection is used. That is, the NE (SSL server) authentication mode is set to compatible mode, and the EMS/LMT (SSL client) uses SSL connection by default. TLS1.1 and later versions are supported by default. The SSL connection in anonymous authentication mode is used by default. The SSL renegotiation function is enabled by default.
Recommended configuration: Disable SSLv2 and SSLv3. Disable TLS1.0. Replace operator's certificate. Change the SSL authentication mode to PEER(Verify Peer Certificate). Retain the default configurations of SSL renegotiation.
Applicability: NSA Yes, SA Yes

Default configuration: FTPS connection is used by default when the FTP server uses the compatible mode and the FTP client uses FTPS connection. When FTPS connection fails, the FTP client automatically switches to FTP connection (Note: Automatic switching cannot be performed in the case of communication interruption).
Recommended configuration: Use FTPS connection.
Applicability: NSA Yes, SA Yes

Default configuration: NTP communication is not authenticated.
Recommended configuration: If the NTPCP.AUTHMODE parameter is not set to PLAIN(Plain), NTP security authentication is performed in encryption mode.
Applicability: NSA Yes, SA Yes

Default configuration: Base station:
    Serial port: LMPT: The jumper cap is closed. UMPT: No serial port on the panel. Serial ports on the RRU: Disabled by default.
    Local network interface: Enabled by default for the eNodeB/gNodeB.
    USB ports: Enabled by default.
Recommended configuration: Base station:
    Serial port: Retain the default configuration.
    Local network interface: Disabled after eNodeB/gNodeB deployment.
    USB ports: It is recommended that USB ports be disabled after the deployment is complete.
Applicability: NSA Yes, SA Yes

Default configuration: Control plane: Enabled by default. Recommended algorithm configuration order: AES > Snow3G > ZUC > NULL/EEA0
Recommended configuration: Retain the default configuration.
Applicability: NSA Yes, SA N/A

Default configuration: User plane:
    Encryption: Enabled by default. Recommended algorithm configuration order: AES > Snow3G > ZUC > NULL/NEA0
    Integrity protection: Enabled by default. Recommended algorithm configuration order: AES > Snow3G > ZUC
Recommended configuration: Retain the default configuration.
Applicability: NSA Yes, SA Yes
Upgrade Rule, Network Impact, Related Feature and Function Dependency

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. OSS: WOFD-040300 Security Policy. RAN: MRFD-210305 Security Management.
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: OSS: WOFD-100370 Centralized Authentication Based on LDAP; WOFD-100380 Centralized Authentication Based on RADIUS.
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. OSS: WOFD-050100 U2020 Log Management; WOFD-050300 NE Log Management.
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. OSS: WOFD-110100 NE Software Management.
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: Signaling tracing is affected. User ID information such as pseudonymous IMSI must be entered during the tracing.
Related feature: Basic feature. WOFD-081400 Tracing Task Management and Message Browse.
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: OSS: WOFD-070100 Local Maintenance Agent.
Function dependency: A PKI system is deployed on the operator's network.

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. RAN: MRFD-210305 Security Management. U2020: WOFD-210100 Encrypted Transmission.
Function dependency: A PKI system is deployed on the operator's network.

Upgrade rule: Inherit the configuration from the source version.
Network impact: Base station: Serial port: none. Local network interface: none.
Related feature: Basic feature
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: Software packages and configuration files without signature cannot be loaded to the system.
Related feature: Basic feature
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic features. LTE: LBFD-003003 VLAN Support (IEEE 802.1p/q). NR: FBFD-010019 VLAN Support (IEEE 802.1p/q).
Function dependency: None

Upgrade rule: Inherit the configuration from the source version.
Network impact: If the performance of the peer security gateway cannot meet the service performance requirements, the overall network traffic decreases.
Related feature: LTE: TDLOFD-003009 IPsec; TDLOFD-003024 IPsec for IPv6. NR: FOFD-010080 IPsec.
Function dependency: Security gateway and PKI

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. LTE: LOFD-001010 Security Mechanism; LOFD-00101001 AES; LOFD-00101002 SNOW 3G; LOFD-00101003 ZUC; LBFD-002004.
Function dependency: This function requires support from the CN and UEs.

Upgrade rule: Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature. NR: FBFD-010013 Radio Interface Ciphering Integrity Protection.
Function dependency: This function requires support from the CN and UEs.
Related Operations and Protocols Supported

None for all entries, except the following supported protocols:
IETF RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
IETF RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3
IETF RFC 2865 Remote Authentication Dial In User Service (RADIUS)
Applicability (columns: Base Station, Controller)

OM Security

9. NE log and auditing
Function description: NE logs include user operation logs, system run logs, and security logs.
Applicability: Yes

2. Operating system hardening
Function description: Operating system hardening
Applicability: Yes

3. Physical port security management
Function description: This function prevents illegal access to physical ports by disabling lower-layer physical ports.
Applicability: Yes

4. USB access policy configuration
Function description: The USB access policy protects important user data from being tampered with and protects the base station from being loaded with malicious data or software by encrypting and verifying USB data.
Applicability: Yes

6. File integrity check
Function description: This function checks whether the key file is tampered with and reports the check results to the U2020.
Applicability: Yes

Transmission Security

1. VLAN
Function description: VLANs separate services onto different planes of the base station and base station controller. This isolates the user, management, and control planes from each other. If VLAN is not used and one link is attacked, data flow on all the planes may be attacked. VLAN can be used to prevent the preceding issue.
Applicability: Yes
Applicability, Default Configuration, Recommended Configuration and Upgrade Rule

Applicability: Yes
Default configuration: Enabled
Recommended configuration: Disabled. Local users are rarely used in routine maintenance. It is recommended that local users be disabled to prevent attackers or malicious users from creating illegal user accounts on the NE and reserving illegal access channels.
Upgrade rule: Inherit the configuration from the source version.

Applicability: Yes
Default configuration: Unlocked
Recommended configuration: Locked. Local users are rarely used in routine maintenance. It is recommended that local users be locked to prevent attackers or malicious users from locally attacking the system or cracking system configurations.
Upgrade rule: Inherit the configuration from the source version.

Applicability: N/A
Default configuration: User admin is used.
Recommended configuration: On live networks, define and assign user accounts based on user roles. Assign proper operation rights based on user roles.
Upgrade rule: Inherit the configuration from the source version.

Applicability: Yes
Default configuration: A Huawei-issued device certificate is preconfigured. SSL connection is used. That is, the NE (SSL server) authentication mode is set to compatible mode, and the EMS/LMT (SSL client) uses SSL connection by default. TLS1.1 and later versions are supported by default. The SSL connection in anonymous authentication mode is used by default. The SSL renegotiation function is enabled by default.
Recommended configuration: Disable SSLv2 and SSLv3. Disable TLS1.0. Replace operator's certificate. Change the SSL authentication mode to PEER(Verify Peer Certificate). Retain the default configurations of SSL renegotiation.
Upgrade rule: Inherit the configuration from the source version.

Applicability: Yes
Default configuration: FTPS connection is used by default when the FTP server uses the compatible mode and the FTP client uses FTPS connection. When FTPS connection fails, the FTP client automatically switches to FTP connection (Note: Automatic switching cannot be performed in the case of communication interruption).
Recommended configuration: FTPS connection is forcibly used when the BSC or U2020 serves as the FTP server. When the NE or EMS serves as the FTP client, FTPS connection is used by default.
Upgrade rule: Inherit the configuration from the source version.

Applicability: Yes
Default configuration: NTP communication is not authenticated.
Recommended configuration: Set the NTP authentication policy.
Upgrade rule: Inherit the configuration from the source version.
Network Impact, Related Feature and Function Dependency

Network impact: None
Related feature: OSS: WOFD-040100 Centralized User Management and Authentication.
Function dependency: None

Network impact: None
Related feature: Basic feature. OSS: WOFD-040300 Security Policy. RAN: MRFD-210305 Security Management.
Function dependency: None

Network impact: None
Related feature: OSS: WOFD-100370 Centralized Authentication Based on LDAP; WOFD-100380 Centralized Authentication Based on RADIUS.
Function dependency: None

Network impact: None
Related feature: OSS: WOFD-040100 Centralized User Management and Authentication.
Function dependency: None

Network impact: None
Related feature: Basic feature. OSS: WOFD-050100 U2020 Log Management; WOFD-050300 NE Log Management.
Function dependency: None

Network impact: None
Related feature: Basic feature. OSS: WOFD-110100 NE Software Management.
Function dependency: None

Network impact: Signaling tracing is affected. User ID information such as pseudonymous IMSI must be entered during the tracing.
Related feature: Basic feature. WOFD-081400 Tracing Task Management and Message Browse.
Function dependency: None

Network impact: None
Related feature: OSS: WOFD-070100 Local Maintenance Agent.
Function dependency: A PKI system is deployed on the operator's network.

Network impact: None
Related feature: Basic feature. RAN: MRFD-210305 Security Management. U2020: WOFD-210100 Encrypted Transmission.
Function dependency: A PKI system is deployed on the operator's network.

Network impact: None
Related feature: Basic feature
Function dependency: None

Network impact: None
Related feature: GBSS: GBFD-118601 Abis over IP. UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface.
Function dependency: None

Network impact: None
Related feature: GBSS: GBFD-118601 Abis over IP. UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface.
Function dependency: None

Network impact: If the performance of the peer security gateway cannot meet the service performance requirements, the overall network traffic decreases.
Related feature: GBSS: GBFD-113524 BTS Integrated IPsec. UMTS: WRFD-140209 NodeB Integrated IPSec.
Function dependency: Security gateway and PKI

Network impact: UEs that do not support the A5/1 or A5/3 algorithm cannot access the network.
Related feature: Basic feature. GBSS: GBFD-113503 A5/3 Ciphering Algorithm; GBFD-113521 A5/1 Encryption Flow Optimization.
Function dependency: The UE and CN must support the corresponding encryption algorithm. A5/1 Encryption Flow Optimization requires A5/1. The Flex MAIO/Flex TSC function in A5/1 Encryption Flow Optimization is mutually exclusive with the VAMOS feature.

Network impact: None
Related feature: UMTS: WRFD-011402 Encryption
Function dependency: None
Related Operations and Protocols Supported

None for all entries, except the following supported protocols:
IETF RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
IETF RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3
IETF RFC 2865 Remote Authentication Dial In User Service (RADIUS)
3GPP TS 55.216 Specification of the A5/3 encryption algorithms for GSM and ECSD, and the GEA3 encryption algorithm for GPRS; Document 1: A5/3 and GEA3 specification
3GPP TS 43.020 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security related network functions