Overview of Security Policies

470055268.xls Document classification

Function overview (applicability: eRAN)

OM security

| # | Function name | Function description | eRAN |
|---|---|---|---|
| 1 | NE local user management | An NE local user is an O&M user whose user name and password are managed locally. This function is used for local O&M or for scenarios in which the element management system (EMS) cannot manage the NE. | Yes |
| 2 | Disabling NE local user management | This function can be used on the U2020 to specify whether non-default NE local users can create, modify, and delete users on the NE. Non-default NE local users are NE local users other than user admin. | Yes |
| 3 | Locking of non-default NE local users | This function can be used on the U2020 to specify whether non-default NE local users can log in to the NE through the LMT. Non-default NE local users are NE local users other than user admin. | Yes |
| 4 | EMS domain user management | Domain users are O&M users centrally managed on the U2020. Management includes creating, modifying, deleting, and authorizing a user or user group. | Yes |
| 5 | Password policy management | This function manages password complexity for O&M users. It can be used to set password complexity and the password update period so that users cannot set overly simple passwords or retain a password for a long time, thereby improving system access security. Password policies apply to all users once they are set by security administrators. | Yes |
| 6 | Online status monitoring for users | This function monitors the sessions and operations of OM users and NE local users. If a user's operations may jeopardize system security, security administrators can kick the user out of the system and terminate the sessions. Users who monitor sessions and operations cannot kick themselves out of the system. | Yes |
| 7 | Northbound centralized user authentication by the third party on the U2020 | This function supports interconnection with a third-party user management system over the U2020 northbound interface. It authenticates users at login using standard protocols such as the Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial In User Service (RADIUS). | Yes |
| 8 | SSO | The LMT is the local operation and maintenance system for NEs. For convenience, the U2020 lets the user start the LMT of an NE from the topology view. For details about how to start an NE's LMT, see the LMT user guide in the NE's documentation package. | Yes |
| 9 | NE log auditing | Security administrators can regularly audit NE users' operations to check for illegal operations. NE logs include user operation logs, system run logs, and security logs. | Yes |
| 10 | Digital signature for software packages | A hash algorithm and RSA public key cryptography are used to digitally sign software packages so that the source of NE and EMS software packages can be trusted. This function protects the system against illegal and malicious software and prevents software from being tampered with. | Yes |
| 11 | User data pseudonymization | To protect users' sensitive information such as IMSI, IMEI, MSISDN and MAC address during signaling trace/monitoring, the U2020 provides the pseudonymization policy. You can enable the pseudonymization policy and set a key for the pseudonymization algorithm so that sensitive information remains pseudonymous while being transmitted between NEs and the U2020 and while being displayed on the U2020 during input and output. | Yes |
| 12 | Setting LMT Proxy Connection Strategies | Users can use the U2020 server as a proxy while logging in to the NE through the LMT. The U2020 server can be set on the U2020 client to specify whether to authenticate the identity of the peer end while setting up SSL connections. | Yes |
| 13 | O&M transmission channel security | Setting security connections determines whether SSL is enabled for the connections between NEs and the EMS. Enabling SSL ensures that data is sent to a trusted peer and protects data confidentiality and integrity. If SSL is enabled, all O&M services except FTP services run over SSL. | Yes |
| 14 | FTP security configuration | The FTP policy between an NE and the U2020 specifies that files between the U2020 and the NE are transferred based on the preset parameters when the NE functions as an FTP server and the U2020 functions as an FTP client. The FTP policy between the NE and the U2020 can be set to plaintext FTP mode or SSL-based FTPS mode. | Yes |
| 15 | Secure NTP time synchronization | NTP time synchronization supports the authentication defined in RFC 1305, which provides authentication and integrity protection for NTP communication. NTP security authentication protects the integrity and authenticates the source of NTP packets received by base stations, ensuring that base stations use valid reference clocks. The NTPCP.AUTHMODE, NTPCP.KEY, and NTPCP.KEYID parameters on a base station functioning as an NTP client must be set to the same values as those on the NTP server. NTP security authentication supports Data Encryption Standard (DES) and MD5; DES has been cracked and is not recommended. NTP security authentication uses digital signatures to verify NTP packets and thereby ensure the validity of the reference time received by base stations. | Yes |

Equipment security

| # | Function name | Function description | eRAN |
|---|---|---|---|
| 1 | Security patch installation | Base station patches are released to fix system security loopholes (including in the OS) and ensure system security (including the OS). | Yes |
| 2 | Operating system hardening | OS security hardening improves OS security through the following measures: adjusting system security configurations, disabling unnecessary services, and adding security mechanisms. | Yes |
| 3 | Physical port security management | This function prevents illegal access to physical ports by disabling lower-layer physical ports. | Yes |
| 4 | USB access policy configuration | The USB access policy protects important user data from being tampered with and protects the base station from being loaded with malicious data or software by encrypting and verifying USB data. | Yes |
| 5 | Physical device locking | Physical device locking includes outdoor base station locking, indoor cabinet locking, and indoor alarms from the door status sensor. | Yes |
| 6 | File integrity check | This function checks whether key files have been tampered with and reports the check results to the U2020. | Yes |

Transmission security

| # | Function name | Function description | eRAN |
|---|---|---|---|
| 1 | VLAN | VLANs separate services onto different planes of the base station, isolating the user, management, and control planes from each other. If VLANs are not used and one link is attacked, data flows on all planes may be attacked. VLANs can be used to prevent this. | Yes |
| 2 | ACL configuration policy | This function performs access control list (ACL) filtering on IP data packets (including O&M and service data) destined for base station devices before they enter these devices. This avoids unauthorized access or attempted attacks and thereby ensures radio device security. If this function is disabled, radio devices are vulnerable to attacks from illegal data packets, which may degrade device processing capabilities or expose the devices to denial of service (DoS). | Yes |
| 3 | Device IP address attack defense | This function checks whether IP data packets destined for base station devices over S1/X2/Xn/F1/OMCH/eX2 are illegal attack packets before they enter these devices. If so, the packets are filtered out to ensure radio device security. If this function is disabled, radio devices are vulnerable to illegal packets, malformed packets, Address Resolution Protocol (ARP) spoofing, and floods. This may degrade device processing capabilities, or incorrect messages may be intercepted, causing transmission links to be disconnected. | Yes |
| 4 | IPsec policy configuration | Huawei base station devices support IPsec networking, which provides secure data transmission, integrity protection, and authentication. If this function is disabled, data packets are transmitted in plaintext in the bearer network and are vulnerable to eavesdropping and malicious modification, which can disclose user information or affect user services. | Yes |
| 5 | IPsec protocol attack defense | When IPsec is enabled, this function protects IPsec protocols from replay attacks and protects devices from replay attacks that use illegally intercepted packets. If this function is disabled, devices are vulnerable to replay attacks, which may degrade device processing capabilities; in serious cases, devices may be paralyzed. | Yes |
| 6 | Secure configuration for 1588 clock synchronization | This function protects 1588 clock frequency synchronization data from being tampered with by using the encryption and integrity protection provided by IPsec. If clock synchronization data is tampered with, transmission performance degrades; in serious cases, data transmission may be interrupted. | Yes |

Radio security

| # | Function name | Function description | eRAN |
|---|---|---|---|
| 1 | LTE Uu interface encryption/integrity protection | In LTE networks, the Uu interface is the interface between the UE and eNodeB. It is a standard interface defined in 3GPP protocols and an open air interface. Malicious users can eavesdrop on or tamper with user-plane and control-plane information over the Uu interface. To protect the integrity and confidentiality of user-plane and control-plane data over the Uu interface, 3GPP protocols define encryption and integrity protection algorithms for that data. The eNodeB supports integrity protection and encryption. Integrity protection: the integrity protection algorithm calculates the Message Authentication Code for Integrity (MAC-I) and the Expected MAC-I (X-MAC) at the sending and receiving parties and compares the values to ensure that data has not been tampered with. Encryption: the encryption algorithm transforms data from plaintext into ciphertext to prevent data from being disclosed. | Yes |
| 2 | NR Uu interface encryption/integrity protection | In NR networks, the Uu interface is the interface between the UE and gNodeB. It is a standard interface defined in 3GPP protocols and an open air interface. Malicious users can eavesdrop on or tamper with user-plane and control-plane information over the Uu interface. To protect the integrity and confidentiality of user-plane and control-plane data over the Uu interface, 3GPP protocols define encryption and integrity protection algorithms for that data. Integrity protection: the integrity protection algorithm calculates MAC-I and X-MAC at the sending and receiving parties and compares the values to ensure that data has not been tampered with. Encryption: the encryption algorithm transforms data from plaintext into ciphertext to prevent data from being disclosed. | N/A |

04/14/2020 Huawei confidential information; unauthorized distribution prohibited. Page 1 of 75
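The user data pseudonymization row above states the two properties the mechanism needs: the pseudonym is derived under a configured key, and it stays consistent between the NEs and the U2020 so that a trace can still be followed. The following added example (not code from the page or from Huawei) shows one way to realise that with a keyed one-way function. HMAC-SHA256, the sample key, the record layout and the field names are assumptions; the page does not name the algorithm the U2020 uses.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample key. In the U2020 policy the key is configured once and
# must be identical on every NE that exchanges trace data with the U2020,
# otherwise the same IMSI would show up under different pseudonyms.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Fields of a trace record that the page lists as sensitive.
SENSITIVE_FIELDS = ("imsi", "imei", "msisdn", "mac")


def pseudonymize_digits(value: str, key: bytes, digits: int) -> str:
    """Map a numeric identifier (IMSI/IMEI/MSISDN) to a fixed-length decimal
    pseudonym. HMAC-SHA256 is an assumed keyed one-way function; without the
    key nobody can recompute or reverse the mapping."""
    digest = hmac.new(key, value.encode("ascii"), hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big")
    return str(number % 10**digits).zfill(digits)


def pseudonymize_mac(value: str, key: bytes) -> str:
    """Map a MAC address to a MAC-shaped pseudonym so that downstream parsers
    still accept the field."""
    digest = hmac.new(key, value.lower().encode("ascii"), hashlib.sha256).digest()
    return ":".join(f"{b:02x}" for b in digest[:6])


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of a trace record with every sensitive field replaced.
    Non-sensitive fields (cell, timestamp, message name) are left intact so
    the trace remains usable for troubleshooting."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field not in out:
            continue
        if field == "mac":
            out[field] = pseudonymize_mac(out[field], key)
        else:
            out[field] = pseudonymize_digits(out[field], key, len(out[field]))
    return out


# Constructed trace record; not captured from any real network.
SAMPLE_RECORD = {
    "timestamp": "2020-04-14T10:00:00Z",
    "cell_id": 12345,
    "message": "RRCConnectionRequest",
    "imsi": "460001234567890",
    "imei": "356938035643809",
    "msisdn": "8613800138000",
    "mac": "00:1a:2b:3c:4d:5e",
}

if __name__ == "__main__":
    print(pseudonymize_record(SAMPLE_RECORD, SAMPLE_KEY))
```

Because the mapping is deterministic under one key, an operator can still correlate all messages of one subscriber inside a trace, while a different key (or no key) yields unrelated pseudonyms; that is why the key must be set consistently before tracing is enabled.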


5G RAN applicability, default configuration and recommended configuration

Rows follow the order of the function overview above.

OM security

| # | Function | NSA | SA | Default configuration | Recommended configuration |
|---|---|---|---|---|---|
| 1 | NE local user management | Yes | Yes | User admin is used. | Change the default password for user admin (batch modification is recommended after base station deployment). On live networks, create user accounts and assign proper operation rights to them based on user roles. |
| 2 | Disabling NE local user management | Yes | Yes | Enabled | Disabled. Local users are rarely used in routine maintenance. It is recommended that local users be disabled to prevent attackers or malicious users from creating illegal user accounts on the NE and reserving illegal access channels. |
| 3 | Locking of non-default NE local users | Yes | Yes | Unlocked | Locked. Local users are rarely used in routine maintenance. It is recommended that local users be locked to prevent attackers or malicious users from locally attacking the system or cracking system configurations. |
| 4 | EMS domain user management | Yes | Yes | User admin is used. | On live networks, define and assign user accounts based on user roles. Assign proper operation rights based on user roles. |
| 5 | Password policy management | Yes | Yes | Password complexity check is enabled by default and the password must have at least eight characters. The account is locked after three consecutive failed login attempts. | Modify the default password. |
| 6 | Online status monitoring for users | Yes | Yes | The online status of O&M users is monitored. | Retain the default configuration (the system monitors the online status of O&M users by default). |
| 7 | Northbound centralized user authentication by the third party on the U2020 | Yes | Yes | Disabled | Retain the default configuration. |
| 8 | SSO | Yes | Yes | The LMT right-click startup function supports single sign-on (SSO), and a password is not required during LMT startup. | Retain the default configuration. |
| 9 | NE log auditing | Yes | Yes | Log synchronization is disabled. | Start synchronization tasks for NE operation logs, system run logs, and security logs. |
| 10 | Digital signature for software packages | Yes | Yes | Forcibly enabled | Unconfigurable |
| 11 | User data pseudonymization | Yes | Yes | Disabled | Enable this function. |
| 12 | Setting LMT Proxy Connection Strategies | Yes | Yes | A Huawei device certificate is preset and the identity of the peer end is not authenticated. | Replace it with the operator's certificate and change the SSL authentication mode to PEER(Verify Peer Certificate). |
| 13 | O&M transmission channel security | Yes | Yes | A Huawei-issued device certificate is preconfigured. SSL connection is used; that is, the NE (SSL server) authentication mode is set to compatible mode, and the EMS/LMT (SSL client) uses SSL connection by default. TLS1.1 and later versions are supported by default. SSL connection in anonymous authentication mode is used by default. The SSL renegotiation function is enabled by default. | Disable SSLv2 and SSLv3. Disable TLS1.0. Replace the certificate with the operator's certificate. Change the SSL authentication mode to PEER(Verify Peer Certificate). Retain the default configuration of SSL renegotiation. |
| 14 | FTP security configuration | Yes | Yes | FTPS connection is used by default when the FTP server uses compatible mode and the FTP client uses FTPS connection. When the FTPS connection fails, the FTP client automatically switches to FTP connection (note: automatic switching cannot be performed in the case of a communication interruption). | Use FTPS connection. |
| 15 | Secure NTP time synchronization | Yes | Yes | NTP communication is not authenticated. | It is recommended that NTP authentication be performed. If the NTPCP.AUTHMODE parameter is not set to PLAIN(Plain), NTP security authentication is performed in encryption mode. |

Equipment security

| # | Function | NSA | SA | Default configuration | Recommended configuration |
|---|---|---|---|---|---|
| 1 | Security patch installation | Yes | Yes | Patches that match the version of the network equipment are downloaded from http://support.huawei.com and automatically installed. | Patches that match the version of the network equipment are downloaded from http://support.huawei.com and automatically installed. |
| 2 | Operating system hardening | Yes | Yes | Huawei base station OSs are hardened before delivery. The solutions cover network access, network security, and system services to improve antivirus and anti-attack capabilities, system reliability, and the service quality of the entire network. The OS hardening solutions include the following functions: disabling unnecessary services; restricting access to files and directories; authorizing system access; user management; operation log recording; detecting system malfunctions; OS integrity protection. | Huawei base station OSs are hardened before delivery. The solutions cover network access, network security, and system services to improve antivirus and anti-attack capabilities, system reliability, and the service quality of the entire network. The OS hardening solutions include the following functions: disabling unnecessary services; restricting access to files and directories; authorizing system access; user management; operation log recording; detecting system malfunctions; OS integrity protection. |
| 3 | Physical port security management | Yes | Yes | Base station. Serial port: LMPT, the jumper cap is closed; UMPT, no serial port on the panel; serial ports on the RRU, disabled by default. Local network interface: enabled by default for the eNodeB/gNodeB. USB ports: enabled by default. | Base station. Serial port: retain the default configuration. Local network interface: disabled after eNodeB/gNodeB deployment. USB ports: it is recommended that USB ports be disabled after deployment is complete. |
| 4 | USB access policy configuration | Yes | Yes | USB encryption and signature detection are enabled by default. | Retain the default configuration. |
| 5 | Physical device locking | Yes | Yes | Indoor cabinet locking; indoor alarm from the door status sensor; outdoor base station locking. | Retain the default configuration. |
| 6 | File integrity check | Yes | Yes | Disabled by default | You are advised to create a periodic or instant file integrity check task on the U2020 as required. You can set the task under Integrity Monitoring on the U2020. |

Transmission security

| # | Function | NSA | SA | Default configuration | Recommended configuration |
|---|---|---|---|---|---|
| 1 | VLAN | Yes | Yes | Not configured | Configure the VLAN. |
| 2 | ACL configuration policy | Yes | Yes | Disabled by default | Configure the ACL policy. |
| 3 | Device IP address attack defense | Yes | Yes | By default, malformed packet detection, broadcast packet rate limiting, and smurf prevention are enabled and cannot be disabled. The ARP spoofing prevention function is disabled. | Enable flood attack prevention and ARP spoofing prevention. |
| 4 | IPsec policy configuration | Yes | Yes | Not configured | 1. Deploy the CA system. 2. Deploy IPsec for digital certificate authentication. 3. Configure the parameters by referring to the recommended values in the operation guide and parameter reference. |
| 5 | IPsec protocol attack defense | Yes | Yes | Not configured | Enable the IPsec replay attack defense function. |
| 6 | Secure configuration for 1588 clock synchronization | Yes | Yes | Not configured | Use IPsec to encrypt 1588 clock data. |

Radio security

| # | Function | NSA | SA | Default configuration | Recommended configuration |
|---|---|---|---|---|---|
| 1 | LTE Uu interface encryption/integrity protection | Yes | N/A | Control plane: enabled by default. Recommended algorithm configuration order: AES > Snow3G > ZUC > NULL/EEA0. | Retain the default configuration. |
| 2 | NR Uu interface encryption/integrity protection | Yes | Yes | User plane. Encryption: enabled by default; recommended algorithm configuration order: AES > Snow3G > ZUC > NULL/NEA0. Integrity protection: enabled by default; recommended algorithm configuration order: AES > Snow3G > ZUC. | Retain the default configuration. |
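Row 5 of the table above gives the concrete defaults behind password policy management: a complexity check with a minimum of eight characters, and account lockout after three consecutive failed logins. The added example below (not code from the page or from Huawei) models how such a policy is enforced at login time. The minimum password age of 90 days, the requirement for three character classes, the deny list of well-known passwords and the account layout are assumptions; the page states only the length and lockout thresholds and that a password update period exists.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8           # default stated on the page
    max_failed_logins: int = 3    # default stated on the page
    max_age_days: int = 90        # assumed value; the page only says an update period exists
    min_char_classes: int = 3     # assumed: three of upper, lower, digit, symbol


# Assumed small deny list of defaults that a policy should refuse outright.
WELL_KNOWN_PASSWORDS = {"admin", "password", "12345678", "changeme"}


def check_complexity(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_char_classes:
        violations.append(
            f"uses {classes} character classes, policy requires {policy.min_char_classes}")
    if password.lower() in WELL_KNOWN_PASSWORDS:
        violations.append("is a well-known default password")
    return violations


@dataclass
class Account:
    name: str
    password: str               # plaintext only to keep the example short; store a salted hash in practice
    password_set_at: datetime
    failed_logins: int = 0
    locked: bool = False


def attempt_login(account: Account, supplied: str, policy: PasswordPolicy, now: datetime) -> str:
    """Apply the lockout and password-age rules to one login attempt.
    Returns one of "locked", "failed", "password_expired" or "success"."""
    if account.locked:
        return "locked"
    # Constant-time comparison so the check itself leaks nothing about the password.
    if not hmac.compare_digest(supplied.encode(), account.password.encode()):
        account.failed_logins += 1
        if account.failed_logins >= policy.max_failed_logins:
            account.locked = True          # third consecutive failure locks the account
            return "locked"
        return "failed"
    account.failed_logins = 0              # a success resets the consecutive-failure counter
    if now - account.password_set_at > timedelta(days=policy.max_age_days):
        return "password_expired"          # correct password, but the update period has elapsed
    return "success"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_complexity("admin", policy))
    acct = Account("operator1", "Tr0ub4dor!x", datetime(2020, 4, 1))
    for guess in ("wrong", "wrong", "wrong", "Tr0ub4dor!x"):
        print(guess, attempt_login(acct, guess, policy, datetime(2020, 4, 14)))
```

The two rules interact: a locked account stays locked even when the correct password is later supplied, which is the behaviour an administrator expects after the "three consecutive failed login attempts" default, and it is why the recommended action for row 1 (changing the default admin password) matters before exposing the NE on a live network.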


Upgrade rule, network impact, related feature and function dependency

Rows follow the order of the function overview above.

OM security

| # | Function | Upgrade rule | Network impact | Related feature | Function dependency |
|---|---|---|---|---|---|
| 1 | NE local user management | Inherit the configuration from the source version. | None | Basic features | None |
| 2 | Disabling NE local user management | Inherit the configuration from the source version. | When local users are disabled, only user admin has the right to add, delete, and modify user accounts on the NE. | Basic feature. OSS: WOFD-040100 Centralized User Management and Authentication | None |
| 3 | Locking of non-default NE local users | Inherit the configuration from the source version. | Local users other than admin are locked and therefore cannot log in to the NE. | Basic feature. OSS: WOFD-040100 Centralized User Management and Authentication | None |
| 4 | EMS domain user management | Inherit the configuration from the source version. | None | OSS: WOFD-040100 Centralized User Management and Authentication | None |
| 5 | Password policy management | Inherit the configuration from the source version. | None | Basic feature. OSS: WOFD-040300 Security Policy. RAN: MRFD-210305 Security Management | None |
| 6 | Online status monitoring for users | Inherit the configuration from the source version. | None | OSS: WOFD-040700 Online NE User Monitoring | None |
| 7 | Northbound centralized user authentication by the third party on the U2020 | Inherit the configuration from the source version. | None | OSS: WOFD-100370 Centralized Authentication Based on LDAP; WOFD-100380 Centralized Authentication Based on RADIUS | None |
| 8 | SSO | Inherit the configuration from the source version. | None | OSS: WOFD-040100 Centralized User Management and Authentication | None |
| 9 | NE log auditing | Inherit the configuration from the source version. | None | Basic feature. OSS: WOFD-050100 U2020 Log Management; WOFD-050300 NE Log Management | None |
| 10 | Digital signature for software packages | Inherit the configuration from the source version. | None | Basic feature. OSS: WOFD-110100 NE Software Management | None |
| 11 | User data pseudonymization | Inherit the configuration from the source version. | Signaling tracing is affected: user ID information such as the pseudonymous IMSI must be entered during tracing. | Basic feature. WOFD-081400: Tracing Task Management and Message Browse | None |
| 12 | Setting LMT Proxy Connection Strategies | Inherit the configuration from the source version. | None | OSS: WOFD-070100 Local Maintenance Agent | A PKI system is deployed on the operator's network. |
| 13 | O&M transmission channel security | Inherit the configuration from the source version. | None | Basic feature. RAN: MRFD-210305 Security Management. U2020: WOFD-210100 Encrypted Transmission | A PKI system is deployed on the operator's network. |
| 14 | FTP security configuration | Inherit the configuration from the source version. | The plaintext FTP mode cannot be used for file transmission. | Basic feature. OSS: WOFD-000200 File Transfer Management | None |
| 15 | Secure NTP time synchronization | Inherit the configuration from the source version. | None | Basic feature. OSS: WOFD-070800 Network Time Synchronization | The NTP server must support NTP authentication. |

Equipment security

| # | Function | Upgrade rule | Network impact | Related feature | Function dependency |
|---|---|---|---|---|---|
| 1 | Security patch installation | Inherit the configuration from the source version. | Base station: restart the main control board after patch installation. | Basic feature | None |
| 2 | Operating system hardening | Inherit the configuration from the source version. | None | Basic feature | None |
| 3 | Physical port security management | Inherit the configuration from the source version. | Base station. Serial port: none. Local network interface: none. | Basic feature | None |
| 4 | USB access policy configuration | Inherit the configuration from the source version. | Software packages and configuration files without a signature cannot be loaded to the system. | Basic feature | None |
| 5 | Physical device locking | Inherit the configuration from the source version. | None | Basic feature | None |
| 6 | File integrity check | Inherit the configuration from the source version. | None | Basic feature | |

Transmission security

| # | Function | Upgrade rule | Network impact | Related feature | Function dependency |
|---|---|---|---|---|---|
| 1 | VLAN | Inherit the configuration from the source version. | None | Basic features. LTE: LBFD-003003 VLAN Support (IEEE 802.1p/q). NR: FBFD-010019 VLAN Support (IEEE 802.1p/q) | None |
| 2 | ACL configuration policy | Inherit the configuration from the source version. | The network impact depends on the number of configuration rules: the more rules, the greater the impact on performance. Fewer than six rules are usually configured to limit the performance impact to 8%. | Basic features. LTE: LBFD-001010 Security Mechanism. NR: FBFD-010023 Security Mechanism (PKI) | None |
| 3 | Device IP address attack defense | Inherit the configuration from the source version. | None | Basic feature | None |
| 4 | IPsec policy configuration | Inherit the configuration from the source version. | If the performance of the peer security gateway cannot meet the service performance requirements, the overall network traffic decreases. | LTE: TDLOFD-003009 IPsec; TDLOFD-003024 IPsec for IPv6. NR: FOFD-010080 IPsec | Security gateway and PKI |
| 5 | IPsec protocol attack defense | Inherit the configuration from the source version. | Network performance may degrade by about 1%. | LTE: TDLOFD-003009 IPsec; TDLOFD-003024 IPsec for IPv6. NR: FOFD-010080 IPsec | IPsec |
| 6 | Secure configuration for 1588 clock synchronization | Inherit the configuration from the source version. | Too many cascaded IPsec links may affect clock precision (only frequency synchronization data is transmitted at present). | LTE: TDLOFD-003009 IPsec; TDLOFD-003024 IPsec for IPv6. NR: FOFD-010080 IPsec | IPsec |

Radio security

| # | Function | Upgrade rule | Network impact | Related feature | Function dependency |
|---|---|---|---|---|---|
| 1 | LTE Uu interface encryption/integrity protection | Inherit the configuration from the source version. | None | Basic feature. LTE: LOFD-001010 Security Mechanism; LOFD-00101001 AES; LOFD-00101002 SNOW 3G; LOFD-00101003 ZUC; LBFD-002004 | This function requires support from the CN and UEs. |
| 2 | NR Uu interface encryption/integrity protection | Inherit the configuration from the source version. | None | Basic feature. NR: FBFD-010013 Radio Interface Ciphering; Integrity Protection | This function requires support from the CN and UEs. |


Related operations

Rows follow the order of the function overview above.

OM security

1. NE local user management: Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Managing Rights
2. Disabling NE local user management: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > NE User Management > User Monitoring
3. Locking of non-default NE local users: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > NE User Management > User Monitoring
4. EMS domain user management: U2020: Operation and Maintenance > Security Management > User Management > OSS User Management
5. Password policy management: Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Managing Rights > Managing Login Passwords. U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > OSS User Management > Security Policies
6. Online status monitoring for users: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > OSS User Management > User Management > User Permission Management > User Monitoring
7. Northbound centralized user authentication by the third party on the U2020: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > Remote Authentication Configuration
8. SSO: U2020: U2020 Product Documentation > Operation and Maintenance > Configuration Management > NE Configuration Data Management > Starting the NE LMT on the U2020 Client
9. NE log auditing: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Log Management > NE Log Management > Synchronizing NE Logs
10. Digital signature for software packages: OM Security Feature Parameter Description for SingleRAN. U2020: U2020 Product Documentation > Installation and Commissioning > U2020 Commissioning Guide > FAQ > U2020 Application FAQs > How Do I Install the U2020 Server Software > Installing the U2020 Server Software
11. User data pseudonymization: U2020: U2020 Product Documentation > Operation and Maintenance > Fault Management > FARS > Pseudonymization Policy Management
12. Setting LMT Proxy Connection Strategies: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission
13. O&M transmission channel security: Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Logging In to and Exiting the LMT. U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission
14. FTP security configuration: U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission
15. Secure NTP time synchronization: U2020: U2020 Product Documentation > Operation and Maintenance > OSS Management > U2020 Administrator Guide > Managing the U2020 Server Time. SingleRAN OM Security Feature Parameter Description > Base Station NTP Security Authentication

Equipment security

1. Security patch installation: Base station: release notes
2. Operating system hardening: SingleRAN: Base Station RTOS Security Feature Parameter Description
3. Physical port security management: SingleRAN: Equipment Security Feature Parameter Description
4. USB access policy configuration: SingleRAN: Equipment Security Feature Parameter Description
5. Physical device locking: SingleRAN: Equipment Security Feature Parameter Description. Alarm from the door status sensor: monitoring signal cables must be installed for the door status sensor, and the cable installation must be supported by the operator.
6. File integrity check: SingleRAN: Equipment Security Feature Parameter Description

Transmission security

1. VLAN: LTE: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > Configuration Management > eRAN Reconfiguration Guide > Security Networking Data Reconfigurations > Adjusting the VLAN. NR: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > Configuration Management > 5G RAN Reconfiguration Guide > Security Networking Data Reconfigurations > Adjusting a VLAN
2. ACL configuration policy: SingleRAN: Equipment Security Feature Parameter Description
3. Device IP address attack defense: SingleRAN: Equipment Security Feature Parameter Description
4. IPsec policy configuration: SingleRAN: IPsec Feature Parameter Description
5. IPsec protocol attack defense: SingleRAN: IPsec Feature Parameter Description
6. Secure configuration for 1588 clock synchronization: SingleRAN: IPsec Feature Parameter Description

Radio security

1. LTE Uu interface encryption/integrity protection: eRAN: Radio Security Feature Parameter Description
2. NR Uu interface encryption/integrity protection: 5G RAN: Radio Security Feature Parameter Description


Protocols Supported

None

None

None

None

None

None

04/14/2020 华为保密信息,未经授权禁止扩散 第29页,共75页


470055268.xls 文档密级

IETF RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax
Definitions
IETF RFC 2256 A Summary of the X.500(96) User Schema for use with
LDAPv3
IETF RFC 2865 Remote Authentication Dial In User Service (RADIUS)

None

None

IETF RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA


Cryptography Specifications Version 2.1

None

None

04/14/2020 华为保密信息,未经授权禁止扩散 第30页,共75页


470055268.xls 文档密级

IETF RFC 2246 The TLS Protocol Version 1.0


IETF RFC 3546 Transport Layer Security (TLS) Extensions
IETF RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1
IETF RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2

IETF RFC 2228 FTP Security Extensions

IETF RFC 1305 Network Time Protocol (Version 3) Specification,


Implementation and Analysis

None

04/14/2020 华为保密信息,未经授权禁止扩散 第31页,共75页


470055268.xls 文档密级

None

None

None

None

None

04/14/2020 华为保密信息,未经授权禁止扩散 第32页,共75页


470055268.xls 文档密级

IEEE 802.1Q Virtual LANs


IEEE 802.1p Priority Levels

None

None

04/14/2020 华为保密信息,未经授权禁止扩散 第33页,共75页


IPsec related protocols:
3GPP TS 33.210 3G security; Network Domain Security (NDS); IP network
layer security 470055268.xls 文档密级
3GPP TS 33.401 3GPP System Architecture Evolution (SAE); Security
architecture
3GPP TS 33.501 Security architecture and procedures for 5G system
IETF RFC 2401 Security Architecture for the Internet Protocol
IETF RFC 2402 P Authentication Header
IETF RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
IETF RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
IETF RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
IETF RFC 2406 IP Encapsulating Security Payload (ESP)
IETF RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
IETF RFC 2408 Internet Security Association and Key Management Protocol
(ISAKMP)
IETF RFC 2409 The Internet Key Exchange (IKE)
IETF RFC 4301 Security Architecture for the Internet Protocol
IETF RFC 4302 IP Authentication Header
IETF RFC 4303 IP Encapsulating Security Payload (ESP)
IETF RFC 4306 Internet Key Exchange (IKEv2) Protocol
IETF RFC 2367 PF_KEY Key Management API, Version 2
IETF RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
IETF RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key
Exchange (IKE) Peers
IETF RFC 3948 UDP Encapsulation of IPsec ESP Packets
IETF RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec
Encapsulating Security Payload (ESP)
IETF RFC 5903 Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE
and IKEv2
IETF RFC 6379 Suite B Cryptographic Suites for IPsec
IETF RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2)

PKI related protocols:


3GPP TS 33.310 Network Domain Security (NDS); Authentication Framework
(AF)
IETF RFC 5280 Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile
IETF RFC 3279 Algorithms and Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List (CRL) Profile
IETF RFC 4210 Internet X.509 Public Key Infrastructure Certificate
Management Protocol (CMP)
IETF RFC 4211 Internet X.509 Public Key Infrastructure Certificate Request
IETF RFCFormat
Message 4302 IP(CRMF)
Authentication Header
IETF RFC 4303 IP
IETF RFC 2315 PKCS Encapsulating SecurityMessage
#7: Cryptographic Payload Syntax
(ESP) Version 1.5

None

04/14/2020 华为保密信息,未经授权禁止扩散 第34页,共75页


470055268.xls 文档密级

3GPP TS 33.401 3GPP System Architecture Evolution (SAE); Security architecture
3GPP TS 35.215 Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 1: UEA2 and UIA2 specifications
3GPP TS 35.216 Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 2: SNOW 3G specification
3GPP TS 36.300 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description
3GPP TS 36.331 Radio Resource Control (RRC); Protocol specification

3GPP TS 33.401 3GPP System Architecture Evolution (SAE); Security architecture
3GPP TS 33.501 Security Architecture and Procedures for 5G System


Applicability column: Base Station Controller
(Columns: No. | Function Name | Function Description | Applicability)

OM Security

1 NE local user management
An NE local user is an O&M user whose user name and password are managed locally on the NE. This function is used for local O&M, or for scenarios where the element management system (EMS) cannot manage the NE.
Applicability: Yes

2 Disabling NE local user management
This function can be used on the U2020 to specify whether non-default NE local users can create, modify, and delete users on the NE. Non-default NE local users are NE local users other than user admin.
Applicability: Yes

3 Locking of non-default NE local users
This function can be used on the U2020 to specify whether non-default NE local users can log in to the NE through the LMT. Non-default NE local users are NE local users other than user admin.
Applicability: Yes

4 EMS domain user management
Domain users are O&M users centrally managed on the U2020. Management includes creating, modifying, deleting, and authorizing a user or user group.
Applicability: N/A

5 Password policy management
This function manages password complexity for O&M users. It sets the password complexity requirements and the password update period so that users cannot choose overly simple passwords or keep the same password for a long time, which improves system access security. Password policies apply to all users once they are set by security administrators.
Applicability: Yes

6 Online status monitoring for users
This function monitors the sessions and operations of OM users and NE local users. If a user's operations may jeopardize system security, security administrators can kick the user out of the system and terminate the user's sessions. A user who monitors user sessions and operations cannot kick themselves out of the system.
Applicability: Yes


7 U2020 northbound centralized user authentication by the third-party
This function supports interconnection with a third-party user management system over the U2020 northbound interface. It authenticates users at login by using standard protocols such as the Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial In User Service (RADIUS).
Applicability: Yes
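The RADIUS leg of that exchange, as an added example that is not part of this document and not Huawei's or the U2020's implementation: a minimal RFC 2865 Access-Request/Access-Accept round trip showing what the shared secret actually protects. The client hides the User-Password with MD5(secret || Request Authenticator) chaining, the server recovers it and answers with a Response Authenticator, and the client recomputes that authenticator before trusting the reply. The user name, password and secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + ciphertext block i-1); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL bytes are indistinguishable from padding
    (a limitation of the RFC scheme, not of this code)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Client (NAS) side: fresh 16-byte Request Authenticator, hidden password attribute."""
    authenticator = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, and reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(user_db.get(attrs[ATTR_USER_NAME], b"\x00"), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: a reply is only trusted if its ID matches and its Response
    Authenticator was computed with the shared secret over our Request Authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

Two things the exchange makes visible: the secret is the only thing binding the reply to the request, and the hiding is MD5-based and not an authenticated cipher, so the path between the U2020 and the LDAP/RADIUS server still needs its own protection (a management VLAN or IPsec, both listed later in this document).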

8 SSO
The LMT is the local operation and maintenance system for NEs. For convenience, the U2020 lets the user start the LMT of an NE from the topology view. For details about how to start an NE's LMT, see the LMT user guide in the NE's documentation package.
Applicability: Yes

9 NE log and auditing
Security administrators can regularly audit NE users' operations to check for illegal operations. NE logs include user operation logs, system run logs, and security logs.
Applicability: Yes

10 Digital signature for software packages
A hash algorithm and RSA public key cryptography are used to digitally sign software packages so that the origin of NE and EMS software packages can be verified. This protects the system against illegal or malicious software and prevents software from being tampered with.
Applicability: Yes

11 User data pseudonymization
To protect users' sensitive information such as the IMSI, IMEI, MSISDN, and MAC address during signaling tracing and monitoring, the U2020 provides a pseudonymization policy. You can enable the policy and set a key for the pseudonymization algorithm so that sensitive information remains pseudonymous while it is transmitted between NEs and the U2020 and while it is displayed on the U2020 during input and output.
Applicability: Yes
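The page does not say which algorithm the U2020 uses behind its key. The following is an added example, not Huawei's code, of the property the row asks for: a keyed pseudonym that is stable for the same identifier (so a trace remains joinable) and cannot be recomputed or reversed without the key. It uses HMAC-SHA256 and keeps the parts of each identifier that operators need to read a trace (MCC+MNC, IMEI TAC, MAC OUI) while replacing the subscriber- or device-specific part. The key and identifiers are constructed; the 2-digit-MNC split is an assumption for the example.

```python
import hashlib
import hmac


def keyed_digits(key: bytes, label: str, value: str, n_digits: int) -> str:
    """Derive n decimal digits from HMAC-SHA256(key, label:value:counter), extending with
    the counter when more digits are needed. (b % 10 is slightly biased, which is
    irrelevant for unlinkability; uniformity is not the goal here.)"""
    digits, counter = "", 0
    while len(digits) < n_digits:
        mac = hmac.new(key, f"{label}:{value}:{counter}".encode(), hashlib.sha256).digest()
        digits += "".join(str(b % 10) for b in mac)
        counter += 1
    return digits[:n_digits]


def pseudonymize_imsi(key: bytes, imsi: str) -> str:
    """Assumption: 2-digit MNC, so digits 1-5 (MCC+MNC) stay in clear; the MSIN is replaced."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be 15 digits")
    return imsi[:5] + keyed_digits(key, "imsi", imsi[5:], 10)


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for an all-digit payload (the 15th IMEI digit)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def pseudonymize_imei(key: bytes, imei: str) -> str:
    """Keep the 8-digit TAC (device model), replace the 6-digit serial; recompute the
    check digit so the result still parses as a valid IMEI."""
    if not (imei.isdigit() and len(imei) in (14, 15)):
        raise ValueError("IMEI must be 14 or 15 digits")
    body = imei[:8] + keyed_digits(key, "imei", imei[8:14], 6)
    return body if len(imei) == 14 else body + luhn_check_digit(body)


def pseudonymize_msisdn(key: bytes, msisdn: str) -> str:
    """Length-preserving replacement of the whole number."""
    if not msisdn.isdigit():
        raise ValueError("MSISDN must be digits")
    return keyed_digits(key, "msisdn", msisdn, len(msisdn))


def pseudonymize_mac(key: bytes, mac: str) -> str:
    """Keep the OUI (vendor prefix), replace the device-specific three octets."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("MAC must be six colon-separated hex octets")
    tail = hmac.new(key, ("mac:" + ":".join(parts[3:])).encode(), hashlib.sha256).digest()[:3]
    return ":".join(parts[:3] + [f"{b:02x}" for b in tail])
```

Because the mapping is keyed, whoever holds the key can re-identify a subscriber by recomputing the pseudonym from a candidate IMSI; the key therefore needs the same protection as the raw identifiers, which is the point of the row's "set a key" step.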

12 Setting LMT Proxy Connection Strategies
Users can use the U2020 server as a proxy when logging in to the NE through the LMT. On the U2020 client, the U2020 server can be configured to specify whether the identity of the peer end is authenticated when SSL connections are set up.
Applicability: Yes


13 O&M transmission channel security
Setting security connections determines whether SSL is enabled for the connections between NEs and the EMS. Enabling SSL ensures that data is sent to a trusted peer and protects data confidentiality and integrity. If SSL is enabled, all O&M services except FTP services run over SSL.
Applicability: Yes

14 FTP security configuration
The FTP policy between an NE and the U2020 specifies that files between the U2020 and the NE are transferred according to preset parameters when the NE functions as the FTP server and the U2020 functions as the FTP client. The FTP policy between the NE and the U2020 can be set to plaintext FTP mode or SSL-based FTPS mode.
Applicability: Yes

15 Secure NTP time synchronization
NTP time synchronization supports the authentication defined in RFC 1305, providing authentication and integrity protection for NTP communication.
Applicability: Yes
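What that RFC 1305 authentication amounts to on the wire, as an added example that is not Huawei's code: the sender appends a MAC consisting of a 4-byte key ID and MD5(key || 48-byte NTP header), and the receiver recomputes the digest with the key it has configured for that ID. The example builds a constructed NTP server reply, signs it, and shows the checks a receiver must make (tampered header, unknown key ID, wrong key, or no MAC at all). The key and key ID are constructed.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key identifier + MD5 digest


def build_ntp_header(stratum: int = 2, version: int = 3, mode: int = 4) -> bytes:
    """Constructed 48-byte NTP header (mode 4 = server reply), transmit timestamp = now."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    ntp_epoch_offset = 2208988800  # seconds from 1900-01-01 to the Unix epoch
    xmt_seconds = (int(time.time()) + ntp_epoch_offset) & 0xFFFFFFFF
    header = struct.pack("!BBbb", li_vn_mode, stratum, 0, -20)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += b"\x00" * 4                                        # reference ID
    header += b"\x00" * 24                                       # reference, originate, receive timestamps
    header += struct.pack("!II", xmt_seconds, 0)                 # transmit timestamp
    assert len(header) == NTP_HEADER_LEN
    return header


def sign_ntp(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key MAC: key ID followed by MD5(key || header)."""
    if len(packet) != NTP_HEADER_LEN:
        raise ValueError("sign the bare 48-byte header")
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify_ntp(packet: bytes, trusted_keys: dict) -> bool:
    """Receiver check. An unauthenticated packet (no MAC) is rejected outright, as a
    client with authentication enabled must do, otherwise the feature buys nothing."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), packet[NTP_HEADER_LEN + 4:])
```

The digest is computed over the whole header, so timestamps and stratum cannot be altered in transit without the key, but note the scheme has no replay protection of its own and uses MD5; RFC 8573 moves this MAC to AES-CMAC, which is the variant to prefer when both the server and the base station support it.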
Equipment Security

1 Security patch installation
Base station controller: Installing operating system (OS) security patches on the base station controller eliminates system security loopholes and ensures system security.
Applicability: Yes
Base station: Base station patches are released to resolve system security loopholes (including those in the OS) and to ensure system security (including that of the OS).
Applicability: N/A

2 Operating system hardening
Operating system hardening
Applicability: Yes

3 Physical port security management
This function prevents illegal access to physical ports by disabling lower-layer physical ports.
Applicability: Yes

4 USB access policy configuration
The USB access policy protects important user data from being tampered with and protects the base station from being loaded with malicious data or software, by encrypting and verifying USB data.
Applicability: Yes

5 Physical device locking
Physical device locking includes outdoor base station locking, indoor cabinet locking, and an indoor alarm from the door status sensor.
Applicability: N/A

6 File integrity check
This function checks whether key files have been tampered with and reports the check results to the U2020.
Applicability: Yes

Transmission Security

1 VLAN
VLANs separate services onto different planes of the base station and base station controller, isolating the user, management, and control planes from each other. If VLANs are not used and one link is attacked, the data flows on all planes may be attacked. VLANs prevent this.
Applicability: Yes


2 ACL configuration policy
Base station: This function performs access control list (ACL) filtering on IP data packets (including O&M and service data) destined for base station devices before they enter those devices. This prevents unauthorized access and attempted attacks and thereby ensures radio device security. If this function is disabled, radio devices are vulnerable to attacks from illegal data packets, which may degrade device processing capabilities or cause denial of service (DoS).
Applicability: N/A
Base station controller: This function performs ACL filtering on IP data packets (including O&M and service data) destined for base station controller devices before they enter those devices. This prevents unauthorized access and attempted attacks and thereby ensures radio device security. If this function is disabled, radio devices are vulnerable to attacks from illegal data packets, which may degrade device processing capabilities or cause DoS.
Applicability: Yes

3 Device IP address attack defense for base stations
This function checks whether IP data packets destined for the base station are illegal attack packets before they enter the device and, if so, filters them out to ensure radio device security. If this function is disabled, radio devices are vulnerable to illegal packets, malformed packets, Address Resolution Protocol (ARP) spoofing, and floods. This may degrade device processing capabilities, or incorrect messages may be intercepted, causing transmission links to be disconnected.
Applicability: Yes

4 Device IP address attack defense for base station controllers
This function checks whether IP data packets destined for base station controller devices are illegal attack packets before they enter those devices and, if so, filters them out to ensure radio device security. If this function is disabled, radio devices are vulnerable to illegal packets, malformed packets, ARP spoofing, and floods. This may degrade device processing capabilities, or incorrect messages may be intercepted, causing transmission links to be disconnected.
Applicability: Yes


5 IPsec policy configuration
Huawei base station controller and base station devices support IPsec networking, which provides secure data transmission, integrity protection, and authentication. If this function is disabled, data packets are transmitted in plaintext over the bearer network and are vulnerable to eavesdropping and malicious modification, which can disclose user information or affect user services.
Applicability: N/A

6 IPsec protocol attack defense
When IPsec is enabled, this function protects the IPsec protocols from replay attacks and protects devices from replay attacks that use illegally intercepted packets. If this function is disabled, devices are vulnerable to replay attacks, which may degrade device processing capabilities and, in serious cases, paralyze the device.
Applicability: N/A

7 Secure configuration for 1588 clock synchronization
This function protects 1588 clock frequency synchronization data from being tampered with by using the encryption and integrity protection provided by IPsec. If clock synchronization data is tampered with, transmission performance degrades and, in serious cases, data transmission may be interrupted.
Applicability: N/A

Radio Security


1 GSM Um interface encryption
In GSM networks, the Um interface is the interface between the MS and the base station. It is a standard interface defined in 3GPP protocols and an open air interface. Malicious users can eavesdrop on or tamper with user-plane information such as calls and data over the Um interface. To protect user-plane data over the Um interface, 3GPP protocols define the A5 series of ciphering algorithms. After encryption is enabled over the Um interface, the MS and BTS use the same key to encrypt and decrypt the data transmitted over the Um interface, which prevents malicious eavesdropping on user-plane data. Note that the A5 algorithms are stream ciphers providing confidentiality; GSM does not add a cryptographic integrity check, so tampering is made harder but not detected.
Applicability: Yes

2 UMTS Uu interface encryption
In UMTS networks, the Uu interface is the interface between the UE and the NodeB. It is a standard interface defined in 3GPP protocols and an open air interface. Malicious users can eavesdrop on user-plane information such as calls and data over the Uu interface. To protect the confidentiality of user-plane data over the Uu interface, 3GPP protocols define encryption algorithms for the Uu interface. After encryption is enabled over the Uu interface, the UE and NodeB use the same key to encrypt and decrypt the data transmitted over the Uu interface. This prevents malicious eavesdropping on user-plane data, ensuring the confidentiality of user data over the Uu interface.
Applicability: Yes

3 UMTS Uu interface integrity protection
In UMTS networks, the Uu interface is the interface between the UE and the base station. It is a standard interface defined in 3GPP protocols and an open air interface. Malicious users can tamper with and replay control-plane information over the Uu interface. To protect the integrity of signaling data over the Uu interface, 3GPP protocols define integrity protection algorithms. After integrity protection is enabled over the Uu interface, the UE and NodeB use the same key to compute and verify a message authentication code over each signaling message transmitted or received over the Uu interface. This prevents signaling messages from being tampered with, ensuring the integrity of signaling data over the Uu interface.
Applicability: Yes


Applicability column: Base Station
(Columns: Applicability | Default Configuration | Recommended Configuration | Upgrade Rule; rows follow the function numbering above)

OM Security

1 NE local user management
Applicability: Yes
Default: User admin is used.
Recommended: Change the default password for user admin (batch modification is recommended after base station deployment). On live networks, create user accounts and assign proper operation rights to them based on user roles.
Upgrade rule: Inherit the configuration from the source version.

2 Disabling NE local user management
Applicability: Yes
Default: Enabled
Recommended: Disabled. Local users are rarely used in routine maintenance. It is recommended that local users be disabled to prevent attackers or malicious users from creating illegal user accounts on the NE and reserving illegal access channels.
Upgrade rule: Inherit the configuration from the source version.

3 Locking of non-default NE local users
Applicability: Yes
Default: Unlocked
Recommended: Locked. Local users are rarely used in routine maintenance. It is recommended that local users be locked to prevent attackers or malicious users from locally attacking the system or cracking system configurations.
Upgrade rule: Inherit the configuration from the source version.

4 EMS domain user management
Applicability: N/A
Default: User admin is used.
Recommended: On live networks, define and assign user accounts based on user roles. Assign proper operation rights based on user roles.
Upgrade rule: Inherit the configuration from the source version.

5 Password policy management
Applicability: Yes
Default: Password complexity check is enabled by default and the password must have at least eight characters. The account is locked after three consecutive failed login attempts.
Recommended: Modify the default password.
Upgrade rule: Inherit the configuration from the source version.

6 Online status monitoring for users
Applicability: Yes
Default: Online status of O&M users is monitored.
Recommended: Subscribe to NE user operations.
Upgrade rule: Inherit the configuration from the source version.


7 U2020 northbound centralized user authentication by the third-party
Applicability: Yes
Default: Disabled
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.

8 SSO
Applicability: Yes
Default: The LMT right-click startup function supports single sign-on (SSO); no password is required during LMT startup.
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.

9 NE log and auditing
Applicability: Yes
Default: Log synchronization is disabled.
Recommended: Start synchronization tasks for NE operation logs, system run logs, and security logs.
Upgrade rule: Inherit the configuration from the source version.

10 Digital signature for software packages
Applicability: Yes
Default: Forcibly enabled
Recommended: Unconfigurable
Upgrade rule: Inherit the configuration from the source version.

11 User data pseudonymization
Applicability: Yes
Default: Disabled
Recommended: Enable this function.
Upgrade rule: Inherit the configuration from the source version.

12 Setting LMT Proxy Connection Strategies
Applicability: Yes
Default: A Huawei device certificate is preset and the identity of the peer end is not authenticated.
Recommended: Replace the preset certificate with the operator's certificate and change the SSL authentication mode to PEER (Verify Peer Certificate).
Upgrade rule: Inherit the configuration from the source version.


13 O&M transmission channel security
Applicability: Yes
Default: A Huawei-issued device certificate is preconfigured. An SSL connection is used: the NE (SSL server) authentication mode is set to compatible mode, and the EMS/LMT (SSL client) uses an SSL connection by default. TLS 1.1 and later versions are supported by default. The SSL connection uses anonymous authentication mode by default. SSL renegotiation is enabled by default.
Recommended: Disable SSLv2 and SSLv3. Disable TLS 1.0. Replace the preset certificate with the operator's certificate. Change the SSL authentication mode to PEER (Verify Peer Certificate). Retain the default SSL renegotiation configuration.
Upgrade rule: Inherit the configuration from the source version.
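The two rows above expressed as client-side TLS settings, as an added example that is not Huawei's or the U2020's code: one context mirrors the default (anonymous mode, no peer verification, old protocol versions negotiable), the other mirrors the recommendation (peer certificate required, nothing below TLS 1.2), and a small audit function reports what a configuration review would flag. It is written for the EMS/LMT side, which the table identifies as the SSL client; ca_file is a hypothetical path to the operator's CA bundle and falls back to the system trust store when not given.

```python
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """Mirrors the default row: peer identity not verified ("anonymous authentication
    mode") and any protocol version the local build supports, TLS 1.0/1.1 included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(ca_file: str = None) -> ssl.SSLContext:
    """Mirrors the recommended row: SSLv2/SSLv3/TLS 1.0 (and 1.1) excluded,
    PEER mode (the NE's certificate must chain to the operator CA and match its name)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED           # "PEER (Verify Peer Certificate)"
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression is never wanted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a configuration audit would raise for an EMS-side O&M client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (anonymous/compatible mode)")
    if not ctx.check_hostname:
        findings.append("NE identity is not checked against the certificate name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 (including TLS 1.0) are still negotiable")
    return findings
```

Replacing the preset Huawei device certificate is what makes PEER mode meaningful: until the NE presents a certificate issued by the operator's own CA, a client that requires verification against that CA will refuse the connection, which is the correct failure mode rather than a reason to leave anonymous mode on.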
14 FTP security configuration
Applicability: Yes
Default: An FTPS connection is used by default when the FTP server is in compatible mode and the FTP client uses an FTPS connection. If the FTPS connection fails, the FTP client automatically falls back to a plaintext FTP connection (note: automatic fallback is not performed when communication is interrupted).
Recommended: FTPS is forcibly used when the BSC or U2020 serves as the FTP server. When the NE or EMS serves as the FTP client, an FTPS connection is used by default.
Upgrade rule: Inherit the configuration from the source version.

15 Secure NTP time synchronization
Applicability: Yes
Default: NTP communication is not authenticated.
Recommended: Set the NTP authentication policy.
Upgrade rule: Inherit the configuration from the source version.

Equipment Security

1 Security patch installation
Base station controller:
Applicability: N/A
Default: The Linux patch package is installed before delivery. OS patch packages that match the version of the network equipment are downloaded from http://support.huawei.com and installed automatically.
Recommended: None
Upgrade rule: Inherit the configuration from the source version.
Base station:
Applicability: Yes
Default: Patches that match the version of the network equipment are downloaded from http://support.huawei.com and installed automatically.
Recommended: Patches that match the version of the network equipment are downloaded from http://support.huawei.com and installed automatically.
Upgrade rule: Inherit the configuration from the source version.


2 Operating system hardening
Applicability: Yes
Default:
1. Base station controller
(1) SUSE Linux: not hardened by default.
(2) DOPRA Linux, RTOS Linux, EULER Linux:
A. Security hardening has been performed by default.
B. Remote OMU login by the root user is disabled.
2. Base station
Huawei base station OSs are hardened before delivery. The hardening covers network access, network security, and system services to improve antivirus and anti-attack capabilities, system reliability, and the service quality of the entire network. The OS hardening solutions include the following functions: disabling unnecessary services; restricting access to files and directories; authorizing system access; user management; operation log recording; detecting system malfunctions; OS integrity protection.
Recommended:
1. Base station controller
(1) SUSE Linux: The SEK setSuse software is used for OS hardening.
(2) DOPRA Linux, RTOS Linux, EULER Linux:
A. Remote OMU login by the root user is disabled.
B. OMU route forwarding is disabled.
C. Real-time recording of OMU OS access information is configured. The server to which the records are uploaded must exist.
2. Base station
No additional security hardening is required (the OS is hardened before delivery).
Upgrade rule: Inherit the configuration from the source version.


3 Physical port security management
Applicability: Yes
Default:
Base station controller: Serial port: password verification. Local network interface: enabled by default. USB ports: enabled by default.
Base station: Serial port: GTMU, WMPT, and LMPT: the jumper cap is closed; UMPT: no serial port on the panel; RRU: disabled by default. Local network interface: disabled by default after GBTS deployment; enabled by default for the eGBTS/NodeB. USB ports: enabled by default.
Recommended:
Base station controller: Serial port: retain the default configuration. Local network interface: retain the default configuration. USB ports: it is recommended that USB ports be disabled.
Base station: Serial port: disabled. Local network interface: disabled after eGBTS/NodeB deployment. USB ports: it is recommended that USB ports be disabled once deployment is complete.
Upgrade rule: Inherit the configuration from the source version.

4 USB access policy configuration
Applicability: Yes
Default: Base station: USB encryption and signature detection are enabled by default.
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.

5 Physical device locking
Applicability: Yes
Default: Indoor cabinet locking; indoor alarm from the door status sensor; outdoor base station locking.
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.

6 File integrity check
Applicability: Yes
Default: Disabled by default on the U2020.
Recommended: You are advised to create a periodic or instant file integrity check task on the U2020 as required. The task is set under Integrity Monitoring on the U2020.

Transmission Security

1 VLAN
Applicability: Yes
Default: Not configured
Recommended: Configure the VLAN.
Upgrade rule: Inherit the configuration from the source version.


2 ACL configuration policy
Base station:
Applicability: Yes
Default: Disabled by default.
Recommended: Configure the ACL policy.
Upgrade rule: Inherit the configuration from the source version.
Base station controller:
Applicability: N/A
Default: The intelligent whitelisting function is enabled by default.
Recommended: Configure the ACL policy.
Upgrade rule: Inherit the configuration from the source version.

3 Device IP address attack defense for base stations
Applicability: Yes
Default: Malformed packet detection, broadcast packet rate limiting, and smurf prevention are enabled by default and cannot be disabled. ARP/ND spoofing prevention is disabled.
Recommended: Enable flood attack prevention and ARP/ND spoofing prevention.
Upgrade rule: Inherit the configuration from the source version.

4 Device IP address attack defense for base station controllers
Applicability: Yes
Default: Malformed packet detection, broadcast packet rate limiting, and smurf prevention are enabled by default and cannot be disabled. ARP spoofing prevention is disabled.
Recommended: Enable flood attack prevention and ARP spoofing prevention.
Upgrade rule: Inherit the configuration from the source version.


5 IPsec policy configuration
Applicability: Yes
Default: Not configured
Recommended: 1. Deploy the CA system. 2. Deploy IPsec with digital certificate authentication. 3. Configure the parameters by referring to the recommended values in the operation guide and parameter reference.
Upgrade rule: Inherit the configuration from the source version.

6 IPsec protocol attack defense
Applicability: Yes
Default: Not configured
Recommended: Enable the IPsec replay attack defense function.
Upgrade rule: Inherit the configuration from the source version.

7 Secure configuration for 1588 clock synchronization
Applicability: Yes
Default: Not configured
Recommended: Use IPsec to encrypt 1588 clock data.
Upgrade rule: Inherit the configuration from the source version.


Radio Security

1 GSM Um interface encryption
Applicability: Yes
Default: Disabled
Recommended: Enable A5/1 Encryption Flow Optimization and the A5/3 Ciphering Algorithm.
Upgrade rule: Inherit the configuration from the source version.

2 UMTS Uu interface encryption
Applicability: N/A
Default: Enabled (UEA0, UEA1). Note that UEA0 is the null ciphering algorithm: a connection for which the core network selects UEA0 is not encrypted.
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.

3 UMTS Uu interface integrity protection
Applicability: N/A
Default: Enabled (UIA1)
Recommended: Retain the default configuration.
Upgrade rule: Inherit the configuration from the source version.


(Columns: Network Impact | Related Feature | Function Dependency; rows follow the function numbering above)

OM Security

1 NE local user management
Network impact: None
Related feature: Basic features
Dependency: None

2 Disabling NE local user management
Network impact: When local users are disabled, only user admin has the right to add, delete, and modify user accounts on the NE.
Related feature: Basic feature; OSS: WOFD-040100 Centralized User Management and Authentication
Dependency: None

3 Locking of non-default NE local users
Network impact: Local users other than admin are locked and therefore cannot log in to the NE.
Related feature: Basic feature; OSS: WOFD-040100 Centralized User Management and Authentication
Dependency: None

4 EMS domain user management
Network impact: None
Related feature: OSS: WOFD-040100 Centralized User Management and Authentication
Dependency: None

5 Password policy management
Network impact: None
Related feature: Basic feature; OSS: WOFD-040300 Security Policy; RAN: MRFD-210305 Security Management
Dependency: None

6 Online status monitoring for users
Network impact: None
Related feature: OSS: WOFD-040700 Online NE User Monitoring
Dependency: None


7 U2020 northbound centralized user authentication by the third-party
Network impact: None
Related feature: OSS: WOFD-100370 Centralized Authentication Based on LDAP; WOFD-100380 Centralized Authentication Based on RADIUS
Dependency: None

8 SSO
Network impact: None
Related feature: OSS: WOFD-040100 Centralized User Management and Authentication
Dependency: None

9 NE log and auditing
Network impact: None
Related feature: Basic feature; OSS: WOFD-050100 U2020 Log Management; WOFD-050300 NE Log Management
Dependency: None

10 Digital signature for software packages
Network impact: None
Related feature: Basic feature; OSS: WOFD-110100 NE Software Management
Dependency: None

11 User data pseudonymization
Network impact: Signaling tracing is affected. User ID information such as the pseudonymous IMSI must be entered during tracing.
Related feature: Basic feature; WOFD-081400 Tracing Task Management and Message Browse
Dependency: None

12 Setting LMT Proxy Connection Strategies
Network impact: None
Related feature: OSS: WOFD-070100 Local Maintenance Agent
Dependency: A PKI system is deployed on the operator's network.


13 O&M transmission channel security
Network impact: None
Related feature: Basic feature; RAN: MRFD-210305 Security Management; U2020: WOFD-210100 Encrypted Transmission
Dependency: A PKI system is deployed on the operator's network.

14 FTP security configuration
Network impact: The plaintext FTP mode cannot be used for file transmission.
Related feature: Basic feature; OSS: WOFD-000200 File Transfer Management
Dependency: None

15 Secure NTP time synchronization
Network impact: None
Related feature: Basic feature; OSS: WOFD-070800 Network Time Synchronization
Dependency: The NTP server must support NTP authentication.

Equipment Security

1 Security patch installation
Base station controller:
Network impact: Restart the OMU after the OS patch package is installed.
Related feature: Basic feature
Dependency: None
Base station:
Network impact: Restart the main control board after patch installation.
Related feature: Basic feature


2 Operating system hardening
Network impact: Base station controller: Remote OMU login by the root user is disabled, so a common user must switch to the root user to run commands that require root permissions. On live networks that require OMU route forwarding, disabling OMU route forwarding leads to disconnections.
Related feature: Basic feature
Dependency: None


3 Physical port security management
Network impact: Base station controller: serial port: none; local network interface: none. Base station: serial port: none; local network interface: none.
Related feature: Basic feature
Dependency: None

4 USB access policy configuration
Network impact: Software packages and configuration files without a signature cannot be loaded to the system.
Related feature: Basic feature
Dependency: None

5 Physical device locking
Network impact: None
Related feature: Basic feature
Dependency: None

6 File integrity check
Upgrade rule (spilled here from the preceding column): Inherit the configuration from the source version.
Network impact: None
Related feature: Basic feature

Transmission Security

1 VLAN
Network impact: None
Related feature: None
Dependency: None


2 ACL configuration policy
Base station:
Network impact: The network impact depends on the number of configured rules; the more rules, the greater the impact on performance. Fewer than six rules are usually configured to limit the performance impact to 8%.
Related feature: GBSS: GBFD-118601 Abis over IP; UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface
Dependency: None
Base station controller:
Network impact: None
Related feature: GBSS: GBFD-118601 Abis over IP; UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface
Dependency: None

3 Device IP address attack defense for base stations
Network impact: None
Related feature: GBSS: GBFD-118601 Abis over IP; UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface
Dependency: None

4 Device IP address attack defense for base station controllers
Network impact: None
Related feature: GBSS: GBFD-118601 Abis over IP; UMTS: WRFD-050402 IP Transmission Introduction on Iub Interface
Dependency: None


5 IPsec policy configuration
Network impact: If the performance of the peer security gateway cannot meet the service performance requirements, the overall network traffic decreases.
Related feature: GBSS: GBFD-113524 BTS Integrated IPsec; UMTS: WRFD-140209 NodeB Integrated IPSec and PKI
Dependency: Security gateway

6 IPsec protocol attack defense
Network impact: Network performance may degrade by about 1%.
Related feature: GBSS: GBFD-113524 BTS Integrated IPsec; UMTS: WRFD-140209 NodeB Integrated IPSec
Dependency: IPsec

7 Secure configuration for 1588 clock synchronization
Network impact: Too many cascaded IPsec links may affect clock precision (only frequency synchronization data is transmitted at present).
Related feature: GBSS: GBFD-118620 Clock Support 1588V2; UMTS: WRFD-050501 Clock Sync on Ethernet in NodeB
Dependency: IPsec


Radio Security

1 GSM Um interface encryption
Network impact: UEs that do not support the A5/1 or A5/3 algorithm cannot access the network.
Related feature: Basic feature; GBSS: GBFD-113503 A5/3 Ciphering Algorithm; GBFD-113521 A5/1 Encryption Flow Optimization
Dependency: The UE and CN must support the corresponding encryption algorithm. A5/1 Encryption Flow Optimization requires A5/1. The Flex MAIO/Flex TSC function in A5/1 Encryption Flow Optimization is mutually exclusive with the VAMOS feature.

2 UMTS Uu interface encryption
Network impact: None
Related feature: UMTS: WRFD-011402 Encryption
Dependency: None

3 UMTS Uu interface integrity protection
Network impact: None
Related feature: UMTS: WRFD-011401 Integrity Protection
Dependency: None


Related Operations
(Rows follow the function numbering above)

OM Security

1 NE local user management
Base station controller: BSC6900 GU Product Documentation/BSC6910 GU Product Documentation > Operation and Maintenance > General > BSC69X0 GU LMT User Guide > Operation Rights Management
Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Managing Rights

2 Disabling NE local user management
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > NE User Management > User Monitoring

3 Locking of non-default NE local users
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > NE User Management > User Monitoring

4 EMS domain user management
U2020: Operation and Maintenance > Security Management > User Management > OSS User Management

5 Password policy management
Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Managing Rights > Managing Login Passwords
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > OSS User Management > Security Policies

6 Online status monitoring for users
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > OSS User Management > User Management > User Permission Management > User Monitoring


7 U2020 northbound centralized user authentication by the third-party
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > User Management > Remote Authentication Configuration

8 SSO
U2020: U2020 Product Documentation > Operation and Maintenance > Configuration Management > NE Configuration Data Management > Starting the NE LMT on the U2020 Client

9 NE log and auditing
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Log Management > NE Log Management > Synchronizing NE Logs

10 Digital signature for software packages
OM Security Feature Parameter Description for SingleRAN
U2020: U2020 Product Documentation > Installation and Commissioning > U2020 Commissioning Guide > FAQ > U2020 Application FAQs > How Do I Install the U2020 Server Software > Installing the U2020 Server Software

11 User data pseudonymization
U2020: U2020 Product Documentation > Operation and Maintenance > Fault Management > FARS > Pseudonymization Policy Management

12 Setting LMT Proxy Connection Strategies
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission


13 O&M transmission channel security
Base station controller: BSC6900 GU Product Documentation/BSC6910 GU Product Documentation > Operation and Maintenance > General > BSC69X0 GU LMT User Guide > Introduction to LMT > Logging In to and Logging Out of the LMT
Base station: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > General Management > 3900 & 5900 Series Base Station LMT User Guide > Getting Started with the LMT > Logging In to and Exiting the LMT
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission

14 FTP security configuration
U2020: U2020 Product Documentation > Operation and Maintenance > Security Management > Data Management > Setting Data Security Transmission

15 Secure NTP time synchronization
U2020: U2020 Product Documentation > Operation and Maintenance > OSS Management > U2020 Administrator Guide > Managing the U2020 Server Time
SingleRAN OM Security Feature Parameter Description > NTP Security Authentication for the Base Station

Equipment Security

1 Security patch installation
Base station controller: release notes
Base station: release notes


2 Operating system hardening
Base station controller: BSC6900 GU Product Documentation/BSC6910 GU Product Documentation > Operation and Maintenance > General > BSC69X0 GU OMU Administration Guide > Configuring OMU Security Functions
Base station: Base Station RTOS Security Feature Parameter Description


3 to 6 Physical port security management, USB access policy configuration, Physical device locking, File integrity check
SingleRAN: Equipment Security Feature Parameter Description
Alarm from the door status sensor: monitoring signal cables must be installed for the door status sensor, and the cable installation must be supported by the operator.

Transmission Security

1 VLAN
SingleRAN: Equipment Security Feature Parameter Description
GSM: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > Configuration Management > GBSS Reconfiguration Guide > Reconfiguring an eGBTS > Adjusting eGBTS Transmission Data
UMTS: 3900 & 5900 Series Base Station Product Documentation > Operation and Maintenance > Configuration Management > RAN Reconfiguration Guide > Reconfiguring the NodeB > Modifying the VLAN Configuration Mode


2 ACL configuration policy (base station): SingleRAN: Equipment Security Feature Parameter Description
2 ACL configuration policy (base station controller): SingleRAN: Equipment Security Feature Parameter Description
3 Device IP address attack defense for base stations: SingleRAN: Equipment Security Feature Parameter Description
4 Device IP address attack defense for base station controllers: SingleRAN: Equipment Security Feature Parameter Description


5 IPsec policy configuration: SingleRAN: IPsec Feature Parameter Description
6 IPsec protocol attack defense: SingleRAN: IPsec Feature Parameter Description
7 Secure configuration for 1588 clock synchronization: SingleRAN: IPsec Feature Parameter Description


Radio Security

1 GSM Um interface encryption: GBSS: Ciphering Feature Parameter Description
2 UMTS Uu interface encryption: RAN: Data Integrity Protection and Encryption Feature Parameter Description
3 UMTS Uu interface integrity protection: RAN: Data Integrity Protection and Encryption Feature Parameter Description

Protocols Supported

None

None

None

None

None

None

IETF RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
IETF RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3
IETF RFC 2865 Remote Authentication Dial In User Service (RADIUS)

None

None

IETF RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1

None

None

IETF RFC 2246 The TLS Protocol Version 1.0
IETF RFC 3546 Transport Layer Security (TLS) Extensions
IETF RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1
IETF RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2
Note: TLS 1.0 (RFC 2246) and TLS 1.1 (RFC 4346) are deprecated by RFC 8996 and should be disabled in favour of TLS 1.2 wherever the connection peer supports it.

IETF RFC 2228 FTP Security Extensions

IETF RFC 1305 Network Time Protocol (Version 3) Specification, Implementation and Analysis

None

None

None

None

None

None

None

IEEE 802.1Q Virtual LANs
IEEE 802.1p Priority Levels

None

None

None

None

IPsec related protocols:
3GPP TS 33.210 3G security; Network Domain Security (NDS); IP network layer security
3GPP TS 33.401 3GPP System Architecture Evolution (SAE); Security architecture
3GPP TS 33.501 Security architecture and procedures for 5G system
IETF RFC 2401 Security Architecture for the Internet Protocol
IETF RFC 2402 IP Authentication Header
IETF RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
IETF RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
IETF RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
IETF RFC 2406 IP Encapsulating Security Payload (ESP)
IETF RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
IETF RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
IETF RFC 2409 The Internet Key Exchange (IKE)
IETF RFC 4301 Security Architecture for the Internet Protocol
IETF RFC 4302 IP Authentication Header
IETF RFC 4303 IP Encapsulating Security Payload (ESP)
IETF RFC 4306 Internet Key Exchange (IKEv2) Protocol
IETF RFC 2367 PF_KEY Key Management API, Version 2
IETF RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
IETF RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
IETF RFC 3948 UDP Encapsulation of IPsec ESP Packets
IETF RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
IETF RFC 5903 Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2
IETF RFC 6379 Suite B Cryptographic Suites for IPsec
IETF RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2)
Note: RFC 2401, 2402 and 2406 are obsoleted by RFC 4301, 4302 and 4303; the IKEv1 specifications (RFC 2407, 2408, 2409) and RFC 4306 are superseded (via RFC 5996) by RFC 7296. DES-CBC (RFC 2405) and HMAC-MD5-96 (RFC 2403) are listed as supported but are deprecated algorithms and should not be selected in new IPsec configurations.

PKI related protocols:
3GPP TS 33.310 Network Domain Security (NDS); Authentication Framework (AF)
IETF RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
IETF RFC 3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
IETF RFC 4210 Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
IETF RFC 4211 Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
IETF RFC 2315 PKCS #7: Cryptographic Message Syntax Version 1.5

IETF RFC 4302 IP Authentication Header
IETF RFC 4303 IP Encapsulating Security Payload (ESP)

None

3GPP TS 55.216 Specification of the A5/3 encryption algorithms for GSM and ECSD, and the GEA3 encryption algorithm for GPRS; Document 1: A5/3 and GEA3 specification
3GPP TS 43.020 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security related network functions

3GPP TS 33.102 3G security; Security architecture

3GPP TS 33.103 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Integration guidelines
3GPP TS 33.105 Cryptographic algorithm requirements
3GPP TS 35.201 Specification of the 3GPP confidentiality and integrity algorithms; Document 1: f8 and f9 specification
3GPP TS 35.202 Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification
