Encrypted Network Management


Encrypted Network Management

GBSS12.0
Feature Parameter Description

Issue 01

Date 2010-06-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com
GSM BSS
Encrypted Network Management Contents

Contents
1 Introduction 1-1
1.1 Scope 1-1
1.2 Intended Audience 1-1
1.3 Change History 1-1

2 Overview of Encrypted Network Management 2-1

3 Technical Description 3-1
3.1 Overview 3-1
3.2 Setting the Connection Policy Between the M2000 and a BSC 3-4
3.3 Setting the SSL Authentication Policy 3-4
3.4 Managing the Digital Certificate 3-5
3.5 Setting SSL Encryption for FTP 3-7
3.6 Specifications 3-7

4 Parameters 4-1
5 Counters 5-1
6 Glossary 6-1
7 Reference Documents 7-1

Issue 01 (2010-06-30) Huawei Proprietary and Confidential i



1 Introduction
1.1 Scope
This document describes the encrypted network management feature (GBFD-113522 Encrypted
Network Management).

1.2 Intended Audience


This document is intended for:
- Personnel who need to understand the encrypted network management feature
- Personnel who work with Huawei products

1.3 Change History


This section provides information on the changes in different document versions.
There are two types of changes, which are defined as follows:
- Feature change: refers to the change in the encrypted network management feature of a specific
product version.
- Editorial change: refers to the change in wording or the addition of information that was not
described in the earlier version.

Document Issues
The document issues are as follows:
- 01 (2010-06-30)
- Draft (2010-03-30)

01 (2010-06-30)
This is the first release of GBSS12.0.
Compared with issue draft (2010-03-30) of GBSS12.0, issue 01 (2010-06-30) of GBSS12.0 incorporates
the changes described in the following table.

Change Type: Feature change
Change Description: None.
Parameter Change: None.

Change Type: Editorial change
Change Description: Parameters are presented in the form of Parameter ID instead of Parameter Name.
Parameter Change: None.

Draft (2010-03-30)
This is the draft release of GBSS12.0.


2 Overview of Encrypted Network Management


The encrypted network management feature is based on the Secure Socket Layer (SSL) protocol, which
allows the M2000 to set up an SSL-based TCP transmission channel between the M2000 server and an
NE.
With the rapid development of radio networks, telecom operators have higher requirements for the
security of OM transmission. Thus, data encryption on OM channels has become a basic feature of
telecommunications products.
The encryption on OM transmission channels is applied in scenarios such as remote maintenance and
data transmission between the LMT and NEs.
The encryption on GBSS OM transmission channels provides customers with the following benefits:
- Ensuring the security and confidentiality of data transmission over OM channels
- Ensuring the privacy of customers' data
- Reducing the possibility that data is intercepted while being transmitted in plain text


3 Technical Description
3.1 Overview
During data transmission between the M2000 and an NE, most of the data is transmitted as data files,
such as performance data files, log files, configuration data files, and version and batch data files. If
data files are transmitted in the traditional transmission mode (plain text), they are exposed to
unauthorized parties.
With the encrypted network management feature, an SSL-based transmission channel is set up between
the M2000 server and an NE before a TCP link is established. Data is transmitted over the encrypted
channel. Figure 3-1 shows the encrypted network management feature.
Figure 3-1 Encrypted network management

SSL is a protocol that guarantees the security of data transmission. The SSL protocol is applied between
the application layer and the transport layer. It provides the following functions:
- Data encryption
- Identity authentication
- Data integrity check
The SSL protocol provides secure data transmission to upper-layer applications such as web services,
FTP, and Telnet.


The transmission between the M2000 and a BSC supports both normal connection and SSL-based
connection. To ensure the security of data transmission between the M2000 and a BSC, it is
recommended that SSL-based connection be used.

Figure 3-2 shows the flowchart of establishing SSL-based connection between the M2000 and a BSC.


Figure 3-2 Flowchart of establishing SSL-based connection between the M2000 and a BSC

Figure 3-3 shows the flowchart of establishing FTP connection between the M2000 and a BSC.
Figure 3-3 Flowchart of establishing FTP connection between the M2000 and a BSC


Through SSL, the M2000 implements the following functions:


- Setting the connection policy between the M2000 and a BSC
- Setting the SSL authentication policy
- Managing the digital certificates of NEs
- Setting the SSL encryption for FTP

3.2 Setting the Connection Policy Between the M2000 and a BSC
Connection Type
The connection types are as follows:
- Common connection
By default, the connection between the M2000 and a BSC is in common mode.
- SSL-based connection
The SSL protocol is adopted to ensure the security of data transmission between the M2000 and the
BSC. After a BSC is created and accesses the M2000, users can enable the SSL-related functions of
the BSC on the M2000 client.

Setting the SSL Connection Policy


Users can set the SSL connection policy between the M2000 and the BSC on the M2000 client.

3.3 Setting the SSL Authentication Policy


The SSL authentication policy determines whether the ID authentication is performed when the BSC is
connected to the M2000 through SSL. Through the ID authentication, the M2000 determines whether
the information is sent to the correct BSC, thus ensuring the secure transmission of information.
The prerequisites for setting the SSL authentication policy are as follows:
- The certificate is already configured on the M2000. For details on how to configure the certificate, see
section 3.4 "Managing the Digital Certificate."
- The authentication policy becomes valid only when an SSL connection is set up between the M2000
and the BSC.
- The digital certificate has been issued to the BSC and activated.
Table 3-1 describes the parameters for the SSL authentication policy.
Table 3-1 Parameter description
NE name: Name of an NE.
OMC authenticates NEs: Whether the M2000 authenticates the BSC when the SSL connection is set up
between the M2000 and the BSC.
NE authenticates the OMC: Whether the BSC authenticates the M2000 when the SSL connection is set
up between the M2000 and the BSC.


The modes of SSL connections between the M2000 and NEs are as follows:
- Anonymous: select neither of the two options.
- Unidirectional authentication: select only one of the two options, that is, either OMC authenticates NEs
or NE authenticates the OMC.
- Bidirectional authentication: select both options.

3.4 Managing the Digital Certificate


The digital certificate is abbreviated to certificate. It is essential to the PKI. The certificate is a segment of
data that contains the user ID information, user public key information, and the digital signature of the
CA.
The current certificate conforms to the X.509 standard and consists of the following contents:
- Version number of the certificate
- Serial number of the certificate
- ID of the signature algorithm
- Name of the issuing authority
- Validity period
- Certificate owner
- Public key of the certificate

M2000 Certificate
By default, the M2000 is not configured with a digital certificate. If users need to use a certificate, they
need to apply for a certificate from the certification authority (CA) and then manually configure the
certificate for the M2000 server.

The M2000 certificate must be requested from the same CA as the NE certificate.

NE Certificate
The certificates of the BSC are managed by the M2000. Users can import, configure, and query
certificates.
Table 3-2 describes the certificates used by the BSC.
Table 3-2 Certificates used by the BSC
Root certificate: The root CA is the first issuing authority of the public key system. It is the source of all
the trust and uses its private key for signature. The certificate issued by the root CA for itself is the root
certificate. The root CA can create certificates for other CAs. It can also create certificates for other
computers, users, or services. Users can trace the root certificates of most certificate-based applications
through the certificate chain.
Public key certificate: The digital certificate with a public key. To ensure that the public key certificate is
correct, the public key certificate requires the signature of the CA.

Private key file: Part of the private key. To ensure the security of the private key file, users must encrypt
the private key file, so that only the person who knows the password of the private key can use it.
CRL: If the private key of an entity in the PKI is stolen, the public key certificate matching the stolen key
must be added to the certificate revocation list (CRL) and set to invalid. If a certificate owner has ended
the relation with an organization, the corresponding public key certificate must also be added to the CRL.
Certificate chain: To verify a public key, users must obtain the public key of the CA that issued the
certificate and then check the signature on the certificate. The identity of a public key certificate should
be authenticated by the CA of the upper level, so authenticating a public key becomes an iterative
process. As a result, a certificate chain is formed, which ends at the root certificate.

Table 3-3 describes the naming rules of BSC certificates.


Table 3-3 Naming rules of BSC certificates
Root certificate: NE name_RootCA_Date.XXX
Public key certificate: NE name_ClientCer_Date.XXX
Private key file: NE name_ClientPrivKey_Date.XXX
CRL: NE name_CRLFile_Date.XXX

- The root certificate, public key certificate file, and private key file are mandatory for issuing NE certificates.
- XXX refers to the format of a certificate. For details on the formats of certificates supported by NEs, see Table 3-4.

Table 3-4 Formats of certificates that are issued to the BSC and supported by the M2000
Certificate Type Format
Root certificate .cer, .crt, .pem, .pfx, .p12
Public key certificate .cer, .crt, .pem, .pfx, .p12
Private key file .pem, .pfx, .p12
Certificate chain .pem
CRL .cer, .crt, .crl, .pem


- The certificates used by the M2000 and the BSC must be requested from the same CA.
- A password is generated along with the NE private key. Therefore, users need to provide the password when the
M2000 issues the certificate to the BSC.
- If the BSC certificate is not issued by the root CA, a certificate chain file is required.

Importing BSC Certificates


Users can create tasks on the M2000 client to download and activate BSC certificates. After the tasks
are created, the M2000 executes them to issue the certificates to the BSC and activate the
certificates.

- The M2000 server automatically deletes certificate files after it successfully issues them.
- To protect digital certificates from being illegally copied, it is advised that users delete the certificate files saved on the
local M2000 client after they are backed up.
- When importing certificates for a BSC, ensure that the imported certificates consist of the root certificate, public key
certificate, and private key file.

When the BSC communicates normally with the M2000, users can issue a certificate to the relevant BSC
by creating a certificate creation task on the M2000 client.

Querying NE Certificates
When the connection between the BSC and the M2000 server requires an identity authentication, the
associated digital certificates must exist on the BSC. Users can query the digital certificates used by the
BSC on the M2000 client.

Only one set of activated digital certificates exists on the NE. When querying certificates, users can query only the
names of the certificates used by the BSC.

3.5 Setting SSL Encryption for FTP


The FTP connection between the M2000 and the BSC is based on SSL. Users can enable SSL encryption
for the FTP service of the M2000 so that files are transmitted in encrypted mode.

The FTPS encryption is anonymous.


The settings and authentication mode of the SSL connection policy do not apply to the FTPS policy. The two policies
are mutually exclusive.

3.6 Specifications
If both communication parties adopt SSL to transmit data, the communication performance degrades by
20% to 60%. Table 3-5 and Table 3-6 list the hardware configuration of the server and client.
Table 3-5 Hardware of a server
Item Configuration
Server Sun Fire V440
CPU 1.59 GHz x 2
Operating system Solaris 10
RAM 4 GB

Logs -
LAN 100 Mbit/s

Table 3-6 Hardware of a client


Item Configuration
Client Windows XP
CPU Pentium 3.0 GHz, dual core
Operating system Windows XP
RAM 512 MB
Logs -
LAN 100 Mbit/s

Table 3-7 and Table 3-8 list the data transmission performance in TCP mode and SSL mode when the
hardware configuration listed in Table 3-5 and Table 3-6 is used.
Table 3-7 Transmission performance in TCP mode
Data Size (MB) Time (s) CPU Usage (%) Used RAM (MB)
5 0.145439 1.77777778 9.10222
10 0.256535 4.33333333 10.24
100 2.505977 17.4615385 32.29538

Table 3-8 Transmission performance in SSL mode


Data Size (MB) Time (s) CPU Usage (%) Used RAM (MB)
5 0.291336 8.2 13.82400
10 0.5687 18.75 21.76
100 5.771667 29.9500 56.832


4 Parameters
None.


5 Counters
None.


6 Glossary
For the acronyms, abbreviations, terms, and definitions, see the Glossary.


7 Reference Documents
[1] M2000 Commissioning Guide
[2] M2000 Administrator Guide
[3] M2000 Operator Guide
