Cisco Systems 10200 Adapter and User Security

2-6

Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x

OL-16000-07

Chapter 2 Managing BTS Users and Commands Using EMS

Adapter and User Security

Security is an important part of the BTS 10200. The BTS 10200 has interfaces to customer premise

equipment (CPE) as well as northbound Operations Support System (OSS) interfaces. All of these

interfaces are subject to attacks. In addition, users who are allowed onto the BTS 10200 can also find

ways to exploit applications that can lead to service-affecting situations. Therefore, many precautions

are taken to ensure the solidity of the BTS 10200 defenses while avoiding a system that is difficult to

manage.

Figure 2-1 BTS 10200 Access and Related Security

Adapter and User Security

This section describes requirements that generally involve adapter and user level of security. In the BTS

10200, adapters are any external, northbound interfaces of the BTS 10200. However, some extrapolated

requirements involve adapter technology based on the current deployment:

• Support termination of a session once a provisionable inactivity timeout has occurred. An event

report is issued upon each timeout expiry. The inactivity time ranges from 10 to 30 minutes.

• Restrict access as “root” to the BTS 10200 in all cases except Cisco TAC and customer

“administrator”. This is a broad statement that includes the addition of command-line interface

(CLI) commands to help manage the system. In addition, UNIX services are restricted to harden the

operating system (OS). The service restriction is listed in the Solaris OS Security and BTShard

Package section. The process of restricting root access is an ongoing process.

• Use of “sudo" is acceptable and the formal Sun-built and packaged version is located in

/opt/sfw/bin/.

104705

Cisco BTS 10200

Kernel parameter tuning

User password control and

command authorization UNIX services

(for example

Apache and SSH)

User authentication and authorization

BTS applications and third-party software

Solaris kernel and IP stack

OSS Network

NMS/NOC User Access for OAM&P

VoIP Network Gateway Access for IAD or PSTN

Contents

Main Page CONTENTS Page Page Page Page Page Preface Organization Document Change History Obtaining Documentation and Submitting a Service Request Page Page Starting and Shutting Down the BTS Meeting Power Requirements Starting BTS Hardware Shutting Down BTS Hardware Starting BTS Software Page Page Managing BTS Users and Commands Using EMS Logging into the EMS Using CLI Managing Users Page Page Managing Commands Adapter and User Security Solaris OS Security and BTShard Package Page Page Operator Interface Vulnerabilities in H.323 Message Processing Authentication, Authorization and Accounting Support Pluggable Authentication Module Support User Security Account Management Sun Microsystems Configurations Page Solaris OS Patches Trace Normal Forms (TNF) Support XML Libraries Device GLM Patch Security CE Patch Security Bad_Trap Patch Java SDK Patches Page Monitoring and Backing Up the BTS Detecting and Preventing BTS Congestion Monitoring BTS Hardware Checking BTS System Health Using BTS System-Health Reports Checking BTS System Time Checking the OS Log of Each Host Machine Checking Disk Mirroring on Each Host Machine CA/FS Side A CA/FS Side B EMS Side A EMS Side B Auditing Databases and Tables Exporting Provisioned Data 3-9 Limitations Creating Numbering Resource Utilization/Forecast (NRUF) Reports Creating Reports for Nonrural Primary and Intermediate Carriers Creating Reports for Rural Primary and Intermediate Carriers Page Page Backing Up the Software Image Full Database Auditing Checking Shared Memory From CA/FS Side A From CA/FS Side B Backing Up the Full BTS Backing Up the CA/FS Backing up the EMS/BDMS Backing up the EMS Database Using FTP to Setup File Transfer Using SFTP to Setup File Transfer Page Archiving Your Database Examining Heap Usage Checking the DNS Server Log Archive Facility (LAF) Secure Transfer of Files Other Capabilities Provisioning LAF Example 1 Example 2 Example 3 Setup Non-Interactive SSH Login to External Archive Server Adding Static Routes LAF Alarm Information Moving Core Files Page Operating the BTS Managing Subscribers Page Page Page Viewing Calls Using Status and Control Commands Page Using Show and Change Commmands Using ERAC Commands Page Page Managing Transactions Scheduling Commands Limitations Page Managing External Resources Viewing BTS System-Wide Status Page Managing Trunk Groups and Trunks Page Page Page Page Page Page Page Page Managing Subscriber Terminations Page Page Page Managing Gateways Page Managing Other External Resources Page Learning External Resource Dependencies Page Page Page 5-24 Source Token 5-25 5-26 Figure 5-3 ISDN Administrative and Operational Maintenance States for a Trunking Gateway 5-27 GigE Support Prerequisites Provisioning the GigE Interface Page Page Using BTS Measurements Using Measurements Learning the Measurement Types ISDN Measurements Page Page Call Processing Measurements Page Page Page Page Page Page MGCP Adapter Measurements DQoS Measurements SIP Measurements Page Page Service Interaction Manager Measurements POTS Local FS Measurements Page Page Page Page Page POTS Application Server Measurements POTS Miscellaneous FS Measurements Page POTS Class of Service FS Measurements POTS Screen List Editing FS Measurements POTS Customer Originated Trace FS Measurements POTS Automatic Callback, Recall, and Call Return Measurements Page POTS Limited Call Duration (Prepaid/Postpaid) with RADIUS Interface to AAA Measurements POTS Call Forwarding Combination Measurements AIN Services FS Measurements Page SCCP Protocol Measurements Page TCAP Protocol Measurements Page Page Page SUA Measurements Page M3UA Protocol Measurements Page SCTP Measurements Page Page IUA Measurements Page ISUP MeasurementsI Page Page Page 6-50 6-51 ISUP (ANSI) Measurements Page Page ISUP (France) Measurements ISUP (Poland) Measurements ISUP (ITU-China) Measurements Page Page ISUP (ITU-Mexico) Measurements Page ISUP (ITU-HongKong) Measurements Page Audit Measurements SIP Interface Adapter Measurements Page Call Detail Block Measurements Page Event Messaging Measurements Dynamic QoS Measurements PCMM Measurements SNMP Protocol Measurements Trunk Group Usage Measurements Page Page Announcement Measurements H.323 Protocol Measurements Page Page Page Call Tools Measurements AIN Tools Measurements PCT Tools Measurements CPU Usage Measurements Memory Usage Measurements Disk Usage Measurements Network I/O Usage Measurements Page System Load Usage Measurements Disk I/O Usage Measurements ENUM Measurements Diameter Message Counters Single Number Reach Counters Using the BTS SNMP Agent Managing User Access to the SNMP Agent Viewing SNMP Trap Reports Page Viewing and Managing BTS Components Page Querying the SNMP Agent Enabling NMS to Query/Poll Solaris SNMP Agent Page Page APPENDIX A Feature Tones Tones per Feature Page Page request when Page Tone Frequencies and Cadences Page Page APPENDIX B FIM/XML Understanding the Configurable FIM/XML Feature Advantages of the FIM/XML Tool Tool Requirements Writing an External FIM/XML File Defining Features Elements in the External FIM/XML File Define Element Precedence-Exception Element Inhibit Others Element Inhibit Me Element Response Profile Element Error Operation Installing the FIM/XML File Using the Offline FIM/XML Tool Page FIM/XML File and Shared iFC File Features Defined in FIM/XML and Shared iFC Provisioning iFC Defining a New feature as the Originating Feature Defining a VSC Defining the SIP Trigger Profile Feature Configuration Feature Restrictions and Limitations