iDirect Security Best Practices Technical Note
Technical Note
Security Best Practices
August 13, 2012
Copyright © 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited. Information contained herein is subject to change without notice. The specifications and information regarding the products in this document are subject to change without notice. All statements, information, and recommendations in this document are believed to be accurate, but are presented without warranty of any kind, express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand names and products mentioned in this document are the property of their respective owners. All such references are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's rightful owner.
Document Name: TN_Security Best Practices_Rev A_08132012 DRAFT.pdf Document Part Number: T0000468
Revision History
The following table shows all revisions for this document. To determine if this is the latest revision, check the TAC Web page.

Rev   Date Released   Reason for Change(s)           Who Updated?
A     MMM DD, 2012    Initial release of document    JVespoli
Contents

About This Guide (v)
    Purpose (v)
    Intended Audience (v)
    Contents Of This Guide (v)
    Document Conventions (v)
    Getting Help (vi)

Security Best Practices (1)
    Hub and NMS Server Security (1)
        Network Isolation and External Access (1)
        Server Password Security (1)
        Secure Server Connections (2)
        Disabling SNMP on NMS Servers when not Required (2)
        Disabling NMS Config Service on Non-Distributed NMS Servers (2)
        Encryption of Backup Files Before Archiving (2)
    NMS Client Security (3)
        User Passwords and Permissions (3)
        Client Access (3)
        Remote Access (3)
    Console Password Security (3)
    Clearing Data from Decommissioned Remotes and Line Cards (4)
About This Guide

Purpose
This technical note recommends basic security practices to help ensure that all components of iDirect Networks are secure.
Intended Audience
This technical note is intended for iDirect Network Operators and System Administrators responsible for ensuring that iDirect networks are secure.
Contents Of This Guide
This document contains the following major sections:
• “Hub and NMS Server Security”
• “NMS Client Security”
• “Console Password Security”
• “Clearing Data from Decommissioned Remotes and Line Cards”
Document Conventions
This section describes and illustrates the conventions used throughout the document.

Convention: Blue Courier font
Description: Used when the user is required to enter a command at a command line prompt or in a console.
Example: Enter the command: cd /etc/snmp/

Convention: Courier bold font
Description: Used when showing terminal display information such as output from a command or contents of a file.
Example:
crc report all
3100.3235 : DATA CRC [ 1]
3100.3502 : DATA CRC [5818]
3100.4382 : DATA CRC [ 20]

Convention: Bold Trebuchet font
Description: Used when referring to text that appears on the screen on a windows-type Graphical User Interface (GUI). Used when specifying names of commands, menus, folders, tabs, dialogs, list boxes, and options.
Example: 1. If you are adding a remote to an inroute group, right-click the Inroute Group and select Add Remote. The Remote dialog box has a number of user-selectable tabs across the top. The Information tab is visible when the dialog box opens.

Convention: Blue Trebuchet font
Description: Used to show hyperlinked text within a document.
Example: For instructions on adding a line card to the network tree and selecting a Hub RFT for the line card, see “Adding a Line Card” on page 108.

Convention: Bold italic Trebuchet font
Description: Used to emphasize information for the user, such as in notes.
Example: Note: Several line card model types can be configured as receive-only line cards.

Convention: Red italic Trebuchet font
Description: Used when the user needs to strictly follow the instructions or have additional knowledge about a procedure or action.
Example: WARNING! The following procedure may cause a network outage.

Getting Help
The iDirect Technical Assistance Center (TAC) is available to help you 24 hours a day, 365 days a year. Software user guides, installation procedures, a FAQ page, and other documentation that supports our products are available on the TAC webpage. You can access the TAC webpage at: http://tac.idirect.net.

If you are unable to find the answers or information that you need, you can contact the TAC at (703) 648-8151.
Security Best Practices
This technical note recommends basic security practices to help ensure that all components of iDirect Networks are secure. iDirect also recommends implementation of additional security measures over and above these steps as required for your specific network configurations.
Hub and NMS Server Security
An iDirect installation includes a number of Linux servers used to configure and run the networks. These servers include:
• NMS servers for network configuration and monitoring
• Protocol Processor Blade servers to manage network traffic at the hub
• GKD servers to manage and distribute encryption keys
iDirect recommends securing all hub and NMS servers from unauthorized physical access. In addition, iDirect strongly recommends implementing the security measures in the following sections to protect the servers.
Network Isolation and External Access
In addition to limiting physical access to your servers, iDirect recommends isolating all networks from external access to the extent possible. Access to the iDirect servers should be protected behind a commercial-grade firewall. If external access is required, iDirect recommends use of secure private networks.
• For VNO operators, all connections should be established through carefully managed Virtual Private Networks (VPN).
• All iBuilder and iMonitor clients connecting to the NMS over a Wide Area Network (WAN) should do so over a private network or VPN.
Server Password Security
iDirect Servers are shipped with default passwords. At installation, the passwords should be changed from the default on all servers for the following users:
• root
• idirect (iDX Release 2.1 and later)
Thereafter, these passwords should be changed periodically. When selecting new passwords, iDirect recommends that you follow common guidelines for constructing strong passwords.
Secure Server Connections
iDirect recommends using Secure Shell (SSH) for all remote logins to server machines. SSH was designed as a secure replacement for Telnet and other remote shell protocols that do not encrypt data by default. Once an SSH connection is established, Telnet can be safely used to open sessions on the local host. To further improve security, beginning with iDX Release 2.1, iDirect stopped allowing any remote sessions (including SSH) to log on directly to the root account of an iDirect server. Instead, use SSH to log on to a less privileged account such as the idirect account. Then enter su - from the command line to log on as root if root access is required.
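As an added example (not part of the iDirect note), the following POSIX shell check confirms that a server's SSH daemon configuration refuses remote root logons, matching the behaviour described for iDX Release 2.1. It assumes the server runs OpenSSH with the sshd_config syntax and the PermitRootLogin keyword; the note itself does not name the SSH implementation, so that is an assumption.

```shell
#!/bin/sh
# Added example (not from the iDirect note): audit an OpenSSH sshd_config
# for remote root logon. Assumes OpenSSH syntax; the config path is supplied
# by the caller.

# effective_sshd_value CONFIG KEYWORD
# Prints the value sshd would use for KEYWORD in the global section:
# comments and blank lines are skipped, keywords are case-insensitive,
# the first occurrence wins, and everything after the first "Match" block
# is conditional and therefore not counted.
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# check_sshd_no_root_login CONFIG
# Returns 0 only when PermitRootLogin is explicitly "no". An absent keyword
# falls back to the sshd default, which still permits root in some form,
# and key-only variants such as without-password still allow a root session.
check_sshd_no_root_login() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    value=$(effective_sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$value" in
        no) return 0 ;;
        "") echo "PermitRootLogin not set: sshd default applies" >&2; return 1 ;;
        *)  echo "PermitRootLogin is '$value', expected 'no'" >&2; return 1 ;;
    esac
}
```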
Disabling SNMP on NMS Servers when not Required
An SNMP Proxy Agent running on the NMS server provides read access to the iDirect MIB and SNMP traps to an external SNMP Manager. If not used, this service should be disabled on the NMS server that runs the snmpsvr process.
To disable the SNMP service:
1. TBD
2. .....
Need procedure from engineering
Disabling NMS Config Service on Non-Distributed NMS Servers
iDirect recommends disabling the nms_config service on non-distributed NMS servers.
Note: Do not perform this procedure on a distributed NMS. The NMS servers in a DNMS configuration require the nms_config service.
To disable the nms_config service:
1. TBD
2. .....
Need procedure from engineering.
Encryption of Backup Files Before Archiving
iDirect provides a utility that Network Operators can use to back up the NMS databases. Some operators archive the resulting backup files on external storage. iDirect recommends encrypting backup files before copying them to external storage. The Linux gpg command, which is available on the NMS server, is one method that can be used to encrypt the backup files before archiving.
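As an added example (not taken from the iDirect note or the iDirect backup utility), the following POSIX shell function encrypts a backup file with gpg and verifies the ciphertext round-trips before the plaintext is deleted, so a failed encryption never leaves the archive with an unreadable copy as the only copy. It assumes GnuPG 2.1 or later and a root-only passphrase file; the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the iDirect note): encrypt an NMS backup file with
# gpg before it is copied to external storage. Assumes GnuPG 2.1+ (for
# --pinentry-mode loopback) and a passphrase file readable only by root.

# encrypt_backup BACKUP_FILE PASSPHRASE_FILE
# Writes BACKUP_FILE.gpg beside the input, confirms it decrypts to identical
# content, and only then removes the plaintext. Returns 0 on success; on any
# failure the plaintext is kept and the partial ciphertext is discarded.
encrypt_backup() {
    backup="$1"
    passfile="$2"
    [ -f "$backup" ]   || { echo "no such backup: $backup" >&2; return 1; }
    [ -f "$passfile" ] || { echo "no such passphrase file: $passfile" >&2; return 1; }

    # Symmetric AES-256; the passphrase comes from a file rather than the
    # command line so it does not show up in process listings.
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 \
        --output "$backup.gpg" "$backup" || return 1

    # Round-trip check: decrypt to a temp file and compare before deleting anything.
    tmp=$(mktemp) || return 1
    if gpg --batch --yes --quiet --pinentry-mode loopback \
           --passphrase-file "$passfile" \
           --output "$tmp" --decrypt "$backup.gpg" \
       && cmp -s "$backup" "$tmp"; then
        rm -f "$tmp" "$backup"
        chmod 600 "$backup.gpg"
        return 0
    fi
    rm -f "$tmp" "$backup.gpg"
    echo "verification failed; plaintext kept, ciphertext discarded" >&2
    return 1
}
```

Only the resulting .gpg file should be copied to external storage; the passphrase file stays on the NMS server.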
NMS Client Security
iDirect recommends the following measures to ensure secure access to iDirect networks from the iBuilder and iMonitor clients.
User Passwords and Permissions
The NMS clients are preconfigured with the following users:
• admin
• guest
At installation, use iBuilder to change the passwords for these users from their default settings. In addition, iDirect recommends creating NMS users with permissions tailored to the access level requirements of the network operators. Create strong passwords for all such accounts and change them periodically. See the iBuilder User Guide for your release for details on creating users.

Client Access
Access to iBuilder and iMonitor sessions should be strictly controlled. Network operators should always log out of any NMS clients when leaving workstations to prevent unauthorized access.
Remote Access
All remote access by NMS client applications to iDirect networks should be established over secure private networks.
Console Password Security
The following iDirect network elements are pre-configured with a user account and an admin account that allow access to the iDirect applications using a console terminal window.
• Remotes
• Line Cards
• Protocol Processor Blades
At installation, these passwords should be changed from the default on each of these network elements. Thereafter, these passwords should be changed periodically. All of these passwords can be changed in iBuilder by right-clicking the network element; selecting the Modify option from the menu; and applying the changes as required. (See the iBuilder User Guide for details.)
Note: The user and admin console passwords for protocol processor blades are configured at the Protocol Processor level of the iBuilder tree and shared by all blades configured under that Protocol Processor.
Clearing Data from Decommissioned Remotes and Line Cards
iDirect recommends that you execute the zeroize command to erase sensitive data on all decommissioned remotes and line cards before discarding.
1. Open a console session to the remote modem or line card and log on to the admin account.
2. At the command line prompt, enter the following command to remove all secure data:
   zeroize all
If the zeroize command is unavailable, enter the command csp enable. Then execute the zeroize command again. If the command is still unavailable, contact the iDirect TAC.