1 Introduction
This document describes the security functions implemented by the Multimedia Telephony Application Server (MTAS). It also describes the security-related procedures that can be performed by the system administrators.
The MTAS is a telephony application server that is to be deployed as a virtualized network element in an IP Multimedia Subsystem (IMS) network. This deployment is referred to as a Virtualized Network Function (VNF). For details about MTAS, the supported functionality, and the nodes it communicates with, refer to vMTAS 1 Technical Product Description Common Features.
1.1 Prerequisites
This section describes the prerequisites: the conditions and information required for performing security management on the MTAS.
1.1.1 Conditions
Before performing the procedures in Section 3.1 Procedures, ensure that the following conditions are met:
- The MTAS VNF has already been installed and initially configured. The initial configuration includes the necessary settings for the authentication of Northbound Interface (NBI) users to a Lightweight Directory Access Protocol (LDAP) server and their authorization.
- The intended software level to be run in the MTAS is installed. The release information can be found in delivery reports, delivery specifications, delivery notes, release notes, or correction notes.
- The user has the required access privileges, and the required usernames and passwords are known.
1.2 Environment
This section describes the environment requirements for product operations.
MTAS belongs to the core network and does not face access networks directly. In addition, the system is to be deployed behind a firewall, which offers protection from external attacks.
MTAS is placed in the Service & Control Virtual Private Network (VPN) group, which includes Network Functions handling signaling traffic without a direct connection to external networks. This group uses the following VPNs for connecting the IMS Network Nodes:
- The Signaling Service Control VPN for signaling traffic to and from other IMS Network Nodes.
- The Operation and Maintenance Service Control VPN for Operation & Maintenance (O&M) traffic for IMS Network Nodes in the group. This also includes Charging (Ro/Rf) and Provisioning (CAI3G) traffic.
For more details, refer to MTAS Internal and External Connectivity.
2 Product Security Functionality
The following security functionality is supported in the product:
- Authentication
- Authorization
- Accountability
- Integrity
- Confidentiality
2.1 Authentication
2.1.1 O&M User Authentication
MTAS supports Local and Centralized O&M password-based user authentication, refer to:
2.1.2 Mutual Authentication of Communication Channel Peers
MTAS supports certificate-based mutual authentication for:
- LDAP over Transport Layer Security (TLS), between MTAS and LDAP server, refer to Certificate Management.
- IKEv2 during the establishment of the IPsec Security Associations, between MTAS and any peer, refer to eVIP Management Guide.
2.2 Authorization
2.2.1 O&M User Authorization
Authorization is the capability to validate whether the logged-in user is allowed to perform a certain operation on a certain Managed Object (MO). The authorization is role-based, that is, the logged-in user is mapped to a role, and each role has one or several rules defining the access rights to an MO.
The user management principles, user administration, and user roles are described in User Management.
2.3 Accountability
The Audit Log function allows the operator to track operator access to the system and the actions performed on resources such as files, directories, managed objects, and attributes.
The log allows audits to be performed to detect fraudulent use or misuse of the operations performed on the nodes.
For details, refer to Audit Logs.
2.4 Integrity
2.4.1 Node Integrity
- Verification/protection of the integrity of the system configuration files.
- Node integrity protection prevents unauthorized modification of the selected files/folders.
- O&M Roles and Rules provide integrity protection by role and target based access control.
2.4.2 Communication Integrity
- Integrity protection of O&M traffic (including charging data records, backups, and logs).
- Integrity protection of signaling traffic.
- TLS provides integrity protection.
2.5 Confidentiality
2.5.1 Communication Confidentiality
- Confidentiality protection of O&M traffic (including charging data records, backups, and logs).
- Confidentiality protection of signaling traffic.
- TLS provides confidentiality and integrity protection, and mutual authentication of the peers.
- NETCONF is protected using Secure Shell (SSH); TLS can also be used.
- LDAP is protected using TLS, both for provisioning requests and for access to an external LDAP authentication and authorization server.
- CAI3G for provisioning is protected using TLS.
- Signaling traffic such as Session Initiation Protocol (SIP) and Diameter can be protected by IPsec tunnels, with authentication and encryption of each IP packet in a communication session.
3 Security Configuration
This section describes how to operate the security functionality of the product.
3.1 Procedures
This section provides the instructions for operating the security functionality of the product.
3.1.1 Hardening
Perform hardening of the MTAS node according to the procedures described in MTAS Hardening Guide.
This includes:
- Allow or block ports for all listening services.
- Change default passwords, including the predefined root password, which may be known to many people.
- Disable root access through the NBI; remote logon for the root user is enabled by default.
- Enable strong password enforcement.
- Force password change and aging.
- Configure the Command-Line Interface (CLI) inactivity timer.
- Create an emergency user; at least one emergency user must be configured in the system.
- Delete unused local Linux® accounts; if additional users were created during installation and are not to be used, they must be deleted.
- Block Network File System (NFS) against access from external networks.
The operator may have its own security policies, in which case the node must be hardened according to the operator's requirements, for example by defining specific secure protocols or ports other than the default ones.
After the hardening activities have been performed, create a backup of the system. It is also recommended to upload the backup to external storage.
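The following script is an added example, not part of the MTAS Hardening Guide: it verifies a few of the hardening steps above (root remote logon disabled, password aging enforced, only allowed ports listening, Telnet/FTP closed) on a Linux node. It assumes standard OpenSSH sshd_config and shadow-utils login.defs syntax, and the port allow list is built from the Muta MIP O&M ports in Table 1 (830, 6513, 22, 161); the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the MTAS Hardening Guide): post-hardening checks.
# Assumes OpenSSH sshd_config and shadow-utils login.defs syntax; the allow
# list holds the Muta MIP O&M ports from Table 1 (830, 6513, 22, 161).

# 0 when sshd_config turns off remote root logon (enabled by default per the guide).
check_root_ssh_disabled() {
  grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# 0 when PASS_MAX_DAYS is set in login.defs and does not exceed $2 (default 90).
check_password_aging() {
  max=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$1")
  [ "$max" -gt 0 ] && [ "$max" -le "${2:-90}" ]
}

# 0 when every listening port (one per line in $1) is in the allow list $2;
# otherwise prints the unexpected ports and returns 1.
check_listening_ports() {
  unexpected=$(sort -u "$1" | grep -vxF -f "$2" || true)
  [ -z "$unexpected" ] || { echo "unexpected listening ports: $unexpected"; return 1; }
}

# 0 when neither FTP (21) nor Telnet (23) is among the listening ports in $1.
check_insecure_ports_closed() {
  ! grep -qxE '21|23' "$1"
}

# Runs all checks; the return value is the number of failed checks.
run_checks() {
  fails=0
  check_root_ssh_disabled "$1"     || fails=$((fails + 1))
  check_password_aging "$2"        || fails=$((fails + 1))
  check_listening_ports "$3" "$4"  || fails=$((fails + 1))
  check_insecure_ports_closed "$3" || fails=$((fails + 1))
  return "$fails"
}

# Constructed sample inputs (a hardened set and a default-like set) for an offline run.
WORK=$(mktemp -d)
printf 'Port 22\nPermitRootLogin no\n'       > "$WORK/sshd_hardened"
printf 'Port 22\nPermitRootLogin yes\n'      > "$WORK/sshd_default"
printf 'PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\n' > "$WORK/login_defs_ok"
printf 'PASS_MAX_DAYS 99999\n'               > "$WORK/login_defs_default"
printf '830\n6513\n22\n161\n'                > "$WORK/allow"
printf '22\n830\n6513\n161\n'                > "$WORK/ports_ok"
printf '22\n830\n23\n8080\n'                 > "$WORK/ports_bad"

run_checks "$WORK/sshd_hardened" "$WORK/login_defs_ok" "$WORK/ports_ok" "$WORK/allow" \
  && echo "hardened sample: all checks passed"
```

On a real node, pass the live sshd_config and login.defs and a one-port-per-line listing of the node's listening sockets instead of the sample files.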
3.1.2 Authentication and User Management
Create users and user groups, and assign privileges to a group.
Always use personal accounts instead of shared or generic user accounts.
The MTAS has five predefined default roles. These roles, and the corresponding rules, cannot be modified:
- System Administrator
- System Security Administrator
- MTAS Application Administrator
- MTAS Application Security Administrator
- MTAS Application Operator
LDAP must be configured with the strongest possible ciphers.
For details on LDAP Authentication and Local Authorization, and Roles/Rules refer to User Management.
3.1.3 Audit Trails
The audit log enables logging and tracking access to files, directories, and resources of the system, as well as tracing system calls. It enables monitoring of the system for application misbehavior or code malfunctions.
For information about where to find the audit and syslog log files, and how to read them, refer to Audit Logs.
3.1.4 MTAS Configuration for Provisioning LDAP
There are provisioning-related MOs that are not accessible through the normal NBI; a provisioning LDAP connection is used instead.
The procedures for setting up the LDAP connection using Secure Socket Layer (SSL) / Transport Layer Security (TLS) are described in MTAS Configuration for Provisioning LDAP.
3.1.5 MTAS Configuration for XDMS
The XDMS function supports a secured CAI3G interface to allow the operator to manage subscriber data in an encrypted and authenticated way.
The authentication of the MTAS is enabled by a trusted certificate.
The operator can perform operations on the CAI3G certificate; refer to MTAS XDMS Management Guide.
3.1.6 Change Logon Banner
By default, no information is shown to the user when logging on using the CLI. The operator can define its own customized greeting or legal message to be shown when a user logs on through the CLI.
The system provides the file /cluster/etc/motd, in which a text message can be created that is then displayed when a user logs on to the system through the CLI.
3.1.7 IPsec Support
If there are requirements to protect signaling traffic, for example SIP or Diameter (when transferring charging or malicious call tracing data), IPsec tunnels can be used.
The procedures for setting up IPsec tunnels to protect signaling traffic are described in eVIP Management Guide.
3.1.8 H.248
For H.248, there is a configured white list of supported MIDs.
If the Media Resource Function Processor (MRFP) uses any MID other than those configured in MTAS, the Stream Control Transmission Protocol (SCTP) link to it is closed down; refer to Managed Object Model (MOM).
3.2 Recommended Periodic Operations
This section describes recommended periodic operations.
The product has to be properly hardened before it is taken into use. Nevertheless, it is important that the daily operations on the product are performed in such a way that the security status of the product is not weakened.
New vulnerabilities which need to be mitigated are frequently found in the existing products. Therefore it is necessary to maintain the security posture of the product in service on a regular, ongoing basis.
The recommended periodic security-related operations are the following:
- Ensure that the latest software version is installed. It is recommended to get the latest available Emergency Package (EP) version of the MTAS.
- Ensure that Audit Logging is turned on and working.
- Regularly perform housekeeping of unused or obsolete software bundles and backups stored on the node.
- Regularly perform system backups.
- Regularly export backups to external storage.
- Regularly export logs to external storage.
- Regularly fetch Performance Management (PM) data from the MTAS and store externally.
- Regularly check the TLS certificates to ensure that they do not expire.
- Run password checkers periodically to find weak passwords.
- Monitor the file system integrity periodically, either manually or as a scheduled task.
- Ensure that no unnecessary listening ports are open.
- Ensure that the ports for the insecure protocols Telnet and File Transfer Protocol (FTP) are closed.
- Ensure that no shared user accounts are used.
- Ensure that administrative user rights are assigned only where genuinely needed.
- Run password checkers periodically with word lists to find weak passwords.
- Regularly check audit logs for potential security events. Check anything that could be considered unusual according to the operator's traffic model, as well as error cases such as authentication failures, excessive user activity, or too many dropped or rejected sessions.
- Regularly analyze log data and counters to reconsider the chosen security-related attributes.
- Monitor the following counters to detect unauthorized access:
- MtasXdmsCai3gLoginOk
- MtasXdmsCai3gLoginNOkI
- MtasXdmsCai3gLoginNOkE
- MtasMrfcRejectedRegistration
- MtasSipPresenceInvalid
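As an added example (not from the MTAS documentation), the script below scans exported PM data for collection intervals in which CAI3G logon failures stand out against successes, which is the kind of review the counter list above calls for. The CSV layout is an assumption, as is reading MtasXdmsCai3gLoginNOkI and MtasXdmsCai3gLoginNOkE as counts of unsuccessful logons; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the MTAS documentation. Flags PM intervals where
# CAI3G logon failures are abnormal. Assumptions: CSV columns
# "interval,MtasXdmsCai3gLoginOk,MtasXdmsCai3gLoginNOkI,MtasXdmsCai3gLoginNOkE",
# with the two NOk counters read as unsuccessful logons.

# Prints "interval failures total ratio" for every interval whose failed logons
# exceed $2 (default 10) and whose failure ratio exceeds $3 (default 0.2).
flag_cai3g_intervals() {
  awk -F, -v min_fails="${2:-10}" -v max_ratio="${3:-0.2}" '
    NR == 1 { next }                       # header line
    {
      fails = $3 + $4                      # NOkI + NOkE
      total = $2 + fails                   # Ok + failures
      ratio = (total > 0) ? fails / total : 0
      if (fails > min_fails && ratio > max_ratio)
        printf "%s %d %d %.2f\n", $1, fails, total, ratio
    }' "$1"
}

# Number of flagged intervals, usable as an alarm condition in a scheduled job.
count_flagged() {
  flag_cai3g_intervals "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample: 15-minute intervals; the third and fourth show a burst of
# failed logons against few successes, the others show normal background noise.
PM_CSV=$(mktemp)
cat > "$PM_CSV" <<'EOF'
interval,MtasXdmsCai3gLoginOk,MtasXdmsCai3gLoginNOkI,MtasXdmsCai3gLoginNOkE
2024-01-01T00:00,120,2,1
2024-01-01T00:15,118,5,0
2024-01-01T00:30,40,30,25
2024-01-01T00:45,2,60,0
2024-01-01T01:00,130,4,2
EOF

flag_cai3g_intervals "$PM_CSV"
```

The thresholds are starting points; tune them against the operator's traffic model so that the normal failure rate of the CAI3G clients does not trigger the check.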
3.3 Handling of Patches
This section describes handling of patches.
Patches are delivered in the form of Emergency Packages (EPs). The process to load EPs is described in the upgrade instruction for the relevant MTAS EP.
4 Default Parameter Values
Not applicable.
5 Services, Ports, and Protocols
The services, ports, and protocols that are used by the product are listed in Table 1.
For details on IP Address Types and Ports, refer to MTAS Hardening Guide.
| Service or Interface Name | Protocol | IP Address Type | Port | Transport Protocol | IP Version |
|---|---|---|---|---|---|
| | | Muta MIP | 830 | | |
| | | Muta MIP | 6513 | | |
| | | Muta MIP | 22 | | |
| | | Muta MIP | 161 | | |
| | | SC-1 IP, SC-2 IP | 22 | | |
| | | Muta MIP | 22 | | |
| LDAP Provisioning | LDAP(S) | | 7323, 17323, 7423 (S), 17423 (S) | | |
| | CAI3G / SOAP/HTTP(S) | | 8095, 8443 (S) | | |
| Ut | Ut / XCAP | Ut VIP | 8090 | | |
| CCMP | CCMP / HTTP | | 8096 | | |
| | | Traffic VIP | 5060, 5082-5088, 5160-5163 | TCP/UDP | |
| Ma | | Traffic VIP | 5060, 5090 | TCP/UDP | |
| Pw | | Traffic VIP | 5086 | TCP/UDP | |
| Mp | H.248 | Traffic VIP | 2944 | | |
| Cr | SOAP/HTTP | Traffic VIP | 9080 | | |
| Px | SOAP/HTTP | Traffic VIP | 9080 | | |
| Sh / Dh | Diameter | Traffic VIP | 3868–3872 | | |
| Rf / Ro | Diameter | | 3868–3872 | | |
| | Diameter | Traffic VIP | 3868–3872 | | |
| CAPv2 / MAP | CAPv2 / MAP | SIGTRAN VIP1, SIGTRAN VIP2 | 2905 | | |
6 Privacy
MTAS handles personal subscriber data to be able to provide services in the network. The data of the subscribers is handled properly and the product supports different measures to protect the privacy of the subscribers. The personal data is listed in Table 2.
6.1 Notice
This product processes personal information and it can have an impact on the right to privacy of the data subjects (for example, subscribers), whose data is processed.
When operating this product, ensure that personal information processing is performed in a fair and lawful manner, and in accordance with the local data protection regulation in force. This can be achieved by providing notice to subscribers of the operator’s privacy policies, for example at the moment of establishing the subscription.
6.2 Consent
This product can process personal data that can be considered sensitive information, such as network location, in addition to basic personal data.
The local data protection regulation where the node is operated can require obtaining subscriber consent to process this kind of personal information. Such consent must be obtained in order to:
- Collect and maintain the personal data of the subscriber, and hold this information securely.
- Fulfill the purpose of installing, upgrading, and administering the MTAS.
  The system can be required to activate trace information. The purpose of these traces is only for troubleshooting. Depending on the required information (level of the trace), it can contain personal data.
- Disclose the personal information to third parties.
6.3 Classification of Personal Data
Table 2 lists the personal data handled by the MTAS.
| Personal Data Category | Data Item | Comments |
|---|---|---|
| Basic data | IP-Address | |
| | IMEI code | |
| | Mobile number | |
| | First name | |
| | Last name | |
| Mobile Device Serial Number | IMEI | |
| Logon details | SCC pin | |
| Sensitive data | Call history | |
| | Connection history | |
| | Metadata showing user activity | |
| | Tracing information | |
| | Location history | |
| | Location: LAC / CellID | |
| | Malicious call history | |
| | Barred calling subscribers (Black list) | |
| | Diversion numbers | |