Security Target for Huawei UGW9811 (V900R010)

yaziz  Diamond  (1)
7 years 6 months ago  View: 5838  Reply: 22
1F

Authentication


The TOE provides Point-to-Point Protocol (PPP) security verification in the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) modes for MS (mobile station) user authentication.


The TOE authenticates users based on individual user IDs and passwords. User IDs are unique within the TOE and are stored in memory together with the associated passwords and other (security) attributes.


A user must enter the correct user name and password to log in to the UGW9811, which prevents unauthorized access to the UGW9811. A user name consists of a maximum of 32 letters and numerals and must start with a letter. The user name is case insensitive.


The authorized administrators are able to configure a system-wide password policy that is then enforced by the TOE.

Besides the minimum length of the password, which can be set to between 6 and 32 characters, administrators have the option to enforce the use of specific character classes (numerals, lower-case or upper-case letters, and special characters).
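The user-name format and the configurable password policy described above, written out as checks. This is an added example, not code from the Security Target or from Huawei: it encodes the stated rules (user names of up to 32 letters and numerals that start with a letter and are compared case-insensitively; a minimum password length between 6 and 32; optional required character classes), while the default set of required classes and the definition of "special character" are assumptions of the example.

```python
"""Credential policy checks for TOE user accounts (added example, not Huawei code)."""
import re
import string
from dataclasses import dataclass
from typing import List

# Starts with a letter, then up to 31 further letters or numerals (32 characters max).
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,31}")


def valid_username(name: str) -> bool:
    """True if the name satisfies the stated user-name format rules."""
    return USERNAME_RE.fullmatch(name) is not None


def normalize_username(name: str) -> str:
    """User names are case-insensitive, so store and compare them in one case."""
    return name.lower()


@dataclass
class PasswordPolicy:
    """System-wide password policy as an administrator could configure it."""
    min_length: int = 8                        # the TOE allows 6..32
    require_numeral: bool = True               # which classes are required by
    require_lower: bool = True                 # default is an assumption here
    require_upper: bool = True
    require_special: bool = True
    special_chars: str = string.punctuation    # assumed meaning of "special"

    def __post_init__(self) -> None:
        if not 6 <= self.min_length <= 32:
            raise ValueError("minimum password length must be between 6 and 32")

    def violations(self, password: str) -> List[str]:
        """Every policy rule the candidate password fails (empty list = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_numeral and not any(c.isdigit() for c in password):
            problems.append("no numeral")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if self.require_special and not any(c in self.special_chars for c in password):
            problems.append("no special character")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)
```

Returning the full list of violations rather than a single boolean lets the operator interface tell the user exactly which rule was missed, which is what a system-wide policy enforced at the TOE needs to do.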


To meet the requirements for assigning rights to different users and to prevent unauthorized access and operations, users are categorized into different levels by role and are assigned the corresponding operation rights.


A user group defines a set of rights for a given user type. A command group is a set of commands. A user group is granted rights via command groups, and a user group may include more than one command group. Commands are classified into command groups, and the command groups are then assigned to users with different authorities, which realizes authority management.


Commands are classified into command groups and command groups are assigned to users with different rights. One command belongs to only one specific command group. The system provides eight predefined command groups. The commands contained in these command groups cannot be modified. This means that a command group to which a command belongs cannot be changed, and rights can be assigned only by specifying command groups.


Access Control


The access control feature enables carriers to manage user authorities to ensure that only authorized users are allowed to operate the UGW9811 within the authorization range, such as adding, modifying, or deleting users, logging in or logging out users, and assigning rights to users.


The access control feature is implemented in three planes: the management plane, the control plane and the end-user plane.


In the management plane, the TOE can enforce account locking for LMT (Local Maintenance Terminal) user access control.


In the control plane, the access control feature includes:


- Different access control policies for subscribers. These policies have different priorities, which ensures that subscribers with a higher priority level have priority access to network resources.


- Control of subscriber capacity and bandwidth. When the number of subscribers or the bandwidth usage reaches the configured maximum, the TOE does not admit new subscribers.


- Denial of session establishment requests from blacklisted SGSNs, MMEs, S-GWs and APNs.


In the end-user plane, the TOE supports:


- Bandwidth management to restrict the maximum bandwidth for a specific service (e.g. P2P) of a subscriber group.


- IP-based ACLs, blacklists and whitelists, and APN-specific packet filtering based on ACLs.


- An anti-spoofing function that checks uplink and downlink user-plane traffic and discards packets with spoofed source IP addresses.


- VRF (virtual routing and forwarding) and VLAN (virtual local area network) functions to separate the different networks from each other and so ensure network security.


Account Locking


The UGW9811 supports a maximum of 16 active sessions for LMT login.


For LMT login, when a user is absent, the account can be locked to prevent unauthorized access to the system.


If an administrator has specified values for the "account valid days", "password valid days", "login start time" and "login end time" parameters for a specific user, the TOE will deny authentication of that user if the number of account valid days has been exceeded, if the password has not been changed within the timeframe specified by the password valid days, or if the user tries to authenticate at a time that lies outside the configured login start time and login end time.
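The three per-user restrictions just described, as a decision function. This is an added example, not code from the Security Target or from Huawei: it models "account valid days", "password valid days" and the "login start time"/"login end time" window; the record layout, the order in which the checks are applied and the treatment of a window that crosses midnight are assumptions of the example.

```python
"""Time-based authentication restrictions per user (added example, not Huawei code)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional


@dataclass
class UserRestrictions:
    created_on: date                            # start of the account validity period
    password_changed_on: date                   # start of the password validity period
    account_valid_days: Optional[int] = None    # None = no limit configured
    password_valid_days: Optional[int] = None
    login_start: Optional[time] = None
    login_end: Optional[time] = None


def in_login_window(start: time, end: time, t: time) -> bool:
    """Inclusive window; if start > end the window wraps past midnight (assumption)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def denial_reason(user: UserRestrictions, now: datetime) -> Optional[str]:
    """None if authentication may proceed, otherwise why the TOE would deny it.

    Checks run in the order the text lists them: account validity, then
    password validity, then the login time window (order is an assumption).
    """
    today = now.date()
    if user.account_valid_days is not None:
        if today > user.created_on + timedelta(days=user.account_valid_days):
            return "account valid days exceeded"
    if user.password_valid_days is not None:
        if today > user.password_changed_on + timedelta(days=user.password_valid_days):
            return "password not changed within password valid days"
    if user.login_start is not None and user.login_end is not None:
        if not in_login_window(user.login_start, user.login_end, now.time()):
            return "outside login start/end time"
    return None
```

The caller passes the current time in explicitly, so the same function can be exercised against historical login records when reviewing the security log as well as at authentication time.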


SGSN/MME/S-GW Blacklist and Whitelist


The UGW9811 supports adding specific IP address ranges of serving GPRS support nodes (SGSNs), mobility management entities (MMEs), and serving gateways (S-GWs) to whitelists or blacklists. The UGW9811 grants access to whitelisted SGSNs, MMEs, and S-GWs and rejects access to blacklisted ones. 


By specifying the SGSNs, MMEs, and S-GWs on which subscribers can be activated, carriers can restrict the service usage or roaming behaviour of subscribers.


The TOE can deny MS session establishment requests from blacklisted SGSNs, MMEs, and S-GWs.
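The whitelist/blacklist decision for SGSN, MME and S-GW addresses, as an added example that is not code from the Security Target or from Huawei. It accepts address ranges either as CIDR blocks or as "first-last" pairs, as the text speaks of IP address ranges; the evaluation order (blacklist first, then whitelist, then a default) and the default-deny setting are assumptions of the example.

```python
"""Peer-node whitelist/blacklist by IP range (added example, not Huawei code)."""
import ipaddress
from typing import List


def parse_range(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn "10.0.0.1-10.0.0.6" or "10.0.0.0/24" into a list of network objects."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        # An arbitrary first-last range is covered by the minimal set of CIDR blocks.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


class PeerAccessList:
    """Admission decision for session establishment requests from SGSNs, MMEs and S-GWs."""

    def __init__(self, default_allow: bool = False) -> None:
        self.whitelist: List[ipaddress.IPv4Network] = []
        self.blacklist: List[ipaddress.IPv4Network] = []
        self.default_allow = default_allow      # default-deny is an assumption

    def whitelist_range(self, spec: str) -> None:
        self.whitelist.extend(parse_range(spec))

    def blacklist_range(self, spec: str) -> None:
        self.blacklist.extend(parse_range(spec))

    def decision(self, peer_ip: str) -> str:
        """Explain the outcome: blacklist entries win over whitelist entries (assumption)."""
        ip = ipaddress.ip_address(peer_ip)
        if any(ip in net for net in self.blacklist):
            return "reject:blacklisted"
        if any(ip in net for net in self.whitelist):
            return "accept:whitelisted"
        return "accept:default" if self.default_allow else "reject:default"

    def session_allowed(self, peer_ip: str) -> bool:
        return self.decision(peer_ip).startswith("accept")
```

Returning a labelled decision rather than a bare boolean gives the security log a reason field for each rejected session, which is what an administrator reviewing roaming restrictions needs.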


IP-based ACL


The TOE supports IP-based Access Control Lists (ACLs) to filter traffic destined to the TOE, which prevents internal traffic overload and service interruption.


The TOE also uses ACLs to identify flows and perform flow control, which protects the CPU and related services from being attacked.


1) Enabling ACLs by associating them with a whitelist, a blacklist or a user-defined flow. This is achieved by interpreting the ACL configuration and storing the interpreted values in memory.


2) Screening and filtering traffic destined to the CPU. This is achieved by downloading the ACL configuration into hardware.


3) Rate limiting traffic based on the screened traffic. This is achieved by downloading the rate configuration into hardware.
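The three ACL functions above (classification into whitelist, blacklist or user-defined flow; screening of traffic destined to the CPU; rate limiting of the screened traffic) in one small software model. This is an added example, not code from the Security Target or from Huawei. Rules match on protocol number, source/destination address and, for TCP/UDP only, source/destination port, the criteria item 8 of the security function management list at the end of the post names. First-match evaluation, default drop and the token-bucket limiter with an explicit clock argument are assumptions of the example; the real TOE downloads these configurations into hardware.

```python
"""IP-based ACL for CPU-bound traffic with rate limiting (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None     # only present for TCP/UDP
    dport: Optional[int] = None


@dataclass
class AclRule:
    name: str
    action: str                     # "permit" (whitelist), "deny" (blacklist), "limit" (flow)
    proto: Optional[int] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any address
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    rate_pps: int = 0               # packets-per-second budget for "limit" rules

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        if self.sport is not None or self.dport is not None:
            # Port criteria are only meaningful for TCP/UDP; other protocols never match them.
            if pkt.proto not in (TCP, UDP):
                return False
            if self.sport is not None and pkt.sport != self.sport:
                return False
            if self.dport is not None and pkt.dport != self.dport:
                return False
        return True


class TokenBucket:
    """Packets-per-second limiter; `now` is passed in so behaviour is deterministic."""

    def __init__(self, rate_pps: int) -> None:
        self.rate = float(rate_pps)
        self.tokens = float(rate_pps)   # start full: a burst of one second's worth
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CpuAcl:
    def __init__(self, rules: List[AclRule]) -> None:
        self.rules = rules
        self.buckets: Dict[str, TokenBucket] = {
            r.name: TokenBucket(r.rate_pps) for r in rules if r.action == "limit"
        }

    def decide(self, pkt: Packet, now: float = 0.0) -> str:
        """Return "forward:<rule>" or "drop:<rule>" for the first matching rule."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "permit":
                return f"forward:{rule.name}"
            if rule.action == "deny":
                return f"drop:{rule.name}"
            ok = self.buckets[rule.name].allow(now)
            return f"{'forward' if ok else 'drop'}:{rule.name}"
        return "drop:default"
```

The limiter is keyed by rule name, so every packet that a user-defined flow classifies shares one budget; a management-plane flood that matches the flow is then trimmed to the configured rate before it reaches the CPU, while permitted management traffic is unaffected.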

Communication security


LMT login to the UGW9811 can use SSL.

The TOE provides a trusted communication channel between the TOE and the SGSNs, MMEs, and S-GWs that are defined in the whitelist.


SSL:


SSL provides the following security services:


- Identity authentication

- Connection privacy

- Data integrity


IPsec


The UGW9811 supports IPsec. IPsec provides two security protocols to ensure the privacy, integrity, authenticity, and anti-replay protection of data packets during transmission: Authentication Header (AH) and Encapsulating Security Payload (ESP). Internet Key Exchange (IKE) can automatically negotiate the key exchange and establish and maintain security associations (SAs), which simplifies the use and management of IPsec.


Auditing


The logs of the TOE include:


1) Operation logs: Operation logs record information about operations performed by users, such as the task name, user name, client IP address, and operation time. An administrator can query for and save user logs based on specified parameters.


2) Security logs: Security logs record all security events, including user login events, user authentication events, and management events.


3) System logs: System logs record system information, including black box information, process status, and OS operating errors. System logs are used to locate and analyse faults.


4) Diagnostic logs: Application software operation logs (DEBUG_LOG) record the operation log information about the OMU software and NE software. The operation log information includes error information and operation information. Application software operation logs are used to commission the application software and locate faults. 


Audit review


Users can query for operation logs and security logs only after an administrator assigns the related rights to them. By regularly checking the logs, an administrator can trace and audit operators' behaviour, detect attacks in time, and take measures such as changing the password or locking the account.

Audit Storage


These logs are stored on the hard disk of the SRU/MPU board of the TOE. Only users who have the G_6 and G_7 rights can access these log files.


Each type of log file defines the maximum number of audit records that can be stored. If the number of audit records in the log file exceeds this maximum, the latest audit record is dropped. If the storage capacity reaches its threshold, the latest log overwrites the earliest log.
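A small model of the audit storage and review rules from this and the preceding section: a per-type record cap where the newest record overwrites the earliest once capacity is reached, and log review gated on the G_6/G_7 rights. This is an added example, not code from the Security Target or from Huawei. Whether a reader needs both groups or either one is not stated, so accepting either is an assumption, as are the record field names.

```python
"""Bounded per-type audit storage with rights-gated review (added example, not Huawei code)."""
from collections import deque
from typing import Deque, Dict, Iterable, List

# Groups the text names as able to access the log files; "either suffices" is an assumption.
LOG_READER_GROUPS = {"G_6", "G_7"}


class AuditStore:
    def __init__(self, capacity: Dict[str, int]) -> None:
        # A bounded deque discards its earliest element when a new one is appended at capacity,
        # which is the "latest log overwrites the earliest log" behaviour of the TOE.
        self._logs: Dict[str, Deque[Dict[str, str]]] = {
            kind: deque(maxlen=n) for kind, n in capacity.items()
        }

    def record(self, kind: str, entry: Dict[str, str]) -> None:
        """Append one audit record of the given type (operation, security, ...)."""
        self._logs[kind].append(dict(entry))

    def count(self, kind: str) -> int:
        return len(self._logs[kind])

    def query(self, kind: str, reader_groups: Iterable[str], **filters: str) -> List[Dict[str, str]]:
        """Return records of `kind` whose fields equal every filter given, earliest first.

        Raises PermissionError unless the reader holds G_6 or G_7.
        """
        if not LOG_READER_GROUPS & set(reader_groups):
            raise PermissionError("log review requires G_6 or G_7")
        return [e for e in self._logs[kind]
                if all(e.get(k) == v for k, v in filters.items())]
```

The filters mirror the "query based on specified parameters" wording for operation logs; constructed records in the test use the task name, user name and client IP fields the text lists.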


Time


The TOE supports its own clock, to support logging and timed log-outs. (FPT_STM.1, FTA_SSL.3)


Security function management


The TOE offers management functionality for its security functions, where appropriate. This is partially already addressed in more detail in the previous sections of the TSS, but includes:


1) User management, including user names, passwords and user group memberships, i.e. the association of users with the corresponding privileged functions.


2) Access control management, including the blacklists.


3) Enabling/disabling and configuring SSL.


4) Enabling/disabling and configuring IPsec.


5) Configuration of session locking when no operation is performed on a user session within a given interval.


6) Configuration of the maximum number of authentication failures allowed within a certain period of time.


7) Configuration of access limits by IP address.


8) Configuration of ACLs based on IP protocol number, source and/or destination IP address, and source and/or destination port number for TCP/UDP.


9) Configuration of APN-specific packet filtering based on ACLs.


10) Configuration of the SGSN/MME/S-GW blacklist and whitelist.

skabir  Medium
7 years 6 months ago
2F
Great post. Thanks.
smonzur  Medium
7 years 6 months ago
3F
Very good post by user.
asaduz.zaman  Medium
7 years 6 months ago
4F
Very useful article. Thanks for sharing.
melahi  Medium
7 years 6 months ago
5F
Great stand up post.
shaharul  Medium
7 years 6 months ago
6F
Very good useful detail.
mostafizur.rahman  Medium
7 years 6 months ago
7F
Great stand up post.
shajjadul.abedin  Medium
7 years 6 months ago
8F
This post deserves to be favorite. Admin please take care.
habib.rahman  Senior
7 years 6 months ago
9F
What a post! Great!
tofael.shovon  Senior
7 years 6 months ago
10F
I love this post. Very useful for my work.