D

Technical Note

AF
T

Security Best Practices

August 13, 2012

AF
T

Copyright 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is
prohibited. Information contained herein is subject to change without notice. The specifications and information
regarding the products in this document are subject to change without notice. All statements, information, and
recommendations in this document are believed to be accurate, but are presented without warranty of any kind,
express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand
names and products mentioned in this document are the property of their respective owners. All such references
are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's
rightful owner.

Document Name: TN_Security Best Practices_Rev A_08132012 DRAFT.pdf

Document Part Number: T0000468

ii

Security Best Practices

Revision History

The following table shows all revisions for this document. To determine if this is the latest
revision, check the TAC Web page.
Reason for Change(s)

MMM DD, 2012

Initial release of document

Who Updated?
JVespoli

Date Released

AF
T

Rev

Security Best Practices

iii

Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

AF
T

Contents Of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Security Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Hub and NMS Server Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Network Isolation and External Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Server Password Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Secure Server Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Disabling SNMP on NMS Servers when not Required. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Disabling NMS Config Service on Non-Distributed NMS Servers. . . . . . . . . . . . . . . . . . . . . . 2

Encryption of Backup Files Before Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

NMS Client Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

User Passwords and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Client Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Console Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Clearing Data from Decommissioned Remotes and Line Cards . . . . . . . . . . . . . . . . 4

iv

Security Best Practices

About This Guide

Purpose
This technical note recommends basic security practices to help ensure that all components
of iDirect Networks are secure.

AF
T

Intended Audience

This technical note is intended for iDirect Network Operators and System Administrators
responsible for ensuring that iDirect networks are secure.

Contents Of This Guide

This document contains the following major sections:

Hub and NMS Server Security

NMS Client Security

Console Password Security

Clearing Data from Decommissioned Remotes and Line Cards

Document Conventions

This section describes and illustrates the conventions used throughout the document.
Convention Description

Example

Blue
Courier
font

Used when the user is

required to enter a
command at a command
line prompt or in a console.

Enter the command:

Courier
bold font

Used when showing

terminal display
information such as output
from a command or
contents of a file.

crc report all

Security Best Practices

cd /etc/snmp/

3100.3235 : DATA CRC [

1]
3100.3502 : DATA CRC [5818]
3100.4382 : DATA CRC [ 20]

Bold
Trebuchet
font

Used when referring to text

that appears on the screen
on a windows-type
Graphical User Interface
(GUI).
Used when specifying
names of commands,
menus, folders, tabs,
dialogs, list boxes, and
options.

1. If you are adding a remote to an inroute group,

right-click the Inroute Group and select Add
Remote.

The Remote dialog box has a number of userselectable tabs across the top. The Information tab is
visible when the dialog box opens.

Blue
Trebuchet
font

Used to show hyperlinked

text within a document.

For instructions on adding an line card to the network

tree and selecting a Hub RFT for the line card, see
Adding a Line Card on page 108.

Bold italic
Trebuchet
font

Used to emphasize
information for the user,
such as in notes

Note:

Red italic
Trebuchet
font

Used when the user needs

to strictly follow the
instructions or have
additional knowledge about
a procedure or action.

WARNING! The following procedure may cause

a network outage.

AF
T

Getting Help

Several line card model types can be

configured as receive-only line cards.

The iDirect Technical Assistance Center (TAC) is available to help you 24 hours a day, 365 days
a year. Software user guides, installation procedures, a FAQ page, and other documentation
that supports our products are available on the TAC webpage. You can access the TAC
webpage at: http://tac.idirect.net.

If you are unable to find the answers or information that you need, you can contact the TAC at
(703) 648-8151.

vi

Security Best Practices

Security Best Practices

AF
T

This technical note recommends basic security practices to help ensure that all components
of iDirect Networks are secure. iDirect also recommends implementation of additional
security measures over and above these steps as required for your specific network
configurations.

Hub and NMS Server Security

An iDirect installation includes a number of Linux servers used to configure and run the
networks. These servers include:

NMS servers for network configuration and monitoring

Protocol Processor Blade servers to manage network traffic at the hub

GKD servers to manage and distribute encryption keys

iDirect recommends securing all hub and NMS servers from unauthorized physical access.

In addition, iDirect strongly recommends implementing the security measures in the following
sections to protect the servers.

Network Isolation and External Access

In addition to limiting physical access to your servers, iDirect recommends that isolation of all
networks from external access to the extent possible. Access to the iDirect servers should be
protected behind a commercial-grade firewall.
If external access is required, iDirect recommends use of secure private networks.

For VNO operators, all connections should be established through carefully managed
Virtual Private Networks (VPN).

All iBuilder and iMonitor clients connecting to the NMS over a Wide Area Network (WAN)
should do so over a private network or VPN.

Server Password Security

iDirect Servers are shipped with default passwords. At installation, the passwords should be
changed from the default on all servers for the following users:

root

idirect (iDX Release 2.1 and later)

Security Best Practices

Hub and NMS Server Security

Thereafter, these passwords should be changed periodically. When selecting new passwords,
iDirect recommends that you follow common guidelines for constructing strong passwords.

Secure Server Connections

iDirect recommends using Secure Shell (SSH) for all remote logins to server machines. SSH was
designed as a secure replacement for Telnet and other remote shell protocols that do not
encrypt data by default. Once an SSH connection is established, Telnet can be safely used to
open sessions on the local host.
To further improve security, beginning with iDX Release 2.1, iDirect stopped allowing any
remote sessions (including SSH) to log on directly to the root account of an iDirect server.
Instead, use SSH to log on to a less privileged account such as the idirect account. Then enter
su - from the command line to log on as root if root access is required.

Disabling SNMP on NMS Servers when not Required

AF
T

An SNMP Proxy Agent running on the NMS server provides read access to the iDirect MIB and
SNMP traps to an external SNMP Manager. If not used, this service should be disabled on the
NMS server that runs the snmpsvr process.
To disable the SNMP service:
1. TBD
2. .....

Need procedure from engineering

Disabling NMS Config Service on Non-Distributed NMS Servers

iDirect recommends disabling the nms_config service on non-distributed NMS servers.
Do not perform this procedure on a distributed NMS. The NMS servers in a DNMS
configuration require the nms_config service.

Note:

To disable the nms_config service:

1. TBD

2. .....

Need procedure from engineering.

Encryption of Backup Files Before Archiving

iDirect provides a utility that Network Operators can use to back up the NMS databases. Some
operators archive the resulting backup files on external storage. iDirect recommends
encrypting backup files before copying them to external storage. The Linux gpg command,
which is available on the NMS server, is one method that can be used for to encrypt the
backup files before archiving.

Security Best Practices

NMS Client Security

NMS Client Security

iDirect recommends the following measures to ensure secure access to iDirect networks from
the iBuilder and iMonitor clients.

User Passwords and Permissions

The NMS clients are preconfigured with the following users:

admin

guest

Client Access

AF
T

At installation, use iBuilder to change the passwords for these users from their default
settings. In addition, iDirect recommends creating NMS users with permissions tailored to the
access level requirements of the network operators. Create strong passwords for all such
accounts and change them periodically. See the iBuilder User Guide for your release for
details on creating users.

Access to iBuilder and iMonitor sessions should be strictly controlled. Network operators
should always log out of any NMS clients when leaving workstations to prevent unauthorized
access.

Remote Access

All remote access by NMS client applications to iDirect networks should be established over
secure private networks.

Console Password Security

The following iDirect network elements are pre-configured with a user account and an admin
account that allow access to the iDirect applications using a console terminal window.

Remotes

Line Cards

Protocol Processor Blades

At installation, these passwords should be changed from the default on each of these network
elements. Thereafter, these passwords should be changed periodically.
All of these passwords can be changed in iBuilder by right-clicking the network element;
selecting the Modify option from the menu; and applying the changes as required. (See the
iBuilder User Guide for details.)
Note:

The user and admin console passwords for protocol processor blades are
configured at the Protocol Processor level of the iBuilder tree and shared by all
blades configured under that Protocol Processor.

Security Best Practices

Clearing Data from Decommissioned Remotes and Line Cards

Clearing Data from Decommissioned Remotes and Line

Cards
iDirect recommends that you execute the zeroize command to erase sensitive data on all
decommissioned remotes and line cards before discarding.
1. Open a console session to the remote modem or line card and log on to the admin
account.
2. At the command line prompt, enter the following command to remove all secure data:
zeroize all

AF
T

If the zeroize command is unavailable, enter the command csp enable. Then execute
the zeroize command again. If the command is still unavailable, contact the iDirect
TAC.

Security Best Practices

AF
T

Clearing Data from Decommissioned Remotes and Line Cards

Security Best Practices

AF
T