
Page 1: NSP Security Concepts Date issued February 2007 Document reference & release version TR-IAS-22-03 - Ed 1.6 These presentation materials describe Tekelec's

NSP Security Concepts

Date issued February 2007

Document reference & release version

TR-IAS-22-03 - Ed 1.6

These presentation materials describe Tekelec's present plans to develop and make available to its customers certain products, features and functionality. Tekelec is only obligated to provide those deliverables specifically included in a written agreement signed by Tekelec and customer.

Training documentation

Notes

1

Page 2

NSP Security Training Manual

This Training Manual is in accordance with Tekelec NSP issued February 2007.

Copyright

© 2006 TEKELEC France. All rights reserved

In accordance with its policy of constant product improvement, TEKELEC France reserves the right to change the information in this manual without notice. No part of this manual may be photocopied or reproduced in any form without the prior written permission of TEKELEC France.

Software license notice

Your license agreement with TEKELEC France specifies the permitted and prohibited uses of the product. Any unauthorized duplication or use of Tekelec NSP, in whole or in part, in print or in any other storage and retrieval system, is prohibited.

Trademarks

All product names mentioned are trademarks of their respective owners.

Tekelec France

Headquarters: Le Meltem, 2 allée des Séquoias, 69578 Limonest Cedex (France). Tel: +33 4 3749 7530, Fax: +33 4 3749 7575

Mulhouse Office: Parc de la Mer Rouge, 20E rue Salomon Grumbach, 68059 Mulhouse Cedex (France). Tel: +33 3 8933 4900, Fax: +33 3 8933 4939

Paris Office: 60 avenue du Centre, 78180 Montigny le Bretonneux (France). Tel: +33 1 6137 0210, Fax: +33 1 6138 3173

E-mail: [email protected] Website: www.tekelec.com


Page 3

Class outline

• This class is intended to provide you with a full introduction to NSP Security as well as an understanding of its basic concepts and operations.

• The Class Outline includes the following sections:

- About the Class: Training objectives

- Introducing NSP: General architecture, NSP functional key points

- NSP security Concepts: NSP security features, Families, Security concepts

- Privileges: Privileges groups, Feature access example, Authorizations

- Privacy: Why Privacy?, Privacy rights for objects

- Security Policy

- NSP security Learn more: NSP security concepts and configuration, Why Users, Groups and roles, Security Policy example, Security implementation

- Lesson review


Page 4

Purpose of NSP

• NSP was conceptualized as a software framework

- Provides a reusable set of common features

- Well documented APIs and How-Tos

• NSP facilitates the building of business solutions and products

- For Tekelec-CSSG business applications

- NSP developed once, applications developed everywhere

• It is based on a J2EE architecture

- Scalability, reliability, portability

- Development focused on business

• NSP allowed the creation of a coherent central configuration database

- Configuration is applied locally from the central database.

• All applications running on NSP have a web based GUI

- No installation needed on the client side


Page 5

Training objectives

• After this training you will be able to:

- Know the main concepts of the security in NSP

- Know the concepts of Privileges, Profile and Privacy

- Know the Security Policy recommendation


Page 6

Introducing NSP


Page 7

General architecture

(Diagram: Workstations, the Weblogic & Oracle server, the Maintenance web browser and the Acquisition System, connected over a LAN / WAN based on IP.)


Notes

• Acquisition system

All the IAS core parts: acquisition servers (MSW, …), xDR processing servers (ICP, ProTraq, …), storage servers (DataServer, xDR DataWarehouse, …)

• Weblogic & Oracle server

This is the main NSP server: Weblogic is the framework for the NSP platform, while the Oracle database contains all its configuration.

• Workstations

End-user computers with a web browser installed

• Maintenance web browser

Either one of the end-user computers or a separate one; it only needs a web browser.


Page 8

NSP functional key points

• Centralized Configuration

- No data entered twice

- Consistency guaranteed

- Applied to remote applications

- Automatic mechanism to discover existing configurations

• Security management

- Authentication: verification of users’ identity

- Authorization: access control to resources

- Confidentiality: privacy to protect sensitive data

• Monitoring

- List of system alarms bundled as a feature of NSP

• Main IAS business applications exist on NSP

- xDR Browser, ProPerf, ProTraq configuration, ProAlarm, Alarms Forwarding…

- Full set of applications for everyday business


Page 9

NSP security Concepts


Page 10

NSP security features

• Purpose of the NSP security features:

- Authentication: identity verification part. Makes sure the user is who he claims to be.

- Authorization: feature access control and Privileges part. Makes sure that each feature is only granted to the users who have the privilege for it.

- Confidentiality: data Privacy part. Makes sure each piece of data is only available to the users who have the rights to access it.


Notes

3 security aspects:

• Authentication: part of user and password management

• Authorization: part of access control to NSP functionalities

- for example: access to an application (ProTraq, …), or to a specific application feature (create new ProTraq configurations, …)

• Confidentiality: part of access control on DATA (same principle as authorization but on data objects)

- for example: access control on each DataServer session, on ProTraq sessions, …


Page 11

Families

• According to the privileges associated with each user, three different families of applications are available from the NSP Portal:

- Business Family

- Configuration Family

- Monitoring Family


Notes

3 application families are accessible depending on users’ privileges:

• Business: all NSP end-user applications are located in this area; this includes xDR Browser (formerly ProScan), ProPerf graphs, ProTraq statistics, …

• Configuration: this part contains all the tools to configure the IAS platform: links monitored, xDR sessions and ProTraq configurations, Alarms configuration, …

• Monitoring: this part is only intended for NSP administrators and permits checking the internal logs (both applicative and system logs)

Access to these areas is granted according to the users’ Privileges.


Page 12

Security Concepts

• With NSP it is possible to manage the access to

- The features (through Privileges)

- The data (through Privacy)

• To use NSP applications and data

- Users are created

- Each user is defined by

  - Login/password to access the NSP

  - A Profile: one or more privileges, one or more privacies


Page 13

Security Concepts

(Diagram with three columns, CONCEPTS, WEBLOGIC and NSP: a User has a Login, a Password and a Profile; the Profile carries Privileges, which map to the roles NSPBusinessXXX, NSPConfigurationXXX or NSPMonitoringXXX, and one or more Privacy roles; Privacy roles are declared in NSP and allow objects to be shared.)


Page 14

Privileges


Page 15

Privileges Groups

• Access to the features

- 3 NSP families exist: Business, Configuration and Monitoring

  - Business group gives the possibility to use completely or partially xDR Browser, ProPerf and ProAlarm Viewer

  - Configuration group gives the possibility to use completely or partially xDR Browser, ProPerf, ProTraq, ProAlarm Configuration and System configuration

  - Monitoring group gives the possibility to use System alarms and Log Viewer

- For each features group, 3 levels are defined with different privileges

  - User: basic User, can only use the system for exploitation

  - Power user: User with more privileges than the User

  - Manager: Manager of the family (Business, Configuration, Monitoring)

- Plus one Administrator: Administrator of the NSP platform (can do anything, can view anything)


Page 16

Privileges groups

Administrator

Business          | Configuration          | Monitoring
BusinessManager   | ConfigurationManager   | MonitoringManager
BusinessPowerUser | ConfigurationPowerUser | MonitoringPowerUser
BusinessUser      | ConfigurationUser      | MonitoringUser


Notes

Each family has 3 levels of Privileges and, with Administrator, there are 10 different ones:

• Administrator

• Business Users, Business Power Users, Business Managers

• Configuration Users, Configuration Power Users, Configuration Managers

• Monitoring Users, Monitoring Power Users, Monitoring Managers


Page 17

Features access example

• Example of functions access control:

- Creation of queries in xDR Browser requires the BusinessPowerUser Privilege

- So a BusinessPowerUser and above (BusinessManager, Administrator) can create queries in xDR Browser

- But a BusinessUser can’t create filters; he can only list and execute queries.

- The features from a lower level Privilege are all granted to the upper level Privilege

(Diagram, xDR Browser: BusinessUser has List & Execute queries; BusinessPowerUser has List & Execute queries and Create; BusinessManager inherits all of these.)


Page 18

Authorizations for Business Family

Privilege columns of the original grid: BusinessManager, BusinessPowerUser, BusinessUser (the per-level marks are not reproduced).

Application     | Component      | Functionality
xDR Browser     | Sessions       | List, HyperLink (Execute)
xDR Browser     | Queries        | List, Edit, Add, Delete, HyperLink (Execute)
xDR Browser     | Results        | Add (Upload), HyperLink (Download), Delete
xDR Browser     | Roles          | Change
xDR Browser     | Export         | Export (Execute)
xDR Browser     | xDR            | xDRLayout (View)
xDR Browser     | Full decoding  | xDRLayout (View)
ProAlarm Viewer | map            | All
ProAlarm Viewer | alarm list     | Terminate an alarm, Create a filter, Other
ProPerf         | dashboard view | All


Notes

Business Power User includes specific rights and Business User rights.

In the grid, one mark means rights of the role; the other mark means rights inherited from the level n-1.


Page 19

Authorizations for Configuration Family

Privilege columns of the original grid: ConfigurationManager, ConfigurationPowerUser, ConfigUser (the per-level marks are not reproduced).

Application            | Component                | Functionality
ProAlarm Configuration | ProAlarm configuration   | All
ProAlarm Configuration | Forwarding Configuration | All
xDR Browser            | Schedule                 | List, Edit, Add, Delete
ProTraq                | Stats configurations     | Consult, Create, Update, Change rights, Delete
ProTraq                | Configuration applying   | Consult, Set, Activate, Deactivate, Change rights, Delete


Notes

Configuration Manager includes specific rights and Configuration Power User and Configuration User rights.


Page 20

Authorizations for Configuration Family (continued)

Privilege columns of the original grid: ConfigurationManager, ConfigurationPowerUser, ConfigUser (the per-level marks are not reproduced).

Application   | Component                              | Functionality
ProPerf       | dashboard config                       | Consult, Create, Update, Delete
System Config | Host, Application, Session, Dictionary | Consult, Modify, Delete
System Config | Configuration applying                 | Activate, Deactivate, Set, Delete


Page 21

Authorizations for Monitoring Family

Privilege columns of the original grid: MonitoringManager, MonitoringPowerUser, MonitoringUser (the per-level marks are not reproduced).

Application   | Functionality
System Alarms | Terminate an alarm, Manage filters, Other
Log Viewer    | Display


Notes

Monitoring User includes specific rights (System Alarms - Other and Log viewer - Consult).


Page 22

Privacy


Page 23

Why Privacy?

• To control access to Data

- A User (object owner) can share his data objects with another Privacy using the Privacy rights (R, W, X). This means the user must have created the object.

- Privacy rights are set on objects

- Users are assigned to these Privacies through Profiles

- A User can be associated with one or several Privacies

• Data objects to share:

- xDR and statistics sessions

- Filters

- ProTraq configurations

- ProPerf Dashboards

• Users can create new Privacies for precise data access rights

• Administrator has access to all objects


Page 24

Privacy rights for objects

Application           | Object Class                                                                  | eXecute                            | Write                                 | Read
xDR Browser           | xDR session                                                                   | Open session                       | N/A                                   | View session in list
xDR Browser           | queries                                                                       | Execute query                      | Change query, Save it with a new name | View and read query
ProTraq Configuration | ProTraq Config                                                                | Apply/activate/…                   | Change                                | View configuration
ProTraq               | statistic sessions                                                            | Open session                       | N/A                                   | View session in list
ProPerf               | dashboard                                                                     | View panel & KPI list of dashboard | Change configuration                  | View dashboard
ProAlarm              | Alarms Forwarding filters, Managed Objects filters, Maps, Aggregated objects  |                                    |                                       |
System Configuration  | host                                                                          | Run discover                       | Update and delete                     | view attributes
System Configuration  | applications: Data Server, MSW, ICP, IMF                                      | Run discover (when applicable)     | Update and delete                     | view attributes
System Configuration  | xDR session                                                                   | N/A                                | Update and delete                     | view attributes
System Configuration  | Dictionary, Protocol, Stack                                                   | N/A                                | N/A                                   | N/A


Page 25

Security Policy


Page 26

Security policy

• The security policy must be defined for

- access to features (through Privileges)

- access to data (through Privacy)

• Ideally, this should be defined before the configuration on the NSP starts.

• Usage of User Profiles: a Profile is an easy way to grant Privileges and Privacy to a user.

• The typical way a company is organized is a separation of data between different regions or different departments.

- You protect access to your data

- You can only use what you need

- Within a department of a company, some users will be allowed to do some configuration tasks, and others will only be able to display a dashboard or query xDRs with some predefined queries.


Page 27

NSP security Learn more


Page 28

NSP security concepts and configuration

(Diagram with a CONCEPTS row and a CONFIGURATION row, across WEBLOGIC and NSP. CONCEPTS: a User has Login/Password and a Profile; the Profile carries Privileges and Privacy. CONFIGURATION in WEBLOGIC: each Privilege is a predefined Role NSPxxx linked to a Group NSPxxx; a Profile is a Group PRFxxx containing the Users; a Privacy is a Role linked to a Group PRIVxxx; in NSP only the Privacy Roles are declared.)


Notes

• The users are defined in the Weblogic console. They are granted access for features and data through the Profiles.

• The NSPxxx roles and groups are already defined and cannot be modified.

• The roles and groups related to Privacy must be created. Only Privacy Roles will be declared manually and appear in the NSP.


Page 29

Why Users, Groups and Roles

• Why groups and roles in Weblogic Configuration

- The access to NSP is managed by an embedded LDAP server. LDAP knows groups and users

- The application server used by NSP manages the access to the features and data through groups and roles

- A link between users and roles must be made. This link is made through groups

• Different types of Roles

- Predefined Privileges roles for the access to the features (NSPxxx)

- User defined Privacy Roles for the access to the data

- Those Roles are not linked together

- A Role is always associated with a group


Notes

• Roles

- The Privileges role names NSPxxx are predefined in the system and cannot be modified. They are used by NSP to control the access to the features for the users.

- At least one Privacy role must be created to manage the access to the data. The roles for data access are created in the Weblogic console and then declared in the NSP with the security application.


Page 30

NSP Security example

• Example of 2 different departments within a company

- NET department: manages SS7 Network surveillance

  - Need for users doing configuration tasks and simple users

- QOS department: manages QoS and Fraud

  - Need for users doing configuration tasks and users for troubleshooting on QoS data

  - Need to reduce access to a subset of data on fraud, and limit possible operations

- This is translated into the following security policy


Page 31

NSP Security example

• NET department: manages SS7 Network surveillance

- Profile Net Managers: feature access is Configuration and Business Manager (almost no restriction on feature access). Privacy is NET.

- Profile Net Users: feature access is Business User (they can execute queries on sessions and view the dashboards they have access to). Privacy is NET.

• QOS department: manages QoS and Fraud

- Profile Qos&Fraud Managers: feature access is Configuration and Business Manager (almost no restriction on feature access). Privacy is QOS and FRAUD.

- Profile QOS Power Users: feature access is Business Power User (they can create queries, but they can’t create dashboards). Privacy is QOS.

- Profile FRAUD Users: feature access is Business User (they can execute queries on sessions and view the dashboards they have access to). Privacy is FRAUD.


Page 32

Security policy example

• The different Profiles with features access

(Diagram: for each department the objects are Sessions, Filters, ProTraq Config and ProPerf Dashboards. NET dept: Net Managers have Access & Create on everything; Net Users have Access. Quality dept: QoS & Fraud Managers have Access & Create on everything; QoS B. Power Users have Access, and Access & Create on Filters; Fraud B. Users have Access.)


Notes

• In each dept:

- The managers can do all actions on the objects

- The users can only access all or part of the sessions, filters and dashboards. They cannot access the ProTraq configurations, only the results if the privacy is applied.

• Specific to the Quality dept:

- The Power users can do everything a simple user can do, as well as creating filters.


Page 33

Security policy example

(Diagram, NET dept, CONFIGURATION in WEBLOGIC and NSP: the Group PrfNetManager, containing its Users, is linked to the Groups NSPBusinessManagers, NSPConfigManagers and NSPMonitoringManagers and to the Privacy Group PrivNET with its Role NET; the Group PrfNetUsers, containing its Users, is linked to the Group NSPBusinessUser and to the Privacy Group PrivNET. In NSP, the Privacy NET is declared.)


Page 34

Security policy example

(Diagram, Quality dept, CONFIGURATION in WEBLOGIC and NSP: the Group PrfQOS&FRAUDManager, containing its Users, is linked to the Groups NSPBusinessManagers, NSPConfigManagers and NSPMonitoringManagers and to the Privacy Groups PrivQOS (Role QOS) and PrivFRAUD (Role FRAUD); the Group PrfQOSPowerUsers is linked to the Group NSPBusinessPowerUser and to PrivQOS; the Group PrfFRAUDUsers is linked to the Group NSPBusinessUser and to PrivFRAUD. In NSP, the Privacies QOS and FRAUD (Fraud) are declared.)


Page 35

Security policy example

• Example for Data privacy control

- The QOS team wants to share access to one of its dashboards with the FRAUD team.

- The owner of the dashboard can give Read & eXecute privilege to the FRAUD Privacy.

(Diagram: access control for the FRAUD group, with NET shown alongside.)


Notes

• In NSP the Privacy roles must be declared, BUT the groups (PRIVxxx, PRFxxx, NSPxxx) don’t appear.

• They are used to share objects with other users.
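To make the two access-control checks concrete, here is an added Python model (not Tekelec code) of the Privilege inheritance from the features access example and the owner-to-Privacy R/W/X sharing from the Privacy pages and the dashboard example above, populated with the two-department policy of the NSP Security example slides. The logins, the PrfAdmin profile name and the Configuration level required to create a dashboard are assumptions.

```python
from dataclasses import dataclass, field

# Privilege levels within a family; an upper level inherits the lower ones.
LEVELS = {"User": 1, "PowerUser": 2, "Manager": 3}
ADMIN = ("*", "*")        # Administrator: can do anything, can view anything
RIGHTS = {"R", "W", "X"}  # Privacy rights an owner can share on an object

# Feature -> (family, minimum level). The xDR Browser rows follow the slides;
# the dashboard row is an assumption: the slides only say a Business Power User
# cannot create dashboards, so some Configuration level is required.
FEATURES = {
    "xDRBrowser.ListExecuteQueries": ("Business", "User"),
    "xDRBrowser.CreateQuery": ("Business", "PowerUser"),
    "ProPerf.CreateDashboard": ("Configuration", "PowerUser"),  # assumed level
}


@dataclass
class Profile:
    """A Profile bundles Privileges (feature access) and Privacies (data access)."""
    privileges: set  # of (family, level) tuples, or ADMIN
    privacies: set   # names of the Privacy roles the profile belongs to


@dataclass
class DataObject:
    """A shareable object (session, filter, dashboard...) with per-Privacy rights."""
    owner: str
    shares: dict = field(default_factory=dict)  # Privacy name -> subset of RIGHTS


class NSPSecurityModel:
    def __init__(self):
        self.profiles, self.users, self.objects = {}, {}, {}

    def _profile(self, login):
        return self.profiles[self.users[login]]

    def can_use(self, login, feature):
        """Feature access: Administrator, or a Privilege of the same family
        at the required level or above (lower-level features are inherited)."""
        family, level = FEATURES[feature]
        prof = self._profile(login)
        if ADMIN in prof.privileges:
            return True
        return any(f == family and LEVELS[l] >= LEVELS[level]
                   for f, l in prof.privileges)

    def share(self, login, obj, privacy, rights):
        """Only the owner (creator) can share an object, and only with R, W or X."""
        target = self.objects[obj]
        if target.owner != login:
            raise PermissionError(f"{login} does not own {obj}")
        if not set(rights) <= RIGHTS:
            raise ValueError(f"unknown rights {rights!r}")
        target.shares.setdefault(privacy, set()).update(rights)

    def rights(self, login, obj):
        """Data access: owner and Administrator get everything; anyone else gets
        the union of what was shared with the Privacies of their Profile."""
        target, prof = self.objects[obj], self._profile(login)
        if target.owner == login or ADMIN in prof.privileges:
            return set(RIGHTS)
        return set().union(*(target.shares.get(p, set()) for p in prof.privacies))


def build_example():
    """The two-department policy of the NSP Security example slides (constructed logins)."""
    m = NSPSecurityModel()
    manager = {("Business", "Manager"), ("Configuration", "Manager")}
    m.profiles["PrfNetManagers"] = Profile(set(manager), {"NET"})
    m.profiles["PrfNetUsers"] = Profile({("Business", "User")}, {"NET"})
    m.profiles["PrfQOSFraudManagers"] = Profile(set(manager), {"QOS", "FRAUD"})
    m.profiles["PrfQOSPowerUsers"] = Profile({("Business", "PowerUser")}, {"QOS"})
    m.profiles["PrfFRAUDUsers"] = Profile({("Business", "User")}, {"FRAUD"})
    m.profiles["PrfAdmin"] = Profile({ADMIN}, set())  # assumed name for the NSPAdmin profile
    m.users.update({"net.user": "PrfNetUsers", "qos.manager": "PrfQOSFraudManagers",
                    "qos.power": "PrfQOSPowerUsers", "fraud.user": "PrfFRAUDUsers",
                    "CustomerAdmin": "PrfAdmin"})
    # The QOS manager owns a dashboard: full rights inside the QOS Privacy,
    # Read & eXecute only for the FRAUD Privacy (the sharing example above).
    m.objects["QoS dashboard"] = DataObject(owner="qos.manager")
    m.share("qos.manager", "QoS dashboard", "QOS", "RWX")
    m.share("qos.manager", "QoS dashboard", "FRAUD", "RX")
    return m
```

With this model, a FRAUD user sees the shared dashboard with R and X only, a NET user sees nothing, and a QOS Power User can create queries but not dashboards.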


Page 36

Security implementation

• During implementation:

- 1 Administrator for all the operations done by Tekelec: User TEKELEC with the role NSPAdmin

- 1 Administrator for all the administrative operations that could be done by the customer: User CustomerAdmin with the role NSPAdmin

- Those Administrator users should be used only for maintenance

  - Should not be owner of any object = should not do a Discover

- Privacy names should be prefixed with PRIV

- Profile names should be prefixed by PRF

- Privilege names are prefixed by NSP by default


Notes

• Users

- A login is created for each user, because:

  - The preferences are linked to each user. Preferences in the NSP applications cover the Point code format, the directory where to export some results, the alarms presentation, …

  - In the logs, the owner of the object appears and it is possible to follow the user activity (today only errors, but in a next version all the activity of a user).

• Recommendation

- It is recommended to prefix:

  - The access privacy groups by Priv

  - The profiles of users by Prf

- It is easier to manage these different elements in the Weblogic console


Page 37

Security implementation

• During implementation:

- For each Department

  - In a small context, only one Privacy is necessary

  - Otherwise several Privacy Roles have to be created: they can be defined by geographical areas, by services, … (i.e. PrivQOS and PrivFraud)

- For each Privacy, create a Profile with the Privilege NSPConfigManagers (i.e. PrfNetManagers). These users will do all the necessary discovers (hosts, applications, sessions) and will assign the privacy on the objects for the other users of this group

- Create all the other necessary Profiles (i.e. PrfNetUsers, PrfQosPowerUsers…) with at least one Privacy assigned to them

- Assign users to their corresponding Profile


Page 38

Lesson Review

• Q - What are the 3 elements of the security for NSP?

• Q - What defines a user?

• Q - What is the purpose of an NSPxxx Privilege group?

• Q - What defines the access to data?

• Q - What is a Profile and what is its purpose?
