Huawei's Internal Web Security Principles

Posted by fierce at 2020-04-17

Web Security Principles

1. The authentication module must implement an anti-brute-force mechanism, for example a verification code (CAPTCHA), or locking the account or the source IP after several consecutive login failures.

Note: if the account or IP is locked after multiple consecutive failed logins, the lockout policy must make the "allowed number of consecutive failures" configurable and must unlock automatically once the lock time expires.

2. For every request to a page or servlet that requires authorization, verify both that the user's session ID is valid and that the user is authorized to perform the requested operation, so that a user cannot gain unauthorized access simply by requesting a URL.

Note: this prevents a user from typing a URL directly and executing pages or servlets beyond their privileges (forced browsing). Implementing the check in a filter that runs before every protected request is recommended.

3. When the user name and password are sent to the server during login, HTTPS (that is, SSL/TLS with a server-side certificate) must be used. This is not required for device-management scenarios that only offer local access and login.

Note: whenever sensitive data such as account names and passwords passes between client and server, SSL/TLS with a server certificate must be used. Because TLS consumes significant CPU on the server side, the server's capacity must be taken into account in the implementation.

4. The final authentication decision must be made on the server.

5. User-supplied data must be validated on the server, and untrusted data must be HTML-encoded before it is output to the client, to prevent injection of malicious code and cross-site scripting (XSS).

6. Scanning the web server and web application with mainstream web security scanners must find no "high" severity vulnerabilities.

7. For web applications in non-embedded products, PreparedStatement must be used instead of Statement to execute SQL, to prevent SQL injection.
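The three checks above (per-request session and authorization verification, HTML encoding of untrusted output, and prepared statements instead of string-built SQL) in one runnable example. This is an added illustration, not code from the Huawei document; the in-memory SQLite table, the session store and the role ranking are constructed for the example, and the servlet-filter idea from principle 2 is shown as a plain function:

```python
import html
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Principle 7, violated: the value is spliced into the statement text, so a
    # quote inside `name` changes the meaning of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Principle 7, followed: a parameterised (prepared) statement. The value is
    # bound by the driver and is never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def render_user_row(name: str, role: str) -> str:
    # Principle 5: HTML-encode untrusted data before it is written into the page.
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(role)}</td></tr>"

# Constructed server-side session store: session id -> (user, role). A real
# application keeps this in the container's session manager; the point is that
# the role comes from the server-side record, never from a client parameter.
SESSIONS = {"s-1a2b": ("alice", "admin"), "s-9f8e": ("bob", "user")}
ROLE_RANK = {"user": 1, "admin": 2}

def authorize(session_id: str, required_role: str) -> tuple:
    """Principle 2: the per-request check a filter performs before any protected
    page or servlet runs. Returns (allowed, user_or_reason)."""
    entry = SESSIONS.get(session_id)
    if entry is None:
        return False, "invalid or expired session"
    user, role = entry
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required_role]:
        return False, f"{user} ({role}) may not perform a {required_role} operation"
    return True, user

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology injection
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row leaks
    print("safe:      ", find_user_safe(db, payload))        # no such user: []
    print(render_user_row("<script>alert(1)</script>", "user"))
    print(authorize("s-9f8e", "admin"), authorize("s-1a2b", "admin"))
```

Run it and compare the two query results: the concatenated statement returns all three users for the tautology payload, while the prepared statement looks for a user literally named `' OR '1'='1` and returns nothing.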

Database security

Third-party (outsourced) databases, open-source databases and Huawei's self-developed databases must all be securely configured so that no known security vulnerabilities remain.

1. The database password must not be the database vendor's default password, and its complexity must meet the password security requirements (see "Password security policy management" below). If the database ships with multiple default accounts, the unused ones must be disabled or deleted.

2. Run the database under a dedicated operating system account. Sensitive database files (such as Oracle's init.ora and listener.ora) must have strictly controlled access rights and be readable and writable only by the account that runs the database process and by the DBA account. Privileges granted to database accounts must be clearly separated, and every database account may hold only the minimum privileges needed for its task. For databases with a listener (such as Oracle's listener, configured in listener.ora), either set a listener password or restrict the listener to local operating-system authentication.

3. Scanning with mainstream or Huawei-designated system scanning software must find no "high" severity vulnerabilities.

Sensitive data protection

The storage, transmission and processing of sensitive data in the system must keep the data secure and comply with the applicable national and regional laws and regulations.

Definition of sensitive data: including but not limited to passwords, bank account numbers, and personal data (data that, alone or combined with other information, can identify a living natural person, including end-user name, account number, calling and called numbers, communication records, bills, communication time, location data, etc.).

1. Passwords must not be stored in clear text anywhere in the system; they must be encrypted, and where the password never needs to be recovered, a one-way (irreversible) algorithm must be used. Access to bank account numbers and other sensitive data must be subject to authentication, authorization and encryption. The password file must be access-controlled so that ordinary users cannot read or copy even the encrypted contents. If an account file or data set contains passwords but must be readable by all users, the account data must be kept separate from the password data.

Note: the password functions provided by mainstream third-party software and hardware (operating system, database, web container, etc.) are not covered by this clause.

2. Sensitive data (including passwords, bank account numbers, bulk personal data, etc.) transmitted across untrusted networks must use a secure transport channel or be encrypted in transit, except where a standard protocol specifies otherwise.

3. Proprietary (home-grown) encryption algorithms are prohibited.

Explanation:

1) Recommended symmetric algorithm: AES-192 or stronger;

2) Recommended key exchange algorithm: DH-1024;

3) Recommended digital signature algorithms: DSA-1024 and ECDSA-192;

4) Recommended asymmetric algorithms: RSA-2048 and ECC-192;

5) Recommended hash algorithm: SHA-256 or stronger;

6) Recommended HMAC (hash-based message authentication code): HMAC-SHA256.

These figures are the document's own minimums at the time it was posted. 1024-bit DH and DSA (roughly 80 bits of security) and 192-bit curves fall below the 112-bit security strength that NIST SP 800-131A has required since the end of 2013, so a current deployment would use DH and DSA parameters of at least 2048 bits and curves of at least 256 bits.

4. The key used to encrypt sensitive data in transit must not be hard-coded in the source code.

For secure transmission of sensitive data, industry-standard security protocols (such as SSH v2, TLS 1.0, SSL 3.0, IPsec, SFTP, HTTPS) are preferred, and the key must be configurable. If the product implements the secure channel itself, Diffie-Hellman key exchange is preferred; if a pre-shared key or a similar method is used, that key must also be configurable and replaceable. (SSL 3.0 and TLS 1.0 have since been deprecated by RFC 7568 and RFC 8996; TLS 1.2 or later is the current minimum.)

5. Sensitive data such as passwords, bank account numbers and communication content must not be written to logs, call detail records (bills) or other files;

6. Avoid recording personal data in logs and bills wherever possible. If personal data must be recorded, it must be stored in a structured form that allows it to be anonymized or extracted:

1) Avoid recording personal data in logs. If it must be recorded, place a uniform marker before or after each personal-data field so that it can be distinguished from non-personal data.

2) Avoid recording personal data in call detail records. If it must be recorded, the records must be stored in a structured way: fields separated by a uniform delimiter, with the fields of every row strictly aligned by column.
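Items 5 and 6.1 together, as an added example that is not part of the original document: a log producer wraps personal-data fields in a uniform marker, a scrubber turns each marked value into a keyed pseudonym (so records remain correlatable but the value is not recoverable without the key), and any line carrying a forbidden credential field is dropped and reported instead of masked. The `[PD:...]` marker syntax, the forbidden-field list and the sample log lines are all constructed for the example:

```python
import hashlib
import hmac
import re

# Uniform marker for personal-data fields, as item 6.1 requires. The "[PD:...]"
# syntax is this example's choice; the text mandates a uniform mark, not this one.
PD_FIELD = re.compile(r"\[PD:([^\]]*)\]")

# Field names that item 5 forbids in logs outright. Constructed list for the example.
FORBIDDEN = re.compile(r"\b(password|passwd|pin|bank_account)=", re.IGNORECASE)

def mark(value: str) -> str:
    """Used by the log producer: wrap a personal-data value in the uniform marker."""
    return f"[PD:{value}]"

def pseudonymize(line: str, key: bytes) -> str:
    """Replace each marked value with a keyed HMAC-SHA256 token truncated to 64 bits.
    Equal values map to equal tokens, so records stay correlatable, but a token
    cannot be reversed without the key."""
    def repl(m):
        return "PD:" + hmac.new(key, m.group(1).encode(), hashlib.sha256).hexdigest()[:16]
    return PD_FIELD.sub(repl, line)

def forbidden_fields(line: str) -> list:
    return [m.group(1).lower() for m in FORBIDDEN.finditer(line)]

def scrub_log(lines, key: bytes) -> tuple:
    """Return (anonymized_lines, violations). Lines carrying a forbidden field are
    dropped and reported rather than emitted: a credential in a log is a defect to
    fix at the source, not something to mask downstream."""
    clean, violations = [], []
    for n, line in enumerate(lines, 1):
        bad = forbidden_fields(line)
        if bad:
            violations.append((n, bad))
        else:
            clean.append(pseudonymize(line, key))
    return clean, violations

# Constructed sample log lines (not real traffic); line 3 violates item 5.
SAMPLE_LOG = [
    f"2020-04-17T10:00:01Z INFO login ok user={mark('alice@example.com')} ip={mark('198.51.100.7')}",
    f"2020-04-17T10:00:05Z INFO call from={mark('+8613800000000')} to={mark('+8613900000000')} dur=42",
    "2020-04-17T10:00:09Z DEBUG auth attempt user=bob password=hunter2",
    f"2020-04-17T10:01:00Z INFO login ok user={mark('alice@example.com')} ip={mark('203.0.113.9')}",
]

def demo(key: bytes = b"example-key-rotate-in-production") -> dict:
    clean, violations = scrub_log(SAMPLE_LOG, key)
    # Both login lines belong to the same user; their tokens must be identical.
    alice_tokens = {l.split("user=")[1].split()[0] for l in clean if "login ok" in l}
    return {"kept": len(clean), "violations": violations, "alice_tokens": alice_tokens,
            "plaintext_left": "alice@example.com" in "".join(clean)}

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG, b"example-key-rotate-in-production")[0]:
        print(line)
    print(demo()["violations"])
```

The key must itself be treated as sensitive and kept out of the code base in production (item 4 above); a per-deployment key also means pseudonyms from two systems cannot be joined.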

7. A product that offers a personal-data export function must, at release, also provide filtering or anonymization functions or tools for the exported personal data;

8. Strictly limit who may use the export function, and log every use of it.

9. Functions that collect or process personal data must provide security protection mechanisms (authentication, access control, logging, etc.), and these must be disclosed to customers in the product documentation.

10. Outside normal business processes and standard protocols, it is forbidden to obtain a user's precise location for the purpose of fault location. If precise location data must be processed, Huawei must have stated a clear requirement for it, and the design must give users the opportunity to withdraw their consent at any time.

Password security policy management

1. Password complexity must be checked by default when a password is set, and the password must meet at least the following requirements:

1) At least 6 characters long (at least 8 for privileged users);

2) Characters from at least two of the following classes:

- at least one lowercase letter;

- at least one uppercase letter;

- at least one digit;

- at least one special character: ` ~ ! @ # $ % ^ & * ( ) - = + | [ { } ] ; : ' , < . > / ? and space

3) Not identical to the account name or to the account name reversed;

If the chosen password does not meet these rules, a warning must be shown.

2. The system must provide a user-lockout mechanism, implemented in one of the following two ways:

Mode 1: lock the user when the number of consecutive wrong passwords exceeds the system limit (3 by default, configurable).

Mode 2: double the interval before the next password attempt is accepted after each failure; in this mode no automatic lock is applied.

3. The automatic unlock time must be configurable (this applies only to users locked because of failed password attempts):

1) For a user locked after n failed attempts, the system must allow the automatic unlock time to be configured; the recommended default is 5 minutes.

2) After the predefined lock time has elapsed the user is unlocked automatically; before that, the security administrator may unlock the user manually.

3) During the lock period, only an account holding the application's security-administrator role may manually unlock the user.
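The password rules (item 1), both lockout modes (item 2), automatic unlock and administrator-only manual unlock (item 3), and the anti-brute-force requirement from the web principles at the top of the page, implemented together as an added example. This is not code from the Huawei document; the 1 s starting interval for Mode 2, the `security_admin` role name and the `ManualClock` used to run the scenarios instantly are this example's assumptions:

```python
import time

# Special characters accepted by rule 1.2: the set listed in the text, space included.
SPECIALS = set("`~!@#$%^&*()-=+|[{}];:',<.>/? ")

def check_password(password: str, account: str, privileged: bool = False) -> list:
    """Return the rule violations for a proposed password; an empty list means accepted."""
    problems = []
    min_len = 8 if privileged else 6
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(c in SPECIALS for c in password)])
    if classes < 2:
        problems.append("fewer than two character classes")
    if password.lower() in (account.lower(), account.lower()[::-1]):
        problems.append("equal to the account name or its reverse")
    return problems

class ManualClock:
    """Stand-in for time.time so the scenarios below run instantly (assumption for the demo)."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

class LoginGuard:
    """Per-account consecutive-failure tracking.
    mode="lock":    lock after max_failures consecutive failures (3 by default) for
                    lock_seconds (300 by default), then unlock automatically.
    mode="backoff": double the wait before the next attempt after every failure; no lock."""
    def __init__(self, mode="lock", max_failures=3, lock_seconds=300, clock=time.time):
        self.mode, self.max_failures, self.lock_seconds = mode, max_failures, lock_seconds
        self.clock = clock
        self.failures = {}    # account -> consecutive failures
        self.not_before = {}  # account -> time before which attempts are refused

    def allowed(self, account: str) -> bool:
        until = self.not_before.get(account)
        if until is None:
            return True
        if self.clock() < until:
            return False
        del self.not_before[account]          # lock time or back-off wait has elapsed
        if self.mode == "lock":
            self.failures.pop(account, None)  # automatic unlock: a fresh count starts
        return True

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            return
        n = self.failures[account] = self.failures.get(account, 0) + 1
        if self.mode == "lock":
            if n >= self.max_failures:
                self.not_before[account] = self.clock() + self.lock_seconds
        else:
            self.not_before[account] = self.clock() + 2 ** (n - 1)  # 1 s, 2 s, 4 s, ...

    def unlock(self, account: str, actor_role: str) -> bool:
        """Manual unlock during the lock period (rule 3.3): security administrator only."""
        if actor_role != "security_admin":
            return False
        self.failures.pop(account, None)
        self.not_before.pop(account, None)
        return True

def lockout_scenario() -> tuple:
    """Mode 1: two failures still allowed, the third locks, auto-unlock at exactly 300 s."""
    clk = ManualClock()
    g = LoginGuard(clock=clk)
    g.record("bob", False)
    g.record("bob", False)
    after_two = g.allowed("bob")
    g.record("bob", False)
    after_three = g.allowed("bob")
    clk.advance(299)
    still_locked = not g.allowed("bob")
    clk.advance(1)
    auto_unlocked = g.allowed("bob")
    return after_two, after_three, still_locked, auto_unlocked

def backoff_scenario() -> list:
    """Mode 2: the enforced wait doubles after each failure."""
    clk = ManualClock()
    g = LoginGuard(mode="backoff", clock=clk)
    waits = []
    for _ in range(4):
        g.record("carol", False)
        waits.append(g.not_before["carol"] - clk.now)
    return waits

def manual_unlock_scenario() -> tuple:
    """Rule 3.3: an ordinary user cannot lift the lock; the security administrator can."""
    clk = ManualClock()
    g = LoginGuard(clock=clk)
    for _ in range(3):
        g.record("dave", False)
    return g.unlock("dave", "user"), g.unlock("dave", "security_admin"), g.allowed("dave")
```

Call `allowed()` before checking the credential and `record()` after, so that a locked account is refused without the password ever being evaluated; in Mode 1 the counter resets on automatic unlock, in Mode 2 it is kept so the back-off keeps growing until a successful login clears it.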

4. Passwords must never be displayed in clear text in the user interface: while a password is typed, the characters must be hidden or replaced with "*"; passwords must not be printed to a terminal or written to a log in clear text; and even the clear-text password held in memory (for example during login) must be overwritten immediately after use.

5. The password input box must not support copying.

6. The default passwords of built-in system accounts must meet the complexity requirements, and the customer documentation must remind the user to change them.

7. Users may change their own passwords, subject to the following:

1) The old password must be verified before the user's own password is changed;

2) A user may not change the password of any account other than their own (administrators excepted).

8. Passwords must never be transmitted in clear text over the network. Passwords and other authentication credentials must be encrypted in transit using a high-strength algorithm.

Explanation: the recommended algorithms are the same as in item 3 of "Sensitive data protection" above: AES-192 or stronger for symmetric encryption; DH-1024 for key exchange; DSA-1024 and ECDSA-192 for digital signatures; RSA-2048 and ECC-192 for asymmetric encryption; SHA-256 or stronger for hashing; HMAC-SHA256 for message authentication.

9. Passwords stored locally must be encrypted and must meet the following requirements:

1) Passwords must not be written in clear text to log files, configuration files or cookies;

2) The password file must be access-controlled so that ordinary users cannot read or copy even the encrypted contents.
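Item 9 here and item 1 of "Sensitive data protection" (irreversible password storage, and separating a world-readable account file from the restricted password file) as an added example, not code from the Huawei document. PBKDF2-HMAC-SHA256 is this example's choice of one-way scheme (it fits the page's SHA-256 and HMAC-SHA256 recommendations); the iteration count, the `scheme$iterations$salt$digest` record layout and the file names `accounts` and `shadow` are assumptions:

```python
import hashlib
import hmac
import os
import stat
import tempfile

# PBKDF2-HMAC-SHA256 is this example's choice; the iteration count is an assumption
# to be tuned to the server's capacity.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Irreversible storage form scheme$iterations$salt$digest, with a fresh random salt
    so that equal passwords never produce equal records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time.
    Anything that is not a well-formed record (e.g. a legacy clear-text entry) fails."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)

def write_account_files(records, directory: str) -> tuple:
    """Keep the account list (readable by all) apart from the password file, which is
    restricted to its owner, as required when account data must be readable by everyone."""
    accounts = os.path.join(directory, "accounts")
    shadow = os.path.join(directory, "shadow")
    with open(accounts, "w") as a, open(shadow, "w") as s:
        for name, role, password in records:
            a.write(f"{name}:{role}\n")
            s.write(f"{name}:{hash_password(password)}\n")
    os.chmod(accounts, 0o644)
    os.chmod(shadow, 0o600)
    return accounts, shadow

def readable_by_others(path: str) -> bool:
    """True if any group or other permission bit is set (the check item 9.2 asks for)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def demo() -> dict:
    directory = tempfile.mkdtemp()
    accounts, shadow = write_account_files([("alice", "admin", "Tr0ub4dor&3")], directory)
    with open(accounts) as a, open(shadow) as s:
        account_text, shadow_text = a.read(), s.read()
    stored = shadow_text.strip().split(":", 1)[1]
    return {
        "shadow_private": not readable_by_others(shadow),
        "accounts_public": readable_by_others(accounts),
        "plaintext_on_disk": "Tr0ub4dor&3" in account_text + shadow_text,
        "verifies": verify_password("Tr0ub4dor&3", stored),
        "wrong_case_rejected": not verify_password("tr0ub4dor&3", stored),
    }

if __name__ == "__main__":
    print(demo())
```

Storing the iteration count in each record lets the cost be raised later without invalidating existing entries: old records keep verifying with their recorded count and are rehashed at the user's next successful login.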

10. Provide a clear list of accounts and passwords in the product support documentation.

Note: Huawei provides a user-list template.

Security documentation

For the pre-sales, commissioning and live-network operation and maintenance stages, provide supporting security solutions and documentation.

1. Describe the product's security features in the product description.

2. Provide the product communication matrix before release. It describes the communication relationships between machines / network elements / modules, including port, protocol, IP address, authentication method, purpose of the port, etc.

Note: Huawei provides a communication matrix template.

3. An anti-virus software deployment guide is a prerequisite for release (required for products on the Windows platform). It describes the preparation before deployment, the process and execution steps, rollback after a failed deployment, and the upgrade and configuration of the virus signature database.

4. Provide a security configuration / hardening guide before release.

It describes the following:

- Security hardening and inspection, mainly covering operating system, database and web server hardening, with the specific hardening items and operation steps (required).

- The application's security configuration: which security options must be enabled and what must be configured for the product's business applications (required for security functions that only take effect once a security policy is configured at commissioning). If the product has no application-level security configuration, name the document "Security Hardening Guide". A security hardening guide is mandatory.

5. Provide a security maintenance manual before release. From the solution perspective, it gives guidance on day-to-day security maintenance of the business, including security patching, security configuration and routine inspection of the anti-virus software, and guides maintenance personnel through routine security maintenance.

Operating system security

Whether a general-purpose operating system (Windows, Linux, UNIX, etc.) or an embedded one (VxWorks, pSOS, etc.) is used, the system must keep the software and its runtime environment secure.

Note: "system" means the overall system delivered to the customer for operation, including the self-developed software, the operating system it runs on, and the application services.

1. Scanning with mainstream vulnerability scanners must find no high-risk vulnerabilities.

2. New products shipped on a general-purpose operating system must be pre-installed with "OS hardening + OS patches" at a rate of 100%. For products that are not pre-installed during production, the officially released version must include the default security policy file, and the product documentation must describe the hardening requirements and operation steps.

Explanation:

1) For an operating system provided by Huawei, the product version must be developed and compatibility-tested against the latest operating system security patches.

2) For an operating system provided by the partner, the partner must test compatibility of the operating system security patches before the version is delivered and release them with the version, and must harden the operating system according to the CIS benchmark and release that with the version as well.

3. Products using the Windows operating system must be compatibility-tested with mainstream anti-virus software.

Explanation:

1) For Windows provided by Huawei, the partner must perform compatibility testing with mainstream anti-virus software or with the anti-virus software designated by Huawei;

2) For Windows provided by the partner, the product must ship with the Huawei-designated anti-virus software by default and be compatibility-tested with it.

Protocol and interface attack resistance

The system must have basic attack resistance and be able to defend against the common attacks that affect it. Note: "system" means the overall system delivered to the customer for operation, including the self-developed software, the operating system it runs on, and the application services.

1. Every external communication connection of the system must be necessary for its operation and maintenance. The ports in use must be documented in the product communication matrix, and dynamically allocated listening ports must be limited to a reasonable range. Verification with a port scanner must confirm that ports not listed in the communication matrix are closed.

Explanation:

1) Huawei provides a communication matrix template.

2. Avoid designs that use dynamically allocated debugging or listening ports. If there is no alternative and they must be used, the following requirements apply:

1) If an industry-standard protocol is used (such as RPC or FTP passive mode), appropriate security measures must be in place (such as a secure NFS configuration, or firewall support for FTP passive mode);

2) If the mechanism is implemented by the product itself, the dynamic listening ports must be limited to a reasonable range.
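The verification step in item 1 (compare what is actually listening against the communication matrix, and flag anything the matrix does not cover) together with the range check in item 2.2, as an added example. It is not part of the Huawei document and not the Huawei template: the matrix columns, the `ss -lntu` capture and the 1024-port threshold for "reasonable range" are all constructed or assumed for the example:

```python
import csv
import io
import re

# Constructed communication matrix. The page only says Huawei supplies a template;
# these column names and rows are assumed for the example.
MATRIX_CSV = """\
source,destination,dest_port,protocol,purpose,authentication
OMC,NE,22,tcp,SSH management,password or public key
OMC,NE,443,tcp,HTTPS web console,password
NE,NE,3868,tcp,Diameter signalling,none (standard protocol)
client,NE,32768-32999,tcp,RPC dynamic listening ports,kerberos
"""

# Constructed `ss -lntu` output from the device under test (not a real capture).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    [::]:3868         [::]:*
tcp   LISTEN 0      128    0.0.0.0:32801     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""

def parse_matrix(text: str) -> list:
    """Return (protocol, low_port, high_port) per matrix row; a single port becomes a
    one-port range, "32768-32999" a dynamic range."""
    allowed = []
    for row in csv.DictReader(io.StringIO(text)):
        low, _, high = row["dest_port"].partition("-")
        allowed.append((row["protocol"].lower(), int(low), int(high or low)))
    return allowed

_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s", re.MULTILINE)

def parse_listeners(text: str) -> list:
    """Sorted (protocol, port) pairs that are actually listening, IPv4 or IPv6."""
    return sorted({(proto, int(port)) for proto, port in _SS_LINE.findall(text)})

def unlisted_ports(matrix_text: str, ss_text: str) -> list:
    """Listening ports the matrix does not account for; item 1 requires these to be closed."""
    allowed = parse_matrix(matrix_text)
    return [(proto, port) for proto, port in parse_listeners(ss_text)
            if not any(proto == ap and lo <= port <= hi for ap, lo, hi in allowed)]

def oversized_ranges(matrix_text: str, max_width: int = 1024) -> list:
    """Dynamic ranges wider than max_width ports (item 2.2). The threshold is an assumption."""
    return [(p, lo, hi) for p, lo, hi in parse_matrix(matrix_text) if hi - lo + 1 > max_width]

if __name__ == "__main__":
    for proto, port in unlisted_ports(MATRIX_CSV, SS_OUTPUT):
        print(f"not in communication matrix, must be closed: {proto}/{port}")
    print("oversized dynamic ranges:", oversized_ranges(MATRIX_CSV))
```

On the sample data the check reports tcp/8080 and udp/161 as unlisted; the listener on 32801 passes because it falls inside the declared dynamic range. In practice run the same comparison against an external scan (for example an nmap result parsed into the same `(protocol, port)` pairs) as well as the local socket list, since the matrix is supposed to describe what is reachable from the network, not just what is bound.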

3. Every communication port and protocol through which the system can be managed must have an access authentication mechanism, unless the standard protocol provides none.

4. Malformed-packet (protocol fuzzing) tests must be carried out for self-developed protocols and for protocols implemented by non-mainstream software (including non-mainstream open-source software).

5. Every externally visible physical interface through which the device can be managed must have an access authentication mechanism.

Lawful interception interface and prevention of unlawful interception

Any lawful interception interface developed for the product must comply with international standards and with the legal requirements of the country of deployment.

1. Without an explicit requirement from Huawei, it is strictly prohibited to develop functions or interfaces of an interception nature, regardless of whether such functions or interfaces would comply with the relevant national and international standards.

2. If Huawei requires a lawful interception interface, the partner must develop it according to the interception function provided by Huawei or to the requirements in the interface documents.

Note: requirements for product versions that provide a lawful interception interface (one of two options):

1) The product provides two software installation packages, one with and one without lawful interception support; the package to deploy is chosen according to the market's security requirements.

2) The product's software is split into a base installation package and a lawful interception plug-in package; whether to install the plug-in is decided according to the market's security requirements.

3. Outside normal business processes and standard protocols, it is prohibited to provide functions that collect end users' original communication content (voice, SMS/MMS, fax, data services), even for the purpose of ensuring network operation and service.

Note:

1) Besides voice, SMS/MMS, fax and data-service content, an end user's instant messages, e-mail and URLs also count as communication content;

2) Debug functions are allowed, but debug output must not contain sensitive data such as passwords, bank account numbers or communication content.