Chapter 9, Security

This chapter provides information about Cisco ONS 15454 users and security. To provision security, refer to the Cisco ONS 15454 Procedure Guide.

9.1 User IDs and Security Levels

The CISCO15 user ID is provided with the ONS 15454 for initial login to the node, but this user ID is not supplied in the prompt when you sign into Cisco Transport Controller (CTC). This ID can be used to set up other ONS 15454 user IDs.

You can have up to 500 user IDs on one ONS 15454. Each CTC or Transaction Language One (TL1) user can be assigned one of the following security levels:

•

Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.

•

Superuser—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.

By default, multiple concurrent user ID sessions are permitted on the node; that is, multiple users can log into a node using the same user ID. However, you can provision the node to allow only a single login per user ID and prevent concurrent logins for all users.

9.2 User Privileges and Policies

This section lists user privileges for each CTC action and describes the security policies available to Superusers for provisioning.

9.2.1 User Privileges by CTC Action

Table 9-1 shows the actions that each user privilege level can perform in node view.

Table 9-1 ONS 15454 Security Levels—Node View
CTC Tab	Subtab	[Subtab]:Actions	Retrieve	Maintenance	Provisioning	Superuser
Alarms	—	Synchronize/Filter/Delete Cleared Alarms	X	X	X	X
Conditions	—	Retrieve/Filter	X	X	X	X
History	Session	Filter	X	X	X	X
History	Shelf	Retrieve/Filter	X	X	X	X
Circuits	Circuits	Create/Edit/Delete	—	—	X	X
	Circuits	Filter/Search	X	X	X	X
	Rolls	Complete/ Force Valid Signal/ Finish	—	—	X	X
Provisioning	General	General: Edit	—	—	Partial¹	X
		Multishelf Config: Edit	X	X	X	X
		Power Monitor: Edit	—	—	X	X
	EtherBridge	Spanning trees: Edit	—	—	X	X
	Network	General: Edit	—	—	—	X
		General: View	X	X	X	X
		Static Routing: Create/Edit/Delete	—	—	X	X
		OSPF: Create/Edit/Delete	—	—	X	X
		RIP: Create/Edit/Delete	—	—	X	X
		Proxy: Create/Edit/Delete	—	—	—	X
		Firewall: Create/Edit/Delete	—	—	—	X
	OSI	Main Setup: Edit	—	—	—	X
		TARP: Config: Edit	—	—	—	X
		TARP: Static TDC: Add/Edit/Delete	—	—	X	X
		TARP: MAT: Add/Edit/Remove	—	—	X	X
		Routers: Setup: Edit	—	—	—	X
		Routers: Subnets: Edit/Enable/Disable	—	—	X	X
		Tunnels: Create/Edit/Delete	—	—	X	X
	BLSR	Create/Edit/Delete/Upgrade	—	—	X	X
	BLSR	Ring Map/Squelch Table/RIP Table	X	X	X	X
	Protection	Create/Edit/Delete	—	—	X	X
	Security	Users: Create/Delete/Clear Security Intrusion Alarm	—	—	—	X
		Users: Edit	Same user	Same user	Same user	All users
		Active Logins: View/Logout/ Retrieve Last Activity Time	—	—	—	X
		Policy: Edit/View	—	—	—	X
		Access: Edit/View	—	—	—	X
		RADIUS Server: Create/Edit/Delete/Move Up/Move Down/View	—	—	—	X
		Legal Disclaimer: Edit	—	—	—	X
	SNMP	Create/Edit/Delete	—	—	X	X
	SNMP	Browse trap destinations	X	X	X	X
	Comm Channels	SDCC: Create/Edit/Delete	—	—	X	X
		LDCC: Create/Edit/Delete	—	—	X	X
		GCC: Create/Edit/Delete	—	—	X	X
		OSC: OSC Terminations: Create/Edit/Delete	—	—	X	X
		OSC: DWDM Ring ID: Create/Edit/Delete	—	—	—	X
		PPC: Create/Edit/Delete	—	—	X	X
	Timing	General: Edit	—	—	X	X
	Timing	BITS Facilities: Edit	—	—	X	X
	Alarm Profiles	Alarm Behavior: Edit	—	—	X	X
		Alarm Profile Editor: Store/Delete²	—	—	X	X
		Alarm Profile Editor: New/Load/Compare/Available/Usage	X	X	X	X
	Cross-Connect	Edit	—	—	X	X
	Defaults	Edit/Import	—	—	—	X
	Defaults	Reset/Export	X	X	X	X
	WDM-ANS	Provisioning: Edit	—	—	—	X
		Provisioning: Reset	X	X	X	X
		Internal Patchcords: Create/Edit/Delete/Commit/ Default Patchcords	—	—	X	X
		Port Status: Launch ANS	—	—	—	X
		Node Setup	X	X	X	X
Inventory	—	Delete	—	—	X	X
Inventory	—	Reset	—	X	X	X
Maintenance	Database	Backup	—	X	X	X
	Database	Restore	—	—	—	X
	EtherBridge	Spanning Trees	X	X	X	X
		MAC Table: Retrieve	X	X	X	X
		MAC Table: Clear/Clear All	—	X	X	X
		Trunk Utilization: Refresh	X	X	X	X
		Circuits: Refresh	X	X	X	X
	Network	Routing Table: Retrieve	X	X	X	X
	Network	RIP Routing Table: Retrieve	X	X	X	X
	OSI	IS-IS RIB: Refresh	X	X	X	X
		ES-IS RIB: Refresh	X	X	X	X
		TDC: TID to NSAP/Flush Dynamic Entries	—	X	X	X
		TDC: Refresh	X	X	X	X
	BLSR	Edit/Reset	—	X	X	X
	Protection	Switch/Lock out/Lockon/Clear/ Unlock	—	X	X	X
	Software	Download	—	X	X	X
	Software	Activate/Revert	—	—	—	X
	Cross-Connect	Cards: Switch/Lock/Unlock	—	X	X	X
	Cross-Connect	Resource Usage: Delete	—	—	X	X
	Overhead XConnect	View	X	X	X	X
	Diagnostic	Retrieve Tech Support Log	—	—	X	X
	Diagnostic	Lamp Test	—	X	X	X
	Timing	Source: Edit	—	X	X	X
	Timing	Report: View/Refresh	X	X	X	X
	Audit	Retrieve	—	—	—	X
	Audit	Archive	—	—	X	X
	Test Access	View	X	X	X	X
	DWDM	APC: Run/Disable/Refresh	—	X	X	X
		WDM Span Check: Edit/Retrieve Span Loss values/Reset	X	X	X	X
		ROADM Power Monitoring: Refresh	X	X	X	X

¹Provisioner user cannot change node name, contact, or AIS-V insertion on STS-1 signal degrade (SD) parameters.

²The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users with the required security levels.

Table 9-2 shows the actions that each user privilege level can perform in network view.

Table 9-2 ONS 15454 Security Levels—Network View
CTC Tab	Subtab	[Subtab]: Actions	Retrieve	Maintenance	Provisioning	Superuser
Alarms	—	Synchronize/Filter/Delete cleared alarms	X	X	X	X
Conditions	—	Retrieve/Filter	X	X	X	X
History	—	Filter	X	X	X	X
Circuits	Circuits	Create/Edit/Delete	—	—	X	X
	Circuits	Filter/Search	X	X	X	X
	Rolls	Complete, Force Valid Signal, Finish	—	—	X	X
Provisioning	Security	Users: Create/Delete	—	—	—	X
		Users: Edit	Same user	Same user	Same user	All users
		Active logins: Logout/Retrieve Last Activity Time	—	—	—	X
		Policy: Change	—	—	—	X
	Alarm Profiles	Store/Delete¹	—	—	X	X
	Alarm Profiles	New/Load/Compare/ Available/Usage	X	X	X	X
	BLSR	Create/Delete/Edit/Upgrade	—	—	X	X
	Overhead Circuits	Create/Delete/Edit/Merge	—	—	X	X
	Overhead Circuits	Search	X	X	X	X
	Provisionable Patchcords (PPC)	Create/Edit/Delete	—	—	X	X
	Server Trails	Create/Edit/Delete	—	—	X	X
Maintenance	Software	Download/Cancel	—	X	X	X
Maintenance	Diagnostic	OSPF Node Information: Retrieve/Clear	X	X	X	X

¹The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users with the required security levels.

9.2.2 Security Policies

Users with Superuser security privileges can provision security policies on the ONS 15454. These security policies include idle user timeouts, password changes, password aging, and user lockout parameters. In addition, a Superuser can access the ONS 15454 through the TCC2/TCC2P RJ-45 port, the backplane LAN connection, or both.

9.2.2.1 Superuser Privileges for Provisioning Users

Superusers can grant permission to Provisioning users to retrieve audit logs, restore databases, clear performance monitoring (PM) parameters, activate software loads, and revert software loads. These privileges can only be set using CTC network element (NE) defaults, except the PM clearing privilege, which can be granted to a Provisioning user using the CTC Provisioning> Security > Access tabs. For more information about setting up Superuser privileges, refer to the Cisco ONS 15454 Procedure Guide.

9.2.2.2 Idle User Timeout

Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 9-3. The user idle period can be modified by a Superuser; refer to the Cisco ONS 15454 Procedure Guide for instructions.

9.2.2.3 User Password, Login, and Access Policies

Superusers can view real-time lists of users who are logged into CTC or TL1 by node. Superusers can also provision the following password, login, and node access policies:

Table 9-3 ONS 15454 Default User Idle Times
Security Level	Idle Time
Superuser	15 minutes
Provisioning	30 minutes
Maintenance	60 minutes
Retrieve	Unlimited

•

Password expirations and reuse—Superusers can specify when users must change and when they can reuse their passwords.

•

Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before locking out users and the length of time before inactive users are disabled.

•

Node access and user sessions—Superusers can limit the number of CTC sessions a user login can have to just one session. Superusers can also prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P RJ-45 connections.

In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecure channels. Port 22 is the default port and cannot be changed. Superuser can also configure EMS and TL1 access states to secure and non-secure modes.

9.3 Audit Trail

The Cisco ONS 15454 maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the TCC2/TCC2P card. Audit trails are useful for maintaining security, recovering lost transactions, and enforcing accountability. Accountability refers to tracing user activities; that is, associating a process or action with a specific user. The audit trail log shows who has accessed the system and what operations were performed during a given period of time. The log includes authorized Cisco support logins and logouts using the operating system command line interface (CLI), CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user/system generated actions.

Event monitoring is also recorded in the audit log. An event is defined as the change in status of an network element. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.

To view the audit trail log, refer to the Cisco ONS 15454 Procedure Guide. You can access the audit trail logs from any management interface (CTC, CTM, TL1).

The audit trail is stored in persistent memory and is not corrupted by processor switches, resets, or upgrades. However, if you remove both TCC2/TCC2P cards, the audit trail log is lost.

9.3.1 Audit Trail Log Entries

Table 9-4 Audit Trail Window Columns
Heading	Explanation
Date	Date when the action occurred
Num	Incrementing count of actions
User	User ID that initiated the action
P/F	Pass/Fail (whether or not the action was executed)
Operation	Action that was taken

•

Task—Name of the task involved in the activity (view a dialog box, apply configuration, etc.)

•

Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)

9.3.2 Audit Trail Capacities

The ONS 15454 is able to store 640 log entries. When this limit is reached, the oldest entries are overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is raised and logged (by way of CORBA/CTC).

When the log server reaches the maximum capacity of 640 entries and begins overwriting records that were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until you off-load the file, this event will not occur a second time regardless of the amount of entries that are overwritten by incoming data. To export the audit trail log, refer to the Cisco ONS 15454 Procedure Guide.

9.4 RADIUS Security

Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication, authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the actions of remote users.

9.4.1 RADIUS Authentication

RADIUS is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components:

The server runs on a central computer, typically at a customer site, while the clients reside in the dial-up access servers and can be distributed throughout the network.

An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers. Transactions between the RADIUS client and server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This eliminates the possibility that someone monitoring an unsecured network could determine a user's password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing RADIUS authentication.

9.4.2 Shared Secrets

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

•

To ensure a random shared secret, generate a random sequence at least 22 characters long.

•

You can use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).

•

Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the three groups listed in Table 9-5.

The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.

Group	Examples
Letters (uppercase and lowercase)	A, B, C, D and a, b, c, d
Numerals	0, 1, 2, 3
Symbols (all characters not defined as letters or numerals)	Exclamation point (!), asterisk (*), colon (:)

Table Of Contents

Security