NSP Security Concepts. Date issued: February 2007. Document reference & release version: TR-IAS-22-03 - Ed 1.6. These presentation materials describe Tekelec's.
Presentation transcript:

NSP Security Concepts
Date issued: February 2007
Document reference & release version: TR-IAS Ed 1.6
These presentation materials describe Tekelec's present plans to develop and make available to its customers certain products, features and functionality. Tekelec is only obligated to provide those deliverables specifically included in a written agreement signed by Tekelec and customer.
Training documentation Notes 1

NSP Security Training Manual
This Training Manual is in accordance with Tekelec NSP. Issued February.
Copyright © 2006 TEKELEC France. All rights reserved.
In accordance with its policy of constant product improvement, TEKELEC France reserves the right to change the information in this manual without notice. No part of this manual may be photocopied or reproduced in any form without the prior written permission of TEKELEC France.
Software license notice: Your license agreement with TEKELEC France specifies the permitted and prohibited uses of the product. Any unauthorized duplication or use of Tekelec NSP, in whole or in part, in print or in any other storage and retrieval system, is prohibited.
Trademarks: All product names mentioned are trademarks of their respective owners.
Tekelec France
- Headquarters: Le Meltem, 2 allée des Séquoias, Limonest Cedex (France)
- Mulhouse Office: Parc de la Mer Rouge, 20E rue Salomon Grumbach, 68059 Mulhouse Cedex
- Paris Office: 60 avenue du Centre, 78180 Montigny le Bretonneux

Class outline
This class is intended to provide you with a full introduction to NSP Security as well as an understanding of its basic concepts and operations. The class outline includes the following sections:
- About the class: Training objectives
- Introducing NSP: General architecture; NSP functional key points
- NSP security concepts: NSP security features; Families; Security concepts
- Privileges: Privileges groups; Feature access example; Authorizations
- Privacy: Why Privacy?; Privacy rights for objects
- Security Policy
- NSP security, learn more: NSP security concepts and configuration; Why Users, Groups and Roles; Security Policy example; Security implementation
- Lesson review

Purpose of NSP
- NSP was conceptualized as a software framework: it provides a reusable set of common features, with well documented APIs and How-Tos.
- NSP facilitates building business solutions and products for Tekelec-CSSG business applications: NSP is developed once, applications are developed everywhere.
- It is based on a J2EE architecture: scalability, reliability, portability, and development focused on the business.
- NSP allowed the creation of a coherent central configuration database; the configuration is applied locally from the central database.
- All applications running on NSP have a web based GUI: no installation is needed on the client side.

Training objectives
After this training you will be able to:
- Know the main concepts of security in NSP
- Know the concepts of Privileges, Profile and Privacy
- Know the Security Policy recommendations

Introducing NSP

General architecture
(Diagram: Workstations, a Weblogic / Oracle server, a maintenance web browser and the Acquisition System, connected over an IP based LAN / WAN.)
Notes:
- Acquisition system: all the IAS core part: acquisition servers (MSW, …), xDR processing servers (ICP, ProTraq, …), storage servers (DataServer, xDR DataWarehouse, …).
- Weblogic & Oracle server: the main NSP server. Weblogic is the framework for the NSP platform, while the Oracle database contains all its configuration.
- Workstations: end-user computers with a web browser installed.
- Maintenance web browser: either one of the end-user computers or a separate one; it only needs a web browser.

NSP functional key points
- Centralized configuration: no data entered twice; consistency guaranteed; applied to remote applications; automatic mechanism to discover existing configurations.
- Security management: Authentication (verification of users' identity); Authorization (access control to resources); Confidentiality (privacy to protect sensitive data).
- Monitoring: list of system alarms bundled as a feature of NSP.
- Main IAS business applications exist on NSP: xDR Browser, ProPerf, ProTraq configuration, ProAlarm, Alarms Forwarding… A full set of applications for everyday business.

NSP security concepts

NSP security features
Purpose of the NSP security features:
- Authentication: the identity verification part. Make sure the user is who he claims to be.
- Authorization: the feature access control and Privileges part. Make sure that each feature is only granted to the users who have the privilege for it.
- Confidentiality: the data Privacy part. Make sure each data item is only available to the users who have the rights to access it.
Notes: 3 security aspects:
- Authentication: user and password management.
- Authorization: access control to NSP functionalities, for example access to an application (ProTraq, …) or to a specific application feature (create new ProTraq configurations, …).
- Confidentiality: access control on data (same principle as authorization, but on data objects), for example access control on each DataServer session, on ProTraq sessions, …

Families
According to the privileges associated to each user, three different families of applications are available from the NSP Portal: Business, Configuration and Monitoring.
Notes: 3 application families are accessible depending on the user's privileges:
- Business: all NSP end-user applications are located in this area; this includes xDR Browser (formerly ProScan), ProPerf graphs, ProTraq statistics, …
- Configuration: this part contains all the tools to configure the IAS platform: links monitored, xDR sessions and ProTraq configurations, alarms configuration, …
- Monitoring: this part is only intended for NSP administrators and permits checking the internal logs (both application and system logs).
Access to these areas is granted according to the users' Privileges.

Security Concepts
With NSP it is possible to manage access to:
- the features (through Privileges)
- the data (through Privacy)
To use NSP applications and data, Users are created. Each user is defined by:
- a Login/password to access NSP
- a Profile, which holds one or more Privileges and one or more Privacies

Security Concepts (diagram)
In WEBLOGIC: a User has a Login and a Password and is assigned a Profile; the Profile carries Privileges (NSPBusinessXXX, NSPConfigurationXXX or NSPMonitoringXXX) and Privacy. In NSP: the Privacy Role, declared in NSP, allows objects to be shared.

Privileges

Privileges Groups
Access to the features: 3 NSP families exist: Business, Configuration and Monitoring.
- The Business group gives the possibility to use, completely or partially, xDR Browser, ProPerf and ProAlarm Viewer.
- The Configuration group gives the possibility to use, completely or partially, xDR Browser, ProPerf, ProTraq, ProAlarm Configuration and System configuration.
- The Monitoring group gives the possibility to use System alarms and Log Viewer.
For each feature group, 3 levels are defined with different privileges:
- User: basic user, can only use the system for exploitation
- Power user: user with more privileges than the User
- Manager: manager of the family (Business, Configuration, Monitoring)
Plus one Administrator: administrator of the NSP platform (can do anything, can view anything).

Privileges groups
Administrator
BusinessManager, ConfigurationManager, MonitoringManager
BusinessPowerUser, ConfigurationPowerUser, MonitoringPowerUser
BusinessUser, ConfigurationUser, MonitoringUser
Notes: Each family has 3 levels of Privileges; with the Administrator, there are 10 different ones:
- Administrator
- Business Users, Business Power Users, Business Managers
- Configuration Users, Configuration Power Users, Configuration Managers
- Monitoring Users, Monitoring Power Users, Monitoring Managers

Features access example
Example of function access control:
- Creation of queries in xDR Browser requires the BusinessPowerUser Privilege.
- So a BusinessPowerUser and above (BusinessManager, Administrator) can create queries in xDR Browser.
- But a BusinessUser can't create filters; he can only list and execute queries.
The features from a lower level Privilege are all granted to the upper level Privilege.
(Diagram, xDR Browser: BusinessUser: List & Execute queries; BusinessPowerUser: Create, plus List & Execute queries; BusinessManager: everything granted to BusinessPowerUser.)

Authorizations for Business Family
Table columns: Application / Component / Functionality, then one column each for BusinessManager, BusinessPowerUser and BusinessUser (the per-level marks are not legible in this transcript).
- xDR Browser / Sessions: List; HyperLink (Execute)
- xDR Browser / Queries: List; Edit; Add; Delete; HyperLink (Execute)
- xDR Browser / Results: Add (Upload); HyperLink (Download); Delete
- xDR Browser / Roles: Change
- xDR Browser / Export: Export (Execute)
- xDR Browser / xDR: xDR Layout (View)
- xDR Browser / Full decoding: xDR Layout (View)
- xDR Browser / map: All
- ProAlarm Viewer / alarm list: Terminate an alarm; Create a filter; Other
- ProPerf / dashboard view: All
Notes: Business Power User includes specific rights and Business User rights. In the table, one mark means rights of the role, the other mark means rights inherited from the level n-1.

Authorizations for Configuration Family
Table columns: Application / Component / Functionality, then ConfigurationManager, ConfigurationPowerUser and ConfigUser (the per-level marks are not legible in this transcript).
- ProAlarm Configuration / configuration: All
- Forwarding / Configuration: All
- xDR Browser / Schedule: List; Edit; Add; Delete
- ProTraq / Stats configurations: Consult; Create; Update; Change rights; Delete
- ProTraq / Configuration applying: Consult; Set; Activate; Deactivate; Change rights; Delete
Notes: Configuration Manager includes specific rights and Configuration Power User and Configuration User rights.

Authorizations for Configuration Family (continued)
- ProPerf / dashboard config: Consult; Create; Update; Delete
- System Config / Host, Application, Session, Dictionary: Consult; Modify; Delete
- System Config / Configuration applying: Activate; Deactivate; Set; Delete

Authorizations for Monitoring Family
Table columns: Application / Functionality, then MonitoringManager, MonitoringPowerUser and MonitoringUser (the per-level marks are not legible in this transcript).
- System Alarms: Terminate an alarm; Manage filters; Other
- Log Viewer: Display
Notes: Monitoring User includes specific rights (System Alarms - Other and Log Viewer - Consult).

Privacy

Why Privacy?
- To control access to data.
- A User (the object owner) can share his data objects with another Privacy using the Privacy rights (R, W, X). Owner means the user must have created the object.
- Privacy rights are set on objects.
- Users are assigned to these Privacies through Profiles; a User can be associated with one or several Privacies.
- Data objects to share: xDR and statistics sessions; Filters; ProTraq configurations; ProPerf Dashboards.
- Users can create a new Privacy for precise data access rights.
- The Administrator has access to all objects.

Privacy rights for objects
(Table columns: Application, Object class, eXecute, Write, Read)
- xDR Browser / xDR session: eXecute = Open session; Write = N/A; Read = View session in list
- xDR Browser / queries: eXecute = Execute query; Write = Change query; Read = View and read query, save it with a new name
- ProTraq / Config: eXecute = Apply/activate/…; Write = Change; Read = View configuration
- ProTraq / statistic sessions: eXecute = Open session; Write = N/A; Read = View session in list
- ProPerf / dashboard: eXecute = View dashboard; Write = Change configuration; Read = View panel & KPI list of dashboard
- Configuration / Alarms Forwarding filters, Managed Objects filters, ProAlarm Maps, Aggregated objects: (rights cells not legible in this transcript)
- System Configuration / host: eXecute = Run discover; Write = Update and delete; Read = View attributes
- System Configuration / applications (Data Server, MSW, ICP, IMF): eXecute = Run discover (when applicable); Write = Update and delete; Read = View attributes
- System Configuration / xDR session: eXecute = N/A; Write = Update and delete; Read = View attributes
- System Configuration / Dictionary, Protocol, Stack: eXecute = N/A; Write = N/A; Read = N/A

Security Policy

Security policy
The security policy must be defined for:
- access to features (through Privileges)
- access to data (through Privacy)
Ideally, this should be defined before the configuration on the NSP starts.
Profiles of Users usage: a Profile is an easy way to grant Privileges and Privacy to a user.
The typical way a company is organized is a separation of data between different regions or different departments: you protect access to your data, and you can only use what you need. Within a department of a company, some users will be allowed to do some configuration tasks, and others will only be able to display a dashboard or query xDRs with some predefined queries.

NSP security: learn more

NSP security concepts and configuration (diagram)
Concepts: in WEBLOGIC, a User has a Profile made of Privileges and Privacy; in NSP, the Privacy Role. Configuration: each Privileges Role (NSPxxx) is linked to a Group (NSPxxx); each Privacy Role (PRIVxxx) is linked to a Group; a User belongs to a Profile Group (PRFxxx) that gathers these groups.
Notes: The users are defined in the Weblogic console. They are granted access to features and data through the Profiles. The NSPxxx roles and groups are already defined and cannot be modified. The roles and groups related to Privacy must be created. Only Privacy Roles are declared manually and appear in NSP.

Why Users, Groups and Roles
Why groups and roles in the Weblogic configuration:
- Access to NSP is managed by an embedded LDAP server; LDAP knows groups and users.
- The application server used by NSP manages access to the features and data through groups and roles.
- A link between users and roles must be made; this link is made through groups.
Different types of Roles:
- Predefined Privileges roles for access to the features (NSPxxx)
- User defined Privacy Roles for access to the data
- Those Roles are not linked together.
- A Role is always associated with a group.
Notes: Roles. The Privileges role names NSPxxx are predefined in the system and cannot be modified. They are used by NSP to control access to the features for the users. At least one Privacy role must be created to manage access to the data. The roles for data access are created in the Weblogic console and then declared in NSP with the security application.

NSP Security example
Example of 2 different departments within a company:
- NET department: manages SS7 Network surveillance. Need for users doing configuration tasks and simple users.
- QOS department: manages QoS and Fraud. Need for users doing configuration tasks and users for troubleshooting on QoS data. Need to reduce access to a subset of data on fraud, and to limit the possible operations.
This is translated into the following security policy.

NSP Security example
NET department: manages SS7 Network surveillance
- Profile Net Managers: feature access is Configuration and Business Manager (almost no restriction on feature access); Privacy is NET.
- Profile Net Users: feature access is Business User (they can execute queries on sessions and view the dashboards they have access to); Privacy is NET.
QOS department: manages QoS and Fraud
- Profile QoS&Fraud Managers: feature access is Configuration and Business Manager (almost no restriction on feature access); Privacy is QOS and FRAUD.
- Profile QOS Power Users: feature access is Business Power User (they can create queries, but they can't create dashboards); Privacy is QOS.
- Profile FRAUD Users: feature access is Business User (they can execute queries on sessions and view the dashboards they have access to); Privacy is FRAUD.

Security policy example
The different Profiles with feature access (diagram, objects: Sessions, Filters, ProTraq Config, ProPerf Dashboards):
- NET dept: Net Managers: access & create on everything; Net Users: access.
- Quality dept: QoS & Fraud Managers: access & create on everything; QoS B. Power Users: access & create; Fraud B. Users: access.
Notes: In each dept, the managers can do all actions on the objects. The users can only access all or part of the sessions, filters and dashboards; they cannot access the ProTraq configurations, only the results if the privacy is applied. Specific to the Quality dept: the Power Users can do everything a simple user can do, as well as create filters.

Security policy example: NET dept (diagram)
In WEBLOGIC: the Users group PrfNetManager is linked to the groups NSPBusinessManagers, NSPConfigManagers and NSPMonitoringManagers and to the Privacy group PrivNET; the Users group PrfNetUsers is linked to the group NSPBusinessUser and to the Privacy group PrivNET. In NSP: the Privacy Role NET.

Security policy example: Quality dept (diagram)
In WEBLOGIC: the Users group PrfQOS&FRAUDManager is linked to the groups NSPBusinessManagers, NSPConfigManagers and NSPMonitoringManagers and to the Privacy groups PrivQOS and PrivFRAUD; the Users group PrfQOSPowerUsers is linked to the group NSPBusinessPowerUser and to the Privacy group PrivQOS; the Users group PrfFRAUDUsers is linked to the group NSPBusinessUser and to the Privacy group PrivFRAUD. In NSP: the Privacy Roles QOS and FRAUD.

Security policy example
Example for data privacy control: the QOS team wants to share access to one of its dashboards with the FRAUD team. The owner of the dashboard can give the Read & eXecute privilege to the FRAUD Privacy. (Diagram: access control for the FRAUD group, alongside NET.)
Notes: In NSP the Privacy roles must be declared, BUT the groups (PRIVxxx, PRFxxx, NSPxxx) don't appear. They are used to share objects with other users.

Security implementation
During implementation:
- 1 Administrator for all the operations done by Tekelec: user TEKELEC with the role NSPAdmin.
- 1 Administrator for all the administrative operations that could be done by the customer: user CustomerAdmin with the role NSPAdmin.
- Those Administrator users should be used only for maintenance. They should not be the owner of any object, i.e. they should not do a Discover.
- Privacy names should be prefixed with PRIV.
- Profile names should be prefixed with PRF.
- Privilege names are prefixed with NSP by default.
Notes: Users. A login is created for each user, because:
- the preferences are linked to each user (preferences in the NSP applications cover the point code format, the directory where to export some results, the alarms presentation, …);
- in the logs, the owner of the object appears and it is possible to follow the user's activity (today only errors; in a next version all the activity of a user).
Recommendation: it is recommended to prefix the access privacy groups with Priv and the profiles of users with Prf; it is easier to manage these different elements in the Weblogic console.

Security implementation
During implementation, for each department:
- In a small context, only one Privacy is necessary. Otherwise several Privacy Roles have to be created; they can be defined by geographical areas, by services, … (e.g. PrivQOS and PrivFraud).
- For each Privacy, create a Profile with the Privilege NSPConfigManagers (e.g. PrfNetManagers). These users will do all the necessary discovers (hosts, applications, sessions) and will set the privacy on the objects for the other users of this group.
- Create all the other necessary Profiles (e.g. PrfNetUsers, PrfQosPowerUsers…) with at least one Privacy assigned to them.
- Assign users to their corresponding Profile.
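As an added example (not Tekelec's code), the following Python models the concepts behind the features access example, the privacy rights and the NET / QOS / FRAUD security policy example above: privilege levels per family where an upper level inherits the lower ones, R/W/X privacy rights an owner grants on a data object, and profiles bundling privileges and privacies. The feature names, logins and the shared dashboard are constructed, and placing ProPerf dashboard creation in the Configuration family at User level is an assumption.

```python
from dataclasses import dataclass, field

FAMILIES = ("Business", "Configuration", "Monitoring")
LEVELS = {"User": 1, "PowerUser": 2, "Manager": 3}   # an upper level inherits the lower ones
ADMIN = "Administrator"                               # can do anything, can view anything

# Minimum privilege per feature (constructed; the query entries follow the slides, and
# placing ProPerf dashboard creation in the Configuration family at User level is an assumption)
FEATURES = {
    "xDR Browser: list & execute queries": ("Business", "User"),
    "xDR Browser: create queries": ("Business", "PowerUser"),
    "ProPerf: create dashboards": ("Configuration", "User"),
}

def parse_privilege(name):
    # "BusinessPowerUser" -> ("Business", "PowerUser"); "Administrator" -> (ADMIN, None)
    if name == ADMIN:
        return ADMIN, None
    for fam in FAMILIES:
        if name.startswith(fam) and name[len(fam):] in LEVELS:
            return fam, name[len(fam):]
    raise ValueError(f"unknown privilege {name!r}")

@dataclass
class Profile:          # what a user is granted: NSPxxx privileges + PRIVxxx privacies
    name: str
    privileges: set
    privacies: set

@dataclass
class User:
    login: str
    profile: Profile

@dataclass
class DataObject:       # session, query, dashboard ...: its owner + rights granted per privacy
    name: str
    owner: str
    shares: dict = field(default_factory=dict)   # privacy -> set of "R", "W", "X"

def has_feature(user, feature):
    # Privilege check: the user's level in the feature's family must reach the required level.
    fam, level = FEATURES[feature]
    if ADMIN in user.profile.privileges:
        return True
    for priv in user.profile.privileges:
        pfam, plevel = parse_privilege(priv)
        if pfam == fam and LEVELS[plevel] >= LEVELS[level]:
            return True
    return False

def rights_on(user, obj):
    # Privacy check: owner and Administrator hold R/W/X; others get what was shared to their privacies.
    if ADMIN in user.profile.privileges or obj.owner == user.login:
        return {"R", "W", "X"}
    rights = set()
    for privacy in user.profile.privacies:
        rights |= obj.shares.get(privacy, set())
    return rights

# Profiles of the slides' policy example; logins are constructed, CustomerAdmin is from the slides.
qos_manager = User("qos_mgr1", Profile("PrfQOS&FRAUDManager", {"BusinessManager", "ConfigurationManager"}, {"PrivQOS", "PrivFRAUD"}))
qos_power = User("qos_power1", Profile("PrfQOSPowerUsers", {"BusinessPowerUser"}, {"PrivQOS"}))
fraud_user = User("fraud_user1", Profile("PrfFRAUDUsers", {"BusinessUser"}, {"PrivFRAUD"}))
net_user = User("net_user1", Profile("PrfNetUsers", {"BusinessUser"}, {"PrivNET"}))
admin = User("CustomerAdmin", Profile("PrfAdmin", {ADMIN}, set()))   # PrfAdmin: constructed name

# The QOS team shares one of its dashboards with the FRAUD privacy as Read & eXecute.
qos_dashboard = DataObject("QoS dashboard (constructed)", owner=qos_manager.login,
                           shares={"PrivQOS": {"R", "W", "X"}, "PrivFRAUD": {"R", "X"}})

def policy_checks():
    # Decisions implied by the policy example, keyed so they can be asserted on.
    rights = lambda user: "".join(sorted(rights_on(user, qos_dashboard)))
    return {
        "qos_power_creates_queries": has_feature(qos_power, "xDR Browser: create queries"),
        "qos_power_creates_dashboards": has_feature(qos_power, "ProPerf: create dashboards"),
        "fraud_user_creates_queries": has_feature(fraud_user, "xDR Browser: create queries"),
        "fraud_user_executes_queries": has_feature(fraud_user, "xDR Browser: list & execute queries"),
        "fraud_user_on_qos_dashboard": rights(fraud_user),    # "RX": R and X shared, no W
        "net_user_on_qos_dashboard": rights(net_user),        # "": nothing shared to PrivNET
        "qos_manager_on_qos_dashboard": rights(qos_manager),  # "RWX": owner
    }
```

Running `policy_checks()` shows the two halves of the policy separately: the privilege check decides which features a profile may use, the privacy check decides which objects it may see, and a BusinessPowerUser with no Configuration privilege is refused dashboard creation even though it holds write rights on the dashboard through PrivQOS.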

Lesson Review
Q - What are the 3 elements of security for NSP?
Q - What defines a user?
Q - What is the purpose of an NSPxxx Privilege group?
Q - What defines access to data?
Q - What is a Profile and what is its purpose?