Web Security Issues
Web systems must take steps to mitigate web application security risks.
1. The authentication module must provide an anti-brute-force mechanism, for example a CAPTCHA (verification code), or locking the account or the source IP after a number of consecutive failed login attempts.
Note: If lockout after consecutive failures is used, the number of consecutive failures allowed before lockout must be configurable, and the lock must be released automatically once the lockout period expires.
2. Every request for a page or servlet that requires authorization must verify that the user's session ID is valid and that the user is authorized for that resource, so that a user cannot exceed their privileges by manipulating the URL (forced browsing).
Note: Users must not be able to request and execute a page or servlet simply by typing its URL. Implement the check centrally, for example in a filter, rather than relying on each page to do it.
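The following is an added example, not part of the original specification: a request filter in Python that re-checks the session and the caller's permission on every protected request, so that typing the URL of a page or servlet the user is not entitled to is rejected even when no link to it was ever shown. The session store, the ACL table, the path prefixes and the function names are assumptions made for the illustration; deny-by-default is the property worth copying.

```python
# Added example (not from the original specification): per-request
# authorization filter. Unknown paths and expired or forged sessions are
# denied; only a longest-prefix ACL match with a shared role is allowed.
import secrets
import time

SESSION_TTL_SECONDS = 900          # assumed idle timeout

# session_id -> {"user": ..., "roles": set(...), "expires": epoch seconds}
SESSIONS = {}

# URL prefix -> roles allowed to reach it (constructed sample ACL).
# Anything not listed here is denied.
ACL = {
    "/admin/": {"admin"},
    "/account/": {"admin", "user"},
    "/servlet/ExportCdr": {"admin"},
}

def create_session(user, roles, now=None):
    """Issue a random session ID; the filter only trusts IDs created here."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "roles": set(roles),
                     "expires": now + SESSION_TTL_SECONDS}
    return sid

def lookup_session(sid, now=None):
    """Return the session record, or None if unknown, expired or malformed."""
    now = time.time() if now is None else now
    if not isinstance(sid, str) or sid not in SESSIONS:
        return None
    sess = SESSIONS[sid]
    if sess["expires"] <= now:
        del SESSIONS[sid]
        return None
    return sess

def authorize(path, sid, now=None):
    """Filter decision for one request: (http_status, reason)."""
    sess = lookup_session(sid, now)
    if sess is None:
        return 401, "no valid session"            # not logged in: re-authenticate
    # Longest matching prefix wins, so /admin/users is governed by /admin/.
    allowed = None
    for prefix, roles in sorted(ACL.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            allowed = roles
            break
    if allowed is None or not (sess["roles"] & allowed):
        return 403, "not authorized for %s" % path  # deny by default
    return 200, "ok"
```

In a servlet container the same logic sits in a Filter mapped to /* so that it runs before any page code; the point is that the decision is taken on every request from the server's own session store, never from a hidden menu or a client-side flag.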
3. During login, the user name and password must be sent to the server over HTTPS (that is, SSL/TLS with a server-side certificate). Scenarios that provide only local access for logging in and managing the device are temporarily exempt from this requirement.
Note: Sensitive data such as account numbers and passwords exchanged between client and server must be protected with SSL/TLS using a server-side certificate. Because TLS consumes CPU on the server side, server capacity must be planned with this load in mind.
4. The final authentication of the user must be performed on the server; client-side checks are at most a convenience and must not be relied on.
5. User-supplied data must be validated on the server side, and untrusted data must be HTML-encoded before it is output to the client, to prevent injection of malicious code and cross-site scripting (XSS).
6. Scan the web server and web application with a mainstream web security scanning tool; no vulnerabilities rated "high" may remain.
7. Web applications other than embedded products must use precompiled statements (PreparedStatement) with bound parameters instead of executing dynamically concatenated SQL, to prevent SQL injection.
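The following is an added example, not part of the original specification, covering items 5 and 7 together: the same untrusted input flows to a SQL query and then to an HTML page. Concatenating it into SQL lets the caller change the query; binding it as a parameter (sqlite3's equivalent of a PreparedStatement) keeps it as data; and the rows are HTML-encoded before they leave the server. The table, the sample rows and the function names are constructed for the demo.

```python
# Added example (not from the original specification): vulnerable and
# hardened lookups side by side, plus output encoding for the result.
import html
import sqlite3

def make_db():
    """Constructed sample table; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def vulnerable_lookup(conn, name):
    # BAD: string concatenation. name = "' OR '1'='1" returns every row.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, name):
    # GOOD: statement and value travel separately, so quote characters in
    # name can never terminate the literal or alter the query structure.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_rows(rows):
    """HTML-encode every untrusted field before emitting it.

    quote=True also escapes ' and ", which matters inside attribute values.
    """
    cells = []
    for name, email in rows:
        cells.append('<li data-user="%s">%s &lt;%s&gt;</li>' % (
            html.escape(name, quote=True), html.escape(name), html.escape(email)))
    return "<ul>" + "".join(cells) + "</ul>"
```

Encoding must match the output context: html.escape covers HTML text and quoted attributes, but data placed into JavaScript, URLs or CSS needs the encoder for that context.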
Database security
Outsourced, open-source and Huawei self-developed databases must be securely configured so that no security breaches occur.
1. Database passwords must not be the database vendor's default password, and their complexity must meet the "Password security requirements" below. If the database ships with more than one default account, unused accounts must be disabled or deleted.
2. Run the database under a dedicated operating system account. Access to sensitive database files (for example Oracle's init.ora and listener.ora) must be strictly controlled: only the account that runs the database process and the DBA account may read or write them. Privileges granted to database accounts must be strictly separated, and every database account may hold only the minimum privileges needed for its task. For databases with a listener (such as the Oracle listener configured in listener.ora), set a listener password or configure the listener for local operating-system authentication.
3. Perform a security scan with mainstream or Huawei-designated system scanning software; no vulnerabilities rated "high" may remain.
Sensitive data protection
The system's storage, transmission and processing of sensitive data must protect that data and comply with the applicable national and regional laws and regulations.
Definition of sensitive data: including but not limited to passwords, bank account numbers and personal data (data that alone or combined with other information can identify a living natural person, including end-user name, account number, calling and called numbers, communication records, telephone numbers, communication time, location data, etc.).
1. Passwords must never be stored in plaintext; they must be protected cryptographically. Where the password never needs to be recovered, it must be protected with an irreversible algorithm (for example a salted one-way password hash). Access to other sensitive data such as bank account numbers must be authenticated and authorized, and the data must be stored encrypted. Password files must be access-controlled so that ordinary users cannot read or copy even the protected content. If an account file or table that contains passwords must be readable by all users, the passwords must be stored separately from the account data.
Note: Password handling built into mainstream third-party hardware and software (such as operating systems, databases and web containers) is not subject to this clause.
2. Sensitive data (including passwords, bank account numbers, bulk personal data, etc.) transmitted across untrusted networks must use a secure transmission channel or be encrypted, except where a standard protocol dictates otherwise.
3. Proprietary (self-designed) encryption algorithms are prohibited.
Description
1) Symmetric encryption: AES with a key of 192 bits or more is recommended;
2) Key exchange: DH1024 is recommended;
3) Digital signature: DSA1024 or ECDSA192 is recommended;
4) Asymmetric encryption: RSA2048 or ECC192 is recommended;
5) Hash: SHA-256 or stronger is recommended;
6) HMAC (hash-based message authentication code): HMAC-SHA256 is recommended.
Caveat: the DH, DSA and elliptic-curve sizes above are below current minimums. NIST SP 800-131A disallows 1024-bit DSA and DH for new use (2048 bits is the minimum), and a 192-bit curve provides only about 96 bits of security. In practice use finite-field parameters of at least 2048 bits and curves of at least 256 bits (P-256, or X25519/Ed25519), treating the 128-bit security level as the floor.
1. Encryption keys used to protect sensitive data in transit must not be hard-coded in the source code.
For secure transmission of sensitive data, prefer industry-standard security protocols (SSH v2, TLS, IPsec, SFTP, HTTPS, etc.) and ensure that the keys are configurable. Two versions named in the original list are no longer acceptable: SSL 3.0 is prohibited by RFC 7568 and TLS 1.0 is deprecated by RFC 8996, so TLS 1.2 or later should be used. If the product implements its own secure transfer, a Diffie-Hellman key exchange is preferred; if another method such as a pre-shared key is used, the key must likewise be configurable and replaceable.
2. Passwords, bank account numbers, communication content and other sensitive data must not be recorded in logs, call detail records (CDRs) or similar files;
3. Avoid recording personal data in logs and CDRs wherever possible. If personal data must be recorded, it must be stored in a structured form that allows it to be anonymised or extracted mechanically:
1) In logs, each personal-data value must be preceded or followed by a uniform marker that distinguishes it from non-personal data.
2) In CDRs, records must be structured: fields separated by a uniform delimiter, with the fields of each row corresponding strictly to the defined columns.
4. When a product is released with a personal-data export capability, it must also provide filtering or anonymisation functions or tools for that personal data;
5. The export function must be strictly restricted, and every use of it must be logged.
6. Functions that collect or process personal data must be protected by security mechanisms (such as authentication, access control and logging), and these must be disclosed to the customer in the product documentation.
7. Except in normal business processes and standard protocols, obtaining a user's precise location for fault-location purposes is prohibited. Processing of precise user location data requires a clearly established need on Huawei's side, and the design must give users the opportunity to withdraw consent at any time.
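The following is an added example, not part of the original specification, for items 3 and 4 above: personal-data fields are written between a uniform marker pair so they can be found mechanically, CDR rows use one delimiter with a fixed column order, and an anonymisation pass replaces each marked value with a keyed, irreversible pseudonym (or removes it) before export. The marker syntax, the CDR column names, the HMAC-based pseudonym scheme and the sample numbers are constructed for the demo.

```python
# Added example (not from the original specification): marking personal
# data in logs and CDRs, and anonymising or stripping it for export.
import hashlib
import hmac
import re

PII_OPEN, PII_CLOSE = "<PII>", "</PII>"          # assumed uniform marker pair
PII_RE = re.compile(re.escape(PII_OPEN) + r"(.*?)" + re.escape(PII_CLOSE))

# Constructed CDR layout: fixed column order, one delimiter.
CDR_COLUMNS = ("start_time", "caller", "callee", "duration_s", "cell_id")
CDR_PII_COLUMNS = {"caller", "callee", "cell_id"}   # cell_id is location data
CDR_DELIM = "|"

def mark(value):
    """Wrap a personal-data value so it is distinguishable from other text."""
    return PII_OPEN + str(value) + PII_CLOSE

def log_line(level, message, **pii):
    """Build a log line; only the keyword fields are personal data and get marked."""
    fields = " ".join("%s=%s" % (k, mark(v)) for k, v in sorted(pii.items()))
    return "%s %s %s" % (level, message, fields) if fields else "%s %s" % (level, message)

def cdr_row(record):
    """Structured CDR row: one delimiter, fixed column order, PII columns marked."""
    cells = []
    for col in CDR_COLUMNS:
        val = str(record[col])
        if CDR_DELIM in val:
            raise ValueError("delimiter inside field %s" % col)
        cells.append(mark(val) if col in CDR_PII_COLUMNS else val)
    return CDR_DELIM.join(cells)

def pseudonymise(value, key):
    """Keyed, truncated HMAC: stable within one export, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def anonymise(text, key):
    """Replace every marked value in a log line or CDR row with its pseudonym."""
    return PII_RE.sub(lambda m: pseudonymise(m.group(1), key), text)

def strip_pii(text):
    """Filter variant: drop the marked values entirely (for exports that need none)."""
    return PII_RE.sub("[removed]", text)
```

A keyed pseudonym keeps rows for the same subscriber correlatable within one export while denying re-identification to anyone without the key; use a fresh key per export if correlation across exports is not wanted.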
Password Security Policy Management
1. Password complexity must be checked by default when a password is set, and the password must meet at least the following requirements:
1) Length of at least 6 characters (at least 8 characters for privileged users). Note that 6 characters is below current guidance: NIST SP 800-63B requires a minimum of 8 characters for all user-chosen passwords.
2) The password must contain characters from at least two of the following classes:
- at least one lowercase letter;
- at least one uppercase letter;
- at least one digit;
- at least one special character (the list is partly garbled in the source; the recoverable characters are @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ? and the space character).
3) The password must not be the same as the account name or its reverse.
If a password that does not meet these rules is set, a warning must be issued.
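The following is an added example, not part of the original specification: a validator for the complexity rules listed above. The rule set is the one in the text; the special-character set is an assumed reconstruction of the garbled list (adding ~ and !), the account comparison is done case-insensitively (stricter than the text requires), and the function names and the return shape (a list of violated rules, empty when the password passes) are assumptions.

```python
# Added example (not from the original specification): password complexity
# check returning every violated rule, so the caller can warn on each.
import string

# Assumed reconstruction of the special-character list (partly garbled in the source).
SPECIALS = set("~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? ")

def password_violations(password, account, privileged=False):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    min_len = 8 if privileged else 6
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)

    classes = sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ])
    if classes < 2:
        problems.append("uses fewer than two character classes")

    # Compared case-insensitively, which is stricter than the text demands.
    lowered, acct = password.lower(), account.lower()
    if lowered == acct or lowered == acct[::-1]:
        problems.append("equals the account name or its reverse")
    return problems

def check_password(password, account, privileged=False):
    """Warn on every violation, as the clause requires; True only on a clean pass."""
    problems = password_violations(password, account, privileged)
    for p in problems:
        print("WARNING: password rejected: " + p)
    return not problems
```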
2. The system must provide a user lockout mechanism, implemented in one of the following two ways:
Mode one: when the number of consecutive wrong passwords exceeds the system limit (default 3, configurable), the system locks the user.
Mode two: after each failed attempt the system doubles the waiting time before the next password attempt is allowed; in this mode the user is not locked automatically.
3. The automatic unlock time must be configurable (applies only to users locked because of failed password attempts):
1) For a user locked after n failed password attempts, the system must allow the automatic unlock time to be configured; the default is 5 minutes.
2) When the predefined lock time has elapsed, the user is unlocked automatically; the user may also be unlocked manually by a security administrator.
3) During the lockout period, only the application's Security Administrator role may manually unlock the account.
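The following is an added example, not part of the original specification, serving both items 2 and 3 above and item 1 under Web Security Issues (anti-brute-force): a login guard with the two modes described (lock after N consecutive failures with automatic unlock after a configurable time, or a doubling delay between attempts with no lock) plus manual unlock by the security administrator. Counters are kept per account in memory; the class and method names, the default backoff of one second and the injected clock are assumptions made so the example runs deterministically.

```python
# Added example (not from the original specification): per-account login
# throttling in the two modes the clause allows. Time is passed in
# explicitly so behaviour is reproducible.
import time

class LoginGuard:
    def __init__(self, mode="lock", max_failures=3, unlock_after=300, base_delay=1.0):
        assert mode in ("lock", "backoff")
        self.mode = mode
        self.max_failures = max_failures      # default 3, configurable
        self.unlock_after = unlock_after      # seconds; default 5 minutes
        self.base_delay = base_delay          # first delay in backoff mode (assumed)
        self.failures = {}                    # account -> consecutive failures
        self.locked_until = {}                # account -> epoch seconds (lock mode)
        self.next_allowed = {}                # account -> epoch seconds (backoff mode)

    def can_attempt(self, account, now):
        """True if a login attempt for this account may be processed now."""
        if self.mode == "lock":
            until = self.locked_until.get(account)
            if until is None:
                return True
            if now >= until:                  # automatic unlock after the timeout
                self.unlock(account)
                return True
            return False
        return now >= self.next_allowed.get(account, 0.0)

    def record_failure(self, account, now):
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.mode == "lock":
            if n >= self.max_failures:
                self.locked_until[account] = now + self.unlock_after
        else:
            # 1 s, 2 s, 4 s, ...: the permitted interval doubles on each failure
            self.next_allowed[account] = now + self.base_delay * (2 ** (n - 1))

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
        self.next_allowed.pop(account, None)

    def unlock(self, account):
        """Manual unlock by the security administrator (also used on timeout)."""
        self.record_success(account)

    def login(self, account, password, check, now=None):
        """Return 'ok', 'bad_credentials', 'locked' (mode one) or 'retry_later' (mode two).

        `check(account, password)` is the caller's real credential verifier.
        """
        now = time.time() if now is None else now
        if not self.can_attempt(account, now):
            return "locked" if self.mode == "lock" else "retry_later"
        if check(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account, now)
        return "bad_credentials"
```

The same class keyed by source IP instead of account gives the IP-lockout variant mentioned under Web Security Issues. Note that the guard is consulted before the credential check, so a locked account yields the same response for right and wrong passwords and leaks nothing about them.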
Rules for safe password use
4. Passwords must never be displayed in plaintext: in the user interface the entered password is either not shown or replaced by asterisks, and passwords must not appear in plaintext in terminal output or in logs. Even a plaintext password held in memory (for example during login) must be overwritten immediately after use.
5. The password input field must not support copying.
6. Default passwords of built-in system accounts must meet the complexity requirements, and the customer documentation must remind users to change them.
7. Users can change their own passwords, subject to the following:
1) The old password must be verified when a user changes their password;
2) A user may change only their own password (administrators excepted).
8. Passwords must not be transmitted over the network in plaintext; passwords and other authentication credentials must be encrypted in transit using algorithms of a high security level.
Description
1) Symmetric encryption: AES with a key of 192 bits or more is recommended;
2) Key exchange: DH1024 is recommended;
3) Digital signature: DSA1024 or ECDSA192 is recommended;
4) Asymmetric encryption: RSA2048 or ECC192 is recommended;
5) Hash: SHA-256 or stronger is recommended;
6) HMAC (hash-based message authentication code): HMAC-SHA256 is recommended.
Caveat: 1024-bit DH and DSA are disallowed for new use by NIST SP 800-131A (2048-bit minimum), and 192-bit curves give only about 96 bits of security; use at least 2048-bit finite-field parameters and 256-bit curves in practice.
9. Passwords stored locally must be protected cryptographically and meet the following requirements:
1) Passwords must not be written in plaintext to log files, configuration files or cookies;
2) The password file must be access-controlled so that ordinary users cannot read or copy even the protected content.
10. Provide a clear list of accounts and passwords in the product's supporting documentation.
Description: Huawei provides a user-list template.
Security documentation
Supporting security solutions and documentation must be provided for the pre-sales, commissioning, and live-network operation and maintenance phases.
1. Describe the product's security characteristics in the product description.
2. Provide the product communication matrix before product release. It describes the communication relationships between machines, network elements and modules, including the ports, protocols, IP addresses, authentication methods and port usage information of each connection.
Description: Huawei provides a communication matrix template.
3. Provide an anti-virus software deployment guide before product release. It describes the preparation, process and execution steps for deploying the anti-virus software, fallback handling if deployment fails, and configuration guidance for virus signature database updates (required for Windows platforms).
4. Provide a security configuration/hardening guide before product release.
It must describe the following:
- Security hardening and inspection, covering the operating system, database and web server, with concrete hardening content and operating steps (required).
- Application security configuration for the product's business security functions: which security options must be enabled and how to configure them. (This part is required when the product has security features that need policy configuration before use.) If the product has no application security configuration, the document is named Security Hardening Guide. The Security Hardening Guide is mandatory.
5. Provide a security maintenance manual before product release. It gives solution-level guidance on routine security maintenance of the service, including security patches, security configuration and routine checks of anti-virus software, so that maintenance personnel can carry out day-to-day security maintenance.
Operating system security
Whether a general-purpose operating system (Windows, Linux, UNIX, etc.) or an embedded operating system (such as VxWorks or pSOS) is used, the security of the software and of its operating environment must be ensured.
Note: "The system" means the whole system delivered to the customer, including the self-developed software, the operating system it runs on and the application services.
1. Scan with mainstream vulnerability scanning software; no high-risk vulnerabilities may remain.
2. For new shipping products based on a general-purpose operating system, the pre-installation rate of "OS hardening + OS patches" must be 100%. For products that are not pre-installed in production, the default security policy files must be included in the released version, and the hardening requirements and procedures described in the product documentation.
Description
1) For operating systems supplied by Huawei, the product version must be developed and compatibility-tested against the latest OS security patches.
2) For operating systems supplied by the partner, the partner must compatibility-test the OS security patches before release and ship them with the release, and must harden the operating system according to the CIS benchmarks and ship that hardening with the release.
3. For products running on Windows, compatibility with mainstream anti-virus software must be tested.
Description
1) If Huawei supplies the Windows operating system, the partner must test compatibility with mainstream or Huawei-designated anti-virus software;
2) If the partner supplies the Windows operating system, the product must support the Huawei-designated anti-virus software by default and be compatibility-tested with it.
Protocol and interface attack resistance
The system must have basic attack-resistance capability: it must be able to defend against the common attacks that affect it. Note: "The system" means the whole system delivered to the customer, including the self-developed software, the operating system it runs on and the application services.
1. Every external communication connection of the system must be necessary for its operation and maintenance, and the ports used must be listed in the product communication matrix; dynamically allocated listening ports must be restricted to a reasonable range. Verify with a port scanning tool that every port not listed in the communication matrix is closed.
Description
1) Huawei provides a communication matrix template.
2. Avoid dynamically allocated ports where possible. If there is no alternative and they must be used, the following requirements apply:
1) If an industry-standard protocol is used (such as RPC or FTP passive mode), appropriate security measures must be in place (such as a secure NFS configuration or firewall support for FTP passive mode);
2) If the mechanism is self-implemented, the dynamic listening ports must be restricted to a defined, reasonable range.
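The following is an added example, not part of the original specification, for the communication-matrix check in item 1 and the dynamic-range requirement in item 2: it compares the listening sockets found on a host with the ports declared in the communication matrix and flags every listener that is neither declared nor inside a declared dynamic range. The CSV layout of the matrix, the `ss -ltn`-style sample output and all port numbers are constructed for the demo; in use, feed it the real matrix export and the real scan output.

```python
# Added example (not from the original specification): reconcile listening
# ports against the communication matrix; anything undeclared must be closed.
import csv
import io

# Constructed communication matrix: one row per declared listener.
MATRIX_CSV = """\
module,protocol,port,direction,auth
web-ui,tcp,443,inbound,TLS client cert or password
ssh,tcp,22,inbound,password or public key
db-listener,tcp,1521,inbound,listener password
rpc-dynamic,tcp,30000-30100,inbound,token
"""

# Constructed `ss -ltn`-style output (only the Local Address:Port column is used).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:1521      0.0.0.0:*
LISTEN 0      128    0.0.0.0:30057       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:5555           [::]:*
"""

def parse_matrix(text):
    """Return (set of single TCP ports, list of (lo, hi) dynamic ranges)."""
    ports, ranges = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        if row["protocol"].strip().lower() != "tcp":
            continue
        spec = row["port"].strip()
        if "-" in spec:
            lo, hi = (int(x) for x in spec.split("-", 1))
            ranges.append((lo, hi))
        else:
            ports.add(int(spec))
    return ports, ranges

def parse_listeners(text):
    """Extract listening TCP ports from `ss -ltn` output (IPv4 and IPv6 forms)."""
    found = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        found.add(int(cols[3].rsplit(":", 1)[1]))   # "[::]:5555" -> 5555
    return found

def undeclared_ports(matrix_text, ss_text):
    """Ports that must be closed: listening but absent from the matrix."""
    ports, ranges = parse_matrix(matrix_text)
    listening = parse_listeners(ss_text)
    declared = {p for p in listening
                if p in ports or any(lo <= p <= hi for lo, hi in ranges)}
    return sorted(listening - declared)
```

Run it from the host's own socket table and again from an external port scan: the first catches listeners bound only to loopback, the second confirms what is actually reachable through the firewall.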
3. Every communication port and protocol through which the system can be managed must have an access authentication mechanism, except for standard protocols that have no authentication mechanism.
4. Self-developed protocols and protocols implemented by non-mainstream software (including non-mainstream open-source software) must be tested against malformed-message attacks (protocol fuzzing).
5. Externally visible physical interfaces of the system must have access authentication mechanisms.
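The following is an added example, not part of the original specification, for the malformed-message testing clause above: a minimal mutation fuzzer run against two parsers of a constructed length-prefixed record format. The naive parser trusts the length fields and crashes with driver-level exceptions; the hardened parser checks every offset and only ever raises its own ProtocolError. Counting "unexpected exception" as a finding is the simplest usable oracle for this kind of test. The message format, both parsers and the mutation strategies are constructed for the demo.

```python
# Added example (not from the original specification): malformed-message
# testing of a constructed record format. Format: count (1 byte), then
# count records of type (1 byte), length (2 bytes big-endian), payload.
import random
import struct

class ProtocolError(Exception):
    """The only exception a well-behaved parser may raise on bad input."""

def parse_naive(data):
    """Trusts the count and length fields (constructed bug, for contrast)."""
    count = data[0]
    records, pos = [], 1
    for _ in range(count):
        mtype, length = struct.unpack_from(">BH", data, pos)   # may raise struct.error
        pos += 3
        records.append((mtype, data[pos:pos + length]))
        pos += length
    return records

def parse_hardened(data):
    """Validates every offset before use and rejects trailing garbage."""
    if len(data) < 1:
        raise ProtocolError("empty message")
    count = data[0]
    records, pos = [], 1
    for _ in range(count):
        if pos + 3 > len(data):
            raise ProtocolError("truncated record header at %d" % pos)
        mtype, length = struct.unpack_from(">BH", data, pos)
        pos += 3
        if pos + length > len(data):
            raise ProtocolError("declared length %d exceeds message" % length)
        records.append((mtype, bytes(data[pos:pos + length])))
        pos += length
    if pos != len(data):
        raise ProtocolError("%d trailing bytes" % (len(data) - pos))
    return records

def mutate(seed_msg, rng):
    """One random mutation: flip a bit, truncate, or inflate the first length field."""
    data = bytearray(seed_msg)
    op = rng.choice(("flip", "truncate", "inflate"))
    if op == "flip":
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "truncate":
        del data[rng.randrange(1, len(data)):]
    else:
        struct.pack_into(">H", data, 2, rng.randrange(0x10000))
    return bytes(data)

def fuzz(parser, seed_msg, iterations=2000, seed=1):
    """Return how many mutated inputs made the parser raise something other than ProtocolError."""
    rng = random.Random(seed)
    crashes = 0
    for _ in range(iterations):
        try:
            parser(mutate(seed_msg, rng))
        except ProtocolError:
            pass                              # rejected cleanly: correct behaviour
        except Exception:                     # IndexError, struct.error, ...: a bug
            crashes += 1
    return crashes

# Constructed valid seed message: two records, "hello" and "ok".
SEED_MSG = (bytes([2]) + struct.pack(">BH", 1, 5) + b"hello"
            + struct.pack(">BH", 2, 2) + b"ok")
```

Against a real implementation the harness stays the same; only the transport (a socket instead of a function call) and the oracle (process crash, hang, or memory-sanitizer report instead of a Python exception) change.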
Lawful interception interfaces and prevention of unlawful monitoring
Lawful interception interfaces developed for the product must follow international standards and the legal requirements of the host country.
1. Without an explicit requirement from Huawei, developing functions or interfaces of a monitoring nature is forbidden, regardless of whether they comply with the relevant national or international standards.
2. Where Huawei requires a lawful interception interface, the partner must develop it according to the interception function or interface requirements provided by Huawei.
Description: requirements for a product version that provides a lawful interception interface (choose one of two options)
1) The product offers two software installation packages: one that supports lawful interception and one that does not. The appropriate package is selected for deployment according to the security requirements of the target market.
2) The product's installation package is split into a basic software package and a lawful interception plug-in package. Whether to install the plug-in is decided according to the security requirements of the target market.
3. Except in normal business processes and standard protocols, capturing the content of end users' original communications (voice, SMS/MMS, fax, data services) is prohibited, even for the purpose of safeguarding network operation and services.
Note:
1) Besides voice, SMS/MMS, fax and data-service information, which are communication content, end users' instant messages, e-mail and URLs also count as communication content;
2) Debug functions are allowed, but debug output must not contain passwords, bank account numbers, communication content or other sensitive data.