HUAWEI TECHNOLOGIES CO., LTD. (www.huawei.com)

CC Certification for Telecom Products
Huawei Technologies Co., Ltd.
2011-9-28, 12th ICCC, Malaysia
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
1 Introduction
Introduction
[Map: Argentina, Mauritius, Malaysia, Romania, China, India, Hungary, Brazil, Mexico, Holland, UAE, Bahrain, Germany]
Legend: R&D center, Huawei Headquarters, Technical support center, Accounting share center, Supply center & Hub, Training center, Bidding center (planning)
120,000+ employees with 150+ nationalities worldwide; 15 Regional Headquarters; operations in 140+ countries
Localized operation powered by global resources
Cyber Security: an Increasing Global Threat
[Figure: End User, Government, Operator]
Cyber Security: Challenges for All Participants
Government: high-efficiency and low-cost security entry control and supervision systems
Operator: balance between security assurance and cost of business operation
Vendor: secure and trusted delivery & enhanced security assurance
End User: more risk aware and discerning
Common Criteria (CC)
2 Cyber Security Policy
Security Goal
[Figure: Enter, Take away, Understand, Change, Get away]
Independent ISMS Audit
Huawei has been BS7799 certified since 2004.
The certificate was updated to ISO 27001 in 2007.
The current ISO 27001 certificate was released in July 2010.
Certified: Headquarters, Beijing Representative Office, Shanghai Research Institute, Huawei Germany Offices, Huawei Belgium Offices, France Offices, UK Office, Portugal Office
Ongoing: Spain Office, Italy Offices, Singapore Office, Switzerland Offices
Our Security Policy
• Compliance with a series of standards: ITU-T X.805 and 3GPP standards for telecom products
• Global cyber security organization with branches in 4 countries: UK, US, France and India. In the UK a security lab has been established.
• Great efforts on compliance with local regulations and laws on cyber security, especially for telecom products
Huawei's Perspective
Issues: Threats; Vulnerability
Solutions: Separation of duties, Access Control, Privacy; Protection against various attacks, risk analysis; Security designed in solution; Security embedded in process
Establishing the Company-Level Cyber Security Vision & Policy
Vision: Establish an E2E customer-facing cyber security assurance system which is transparent, mutual-trust and neutral, to ensure customers' long-term security trust.
Management and Control:
Proactive Protection: Proactively analyze cyber security requirements and risks, prevent and respond to security threats. Integrate security assurance activities into business processes such as IPD, Procurement, Supply Chain and Delivery & Service processes, and develop management regulations and technical standards to ensure the effective execution of the activities.
Regulations Compliance: All the security management documents, processes and activities must be compliant with local laws and regulations concerning cyber security.
Traceability: Through professional management, process deployment, records storing and IT technical support, ensure that the products, solutions and services offered by Huawei are traceable throughout the whole lifecycle.
Open and Transparent: Communicate with stakeholders of different countries, including governments, customers, industry partners and employees, through various organizations, channels and platforms, to jointly counter the threats and challenges of the global telecommunication network.
3 Best Development Practices
Cooperation with Authorized Labs for CC
We actively cooperate with authorized labs to carry out evaluation, and hope to obtain a disinterested result according to the Common Criteria (CC) standards.
Common Criteria (CC) certification was obtained recently; a couple of telecom products are under evaluation based on their Security Targets (ST).
Huawei's Telecom Products
[Chart: CC Certified Products Distribution, certified products and PPs, up to Sep 2011]
Typical Telecom Network Architecture
[Figure: 2G/3G/3.9G network with E-UTRAN, GERAN, UTRAN, MME, S-GW, PDN-GW, SGSN, GGSN, HLR/HSS, PCRF, ePDG, 3GPP-AAA, PDSN, untrusted non-3GPP IP access (e.g. WLAN) and the operator's IP service; interfaces Rx, S1-C, S1-U, S3, S4, S5, S6a, S6b, S11, S12, S2b, SWa, SWn, SWx, Gb, Gn, Gr, Gx, Gxb/S7c, Gi, SGi, Iu]
Carrier Grade Platform (TOE software): The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.
Long Term Evolution Security Overview
Uu Interface: • Authentication: USIM + EPS AKA • Encryption: AES, SNOW 3G, ZUC
eNodeB Security: • Embedded firewall (ACL) • IPsec for protection of signaling and user data • Authentication/Encryption
Backhaul Security: • Certificate-based authentication (802.1x, IKE, PKI) • IPsec • TLS/SSL
Core Security: • Huawei USC security solution • Traffic segregation, CN firewall
OMC Security: • OM data encryption • Account management • Log management • Security alarm
[Figure: UE/Terminal, eNB, IP Network/Backhaul with IPsec to SecGW, Internet, Third Party Network, Firewalls, MME, UGW, HSS, Service/Signaling/Billing, NMS/OM Network over SSL; Non-trusted Zone and Trusted Zone]
Huawei Security Solution Architecture
• Comprehensive top-down, end-to-end security design methodology
• Based on the ITU-T X.805 recommendation architecture
4 Our Achievements
Our Achievements
In July 2011 we gained the EAL3 certificates from CCN; other products are undergoing evaluation. (EAL3: methodically tested and checked.)
1 CGP platform. Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target v0.28, 2011-03-09. Protection Profile: No conformance to a Protection Profile is claimed.
2 NetEngine40E/CX600 running VRP (V500R007) platform. Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target V0.68, 2011-02-24. Protection Profile: No conformance to a Protection Profile is claimed.
Evaluation Process
Security Problem Definition (Threats, Organisational Security Policies, Assumptions): What is the threat?
Security Objectives (Environment Objectives, TOE Security Objectives): What is the security objective?
Security Requirements (TOE SFRs, TOE SARs): How to achieve the security goal?
Security Solution Definition (TOE Summary Specification): How to solve the problem?
Solution Implementation Definition (TOE Security Functions): How to implement those solutions?
Threats & Assumptions, Objectives
Threats: • T.AccountabilityLoss • T.Eavesdrop • T.UnauthenticatedAccess • T.UnauthorizedAccess
Assumptions: • A.PhysicalProtection • A.TrustworthyUsers • A.NetworkSegregation • A.Support
Environment Objectives: • OE.Administration • OE.Support • OE.Users
TOE Security Objectives: • O.Audit • O.Communication • O.Authentication • O.Authorization
Security Functional Requirements (SFR)
Security Functional Class | Security Functional Requirement | Component
Security Audit (FAU) | FAU_GEN.1 Audit data generation | FAU_GEN.1
Security Audit (FAU) | FAU_GEN.2 User identity association | FAU_GEN.2
Security Audit (FAU) | FAU_SAR.3 Selectable audit review | FAU_SAR.3
Security Audit (FAU) | FAU_STG.3 Action in case of possible audit data loss | FAU_STG.3
Cryptographic Support (FCS) | FCS_COP.1 Cryptographic operation | FCS_COP.1
User Data Protection (FDP) | FDP_ACC.1 Subset access control | FDP_ACC.1
User Data Protection (FDP) | FDP_ACF.1 Security attribute based access control | FDP_ACF.1
Identification and Authentication (FIA) | FIA_AFL.1 Authentication failure handling | FIA_AFL.1
Identification and Authentication (FIA) | FIA_ATD.1 User attribute definition | FIA_ATD.1
Identification and Authentication (FIA) | FIA_SOS.1 Verification of secrets | FIA_SOS.1
Identification and Authentication (FIA) | FIA_UAU.2 User authentication before any action | FIA_UAU.2
Identification and Authentication (FIA) | FIA_UID.2 User identification before any action | FIA_UID.2
Security Management (FMT) | FMT_MSA.1 Management of security attributes | FMT_MSA.1
Security Management (FMT) | FMT_MSA.3 Static attribute initialization | FMT_MSA.3a
Security Management (FMT) | FMT_MSA.3 Static attribute initialization | FMT_MSA.3b
Security Management (FMT) | FMT_SMF.1 Specification of Management Functions | FMT_SMF.1
Security Management (FMT) | FMT_SMR.1 Security roles | FMT_SMR.1
Protection of the TSF (FPT) | FPT_ITT.1 Basic internal TSF data transfer protection | FPT_ITT.1
TOE Access (FTA) | FTA_TSE.1 TOE session establishment | FTA_TSE.1
Trusted Path/Channels (FTP) | FTP_TRP.1 Trusted path | FTP_TRP.1
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class | Assurance Components
ADV Development | ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD Guidance documents | AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC Life-cycle support | ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
ASE Security Target evaluation | ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE Tests | ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA Vulnerability assessment | AVA_VAN.2 Vulnerability analysis
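The evaluation chain on the preceding slides (security problem definition to objectives to SFRs, which ASE_OBJ.2 and ASE_REQ.2 check for completeness) as a runnable rationale check. This is an added example, not Huawei's or the evaluating lab's code: the threats, assumptions, objectives and SFRs are the ones listed on the slides, while the mapping tables between them are assumed for illustration (the slides give the items, not the ST's rationale) and the dependency table is limited to the SFRs listed.

```python
"""Security Target rationale check following the CC evaluation chain on the slides.
Items (threats, assumptions, objectives, SFRs) are those listed on the slides; the
mapping tables are HYPOTHETICAL, and the dependency table covers only these SFRs."""
import re

THREATS = {"T.AccountabilityLoss", "T.Eavesdrop", "T.UnauthenticatedAccess", "T.UnauthorizedAccess"}
ASSUMPTIONS = {"A.PhysicalProtection", "A.TrustworthyUsers", "A.NetworkSegregation", "A.Support"}
TOE_OBJ = {"O.Audit", "O.Communication", "O.Authentication", "O.Authorization"}
ENV_OBJ = {"OE.Administration", "OE.Support", "OE.Users"}
SFRS = {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3", "FCS_COP.1",
        "FDP_ACC.1", "FDP_ACF.1", "FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
        "FIA_UAU.2", "FIA_UID.2", "FMT_MSA.1", "FMT_MSA.3a", "FMT_MSA.3b",
        "FMT_SMF.1", "FMT_SMR.1", "FPT_ITT.1", "FTA_TSE.1", "FTP_TRP.1"}

# Hypothetical rationale tables (assumed for illustration, not taken from the ST).
THREAT_TO_OBJ = {
    "T.AccountabilityLoss": {"O.Audit"},
    "T.Eavesdrop": {"O.Communication"},
    "T.UnauthenticatedAccess": {"O.Authentication"},
    "T.UnauthorizedAccess": {"O.Authorization"},
}
ASSUMPTION_TO_OBJ = {
    "A.PhysicalProtection": {"OE.Support"},
    "A.TrustworthyUsers": {"OE.Users"},
    "A.NetworkSegregation": {"OE.Support"},
    "A.Support": {"OE.Administration"},
}
OBJ_TO_SFR = {
    "O.Audit": {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"},
    "O.Communication": {"FCS_COP.1", "FPT_ITT.1", "FTP_TRP.1"},
    "O.Authentication": {"FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1", "FIA_UAU.2", "FIA_UID.2", "FTA_TSE.1"},
    "O.Authorization": {"FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3a", "FMT_MSA.3b",
                        "FMT_SMF.1", "FMT_SMR.1"},
}

# CC Part 2 dependencies of the listed SFRs; each inner tuple is an "or" choice.
DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
    "FAU_SAR.3": [("FAU_SAR.1",)],
    "FAU_STG.3": [("FAU_STG.1",)],
    "FCS_COP.1": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"), ("FCS_CKM.4",)],
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],
    "FIA_AFL.1": [("FIA_UAU.1",)],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],
    "FMT_SMR.1": [("FIA_UID.1",)],
}
# Hierarchical components: the higher one also satisfies a dependency on the lower one.
HIERARCHY = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


def base(component):
    """Strip an iteration suffix so FMT_MSA.3a and FMT_MSA.3b both resolve to FMT_MSA.3."""
    return re.sub(r"[a-z]$", "", component)


def coverage_findings(threats, assumptions, toe_obj, env_obj, sfrs, t2o, a2o, o2s):
    """Trace SPD -> objectives -> SFRs in both directions (the ASE_OBJ / ASE_REQ
    rationale): every item must be covered by something and used by something."""
    findings = []
    for t in sorted(threats):
        if not (t2o.get(t, set()) & (toe_obj | env_obj)):
            findings.append(f"{t} is countered by no defined objective")
    for a in sorted(assumptions):
        if not (a2o.get(a, set()) & env_obj):
            findings.append(f"{a} is upheld by no environment objective")
    traced = set().union(*t2o.values(), *a2o.values())
    for o in sorted((toe_obj | env_obj) - traced):
        findings.append(f"{o} counters no threat and upholds no assumption")
    for o in sorted(toe_obj):
        if not (o2s.get(o, set()) & sfrs):
            findings.append(f"{o} is met by no SFR")
    used = set().union(*o2s.values())
    for s in sorted(sfrs - used):
        findings.append(f"{s} supports no TOE objective")
    return findings


def dependency_findings(sfrs, deps=DEPENDENCIES, hierarchy=HIERARCHY):
    """Report SFR dependencies the ST does not include; each one needs a written
    justification in the ST (for example a service the operational environment provides)."""
    present = {base(s) for s in sfrs}
    present |= {hierarchy[p] for p in list(present) if p in hierarchy}
    findings = []
    for s in sorted(sfrs):
        for alternatives in deps.get(base(s), []):
            if not any(alt in present for alt in alternatives):
                findings.append(f"{s} depends on {' or '.join(alternatives)}, not included")
    return findings


def check_st():
    """Run both checks on the slides' items with the hypothetical mapping."""
    cov = coverage_findings(THREATS, ASSUMPTIONS, TOE_OBJ, ENV_OBJ, SFRS,
                            THREAT_TO_OBJ, ASSUMPTION_TO_OBJ, OBJ_TO_SFR)
    return cov, dependency_findings(SFRS)
```

With the assumed mapping the coverage check is clean, while the dependency check lists the CC Part 2 dependencies (such as FAU_GEN.1 on FPT_STM.1) that the listed SFRs alone do not include and that an ST has to justify.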
Testing
TOE Testing: • Developed by the manufacturer • Verifying each unit test identifying security functionality • The testing method is appropriate to the function to be tested
Penetration Testing: • The independent penetration testing devised several test cases; no exploitable vulnerabilities nor residual vulnerabilities have been found, covering attacks including SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MiTM attacks, brute force and IP spoofing.
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the following patch, V100R005C00SPC604, has been evaluated against the "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, Security Target v0.28", 2011-03-09.
All the assurance components required by the level EAL3 have been assigned a "PASS" verdict. Consequently the laboratory (LGAI-APPLUS) assigns the "PASS" verdict to the whole evaluation, as all the evaluator actions are satisfied for the EAL3 methodology as defined by the Common Criteria and the Common Methodology.
5 Concluding Remarks
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate the Common Criteria certification into the following product lines:
• Core Network
• Enterprise
Concluding Remarks
We are increasing our market position; present and future security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you. www.huawei.com
HUAWEI TECHNOLOGIES CO LTD Page 2Page 2
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 3Page 3
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 4Page 4
ArgentinaMauritius
Malaysia
Romania
China
India
Hungary
Brazil
Mexico
Holland
UAE
Bahrain
Germany
RampD center
Huawei Headquarters
Technical support center
Accounting share center
Supply center amp Hub
Training center
Biding center (Planning)
120000+ employees with 150+ nationalities worldwide15 Regional Headquarters operations in 140+ countries
Localized operation powered by global resources
Introduction
HUAWEI TECHNOLOGIES CO LTD Page 5Page 5
Cyber Security an Increasing Global Threat
End UserGovernment Operator
XXX
XXX
XXX
XXX XXX
XXX
XXX
XXX
XXX XXX
HUAWEI TECHNOLOGIES CO LTD Page 6Page 6
Government Operator
Vendor
High-efficiency and low cost security entry control and supervision systems
Balance between security assurance and cost of business operation
Secure and trusted delivery amp enhanced security assurance
More risk aware and discerning
End User
Cyber Security
Challenges for All Participants
Common Criteria (CC)
HUAWEI TECHNOLOGIES CO LTD Page 7Page 7
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 8Page 8
Security Goal
Enter Take away Understand Change Get away
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 3Page 3
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 4Page 4
ArgentinaMauritius
Malaysia
Romania
China
India
Hungary
Brazil
Mexico
Holland
UAE
Bahrain
Germany
RampD center
Huawei Headquarters
Technical support center
Accounting share center
Supply center amp Hub
Training center
Biding center (Planning)
120000+ employees with 150+ nationalities worldwide15 Regional Headquarters operations in 140+ countries
Localized operation powered by global resources
Introduction
HUAWEI TECHNOLOGIES CO LTD Page 5Page 5
Cyber Security an Increasing Global Threat
End UserGovernment Operator
XXX
XXX
XXX
XXX XXX
XXX
XXX
XXX
XXX XXX
HUAWEI TECHNOLOGIES CO LTD Page 6Page 6
Government Operator
Vendor
High-efficiency and low cost security entry control and supervision systems
Balance between security assurance and cost of business operation
Secure and trusted delivery amp enhanced security assurance
More risk aware and discerning
End User
Cyber Security
Challenges for All Participants
Common Criteria (CC)
HUAWEI TECHNOLOGIES CO LTD Page 7Page 7
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 8Page 8
Security Goal
Enter Take away Understand Change Get away
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
Page 21
Evaluation Process
Security Problem Definition (what is the threat?): threats, organisational security policies, assumptions
Security Objectives (what is the security objective?): environment objectives, TOE security objectives
Security Requirements (how to achieve the security goal?): TOE SFRs, TOE SARs
Security Solution Definition (how to solve the problem?): TOE summary specification
Solution Implementation Definition (how to implement those solutions?): TOE security functions
Page 22
Threats, Assumptions & Objectives
Threats
• T.AccountabilityLoss
• T.Eavesdrop
• T.UnauthenticatedAccess
• T.UnauthorizedAccess
Assumptions
• A.PhysicalProtection
• A.TrustworthyUsers
• A.NetworkSegregation
• A.Support
Environment Objectives
• OE.Administration
• OE.Support
• OE.Users
TOE Security Objectives
• O.Audit
• O.Communication
• O.Authentication
• O.Authorization
The assumptions bound what the certificate says: the TOE is evaluated on the premise that its platform is physically protected, its users are trustworthy and its management network is segregated, so attacks that violate those premises (physical access, malicious administrators, an exposed OM network) lie outside the security problem the evaluation addressed.
Page 23
Security Functional Requirements (SFR)
Security Functional Class: Security Functional Requirement Components
Security Audit (FAU): FAU_GEN.1 Audit data generation; FAU_GEN.2 User identity association; FAU_SAR.3 Selectable audit review; FAU_STG.3 Action in case of possible audit data loss
Cryptographic Support (FCS): FCS_COP.1 Cryptographic operation
User Data Protection (FDP): FDP_ACC.1 Subset access control; FDP_ACF.1 Security attribute based access control
Identification and Authentication (FIA): FIA_AFL.1 Authentication failure handling; FIA_ATD.1 User attribute definition; FIA_SOS.1 Verification of secrets; FIA_UAU.2 User authentication before any action; FIA_UID.2 User identification before any action
Security Management (FMT): FMT_MSA.1 Management of security attributes; FMT_MSA.3(a) and FMT_MSA.3(b) Static attribute initialisation (two iterations); FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles
Protection of the TSF (FPT): FPT_ITT.1 Basic internal TSF data transfer protection
TOE Access (FTA): FTA_TSE.1 TOE session establishment
Trusted Path/Channels (FTP): FTP_TRP.1 Trusted path
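The SFR identifiers above state what the management server must do, not how. The following is an added example, not CGP code and not taken from Huawei's Security Target, showing how a small management server model can satisfy the identification, authentication, audit, access-control and session-establishment components in the table. The lockout threshold, the password rule, the audit-store size and alarm level, the role-to-command tables and the source-address rule for FTA_TSE.1 are assumed values chosen for illustration.

```python
"""Added illustration of several CGP SFRs in a small management-server model.
Not Huawei code.  Assumed (not from the page): lockout after 3 failures,
password rule of 8+ characters with a letter and a digit, an audit store of
100 records that raises an alarm from 80, and role-to-command tables."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 3        # FIA_AFL.1: failed attempts before lockout (assumed)
AUDIT_CAPACITY = 100    # FAU_STG.3: audit store size (assumed)
AUDIT_WARN_AT = 80      # FAU_STG.3: fill level that triggers the alarm (assumed)

# FMT_SMR.1 roles and FDP_ACF.1 rule: the command set each role may run (assumed)
ROLE_COMMANDS = {
    "admin": {"show-config", "set-config", "add-user", "export-audit"},
    "operator": {"show-config", "set-config"},
    "auditor": {"show-config", "export-audit"},
}


@dataclass
class User:             # FIA_ATD.1: security attributes maintained per user
    name: str
    salt: bytes
    pw_hash: bytes
    role: str
    failures: int = 0
    locked: bool = False


@dataclass
class Session:
    user: User
    source_ip: str


class ManagementServer:
    def __init__(self, allowed_sources):
        self.users = {}
        self.allowed_sources = set(allowed_sources)  # FTA_TSE.1 attribute (assumed: source IP)
        self.audit = []                              # FAU_GEN.1 audit trail
        self.audit_alarms = 0                        # FAU_STG.3 alarms raised

    def _log(self, event, subject, outcome, detail=""):
        # FAU_GEN.1/FAU_GEN.2: date/time, event, outcome and the user identity
        if len(self.audit) >= AUDIT_CAPACITY:
            self.audit.pop(0)                        # store full: overwrite oldest (assumed)
        self.audit.append({"ts": time.time(), "event": event,
                           "subject": subject, "outcome": outcome, "detail": detail})
        if len(self.audit) >= AUDIT_WARN_AT:         # FAU_STG.3: action before loss
            self.audit_alarms += 1

    @staticmethod
    def password_ok(pw):
        # FIA_SOS.1: verify that secrets meet the quality metric (assumed rule)
        return (len(pw) >= 8 and any(c.isalpha() for c in pw)
                and any(c.isdigit() for c in pw))

    @staticmethod
    def _hash(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def add_user(self, name, password, role):
        if role not in ROLE_COMMANDS or not self.password_ok(password):
            return False
        salt = os.urandom(16)
        self.users[name] = User(name, salt, self._hash(salt, password), role)
        return True

    def login(self, name, password, source_ip):
        # FTA_TSE.1: deny session establishment from non-permitted sources
        if source_ip not in self.allowed_sources:
            self._log("session_denied", name, "fail", f"source {source_ip}")
            return None
        # FIA_UID.2/FIA_UAU.2: nothing is possible until identification and
        # authentication succeed; a Session is the only handle to run commands
        user = self.users.get(name)
        if user is None or user.locked:
            self._log("login", name, "fail", "unknown or locked account")
            return None
        if not hmac.compare_digest(user.pw_hash, self._hash(user.salt, password)):
            user.failures += 1                       # FIA_AFL.1: count failures
            self._log("login", name, "fail", "bad password")
            if user.failures >= MAX_FAILURES:        # FIA_AFL.1: lock the account
                user.locked = True
                self._log("account_locked", name, "success")
            return None
        user.failures = 0
        self._log("login", name, "success", f"source {source_ip}")
        return Session(user, source_ip)

    def run(self, session, command):
        # FDP_ACC.1/FDP_ACF.1: access decision from the subject's role attribute
        allowed = command in ROLE_COMMANDS.get(session.user.role, set())
        self._log("command", session.user.name,
                  "success" if allowed else "fail", command)
        return allowed
```

The design point is that every SFR maps to a concrete, testable behaviour: a session object that cannot exist before authentication (FIA_UID.2/UAU.2), a counter and lock (FIA_AFL.1), an audit record that always names the subject (FAU_GEN.2), and an alarm raised before the store overflows (FAU_STG.3). An evaluator's ATE_IND.2 sample tests look much like the assertions one would write against this class.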
Page 24
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class: Assurance Components
ADV Development: ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD Guidance documents: AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC Life-cycle support: ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
ASE Security Target evaluation: ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE Tests: ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA Vulnerability assessment: AVA_VAN.2 Vulnerability analysis
Page 25
Testing
TOE Testing
• Developed by the manufacturer
• Each unit test that exercises security functionality is verified
• The testing method is appropriate to the function under test
Penetration Testing
• The independent penetration testing devised several test cases; no exploitable vulnerabilities and no residual vulnerabilities were found
• Attacks covered include SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MitM attacks, brute force and IP spoofing
At EAL3 the vulnerability analysis component is AVA_VAN.2, which requires the TOE to resist attackers of Basic attack potential; the "no exploitable vulnerabilities" result is relative to that attack potential and to the evaluated configuration.
Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the patch V100R005C00SPC604 has been evaluated against the "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, v0.28", dated 2011-03-09.
All the assurance components required by EAL3 have been assigned a PASS verdict. Consequently the laboratory (LGAI-APPLUS) assigns the PASS verdict to the evaluation as a whole, since all the evaluator actions defined for the EAL3 methodology by the Common Criteria and the Common Methodology are satisfied.
The verdict covers exactly that version and patch level: a deployment running a different build or patch is not the evaluated TOE, so the first check an operator should make is that the installed version identifier matches the one on the certificate.
Page 27
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
Page 28
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate Common Criteria certification into the following product lines:
• Core Network
• Enterprise
Page 29
Concluding Remarks
We are increasing our market position; present and future security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you
www.huawei.com
HUAWEI TECHNOLOGIES CO LTD Page 6Page 6
Government Operator
Vendor
High-efficiency and low cost security entry control and supervision systems
Balance between security assurance and cost of business operation
Secure and trusted delivery amp enhanced security assurance
More risk aware and discerning
End User
Cyber Security
Challenges for All Participants
Common Criteria (CC)
HUAWEI TECHNOLOGIES CO LTD Page 7Page 7
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 8Page 8
Security Goal
Enter Take away Understand Change Get away
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
Page 14
Cooperation with Authorized Labs for CC
We actively cooperate with authorized labs to do evaluation, and hope to get an impartial result according to the Common Criteria (CC) standards.
Common Criteria (CC) certification was obtained recently; a couple of telecom products are under evaluation based on their Security Targets (STs).
Page 15
CC Certified Products
[Chart: CC Certified Products Distribution, up to Sep 2011; legend: Certified Products, PP; axis 0 to 450; Huawei's Telecom Products highlighted]
Page 16
Typical Telecom Network Architecture
[Diagram: 2G / 3G / 3.9G network. Nodes: E-UTRAN, MME, S-GW, PDN-GW, GERAN, UTRAN, SGSN, GGSN, HLR/HSS, PCRF, ePDG, 3GPP-AAA, PDSN, untrusted non-3GPP IP access (e.g. WLAN), Operator's IP service. Interfaces: Rx, S1-C, S1-U, S11, S5, S6a, S4, S3, S12, Iu, Gb, SGi, Gx, Gxb, S7c, S6b, S2b, SWn, SWa, SWx, Gn, Gr, Gi. The Carrier Grade Platform (TOE software) is marked.]
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.
Page 17
Long Term Evolution Security Overview
Uu interface: Authentication: USIM + EPS AKA. Encryption: AES, SNOW 3G, ZUC
eNodeB security: Embedded firewall (ACL); IPsec for protection of signaling and user data; Authentication / Encryption
Backhaul security: Certificate-based authentication (802.1X, IKE, PKI); IPsec; TLS/SSL
Core security: Huawei USC security solution; Traffic segregation; CN firewall
OMC security: OM data encryption; Account management; Log management; Security alarm
[Diagram: UE / Terminal, eNB, IP network / backhaul (IPsec), SecGW, then the trusted zone with MME, UGW, HSS, NMS / OM network (SSL), and the service, signaling and billing networks behind firewalls; Internet and third-party network in the non-trusted zone]
Page 18
Huawei Security Solution Architecture
• Comprehensive top-down, end-to-end security design methodology
• Based on the ITU-T X.805 recommendation architecture
Page 20
Our Achievements
In July 2011 we gained the EAL3 certificates from CCN (Spain's Centro Criptológico Nacional); other products are undergoing evaluation. EAL3: methodically tested and checked.
1. CGP platform. Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target v0.28, 2011-03-09. Protection Profile: no conformance to a Protection Profile is claimed.
2. NetEngine40E/CX600 running the VRP (V500R007) platform. Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target V0.68, 2011-02-24. Protection Profile: no conformance to a Protection Profile is claimed.
Page 21
Evaluation Process
Security Problem Definition (What is the threat?): Threats, Organisational Security Policies, Assumptions
Security Objectives (What is the security objective?): Environment Objectives, TOE Security Objectives
Security Requirements (How to achieve the security goal?): TOE SFRs, TOE SARs
Security Solution Definition (How to solve the problem?): TOE Summary Specification
Solution Implementation Definition (How to implement those solutions?): TOE Security Functions
Page 22
Threats & Assumptions and Objectives
Threats: T.AccountabilityLoss, T.Eavesdrop, T.UnauthenticatedAccess, T.UnauthorizedAccess
Assumptions: A.PhysicalProtection, A.TrustworthyUsers, A.NetworkSegregation, A.Support
Environment Objectives: OE.Administration, OE.Support, OE.Users
TOE Security Objectives: O.Audit, O.Communication, O.Authentication, O.Authorization
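The tracing behind these slides is what ASE_OBJ.2 and ASE_REQ.2 make the evaluator verify: every threat is countered and every assumption upheld by an objective, and every TOE objective is met by at least one SFR. As an added example (written for this page; not code from Huawei or from the CGP evaluation), here is a small Python check that runs that rationale mechanically. The identifiers are the ones the deck lists for the CGP Security Target (threats, assumptions and objectives above, SFRs from the ST's SFR table); the mappings between them are assumed for illustration and are not taken from the real ST.

```python
"""Security Target rationale tracing check (illustrative; not taken from the CGP ST).

CC Part 1 requires the ST rationale to show that every threat is countered and every
assumption upheld by a security objective (checked under ASE_OBJ.2), and that every TOE
security objective is met by at least one SFR (ASE_REQ.2). The identifiers are the ones
the deck lists for the CGP ST; the MAPPINGS between them are assumed for illustration.
"""
from typing import Dict, List

THREATS = ["T.AccountabilityLoss", "T.Eavesdrop", "T.UnauthenticatedAccess", "T.UnauthorizedAccess"]
ASSUMPTIONS = ["A.PhysicalProtection", "A.TrustworthyUsers", "A.NetworkSegregation", "A.Support"]
TOE_OBJECTIVES = ["O.Audit", "O.Communication", "O.Authentication", "O.Authorization"]
ENV_OBJECTIVES = ["OE.Administration", "OE.Support", "OE.Users"]
SFRS = ["FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3", "FCS_COP.1", "FDP_ACC.1",
        "FDP_ACF.1", "FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1", "FIA_UAU.2", "FIA_UID.2",
        "FMT_MSA.1", "FMT_MSA.3(a)", "FMT_MSA.3(b)", "FMT_SMF.1", "FMT_SMR.1",
        "FPT_ITT.1", "FTA_TSE.1", "FTP_TRP.1"]

# Assumed tracing: threat or assumption -> objectives that counter or uphold it.
OBJECTIVES_FOR: Dict[str, List[str]] = {
    "T.AccountabilityLoss": ["O.Audit"],
    "T.Eavesdrop": ["O.Communication"],
    "T.UnauthenticatedAccess": ["O.Authentication", "OE.Users"],
    "T.UnauthorizedAccess": ["O.Authorization", "OE.Administration"],
    "A.PhysicalProtection": ["OE.Support"],
    "A.TrustworthyUsers": ["OE.Users"],
    "A.NetworkSegregation": ["OE.Support"],
    "A.Support": ["OE.Support"],
}
# Assumed tracing: TOE objective -> SFRs that meet it.
SFRS_FOR: Dict[str, List[str]] = {
    "O.Audit": ["FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"],
    "O.Communication": ["FCS_COP.1", "FPT_ITT.1", "FTP_TRP.1"],
    "O.Authentication": ["FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1", "FIA_UAU.2", "FIA_UID.2", "FTA_TSE.1"],
    "O.Authorization": ["FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3(a)", "FMT_MSA.3(b)",
                        "FMT_SMF.1", "FMT_SMR.1"],
}


def check_rationale(threats, assumptions, toe_objectives, env_objectives, sfrs,
                    objectives_for, sfrs_for) -> List[str]:
    """Return the tracing gaps; an empty list means the rationale is complete."""
    gaps: List[str] = []
    all_objectives = set(toe_objectives) | set(env_objectives)

    # Every threat must be countered, and every assumption upheld, by a defined objective.
    for item in list(threats) + list(assumptions):
        targets = objectives_for.get(item, [])
        if not targets:
            gaps.append(f"{item}: addressed by no objective")
        gaps.extend(f"{item}: maps to undefined objective {t}" for t in targets if t not in all_objectives)

    # Assumptions describe the operational environment, so only OE.* objectives may uphold them.
    for a in assumptions:
        gaps.extend(f"{a}: upheld by TOE objective {t}, must be an environment objective"
                    for t in objectives_for.get(a, []) if t in toe_objectives)

    # No dead objectives: each must counter a threat or uphold an assumption.
    referenced = {t for targets in objectives_for.values() for t in targets}
    gaps.extend(f"{o}: counters no threat and upholds no assumption" for o in sorted(all_objectives - referenced))

    # Every TOE objective must be met by a defined SFR, and every SFR must serve some TOE objective.
    for o in toe_objectives:
        reqs = sfrs_for.get(o, [])
        if not reqs:
            gaps.append(f"{o}: met by no SFR")
        gaps.extend(f"{o}: met by undefined SFR {r}" for r in reqs if r not in sfrs)
    claimed = {r for reqs in sfrs_for.values() for r in reqs}
    gaps.extend(f"{r}: meets no TOE objective" for r in sfrs if r not in claimed)
    return gaps


def check_cgp_tracing() -> List[str]:
    """Run the check on the assumed CGP tracing above."""
    return check_rationale(THREATS, ASSUMPTIONS, TOE_OBJECTIVES, ENV_OBJECTIVES, SFRS,
                           OBJECTIVES_FOR, SFRS_FOR)


def check_with_objective_dropped(objective: str) -> List[str]:
    """Re-run the check with one TOE objective deleted, the way a reviewer probes an ST:
    which threats and SFRs were hanging off it?"""
    toe = [o for o in TOE_OBJECTIVES if o != objective]
    obj_for = {k: [t for t in v if t != objective] for k, v in OBJECTIVES_FOR.items()}
    return check_rationale(THREATS, ASSUMPTIONS, toe, ENV_OBJECTIVES, SFRS, obj_for,
                           {k: v for k, v in SFRS_FOR.items() if k != objective})


if __name__ == "__main__":
    print("CGP tracing gaps:", check_cgp_tracing() or "none")
    print("with O.Communication removed:", check_with_objective_dropped("O.Communication"))
```

Deleting O.Communication leaves T.Eavesdrop uncountered and strands FCS_COP.1, FPT_ITT.1 and FTP_TRP.1, which is exactly the kind of gap an ASE_OBJ.2 / ASE_REQ.2 verdict would flag; the same check with an assumption traced to an O.* objective reports that too, since assumptions may only be upheld by the operational environment.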
Page 23
Security Functional Requirements (SFR)
Security Functional Class | Security Functional Requirement | Component
Security Audit (FAU) | FAU_GEN.1 Audit data generation | FAU_GEN.1
Security Audit (FAU) | FAU_GEN.2 User identity association | FAU_GEN.2
Security Audit (FAU) | FAU_SAR.3 Selectable audit review | FAU_SAR.3
Security Audit (FAU) | FAU_STG.3 Action in case of possible audit data loss | FAU_STG.3
Cryptographic Support (FCS) | FCS_COP.1 Cryptographic operation | FCS_COP.1
User Data Protection (FDP) | FDP_ACC.1 Subset access control | FDP_ACC.1
User Data Protection (FDP) | FDP_ACF.1 Security attribute based access control | FDP_ACF.1
Identification and Authentication (FIA) | FIA_AFL.1 Authentication failure handling | FIA_AFL.1
Identification and Authentication (FIA) | FIA_ATD.1 User attribute definition | FIA_ATD.1
Identification and Authentication (FIA) | FIA_SOS.1 Verification of secrets | FIA_SOS.1
Identification and Authentication (FIA) | FIA_UAU.2 User authentication before any action | FIA_UAU.2
Identification and Authentication (FIA) | FIA_UID.2 User identification before any action | FIA_UID.2
Security Management (FMT) | FMT_MSA.1 Management of security attributes | FMT_MSA.1
Security Management (FMT) | FMT_MSA.3 Static attribute initialization | FMT_MSA.3(a)
Security Management (FMT) | FMT_MSA.3 Static attribute initialization | FMT_MSA.3(b)
Security Management (FMT) | FMT_SMF.1 Specification of Management Functions | FMT_SMF.1
Security Management (FMT) | FMT_SMR.1 Security roles | FMT_SMR.1
Protection of the TSF (FPT) | FPT_ITT.1 Basic internal TSF data transfer protection | FPT_ITT.1
TOE Access (FTA) | FTA_TSE.1 TOE session establishment | FTA_TSE.1
Trusted Path/Channels (FTP) | FTP_TRP.1 Trusted path | FTP_TRP.1
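Several of the SFRs in the table above map directly onto code in a management server of the kind the TOE's OMU provides. The following Python sketch is an added example written for this page, not Huawei's CGP code: it implements FIA_UID.2 / FIA_UAU.2 (identify and authenticate before any action), FIA_AFL.1 (lockout at a failure threshold), FIA_SOS.1 (a quality metric on new secrets), FIA_ATD.1 and FMT_SMR.1 (a per-user role attribute), FDP_ACC.1 / FDP_ACF.1 (a role-based command policy) and FAU_GEN.1 / FAU_GEN.2 (audit records bound to a user identity). The thresholds, role names, command names and PBKDF2 parameters are assumed values chosen for the example.

```python
"""Management-plane login and command handling implementing several SFRs from the CGP ST's
list. Illustrative code written for this page, not Huawei's CGP. Assumed policy: lock after 3
consecutive failures (FIA_AFL.1), passwords of 8+ characters with letters and digits (FIA_SOS.1)."""
import hashlib, hmac, os, time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILURES, PBKDF2_ROUNDS = 3, 10_000   # FIA_AFL.1 threshold, FCS_COP.1 digest rounds (assumed)
# FDP_ACC.1 / FDP_ACF.1 / FMT_SMR.1: role-based command policy (assumed table).
COMMANDS_BY_ROLE = {"operator": {"display_alarms", "display_log"},
                    "admin": {"display_alarms", "display_log", "add_user", "set_password"}}


@dataclass
class Account:
    role: str            # FIA_ATD.1: security attribute maintained per user
    salt: bytes
    digest: bytes
    failures: int = 0    # consecutive failed authentications
    locked: bool = False


class ManagementServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}  # session token -> user
        self.audit: List[dict] = []         # FAU_GEN.1 audit trail

    def _log(self, event: str, user: str, outcome: str) -> None:
        # FAU_GEN.1 record content; FAU_GEN.2 binds each record to a user identity.
        self.audit.append({"time": time.time(), "event": event, "user": user, "outcome": outcome})

    @staticmethod
    def password_acceptable(pw: str) -> bool:
        # FIA_SOS.1: quality metric enforced on every new secret.
        return len(pw) >= 8 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)

    @staticmethod
    def _digest(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def create_account(self, user: str, pw: str, role: str) -> None:
        if role not in COMMANDS_BY_ROLE or not self.password_acceptable(pw):
            raise ValueError("unknown role or password below the FIA_SOS.1 metric")
        salt = os.urandom(16)
        self.accounts[user] = Account(role, salt, self._digest(salt, pw))
        self._log("account_create", user, "success")

    def login(self, user: str, pw: str) -> Optional[str]:
        """FIA_UID.2 / FIA_UAU.2: identify and authenticate before anything else."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            # Unknown and locked users get the same answer; only the audit tells them apart.
            self._log("login", user, "locked" if acct else "unknown_user")
            return None
        if hmac.compare_digest(self._digest(acct.salt, pw), acct.digest):
            acct.failures = 0
            token = os.urandom(16).hex()
            self.sessions[token] = user
            self._log("login", user, "success")
            return token
        acct.failures += 1
        self._log("login", user, "failure")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True  # FIA_AFL.1 action at the threshold; live sessions go with it
            self.sessions = {t: u for t, u in self.sessions.items() if u != user}
            self._log("account_lock", user, "locked")
        return None

    def run_command(self, token: str, command: str) -> str:
        user = self.sessions.get(token)
        if user is None:
            self._log("command", "<unauthenticated>", "denied:" + command)
            raise PermissionError("authenticate first")
        if command not in COMMANDS_BY_ROLE[self.accounts[user].role]:
            self._log("command", user, "denied:" + command)
            raise PermissionError("role not permitted to run " + command)
        self._log("command", user, "success:" + command)
        return command + ": ok"


def denied(srv: ManagementServer, token: str, command: str) -> bool:
    try:
        srv.run_command(token, command)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    srv = ManagementServer()
    srv.create_account("oper1", "Oper1pass", "operator")
    srv.create_account("admin1", "Admin1pass", "admin")
    op_tok = srv.login("oper1", "Oper1pass")
    role_blocked = denied(srv, op_tok, "add_user")          # operator may not add users
    for guess in ("123456", "password", "oper1"):           # attacker's guesses
        srv.login("oper1", guess)
    locked_out = srv.login("oper1", "Oper1pass") is None    # right password, but locked
    adm_tok = srv.login("admin1", "Admin1pass")
    return {"role_blocked": role_blocked,
            "locked_out_with_right_password": locked_out,
            "session_revoked_on_lock": denied(srv, op_tok, "display_log"),
            "lock_events": [r["user"] for r in srv.audit if r["event"] == "account_lock"],
            "unauthenticated_blocked": denied(srv, "not-a-token", "display_log"),
            "admin_add_user": srv.run_command(adm_tok, "add_user"),
            "audit_records": len(srv.audit)}
```

demo() walks an operator into a role denial, then lets an attacker lock that account with three bad guesses; the lock also invalidates the operator's live session, which is the detail a reviewer checks when FIA_AFL.1 is claimed, since a lock that only blocks new logins leaves an already-established session usable. Every step lands in the audit trail with the user identity attached, which is what FAU_GEN.2 asks for.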
Page 24
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class | Assurance Components
ADV Development | ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD Guidance documents | AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC Life-cycle support | ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
ASE Security Target evaluation | ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE Tests | ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA Vulnerability assessment | AVA_VAN.2 Vulnerability analysis
Page 25
Testing
TOE testing:
• Developed by the manufacturer
• Verifies each unit test identifying security functionality
• The testing method is appropriate to the function to be tested
Penetration testing:
• The independent penetration testing devised several test cases; no exploitable vulnerabilities nor residual vulnerabilities have been found. The test cases covered attacks including SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MitM attacks, brute force and IP spoofing
• At EAL3 the vulnerability analysis component is AVA_VAN.2, which establishes resistance to attackers with Basic attack potential; the result does not claim the absence of vulnerabilities against a higher attack potential
Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the patch V100R005C00SPC604 has been evaluated against the "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, Security Target v0.28", 2011-03-09.
All the assurance components required by level EAL3 have been assigned a "PASS" verdict. Consequently the laboratory (LGAI-APPLUS) assigns the "PASS" verdict to the whole evaluation, because all the evaluator actions are satisfied for the EAL3 methodology as defined by the Common Criteria and the Common Methodology (CEM).
Page 28
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to extend Common Criteria certification to the following product lines:
• Core Network
• Enterprise
Page 29
Concluding Remarks
We are strengthening our market position; for the present and the future, security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you
www.huawei.com
HUAWEI TECHNOLOGIES CO LTD Page 7Page 7
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 8Page 8
Security Goal
Enter Take away Understand Change Get away
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 8Page 8
Security Goal
Enter Take away Understand Change Get away
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 9Page 9
Independent ISMS Audit
Huawei has been BS7799 certified since 2004
The certificate was updated to ISO27001 in 2007
The current ISO27001 certificate was released in
July 2010
HeadquartersBeijing Representative OfficeShanghai Research InstituteHuawei Germany OfficesHuawei Belgium OfficesFrance OfficesUK Office
Portugal Office
Certified
Ongoing
Spain OfficeItaly Offices
Singapore OfficeSwitzerland Offices
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
Page 12: Establishing the Company Level Cyber Security Vision & Policy
Management and Control
Vision: establish an end-to-end (E2E), customer-facing cyber security assurance system which is transparent, mutually trusted and neutral, to ensure customers' long-term security trust.
Proactive Protection: proactively analyze cyber security requirements and risks, prevent and respond to security threats. Integrate security assurance activities into business processes such as IPD, Procurement, Supply Chain and Delivery & Service, and develop management regulations and technical standards to ensure the effective execution of the activities.
Regulations Compliance: all the security management documents, processes and activities must be compliant with local laws and regulations concerning cyber security.
Traceability: through professional management, process deployment, record storage and IT technical support, ensure that the products, solutions and services offered by Huawei are traceable throughout the whole lifecycle.
Open and Transparent: communicate with stakeholders of different countries, including governments, customers, industry partners and employees, through various organizations, channels and platforms, to jointly counter the threats and challenges of the global telecommunication network.
Page 13: Agenda (section divider)
1 Introduction; 2 Cyber Security Policy; 3 Best Development Practices; 4 Our Achievements; 5 Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
Page 15: CC Certified Products
[Chart: CC Certified Products Distribution, up to Sep 2011; y-axis 0 to 450; legend: Certified Products, PP; Huawei's telecom products highlighted.]
Page 16: Typical Telecom Network Architecture
[Diagram: 2G, 3G and 3.9G network elements (GERAN, UTRAN, E-UTRAN, SGSN, GGSN, MME, S-GW, PDN-GW, HLR/HSS, PCRF, ePDG, 3GPP-AAA, PDSN, untrusted non-3GPP IP access e.g. WLAN, operator's IP service) connected by their reference points (Rx, S1-C, S1-U, S11, S3, S4, S5, S6a, S6b, S2b, S12, SWn, SWa, SWx, Gx, Gxb/S7c, Gb, Gn, Gr, Gi, SGi, Iu). The Carrier Grade Platform is the TOE software.]
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.
Page 17: Long Term Evolution Security Overview
Uu interface: • authentication: USIM + EPS AKA • encryption: AES, SNOW 3G, ZUC
eNodeB security: • embedded firewall (ACL) • IPsec for protection of signaling and user data • authentication/encryption
Backhaul security: • certificate-based authentication (802.1X, IKE, PKI) • IPsec • TLS/SSL
Core security: • Huawei USC security solution • traffic segregation, CN firewall
OMC security: • OM data encryption • account management • log management • security alarm
[Diagram: UE/terminal and eNB in the non-trusted zone, IP network (backhaul) to a SecGW and firewalls, then the trusted zone with MME, UGW, HSS, the NMS/OM network and the service, signaling and billing systems; a third-party network and the Internet attach through firewalls; links labelled IPsec and SSL.]
Page 18: Huawei Security Solution Architecture
• Comprehensive top-down, end-to-end security design methodology
• Based on the ITU-T X.805 recommendation architecture
Page 19: Agenda (section divider)
1 Introduction; 2 Cyber Security Policy; 3 Best Development Practices; 4 Our Achievements; 5 Concluding Remarks
Page 20: Our Achievements
In July 2011 we gained the EAL3 certificates from CCN; other products are undergoing evaluation. EAL3: methodically tested and checked.
1. CGP platform. Security Target: "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target", v0.28, 2011-03-09. Protection Profile: no conformance to a Protection Profile is claimed.
2. NetEngine40E/CX600 running the VRP (V500R007) platform. Security Target: "Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target", V0.68, 2011-02-24. Protection Profile: no conformance to a Protection Profile is claimed.
Page 21: Evaluation Process
1. Security Problem Definition (threats, organisational security policies, assumptions): what is the threat?
2. Security Objectives (TOE security objectives, environment objectives): what is the security objective?
3. Security Requirements (TOE SFRs, TOE SARs): how to achieve the security goal?
4. Security Solution Definition: how to solve the problem?
5. Solution Implementation Definition: how to implement those solutions?
Steps 4 and 5 are documented as the TOE security functions and the TOE Summary Specification.
Page 22: Threats & Assumptions, Objectives
Threats: • T.AccountabilityLoss • T.Eavesdrop • T.UnauthenticatedAccess • T.UnauthorizedAccess
Assumptions: • A.PhysicalProtection • A.TrustworthyUsers • A.NetworkSegregation • A.Support
Environment objectives: • OE.Administration • OE.Support • OE.Users
TOE security objectives: • O.Audit • O.Communication • O.Authentication • O.Authorization
Page 23: Security Functional Requirements (SFR)
Security functional class: security functional requirement (component)
Security Audit (FAU): FAU_GEN.1 Audit data generation; FAU_GEN.2 User identity association; FAU_SAR.3 Selectable audit review; FAU_STG.3 Action in case of possible audit data loss
Cryptographic Support (FCS): FCS_COP.1 Cryptographic operation
User Data Protection (FDP): FDP_ACC.1 Subset access control; FDP_ACF.1 Security attribute based access control
Identification and Authentication (FIA): FIA_AFL.1 Authentication failure handling; FIA_ATD.1 User attribute definition; FIA_SOS.1 Verification of secrets; FIA_UAU.2 User authentication before any action; FIA_UID.2 User identification before any action
Security Management (FMT): FMT_MSA.1 Management of security attributes; FMT_MSA.3 Static attribute initialisation (two iterations, components FMT_MSA.3a and FMT_MSA.3b); FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles
Protection of the TSF (FPT): FPT_ITT.1 Basic internal TSF data transfer protection
TOE Access (FTA): FTA_TSE.1 TOE session establishment
Trusted Path/Channels (FTP): FTP_TRP.1 Trusted path
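The evaluation process on the previous slides runs threats and assumptions into objectives and objectives into SFRs, and the ASE_OBJ.2 and ASE_REQ.2 assurance components require the ST to justify that chain with rationale tables. The following added example (not Huawei's code and not taken from the CGP or NetEngine ST) performs the completeness check an evaluator applies to those tables: every threat is countered by an existing objective, every assumption is upheld by an environment objective only, every TOE objective is met by at least one SFR, no SFR is an orphan, and no objective is unjustified. The threat, assumption, objective and SFR names are the ones listed on the slides; the mappings between them are constructed for illustration, not the real ST rationale.

```python
"""Rationale traceability check for a Common Criteria Security Target (ST).

Added example, not Huawei's code and not taken from the CGP or NE40E ST.
The names below are those listed on the slides; the mappings between them
are CONSTRUCTED for illustration and do not reproduce the ST's tables.
"""

THREATS = ["T.AccountabilityLoss", "T.Eavesdrop",
           "T.UnauthenticatedAccess", "T.UnauthorizedAccess"]
ASSUMPTIONS = ["A.PhysicalProtection", "A.TrustworthyUsers",
               "A.NetworkSegregation", "A.Support"]
TOE_OBJECTIVES = ["O.Audit", "O.Communication", "O.Authentication", "O.Authorization"]
ENV_OBJECTIVES = ["OE.Administration", "OE.Support", "OE.Users"]
SFRS = ["FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3", "FCS_COP.1",
        "FDP_ACC.1", "FDP_ACF.1", "FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
        "FIA_UAU.2", "FIA_UID.2", "FMT_MSA.1", "FMT_MSA.3a", "FMT_MSA.3b",
        "FMT_SMF.1", "FMT_SMR.1", "FPT_ITT.1", "FTA_TSE.1", "FTP_TRP.1"]

# Constructed (hypothetical) rationale tables: objectives countering each threat,
# environment objectives upholding each assumption, SFRs meeting each TOE objective.
THREAT_TO_OBJ = {
    "T.AccountabilityLoss": ["O.Audit", "OE.Administration"],
    "T.Eavesdrop": ["O.Communication", "OE.Support"],
    "T.UnauthenticatedAccess": ["O.Authentication", "OE.Users"],
    "T.UnauthorizedAccess": ["O.Authorization", "OE.Administration"],
}
ASSUMPTION_TO_OBJ = {
    "A.PhysicalProtection": ["OE.Support"],
    "A.TrustworthyUsers": ["OE.Users"],
    "A.NetworkSegregation": ["OE.Support"],
    "A.Support": ["OE.Administration"],
}
OBJ_TO_SFR = {
    "O.Audit": ["FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"],
    "O.Communication": ["FCS_COP.1", "FPT_ITT.1", "FTP_TRP.1"],
    "O.Authentication": ["FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
                         "FIA_UAU.2", "FIA_UID.2", "FTA_TSE.1"],
    "O.Authorization": ["FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3a",
                        "FMT_MSA.3b", "FMT_SMF.1", "FMT_SMR.1"],
}


def check_rationale(threats, assumptions, toe_objs, env_objs, sfrs,
                    threat_to_obj, assumption_to_obj, obj_to_sfr):
    """Return the rationale gaps an evaluator would flag under ASE_OBJ.2 /
    ASE_REQ.2; an empty list means the traceability is complete."""
    findings = []
    all_objs = set(toe_objs) | set(env_objs)
    # 1. Every threat is countered by at least one objective that is actually defined.
    for t in threats:
        objs = threat_to_obj.get(t, [])
        if not objs:
            findings.append(f"{t}: not countered by any objective")
        findings += [f"{t}: refers to undefined objective {o}" for o in objs if o not in all_objs]
    # 2. Assumptions are upheld by environment objectives only (the TOE cannot enforce them).
    for a in assumptions:
        objs = assumption_to_obj.get(a, [])
        if not objs:
            findings.append(f"{a}: not upheld by any environment objective")
        findings += [f"{a}: upheld by {o}, which is not an environment objective"
                     for o in objs if o not in env_objs]
    # 3. Every TOE objective is met by at least one SFR of the ST, and every SFR is used.
    used = set()
    for o in toe_objs:
        reqs = obj_to_sfr.get(o, [])
        if not reqs:
            findings.append(f"{o}: not met by any SFR")
        findings += [f"{o}: refers to SFR {r} that is not in the ST" for r in reqs if r not in sfrs]
        used.update(reqs)
    findings += [f"{r}: SFR does not trace to any TOE objective" for r in sfrs if r not in used]
    # 4. No orphan objective: each one answers some threat or assumption.
    justified = {o for objs in threat_to_obj.values() for o in objs}
    justified |= {o for objs in assumption_to_obj.values() for o in objs}
    findings += [f"{o}: objective not traced to any threat or assumption"
                 for o in sorted(all_objs - justified)]
    return findings


def demo_complete():
    """The constructed tables trace completely: no findings."""
    return check_rationale(THREATS, ASSUMPTIONS, TOE_OBJECTIVES, ENV_OBJECTIVES,
                           SFRS, THREAT_TO_OBJ, ASSUMPTION_TO_OBJ, OBJ_TO_SFR)


def demo_gap():
    """Drop FTA_TSE.1 from every objective: the SFR becomes an orphan and is flagged."""
    gapped = {o: [r for r in rs if r != "FTA_TSE.1"] for o, rs in OBJ_TO_SFR.items()}
    return check_rationale(THREATS, ASSUMPTIONS, TOE_OBJECTIVES, ENV_OBJECTIVES,
                           SFRS, THREAT_TO_OBJ, ASSUMPTION_TO_OBJ, gapped)


if __name__ == "__main__":
    print("complete:", demo_complete())
    print("gap:", demo_gap())
```

The same check scales to a real ST by loading the rationale tables from the document instead of the constructed dictionaries; the findings list is exactly the kind of gap an evaluator reports back to the developer before the ASE verdict.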
Page 24: Security Assurance Requirements (SAR), EAL3 Security Assurance Level
Assurance class: assurance components
ADV Development: ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD Guidance documents: AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC Life-cycle support: ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
ASE Security Target evaluation: ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE Tests: ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA Vulnerability assessment: AVA_VAN.2 Vulnerability analysis
Page 25: Testing
TOE testing:
• Developed by the manufacturer
• Each unit test is verified and identifies the security functionality it covers
• The testing method is appropriate to the function to be tested
Penetration testing:
• The independent penetration testing devised several test cases; no exploitable vulnerabilities nor residual vulnerabilities have been found. The attacks covered include SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MITM attacks, brute force and IP spoofing.
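The TOE testing bullets say each unit test identifies the security functionality it exercises, which in CC terms means the test maps back to the SFR the function implements. The following added example (not Huawei CGP code; the lockout threshold, password rule and allowed management network are constructed values) shows what such a unit of management-access functionality looks like when written so that each behaviour is labelled with its SFR: identification and authentication before any action (FIA_UID.2, FIA_UAU.2), lockout after repeated failures (FIA_AFL.1), quality check on new secrets (FIA_SOS.1), session denial by source address (FTA_TSE.1), and audit records that carry the user identity (FAU_GEN.1, FAU_GEN.2). The `demo()` function is the constructed test scenario: a login from outside the allowed network, then three wrong passwords, then the correct password against the now-locked account.

```python
"""A management-access security function labelled with the SFRs it implements.

Added example, not Huawei CGP code. MAX_FAILURES, MIN_PASSWORD_LEN and the
allowed source networks are constructed parameters for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import secrets

MAX_FAILURES = 3        # FIA_AFL.1: lock the account when this many attempts fail
MIN_PASSWORD_LEN = 8    # FIA_SOS.1: constructed quality metric (length + 3 character classes)


def check_secret_quality(password: str) -> bool:
    """FIA_SOS.1: verify that a new secret meets the defined quality metric."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_PASSWORD_LEN and sum(classes) >= 3


class ManagementAccess:
    def __init__(self, allowed_networks):
        # FTA_TSE.1 attribute: sessions may only be established from these networks
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.users = {}    # FIA_ATD.1: per-user attributes (salt, digest, role, failures, locked)
        self.audit = []    # FAU_GEN.1 records; each carries the user identity (FAU_GEN.2)

    def _log(self, event, user, outcome, source):
        self.audit.append({"event": event, "user": user, "outcome": outcome, "source": source})

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password, role):
        if not check_secret_quality(password):
            raise ValueError("secret does not meet the FIA_SOS.1 quality metric")
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "digest": self._digest(salt, password),
                            "role": role, "failures": 0, "locked": False}

    def login(self, name, password, source_ip):
        """FIA_UID.2 / FIA_UAU.2: nothing is granted before identification and
        authentication succeed. Returns the user's role, or None on refusal."""
        src = ipaddress.ip_address(source_ip)
        if not any(src in net for net in self.allowed):          # FTA_TSE.1
            self._log("session_establish", name, "denied_source", source_ip)
            return None
        user = self.users.get(name)
        if user is None or user["locked"]:
            self._log("login", name, "fail", source_ip)
            return None
        if not hmac.compare_digest(user["digest"], self._digest(user["salt"], password)):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:                # FIA_AFL.1 action
                user["locked"] = True
                self._log("account_lock", name, "locked", source_ip)
            self._log("login", name, "fail", source_ip)
            return None
        user["failures"] = 0
        self._log("login", name, "success", source_ip)
        return user["role"]


def demo():
    """Constructed scenario: wrong source network, then MAX_FAILURES bad passwords,
    then the correct password against the locked account. Returns (results, audit)."""
    toe = ManagementAccess(["10.0.0.0/8"])
    toe.add_user("operator", "Str0ng-Pass!", "operator")
    results = [toe.login("operator", "Str0ng-Pass!", "192.0.2.7")]        # FTA_TSE.1 denial
    results += [toe.login("operator", "wrong", "10.1.1.1") for _ in range(MAX_FAILURES)]
    results.append(toe.login("operator", "Str0ng-Pass!", "10.1.1.1"))     # locked: refused
    return results, toe.audit


if __name__ == "__main__":
    outcomes, trail = demo()
    print(outcomes)
    for record in trail:
        print(record)
```

Each assertion in a test for this unit can cite the SFR it verifies, which is what makes the test evidence usable for ATE_COV.2 coverage analysis: the evaluator can see which requirement each test case exercises rather than reconstructing it.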
Page 26: Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the following patch, V100R005C00SPC604, has been evaluated against the "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target", Security Target v0.28, 2011-03-09.
All the assurance components required by the level EAL3 have been assigned a "PASS" verdict. Consequently the laboratory (LGAI-APPLUS) assigns the "PASS" verdict to the whole evaluation, since all the evaluator actions are satisfied for the EAL3 methodology as defined by the Common Criteria and the Common Methodology.
Page 27: Agenda (section divider)
1 Introduction; 2 Cyber Security Policy; 3 Best Development Practices; 4 Our Achievements; 5 Concluding Remarks
Page 28: Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate Common Criteria certification into the following product lines:
• Core Network
• Enterprise
Page 29: Concluding Remarks
We are increasing our market position; present and future security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you. www.huawei.com
HUAWEI TECHNOLOGIES CO LTD Page 10Page 10
Our Security Policy
Compliance to a series of standardsbull ITU x805 and 3GPP standards for telecom products
Global cyber security organization with branches in 4 countries UK US
France and India bull In UK a security lab has been established
Great efforts to local regulations and laws on cyber security especially for
telecom products
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 11Page 11
Huaweirsquos Perspective
Separation of dutiesAccess ControlPrivacy
Threats
Vulnerability
Protection against various attacks risk analysis
Security designed in solutionSecurity embedded in process
Issues Solutions
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 12Page 12
Establishing the Company Level Cyber Security Vision amp Policy
Management an Control
Vision Establish an E2E customer-facing cyber security assurance system which is transparent mutual-trust and neutral to ensure customers long-term security trust
Proactive Protection
Regulations Compliance
Traceability
Open and Transparent
Proactively analyze cyber security requirements and risks prevent and respond to security threats Integrate security assurance activities into business processes such as IPD Procurement Supply Chain and Delivery amp Service process and develop management regulations and technical standards to ensure the effective execution of the activities
All the security management documents processes and activities must be compliant with local laws and regulations concerning cyber security
Through professional management process deployment records storing and IT technical support ensure that the products solutions and services offered by Huawei are traceable throughout the whole lifecycle
Communicate with stakeholders of different countries including governments customers industry partners and employees through various organizations channels and platforms to encounter the threats and challenges of global telecommunication network in common
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO., LTD. Page 15
CC Certified Products
[Chart: CC Certified Products Distribution, up to Sep 2011; series: Certified Products, PP; y-axis 0 to 450; Huawei's Telecom Products]
HUAWEI TECHNOLOGIES CO., LTD. Page 16
Typical Telecom Network Architecture
[Diagram: 2G/3G/3.9G network elements GERAN, UTRAN, E-UTRAN, SGSN, GGSN, MME, S-GW, PDN-GW, PCRF, HLR/HSS, ePDG, 3GPP-AAA, PDSN, untrusted non-3GPP IP access (e.g. WLAN) and the Operator's IP service, connected over the Rx, S1-C, S1-U, S11, S5, S6a, S6b, S2b, S4, S3, S12, S7c, Iu, Gb, Gn, Gr, Gi, Gx, Gxb, SGi, SWn, SWa and SWx interfaces; the Carrier Grade Platform (TOE software) is highlighted.]
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.
HUAWEI TECHNOLOGIES CO., LTD. Page 17
Long Term Evolution Security Overview
• Uu Interface: Authentication: USIM + EPS AKA; Encryption: AES / SNOW 3G / ZUC
• eNodeB Security: Embedded firewall (ACL); IPsec for protection of signaling and user data; Authentication/Encryption
• Backhaul Security: Certificate-based authentication (802.1x, IKE, PKI); IPsec; TLS/SSL
• Core Security: Huawei USC security solution; Traffic segregation, CN firewall
• OMC Security: OM data encryption; Account management; Log management; Security alarm
[Diagram: UE/Terminal, eNB, IP Network Backhaul, SecGW, firewalls, MME, UGW, HSS, NMS/OM Network (Service, Signaling, Billing), Third Party Network and Internet, with IPsec and SSL on the links; Non-trusted Zone vs Trusted Zone]
HUAWEI TECHNOLOGIES CO., LTD. Page 18
Huawei Security Solution Architecture
• Comprehensive top-down, end-to-end security design methodology
• Based on the ITU-T X.805 recommendation architecture
HUAWEI TECHNOLOGIES CO., LTD. Page 19
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
HUAWEI TECHNOLOGIES CO., LTD. Page 20
Our Achievements
In July 2011 we gained the EAL3 certificates from CCN; other products are undergoing evaluation. (EAL3: methodically tested and checked.)
1 CGP platform. Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target v0.28, 2011-03-09. Protection Profile: No conformance to a Protection Profile is claimed.
2 NetEngine40E/CX600 running VRP (V500R007) platform. Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target V0.68, 2011-02-24. Protection Profile: No conformance to a Protection Profile is claimed.
HUAWEI TECHNOLOGIES CO., LTD. Page 21
Evaluation Process
• Security Problem Definition (What is the threat?): Threats, Organisational Security Policies, Assumptions
• Security Objectives (What is the security objective?): TOE Security Objectives, Environment Objectives
• Security Requirements (How to achieve the security goal?): TOE SFRs, TOE SARs
• Security Solution Definition (How to solve the problem?): TOE Summary Specification
• Solution Implementation Definition (How to implement those solutions?): TOE Security Functions
HUAWEI TECHNOLOGIES CO., LTD. Page 22
Threats & Assumptions → Objectives
• Threats: T.AccountabilityLoss, T.Eavesdrop, T.UnauthenticatedAccess, T.UnauthorizedAccess
• Assumptions: A.PhysicalProtection, A.TrustworthyUsers, A.NetworkSegregation, A.Support
• Environment Objectives: OE.Administration, OE.Support, OE.Users
• TOE Security Objectives: O.Audit, O.Communication, O.Authentication, O.Authorization
HUAWEI TECHNOLOGIES CO., LTD. Page 23
Security Functional Requirements (SFR)
Security Functional Class: Security Functional Requirement components
• Security Audit (FAU): FAU_GEN.1 Audit data generation; FAU_GEN.2 User identity association; FAU_SAR.3 Selectable audit review; FAU_STG.3 Action in case of possible audit data loss
• Cryptographic Support (FCS): FCS_COP.1 Cryptographic operation
• User Data Protection (FDP): FDP_ACC.1 Subset access control; FDP_ACF.1 Security attribute based access control
• Identification and Authentication (FIA): FIA_AFL.1 Authentication failure handling; FIA_ATD.1 User attribute definition; FIA_SOS.1 Verification of secrets; FIA_UAU.2 User authentication before any action; FIA_UID.2 User identification before any action
• Security Management (FMT): FMT_MSA.1 Management of security attributes; FMT_MSA.3(a) Static attribute initialization; FMT_MSA.3(b) Static attribute initialization; FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
• Protection of the TSF (FPT): FPT_ITT.1 Basic internal TSF data transfer protection
• TOE Access (FTA): FTA_TSE.1 TOE session establishment
• Trusted Path/Channels (FTP): FTP_TRP.1 Trusted path
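The evaluation process, threats/objectives and SFR slides above describe the rationale chain a Security Target has to close (ASE_OBJ.2, ASE_REQ.2). As an added example that is not from the slides or the CGP Security Target, the Python below runs the two checks an ST author or evaluator performs on that chain: threat → objective → SFR tracing, and SFR dependency coverage. The threat-to-objective and objective-to-SFR tracing is constructed for illustration; the dependency table is transcribed from CC Part 2 (v3.1) for the components listed on the slide, with FIA_UID.2 and FIA_UAU.2 satisfying dependencies on FIA_UID.1 and FIA_UAU.1 hierarchically.

```python
"""Rationale checks over a Security Target: threat -> objective -> SFR tracing
and SFR dependency coverage. Identifiers are those on the CGP slides; the
tracing tables are CONSTRUCTED for illustration, not the real CGP ST."""
import re

# Security problem definition and TOE objectives as listed on the slides.
THREATS = {"T.AccountabilityLoss", "T.Eavesdrop",
           "T.UnauthenticatedAccess", "T.UnauthorizedAccess"}
TOE_OBJECTIVES = {"O.Audit", "O.Communication", "O.Authentication", "O.Authorization"}

# SFRs from the slide's table (FMT_MSA.3 is iterated twice, (a) and (b)).
SFRS = {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3", "FCS_COP.1",
        "FDP_ACC.1", "FDP_ACF.1", "FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
        "FIA_UAU.2", "FIA_UID.2", "FMT_MSA.1", "FMT_MSA.3(a)", "FMT_MSA.3(b)",
        "FMT_SMF.1", "FMT_SMR.1", "FPT_ITT.1", "FTA_TSE.1", "FTP_TRP.1"}

# CONSTRUCTED tracing (assumption): which objective counters which threat,
# and which SFRs implement which objective.
THREAT_TO_OBJECTIVES = {
    "T.AccountabilityLoss": {"O.Audit"},
    "T.Eavesdrop": {"O.Communication"},
    "T.UnauthenticatedAccess": {"O.Authentication"},
    "T.UnauthorizedAccess": {"O.Authorization"},
}
OBJECTIVE_TO_SFRS = {
    "O.Audit": {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"},
    "O.Communication": {"FTP_TRP.1", "FPT_ITT.1", "FCS_COP.1"},
    "O.Authentication": {"FIA_UID.2", "FIA_UAU.2", "FIA_AFL.1", "FIA_SOS.1",
                         "FIA_ATD.1", "FTA_TSE.1"},
    "O.Authorization": {"FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3(a)",
                        "FMT_MSA.3(b)", "FMT_SMF.1", "FMT_SMR.1"},
}

# Dependencies of the slide's components, per CC Part 2 (v3.1). Each inner
# tuple lists "one of" alternatives; components without dependencies are absent.
DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
    "FAU_SAR.3": [("FAU_SAR.1",)],
    "FAU_STG.3": [("FAU_STG.1",)],
    "FCS_COP.1": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"), ("FCS_CKM.4",)],
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],
    "FIA_AFL.1": [("FIA_UAU.1",)],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],
    "FMT_SMR.1": [("FIA_UID.1",)],
}
# A hierarchically higher component satisfies a dependency on the lower one.
HIERARCHICAL_TO = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


def base(component):
    """Strip an iteration suffix: 'FMT_MSA.3(a)' -> 'FMT_MSA.3'."""
    return re.sub(r"\(.*\)$", "", component)


def check_tracing(threats, objectives, sfrs, t2o, o2s):
    """Return findings where the chain threat -> objective -> SFR is broken."""
    findings = []
    for t in sorted(threats):
        if not t2o.get(t):
            findings.append(f"{t} is countered by no objective")
    claimed = set().union(*t2o.values())
    for o in sorted(claimed - objectives):
        findings.append(f"{o} is referenced but not a defined objective")
    for o in sorted(objectives):
        if o not in claimed:
            findings.append(f"{o} counters no threat")
        if not o2s.get(o):
            findings.append(f"{o} is implemented by no SFR")
    used = set().union(*o2s.values())
    for s in sorted(sfrs - used):
        findings.append(f"{s} implements no objective")
    for s in sorted(used - sfrs):
        findings.append(f"{s} is referenced but not an SFR of the TOE")
    return findings


def unsatisfied_dependencies(sfrs, deps=DEPENDENCIES, hier=HIERARCHICAL_TO):
    """Return {component: [missing alternatives]} for dependencies that no
    selected (or hierarchically higher) SFR satisfies. Every entry needs a
    justification in the ST's dependency rationale."""
    present = {base(s) for s in sfrs}
    present |= {hier[s] for s in present if s in hier}
    missing = {}
    for comp in sorted(present):
        for alternatives in deps.get(comp, []):
            if not any(a in present for a in alternatives):
                missing.setdefault(comp, []).append(" or ".join(alternatives))
    return missing


if __name__ == "__main__":
    for f in check_tracing(THREATS, TOE_OBJECTIVES, SFRS,
                           THREAT_TO_OBJECTIVES, OBJECTIVE_TO_SFRS):
        print("tracing:", f)
    for comp, gaps in unsatisfied_dependencies(SFRS).items():
        print(f"dependency: {comp} needs {', '.join(gaps)}")
```

With the slide's SFR set the tracing closes, but four components (FAU_GEN.1, FAU_SAR.3, FAU_STG.3, FCS_COP.1) have dependencies outside the set, which is exactly what a real ST has to justify in its dependency rationale.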
HUAWEI TECHNOLOGIES CO., LTD. Page 24
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class: Assurance Components
• ADV Development: ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
• AGD Guidance documents: AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
• ALC Life-cycle support: ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
• ASE Security Target evaluation: ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
• ATE Tests: ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
• AVA Vulnerability assessment: AVA_VAN.2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO., LTD. Page 25
Testing
TOE Testing:
• Developed by manufacturer
• Verifying each unit test, identifying security functionality
• Testing method is appropriate to the function to be tested
Penetration Testing:
• The independent penetration testing devised several test cases; no exploitable vulnerabilities nor residual vulnerabilities have been found, covering attacks including SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MiTM attacks, brute force and IP spoofing.
HUAWEI TECHNOLOGIES CO., LTD. Page 26
Evaluation Results
"The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the following patch V100R005C00SPC604 has been evaluated in front of the 'Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, Security Target v0.28', 2011-03-09.
All the assurance components required by the level EAL3 have been assigned a 'PASS' verdict. Consequently, the laboratory (LGAI-APPLUS) assigns the 'PASS' VERDICT to the whole evaluation, because all the evaluator actions are satisfied for the EAL3 methodology as defined by the Common Criteria and the Common Methodology."
HUAWEI TECHNOLOGIES CO., LTD. Page 27
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
HUAWEI TECHNOLOGIES CO., LTD. Page 28
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate Common Criteria certification into the following product lines:
• Core Network
• Enterprise
HUAWEI TECHNOLOGIES CO., LTD. Page 29
Concluding Remarks
• We are increasing our market position; present and future security will be a key factor.
• Certification for telecom products will become more and more important along with the development of CC standardization.
• Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you. www.huawei.com
HUAWEI TECHNOLOGIES CO LTD Page 13Page 13
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 14Page 14
We actively cooperate with authorized LAB to do evaluation
hope that we can get the disinterested result according to the
Common Criteria (CC) standards
Common Criteria (CC) Certification obtained recently a couple
of telecom products are under evaluation based on ST
Cooperation with Authorized Labs for CC
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
HUAWEI TECHNOLOGIES CO LTD Page 28Page 28
Future Plan
Huawei product lines can be
classified as followsbull Application and Software
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
HUAWEI TECHNOLOGIES CO LTD Page 15Page 15
CC Certified Products
050
100150200250300350400450
CC Certified Products Distribution
Certified Products PPUp to Sep 2011
Huaweirsquos Telecom Products
HUAWEI TECHNOLOGIES CO LTD Page 16Page 16
Typical Telecom Network Architecture
Rx
S1-C
S1-U
S11
E-UTRAN
MME
S-GW
S5
GERAN
UTRAN
SGSNS6a
S4
S3
S12
Iu
Gb
PDN-GW
SGi
PCRF
Gx
ePDG 3GPP-AAAUntrusted non-3GPP IP accesseg WLAN
S6bS2b
SWn SWa
SWx
GxbS7c
Gn
PDSN
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system Remote clients are available for management access to the server
Gr
OperatorrsquosIP service
GGSN
Gx
Gi
Carrier Grade Platform(TOE software)
HLRHSS
2G
3G
39G
HUAWEI TECHNOLOGIES CO LTD Page 17Page 17
Uu InterfacebullAuthentication USIM+EPS AKA
bullEncryption AESSNOW 3GZUC
eNodeB SecuritybullEmbedded firewall (ACL) bull IPsec for protection of signaling and user data
bullAuthenticationEncryption
Backhaul SecuritybullCertificate-Based authentication (8021x IKE PKI)
bullIPSecbullTLSSSL
Core Securitybull Huawei USC security solution
bullTraffic segregation CN firewall
OMC Securitybull OM data encryptionbull Account managementbull Log managementbull Security alarm
SSL
Internet
eNB
SecGW
UE
Terminal
IP NetworkBackhaul
NMSOM Network
Service
Signaling
Billing
Firewall
Firewall
UGW HSS
eNB
Third Party Network MME
SSL
IPsec
Long Term Evolution Security Overview
Non-trusted Zone Trusted Zone
HUAWEI TECHNOLOGIES CO LTD Page 18Page 18
Huawei Security Solution Architecture
bull Comprehensive top-down end-to-end security design methodology
bull Based on ITU-T X805 recommendation architecture
HUAWEI TECHNOLOGIES CO LTD Page 19Page 19
1
Concluding Remarks
Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
HUAWEI TECHNOLOGIES CO LTD Page 20Page 20
Our Achievements
2
1
In July 2011 we gain the EAL3 certificates from CCN other products on going evaluationEAL3 methodically tested and checked
CGP platformSecurity Target Huawei Carrier Grade Platform (CGP) Version 1 Release 5Security Target v028 20110309Protection Profile No conformance to a Protection Profile is claimed
NetEngine40ECX600 running VRP(V500R007) platformSecurity Target Huawei NetEngine40ECX600 Universal Service RouterV600R001 Security Target V068 20110224Protection Profile No conformance to a Protection Profile is claimed
HUAWEI TECHNOLOGIES CO LTD Page 21Page 21
Evaluation Process
TOE Sec Function
Threats OrgSecPolicies Assumptions
Environ ObjectivesTOE Sec Objectives
TOE SARsTOE SFRs
Security Problem Definition What is the threat
Security Objectives What is the security objective
Security Requirements How to achieve security goal
Security Solution Definition How to solve the problem
Solution Implementation Definition How to implement those solutions
TOE Summary Specification
HUAWEI TECHNOLOGIES CO LTD Page 22Page 22
Threats amp Assumptions Objectives
Threatsbull TAccountabilityLossbull TEavesdropbull TUnauthenticatedAccessbull TUnauthorizedAccess
Assumptionsbull APhysicalProtectionbull ATrustworthyUsersbull ANetworkSegregationbull ASupport
Environment Objectivesbull OEAdministrationbull OESupportbull OEUsers
TOE Sec Objectivesbull OAuditbull OCommunicationbull OAuthenticationbull OAuthorization
HUAWEI TECHNOLOGIES CO LTD Page 23Page 23
Security Functional Requirements(SFR)
Security Functional Class Security Functional Requirement Component
Security Audit (FAU)
FAU_GEN1 Audit data generation FAU_GEN1FAU_GEN2 User identity association FAU_GEN2FAU_SAR3 Selectable audit review FAU_SAR3FAU_STG3 Action in case of possible audit data loss FAU_STG3
Cryptographic Support (FCS) FCS_COP1 Cryptographic operation FCS_COP1
User Data Protection (FDP)FDP_ACC1 Subset access control FDP_ACC1FDP_ACF1 Security attribute based access control FDP_ACF1
Identification and Authentication(FIA)
FIA_AFL1 Authentication failure handling FIA_AFL1FIA_ATD1 User attribute definition FIA_ATD1FIA_SOS1 Verification of secrets FIA_SOS1FIA_UAU2 User authentication before any action FIA_UAU2FIA_UID2 User identification before any action FIA_UID2
Security Management(FMT)
FMT_MSA1 Management of security attributes FMT_MSA1FMT_MSA3 Static attribute initialization FMT_MSA3aFMT_MSA3 Static attribute initialization FMT_MSA3bFMT_SMF1 Specification of Management Functions FMT_SMF1FMT_SMR1 Security roles FMT_SMR1
Protection of the TSF (FPT) FPT_ITT1 Basic internal TSF data transfer protection FPT_ITT1
TOE Access (FTA) FTA_TSE1 TOE session establishment FTA_TSE1Trusted PathChannels (FTP) FTP_TRP1 Trusted path FTP_TRP1
HUAWEI TECHNOLOGIES CO LTD Page 24Page 24
Security Assurance Requirements(SAR) EAL3 Security Assurance Level
Assurance Class Assurance Components
ADV DevelopmentADV_ARC1 Security architecture descriptionADV_FSP3 Functional specification with complete summaryADV_TDS2 Architectural design
AGD Guidance documents
AGD_OPE1 Operational user guidanceAGD_PRE1 Preparative procedures
ALC Life-cycle support
ALC_CMC3 Authorisation controlsALC_CMS3 Implementation representation CM coverageALC_DEL1 Delivery proceduresALC_DVS1 Identification of security measuresALC_LCD1 Developer defined life-cycle model
ASE Security Target evaluation
ASE_CCL1 Conformance claimsASE_ECD1 Extended components definitionASE_INT1 ST introductionASE_OBJ2 Security objectivesASE_REQ2 Derived security requirementsASE_SPD1 Security problem definitionASE_TSS1 TOE summary specification
ATE TestsATE_COV2 Analysis of coverageATE_DPT1 Testing basic designATE_FUN1 Functional testingATE_IND2 Independent testing - sample
AVA Vulnerability assessment AVA_VAN2 Vulnerability analysis
HUAWEI TECHNOLOGIES CO LTD Page 25Page 25
Testing
TOE Testing bull Developed by manufacturer
bull Verifying each unit test identifying
security functionality
bull Testing method is appropriate to the
function to be tested
Penetration Testing bull The independent penetration testing
devised several test cases no
exploitable vulnerabilities nor
residual vulnerabilities have been
found covering attacks including
SQL Injection Xpath injection cross-site Scripting cross-site request forgery buffer overflows race conditions replay attacks MiTM attacks brute force IP spoofing
HUAWEI TECHNOLOGIES CO LTD Page 26Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (Unique version
identifier CGP V100R005C00) with the following patch
V100R005C00SPC604 has been evaluated in front of the ldquoHuawei Carrier
Grade Platform (CGP) Version 1 Release 5 Security Target Security Target
v028rdquo 20110309
All the assurance components required by the level EAL3 have been
assigned a ldquoPASSrdquo verdict Consequently the laboratory (LGAI-APPLUS)
assigns the ldquoPASSrdquo VERDICT to the whole evaluation due all the evaluator
actions are satisfied for the EAL3 methodology as define by of the Common
Criteria and the Common Methodology
HUAWEI TECHNOLOGIES CO LTD Page 27Page 27
1 Introduction
Cyber Security Policy
3 Best Development Practices
2
4 Our Achievements
5
Agenda
Concluding Remarks
Page 28
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate Common Criteria certification into the following product lines:
• Core Network
• Enterprise
Page 29
Concluding Remarks
We are increasing our market position; present and future security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you
www.huawei.com
Page 16
Typical Telecom Network Architecture
[Figure: 3GPP network architecture diagram across the 2G, 3G and 3.9G domains. Network elements shown: E-UTRAN, MME, S-GW, PDN-GW, PCRF, ePDG, 3GPP-AAA, untrusted non-3GPP IP access (e.g. WLAN), GERAN, UTRAN, SGSN, GGSN, PDSN, HLR/HSS and the operator's IP service. Interfaces labelled: Rx, S1-C, S1-U, S11, S5, S6a, S4, S3, S12, Iu, Gb, SGi, Gx, S6b, S2b, SWn, SWa, SWx, Gxb/S7c, Gn, Gr, Gi. The Carrier Grade Platform is marked as the TOE software.]
The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.
Page 17
Long Term Evolution Security Overview
Uu Interface
• Authentication: USIM + EPS AKA
• Encryption: AES / SNOW 3G / ZUC
eNodeB Security
• Embedded firewall (ACL)
• IPsec for protection of signaling and user data
• Authentication / Encryption
Backhaul Security
• Certificate-based authentication (802.1x, IKE, PKI)
• IPsec
• TLS/SSL
Core Security
• Huawei USC security solution
• Traffic segregation, CN firewall
OMC Security
• OM data encryption
• Account management
• Log management
• Security alarm
[Figure: end-to-end LTE security diagram divided into a non-trusted zone and a trusted zone. Labels: UE / Terminal, eNB, IP Network (Backhaul), SecGW, IPsec, Internet, Third Party Network, Firewall, UGW, HSS, MME, NMS/OM Network, Service, Signaling, Billing, SSL.]
Page 18
Huawei Security Solution Architecture
• Comprehensive top-down, end-to-end security design methodology
• Based on the ITU-T X.805 recommendation architecture
Page 19
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
Page 20
Our Achievements
In July 2011 we gained the EAL3 certificates from CCN; other products are undergoing evaluation. EAL3: methodically tested and checked.
1 CGP platform
  Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, v0.28, 2011-03-09
  Protection Profile: No conformance to a Protection Profile is claimed
2 NetEngine40E/CX600 running VRP (V500R007) platform
  Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target, V0.68, 2011-02-24
  Protection Profile: No conformance to a Protection Profile is claimed
Page 21
Evaluation Process
[Figure: flow from Threats, Organisational Security Policies and Assumptions, to Environment Objectives and TOE Security Objectives, to TOE SFRs and TOE SARs, to the TOE Security Functions described in the TOE Summary Specification.]
Security Problem Definition (threats, organisational security policies, assumptions): what is the threat?
Security Objectives (environment objectives, TOE security objectives): what is the security objective?
Security Requirements (TOE SFRs, TOE SARs): how to achieve the security goal?
Security Solution Definition (TOE security functions): how to solve the problem?
Solution Implementation Definition (TOE Summary Specification): how to implement those solutions?
Page 22
Threats & Assumptions, Objectives
Threats
• T.AccountabilityLoss
• T.Eavesdrop
• T.UnauthenticatedAccess
• T.UnauthorizedAccess
Assumptions
• A.PhysicalProtection
• A.TrustworthyUsers
• A.NetworkSegregation
• A.Support
Environment Objectives
• OE.Administration
• OE.Support
• OE.Users
TOE Security Objectives
• O.Audit
• O.Communication
• O.Authentication
• O.Authorization
Page 23
Security Functional Requirements (SFR)
Security Functional Class: Security Functional Requirement (Component)
Security Audit (FAU)
  FAU_GEN.1 Audit data generation (FAU_GEN.1)
  FAU_GEN.2 User identity association (FAU_GEN.2)
  FAU_SAR.3 Selectable audit review (FAU_SAR.3)
  FAU_STG.3 Action in case of possible audit data loss (FAU_STG.3)
Cryptographic Support (FCS)
  FCS_COP.1 Cryptographic operation (FCS_COP.1)
User Data Protection (FDP)
  FDP_ACC.1 Subset access control (FDP_ACC.1)
  FDP_ACF.1 Security attribute based access control (FDP_ACF.1)
Identification and Authentication (FIA)
  FIA_AFL.1 Authentication failure handling (FIA_AFL.1)
  FIA_ATD.1 User attribute definition (FIA_ATD.1)
  FIA_SOS.1 Verification of secrets (FIA_SOS.1)
  FIA_UAU.2 User authentication before any action (FIA_UAU.2)
  FIA_UID.2 User identification before any action (FIA_UID.2)
Security Management (FMT)
  FMT_MSA.1 Management of security attributes (FMT_MSA.1)
  FMT_MSA.3 Static attribute initialization (FMT_MSA.3a)
  FMT_MSA.3 Static attribute initialization (FMT_MSA.3b)
  FMT_SMF.1 Specification of Management Functions (FMT_SMF.1)
  FMT_SMR.1 Security roles (FMT_SMR.1)
Protection of the TSF (FPT)
  FPT_ITT.1 Basic internal TSF data transfer protection (FPT_ITT.1)
TOE Access (FTA)
  FTA_TSE.1 TOE session establishment (FTA_TSE.1)
Trusted Path/Channels (FTP)
  FTP_TRP.1 Trusted path (FTP_TRP.1)
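To make the SFR list concrete, and to show the kind of security functionality the manufacturer's TOE tests (slide 25) have to exercise, here is an added illustration of a management-plane login service that implements a subset of these requirements. It is not code from Huawei CGP and is not the CGP design: the mapping of SFRs to behaviour, the lockout threshold, the secret-quality rule, the OM subnet and the accounts are the editor's own constructed values.

```python
"""Management-plane login model for a subset of the SFRs on the slide.
Added illustration, not code from Huawei CGP: the SFR-to-behaviour mapping,
thresholds, subnet and accounts are the editor's own constructed values."""
from dataclasses import dataclass
import hashlib, hmac, ipaddress, os, secrets

MAX_FAILURES = 3     # FIA_AFL.1: lock the account after this many consecutive failures
MIN_SECRET_LEN = 12  # FIA_SOS.1: minimum secret length in the quality metric


class AuthError(Exception):
    pass


@dataclass
class User:
    name: str
    role: str          # FMT_SMR.1: "admin" or "operator"
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


def _derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def check_secret_quality(secret):
    """FIA_SOS.1: length plus at least one letter, one digit and one symbol."""
    return (len(secret) >= MIN_SECRET_LEN and any(c.isalpha() for c in secret)
            and any(c.isdigit() for c in secret) and any(not c.isalnum() for c in secret))


class ManagementServer:
    def __init__(self, om_networks):
        self.users, self.sessions, self.audit = {}, {}, []
        self.om_networks = [ipaddress.ip_network(n) for n in om_networks]  # FTA_TSE.1 policy

    def _log(self, event, subject, outcome, **detail):
        # FAU_GEN.1 / FAU_GEN.2: every security event is recorded with the user identity
        self.audit.append({"event": event, "subject": subject, "outcome": outcome, **detail})

    def add_user(self, name, secret, role):
        if not check_secret_quality(secret):
            raise ValueError("secret fails the FIA_SOS.1 quality metric")
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, _derive(secret, salt))

    def login(self, name, secret, src_ip):
        if not any(ipaddress.ip_address(src_ip) in n for n in self.om_networks):
            self._log("session", name, "denied", src=src_ip)  # FTA_TSE.1: refuse the session
            raise AuthError("source address not permitted")
        user = self.users.get(name)
        ok = (user is not None and not user.locked
              and hmac.compare_digest(_derive(secret, user.salt), user.digest))
        if not ok:
            if user is not None and not user.locked:
                user.failures += 1
                if user.failures >= MAX_FAILURES:
                    user.locked = True  # FIA_AFL.1 action on reaching the threshold
                    self._log("account", name, "locked", src=src_ip)
            self._log("login", name, "fail", src=src_ip)
            raise AuthError("authentication failed")
        user.failures = 0
        token = secrets.token_hex(16)
        self.sessions[token] = user
        self._log("login", name, "success", src=src_ip)
        return token

    def run(self, token, command):
        user = self.sessions.get(token)
        if user is None:  # FIA_UID.2 / FIA_UAU.2: nothing runs before authentication
            self._log("command", "<unauthenticated>", "fail", cmd=command)
            raise AuthError("not authenticated")
        if command.startswith("config") and user.role != "admin":  # FMT_SMR.1 / FDP_ACF.1
            self._log("command", user.name, "fail", cmd=command, reason="role")
            raise PermissionError("role not permitted")
        self._log("command", user.name, "success", cmd=command)
        return "ok"


def demo():
    """Functional-test walk-through in the spirit of ATE_FUN.1; returns observed outcomes."""
    srv = ManagementServer(["10.20.0.0/16"])  # constructed OM subnet
    srv.add_user("oper1", "Operator-Pass-2011!", "operator")
    out = {}

    def expect(exc, fn, *args):
        try:
            fn(*args)
        except exc:
            return True
        return False

    out["outside_om_denied"] = expect(AuthError, srv.login, "oper1", "Operator-Pass-2011!", "203.0.113.5")
    out["unauthenticated_refused"] = expect(AuthError, srv.run, "no-such-token", "display version")
    tok = srv.login("oper1", "Operator-Pass-2011!", "10.20.1.7")
    out["operator_config_refused"] = expect(PermissionError, srv.run, tok, "config system")
    for _ in range(MAX_FAILURES):
        expect(AuthError, srv.login, "oper1", "wrong-secret", "10.20.1.7")
    out["locked_after_failures"] = srv.users["oper1"].locked
    out["weak_secret_rejected"] = expect(ValueError, srv.add_user, "oper2", "short", "operator")
    out["audit_records_have_subject"] = all(r["subject"] for r in srv.audit)
    out["audit_count"] = len(srv.audit)
    return out
```

Each branch in `demo()` is the sort of test case an ATE_FUN.1 test plan would document against an SFR: a session refused by source address (FTA_TSE.1), a command attempted without a session (FIA_UAU.2), a role restriction (FMT_SMR.1 with FDP_ACF.1), a lockout after repeated failures (FIA_AFL.1), a rejected weak secret (FIA_SOS.1), and an audit trail in which every record carries a subject identity (FAU_GEN.2).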
Page 24
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class: Assurance Components
ADV Development
  ADV_ARC.1 Security architecture description
  ADV_FSP.3 Functional specification with complete summary
  ADV_TDS.2 Architectural design
AGD Guidance documents
  AGD_OPE.1 Operational user guidance
  AGD_PRE.1 Preparative procedures
ALC Life-cycle support
  ALC_CMC.3 Authorisation controls
  ALC_CMS.3 Implementation representation CM coverage
  ALC_DEL.1 Delivery procedures
  ALC_DVS.1 Identification of security measures
  ALC_LCD.1 Developer defined life-cycle model
ASE Security Target evaluation
  ASE_CCL.1 Conformance claims
  ASE_ECD.1 Extended components definition
  ASE_INT.1 ST introduction
  ASE_OBJ.2 Security objectives
  ASE_REQ.2 Derived security requirements
  ASE_SPD.1 Security problem definition
  ASE_TSS.1 TOE summary specification
ATE Tests
  ATE_COV.2 Analysis of coverage
  ATE_DPT.1 Testing: basic design
  ATE_FUN.1 Functional testing
  ATE_IND.2 Independent testing - sample
AVA Vulnerability assessment
  AVA_VAN.2 Vulnerability analysis
bull Optical Network
bull Core Network
bull Data Communication
bull Wireless Product
bull Access Network
bull Terminals
bull Storage amp Network Security
bull Enterprise
We plan to incorporate the Common Criteria certification to the following product lines
bull Core Network
bull Enterprise
HUAWEI TECHNOLOGIES CO LTD Page 29Page 29
We are increasing our market positionpresent and future security will be a key factor
Certification for telecom products will become more and more important
along with the development of CC standardization
Taking on an open transparent and sincere attitude Huawei is willing to co-
operate with all governments customers and partners through various
channels to jointly cope with threats and challenges from cyber security
Concluding Remarks
Thank youwwwhuaweicom
Page 21
Evaluation Process
[Diagram: Security Problem Definition (Threats, Org. Sec. Policies, Assumptions) -> Security Objectives (Environment Objectives, TOE Sec. Objectives) -> Security Requirements (TOE SFRs, TOE SARs) -> TOE Sec. Functions -> TOE Summary Specification]
Security Problem Definition: what is the threat?
Security Objectives: what is the security objective?
Security Requirements: how to achieve the security goal?
Security Solution Definition: how to solve the problem?
Solution Implementation Definition: how to implement those solutions?
Page 22
Threats & Assumptions / Objectives
Threats:
• T.AccountabilityLoss
• T.Eavesdrop
• T.UnauthenticatedAccess
• T.UnauthorizedAccess
Assumptions:
• A.PhysicalProtection
• A.TrustworthyUsers
• A.NetworkSegregation
• A.Support
Environment Objectives:
• OE.Administration
• OE.Support
• OE.Users
TOE Security Objectives:
• O.Audit
• O.Communication
• O.Authentication
• O.Authorization
Page 23
Security Functional Requirements (SFR)
Security Functional Class / Security Functional Requirement (Component)
Security Audit (FAU)
  FAU_GEN.1  Audit data generation
  FAU_GEN.2  User identity association
  FAU_SAR.3  Selectable audit review
  FAU_STG.3  Action in case of possible audit data loss
Cryptographic Support (FCS)
  FCS_COP.1  Cryptographic operation
User Data Protection (FDP)
  FDP_ACC.1  Subset access control
  FDP_ACF.1  Security attribute based access control
Identification and Authentication (FIA)
  FIA_AFL.1  Authentication failure handling
  FIA_ATD.1  User attribute definition
  FIA_SOS.1  Verification of secrets
  FIA_UAU.2  User authentication before any action
  FIA_UID.2  User identification before any action
Security Management (FMT)
  FMT_MSA.1  Management of security attributes
  FMT_MSA.3  Static attribute initialization (iteration FMT_MSA.3a)
  FMT_MSA.3  Static attribute initialization (iteration FMT_MSA.3b)
  FMT_SMF.1  Specification of Management Functions
  FMT_SMR.1  Security roles
Protection of the TSF (FPT)
  FPT_ITT.1  Basic internal TSF data transfer protection
TOE Access (FTA)
  FTA_TSE.1  TOE session establishment
Trusted Path/Channels (FTP)
  FTP_TRP.1  Trusted path
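The Evaluation Process slide describes a chain (threats and assumptions lead to objectives, objectives lead to SFRs) and the two slides above populate it. An evaluator checks that chain as a rationale: every threat is countered by an objective, every TOE objective is implemented by at least one SFR, and no SFR is unexplained. The following Python check is an added example, not code from the slides or from the CGP Security Target. The threat, assumption, objective and SFR identifiers are the ones listed above; the mappings between them (THREAT_TO_OBJ, ASSUMPTION_TO_OBJ, OBJ_TO_SFR) are constructed for the example and are not the CGP ST's actual rationale.

```python
"""Security Target rationale (traceability) check.

Identifiers are those on the Threats & Assumptions / Objectives and SFR
slides; the mappings between them are CONSTRUCTED for this example and do
not reproduce the CGP Security Target's rationale."""

THREATS = {"T.AccountabilityLoss", "T.Eavesdrop",
           "T.UnauthenticatedAccess", "T.UnauthorizedAccess"}
ASSUMPTIONS = {"A.PhysicalProtection", "A.TrustworthyUsers",
               "A.NetworkSegregation", "A.Support"}
TOE_OBJECTIVES = {"O.Audit", "O.Communication",
                  "O.Authentication", "O.Authorization"}
ENV_OBJECTIVES = {"OE.Administration", "OE.Support", "OE.Users"}
SFRS = {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3", "FCS_COP.1",
        "FDP_ACC.1", "FDP_ACF.1", "FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
        "FIA_UAU.2", "FIA_UID.2", "FMT_MSA.1", "FMT_MSA.3a", "FMT_MSA.3b",
        "FMT_SMF.1", "FMT_SMR.1", "FPT_ITT.1", "FTA_TSE.1", "FTP_TRP.1"}

# Constructed: which objective(s) counter each threat
THREAT_TO_OBJ = {
    "T.AccountabilityLoss": {"O.Audit"},
    "T.Eavesdrop": {"O.Communication"},
    "T.UnauthenticatedAccess": {"O.Authentication"},
    "T.UnauthorizedAccess": {"O.Authorization"},
}
# Constructed: which environment objective upholds each assumption
ASSUMPTION_TO_OBJ = {
    "A.PhysicalProtection": {"OE.Administration"},
    "A.TrustworthyUsers": {"OE.Users"},
    "A.NetworkSegregation": {"OE.Administration"},
    "A.Support": {"OE.Support"},
}
# Constructed: which SFRs implement each TOE objective
OBJ_TO_SFR = {
    "O.Audit": {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"},
    "O.Communication": {"FCS_COP.1", "FPT_ITT.1", "FTP_TRP.1"},
    "O.Authentication": {"FIA_AFL.1", "FIA_ATD.1", "FIA_SOS.1",
                         "FIA_UAU.2", "FIA_UID.2", "FTA_TSE.1"},
    "O.Authorization": {"FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1",
                        "FMT_MSA.3a", "FMT_MSA.3b", "FMT_SMF.1", "FMT_SMR.1"},
}


def check_rationale(threat_to_obj=THREAT_TO_OBJ,
                    assumption_to_obj=ASSUMPTION_TO_OBJ,
                    obj_to_sfr=OBJ_TO_SFR):
    """Return {gap_name: set_of_ids} for every traceability gap found.

    An empty dict means every threat and assumption is addressed by an
    objective, every TOE objective is implemented by an SFR, every
    objective traces back to the security problem definition, and no SFR
    is left unexplained."""
    all_objectives = TOE_OBJECTIVES | ENV_OBJECTIVES
    named_objs = set().union(*threat_to_obj.values(),
                             *assumption_to_obj.values())
    named_sfrs = set().union(*obj_to_sfr.values())
    gaps = {
        # security problem definition -> objectives
        "uncountered_threats": {t for t in THREATS if not threat_to_obj.get(t)},
        "unupheld_assumptions": {a for a in ASSUMPTIONS
                                 if not assumption_to_obj.get(a)},
        "unknown_objectives": named_objs - all_objectives,
        "orphan_objectives": all_objectives - named_objs,
        # objectives -> SFRs (only TOE objectives are met by SFRs)
        "unmet_toe_objectives": {o for o in TOE_OBJECTIVES
                                 if not obj_to_sfr.get(o)},
        "unknown_sfrs": named_sfrs - SFRS,
        "unused_sfrs": SFRS - named_sfrs,
    }
    return {name: ids for name, ids in gaps.items() if ids}


def demo_broken_rationale():
    """Drop the SFR mapping for O.Communication to show what the check
    reports: the objective becomes unmet and its SFRs become unexplained."""
    broken = {o: set(s) for o, s in OBJ_TO_SFR.items()}
    broken["O.Communication"] = set()
    return check_rationale(obj_to_sfr=broken)


if __name__ == "__main__":
    print("complete rationale gaps:", check_rationale())
    print("broken rationale gaps:  ", demo_broken_rationale())
```

The same shape of check is what ASE_OBJ.2 and ASE_REQ.2 (listed on the SAR slide) ask the evaluator to confirm by reading the ST rationale tables; keeping the mapping in a machine-checkable form lets a developer catch a dropped row before the ST goes to the laboratory.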
Page 24
Security Assurance Requirements (SAR): EAL3 Security Assurance Level
Assurance Class / Assurance Components
ADV Development
  ADV_ARC.1  Security architecture description
  ADV_FSP.3  Functional specification with complete summary
  ADV_TDS.2  Architectural design
AGD Guidance documents
  AGD_OPE.1  Operational user guidance
  AGD_PRE.1  Preparative procedures
ALC Life-cycle support
  ALC_CMC.3  Authorisation controls
  ALC_CMS.3  Implementation representation CM coverage
  ALC_DEL.1  Delivery procedures
  ALC_DVS.1  Identification of security measures
  ALC_LCD.1  Developer defined life-cycle model
ASE Security Target evaluation
  ASE_CCL.1  Conformance claims
  ASE_ECD.1  Extended components definition
  ASE_INT.1  ST introduction
  ASE_OBJ.2  Security objectives
  ASE_REQ.2  Derived security requirements
  ASE_SPD.1  Security problem definition
  ASE_TSS.1  TOE summary specification
ATE Tests
  ATE_COV.2  Analysis of coverage
  ATE_DPT.1  Testing: basic design
  ATE_FUN.1  Functional testing
  ATE_IND.2  Independent testing - sample
AVA Vulnerability assessment
  AVA_VAN.2  Vulnerability analysis
Page 25
Testing
TOE Testing
• Developed by the manufacturer
• Verifies each unit test that identifies security functionality
• The testing method is appropriate to the function to be tested
Penetration Testing
• The independent penetration testing devised several test cases; no exploitable vulnerabilities nor residual vulnerabilities were found. The test cases covered attacks including SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MiTM attacks, brute force and IP spoofing.
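The manufacturer-side TOE testing above (ATE_FUN.1 on the SAR slide) means tests that exercise each security function the SFRs require and record the outcome. The following Python example is added here and is not CGP code: a minimal authentication service together with a functional test that walks the identification and authentication SFRs from the SFR slide (FIA_UID.2/FIA_UAU.2 before any action, FIA_SOS.1 secret quality, FIA_AFL.1 failure handling, FIA_ATD.1 user attributes, FTA_TSE.1 session establishment) and records each event with the user identity (FAU_GEN.1/FAU_GEN.2). The policy values (LOCKOUT_THRESHOLD, the password rule, MGMT_NET) are constructed for the example, not taken from the CGP Security Target; the lockout test is also the developer-side check that the brute-force case in the penetration test list is countered.

```python
"""Added example: functional test (ATE_FUN-style) of I&A security functions.

Not CGP code.  LOCKOUT_THRESHOLD, the password rule and MGMT_NET are
constructed policy values for this example."""
import hashlib
import hmac
import ipaddress
import os
import time

LOCKOUT_THRESHOLD = 3                              # FIA_AFL.1 (constructed)
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")     # FTA_TSE.1 (constructed)


def password_meets_policy(pw):
    """FIA_SOS.1: verify a secret against the (constructed) quality rule."""
    return (len(pw) >= 8 and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


def hash_secret(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}      # FIA_ATD.1: per-user security attributes
        self.sessions = {}   # token -> user name
        self.audit = []      # FAU_GEN.1/.2: audit records with user identity

    def _log(self, event, user, outcome, **extra):
        self.audit.append({"ts": time.time(), "event": event,
                           "user": user, "outcome": outcome, **extra})

    def add_user(self, name, password, role="operator"):
        if not password_meets_policy(password):
            self._log("add_user", name, "rejected", reason="weak secret")
            return False
        salt, digest = hash_secret(password)
        self.users[name] = {"salt": salt, "digest": digest, "role": role,
                            "failures": 0, "locked": False}
        self._log("add_user", name, "ok")
        return True

    def login(self, name, password, src_ip):
        """FIA_UID.2/FIA_UAU.2: identify and authenticate before any action.
        Returns a session token, or None when the session is refused."""
        user = self.users.get(name)
        if user is None:
            self._log("login", name, "fail", reason="unknown user")
            return None
        if ipaddress.ip_address(src_ip) not in MGMT_NET:      # FTA_TSE.1
            self._log("login", name, "denied", reason="source not permitted",
                      src=src_ip)
            return None
        if user["locked"]:
            self._log("login", name, "denied", reason="account locked")
            return None
        _, digest = hash_secret(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):
            user["failures"] += 1                             # FIA_AFL.1
            if user["failures"] >= LOCKOUT_THRESHOLD:
                user["locked"] = True
                self._log("lockout", name, "locked", failures=user["failures"])
            self._log("login", name, "fail", reason="bad secret")
            return None
        user["failures"] = 0
        token = os.urandom(16).hex()
        self.sessions[token] = name
        self._log("login", name, "ok", src=src_ip)
        return token

    def run_action(self, token, action):
        """Any TSF-mediated action requires an established session."""
        name = self.sessions.get(token)
        if name is None:
            self._log(action, None, "denied", reason="no session")
            raise PermissionError("authentication required before any action")
        self._log(action, name, "ok")
        return f"{action} performed by {name}"


def run_functional_test():
    """Exercise each I&A security function once; return the observations."""
    svc = AuthService()
    r = {}
    r["weak_secret_rejected"] = not svc.add_user("bob", "short")      # FIA_SOS.1
    svc.add_user("alice", "Str0ngSecret")
    try:                                                               # FIA_UAU.2
        svc.run_action("bogus-token", "show_config")
        r["no_session_denied"] = False
    except PermissionError:
        r["no_session_denied"] = True
    r["outside_mgmt_net_denied"] = (                                   # FTA_TSE.1
        svc.login("alice", "Str0ngSecret", "192.0.2.7") is None)
    for _ in range(LOCKOUT_THRESHOLD):                                 # FIA_AFL.1
        svc.login("alice", "wrong-pass1", "10.0.0.5")
    r["locked_after_failures"] = svc.users["alice"]["locked"]
    r["locked_rejects_good_secret"] = (
        svc.login("alice", "Str0ngSecret", "10.0.0.5") is None)
    svc.users["alice"].update(locked=False, failures=0)   # administrator unlock
    token = svc.login("alice", "Str0ngSecret", "10.0.0.5")
    r["login_ok"] = token is not None
    r["action_ok"] = svc.run_action(token, "show_config").endswith("alice")
    r["audit_has_identity"] = all(                                     # FAU_GEN.2
        e["user"] for e in svc.audit if e["event"] == "login")
    r["audit_records"] = len(svc.audit)
    return r


if __name__ == "__main__":
    for name, value in run_functional_test().items():
        print(f"{name}: {value}")
```

Each observation in run_functional_test is tied to the SFR it exercises, which is the coverage evidence ATE_COV.2 asks for; the audit list is what an FAU_SAR.3 review would select from.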
Page 26
Evaluation Results
The product Huawei Carrier Grade Platform (CGP) software (unique version identifier CGP V100R005C00) with the patch V100R005C00SPC604 has been evaluated against the "Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target" v028, dated 20110309.
All the assurance components required by the level EAL3 have been assigned a "PASS" verdict. Consequently the laboratory (LGAI-APPLUS) assigns the "PASS" verdict to the whole evaluation, because all the evaluator actions are satisfied for the EAL3 methodology as defined by the Common Criteria and the Common Methodology.
Page 27
Agenda
1 Introduction
2 Cyber Security Policy
3 Best Development Practices
4 Our Achievements
5 Concluding Remarks
Page 28
Future Plan
Huawei product lines can be classified as follows:
• Application and Software
• Optical Network
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise
We plan to incorporate the Common Criteria certification into the following product lines:
• Core Network
• Enterprise
Page 29
Concluding Remarks
We are increasing our market position; present and future security will be a key factor.
Certification for telecom products will become more and more important along with the development of CC standardization.
Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.
Thank you
www.huawei.com