CC Certification For Telecom Products: Huawei Technologies Co., LTD

This document discusses Huawei's cybersecurity policies and practices for telecom products. It introduces Huawei as a global ICT solutions provider with over 120,000 employees in 140+ countries. It outlines Huawei's cybersecurity goals of entering securely, understanding threats, and maintaining protection. The document also describes Huawei's ISO27001 certification, compliance with telecom security standards, global security organization, and cooperation with authorized labs for Common Criteria certification of telecom products.

Uploaded by Raja Solaimalai
CC Certification for Telecom Products

Huawei Technologies Co., Ltd.


www.huawei.com

2011-9-28 12th ICCC In Malaysia

HUAWEI TECHNOLOGIES CO., LTD. Page 1


Agenda

1 Introduction

2 Cyber Security Policy

3 Best Development Practices

4 Our Achievements

5 Concluding Remarks



Introduction

[Figure: world map of Huawei sites. Locations labelled: Holland, Germany, Hungary, Romania, Bahrain, UAE, India, China, Mexico, Malaysia, Brazil, Mauritius, Argentina. Legend: Huawei Headquarters; Accounting share center; Bidding center (Planning); Supply center & Hub; R&D center; Training center; Technical support center.]

• 120,000+ employees with 150+ nationalities worldwide
• 15 Regional Headquarters, operations in 140+ countries

Localized operation powered by global resources


Cyber Security: an Increasing Global Threat

[Figure: three columns labelled Government, Operator, End User.]


Challenges for All Participants

Cyber Security:

• Government: High-efficiency and low cost security entry control and supervision systems
• Operator: Balance between security assurance and cost of business operation
• End User: More risk aware and discerning
• Vendor: Secure and trusted delivery & enhanced security assurance

Common Criteria (CC)




Security Goal

Enter / Take away / Understand / Change / Get away


Independent ISMS Audit

• Huawei has been BS7799 certified since 2004
• The certificate was updated to ISO27001 in 2007
• The current ISO27001 certificate was released in July, 2010

Certified:
• Headquarters
• Beijing Representative Office
• Shanghai Research Institute
• Huawei Germany Offices
• Huawei Belgium Offices
• France Offices
• Spain Office
• UK Office
• Italy Offices

Ongoing:
• Portugal Office
• Singapore Office
• Switzerland Offices


Our Security Policy
• Compliance with a series of standards
  - ITU-T X.805 and 3GPP standards for telecom products

• Global cyber security organization with branches in 4 countries: UK, U.S., France and India.
  - In the UK, a security lab has been established.

• Great efforts to follow local regulations and laws on cyber security, especially for telecom products


Huawei’s Perspective

Issues and their solutions:

• Privacy: Separation of duties; Access Control
• Threats: Protection against various attacks, risk analysis
• Vulnerability: Security designed in solution; Security embedded in process


Management and Control

Establishing the Company Level Cyber Security Vision & Policy

Vision: Establish an E2E customer-facing cyber security assurance system that is transparent, mutually trusted and neutral, to ensure customer's long-term security trust.

• Proactive Protection: Proactively analyze cyber security requirements and risks, prevent and respond to security threats. Integrate security assurance activities into business processes such as IPD, Procurement, Supply Chain, and Delivery & Service process, and develop management regulations and technical standards to ensure the effective execution of the activities.

• Regulations Compliance: All the security management documents, processes and activities must be compliant with local laws and regulations concerning cyber security.

• Traceability: Through professional management, process deployment, records storing and IT technical support, ensure that the products, solutions and services offered by Huawei are traceable throughout the whole lifecycle.

• Open and Transparent: Communicate with stakeholders of different countries, including governments, customers, industry partners, and employees, through various organizations, channels and platforms to jointly confront the threats and challenges of the global telecommunication network.



Cooperation with Authorized Labs for CC

• We actively cooperate with authorized labs on evaluation, in the hope of obtaining a disinterested result according to the Common Criteria (CC) standards.

• Common Criteria (CC) certification was obtained recently; a couple of telecom products are under evaluation, based on a Security Target (ST).


CC Certified Products

[Figure: bar chart "CC Certified Products Distribution", up to Sep. 2011. Vertical axis from 0 to 450. Series: # Certified Products, # PP. Annotation: Huawei's Telecom Products.]


Typical Telecom Network Architecture
[Figure: 3GPP network architecture. Access networks: GERAN (2G), UTRAN (3G), E-UTRAN (3.9G), untrusted non-3GPP IP access (e.g. WLAN). Network elements: HLR/HSS, SGSN, GGSN, MME, S-GW, PDN-GW, PCRF, PDSN, ePDG, 3GPP-AAA, Operator's IP service. Interfaces: Gr, Gb, Iu, Gn, Gi, Gx, Gxb, Rx, S1-C, S1-U, S2b, S3, S4, S5, S6a, S6b, S7c, S11, S12, SGi, SWa, SWn, SWx. Highlighted: Carrier Grade Platform (TOE: software).]

The central (server) side of CGP runs within a physical Operation and Management Unit (OMU) on top of a Linux operating system. Remote clients are available for management access to the server.

Long Term Evolution Security Overview
Long Term Evolution Security Overview
Uu Interface:
• Authentication: USIM + EPS AKA
• Encryption: AES/SNOW 3G/ZUC

Backhaul Security:
• Certificate-based authentication (802.1x, IKE, PKI)
• IPSec
• TLS/SSL

OMC Security:
• OM data encryption
• Account management
• Log management
• Security alarm

eNodeB Security:
• Embedded firewall (ACL)
• IPsec for protection of signaling and user data
• Authentication/Encryption

Core Security:
• Huawei USC security solution
• Traffic segregation, CN firewall

[Figure: LTE network diagram split into a Non-trusted Zone and a Trusted Zone. Elements: Terminal, UE, eNB, Backhaul IP Network, SecGW, Firewall, MME, UGW, HSS, NMS, Billing, OM Network, Service, Signaling, Internet, Third Party Network. Links labelled IPsec and SSL.]


Huawei Security Solution Architecture

• Comprehensive, top-down, end-to-end security design methodology


• Based on ITU-T X.805 recommendation architecture



Our Achievements
In July 2011 we gained the EAL3 certificates from CCN; other products are under ongoing evaluation.
EAL3: methodically tested and checked

1. CGP platform
Security Target: Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target. v0.28 2011/03/09.
Protection Profile: No conformance to a Protection Profile is claimed.

2. NetEngine40E/CX600 running VRP(V500R007) platform
Security Target: Huawei NetEngine40E/CX600 Universal Service Router V600R001 Security Target. V0.68, 2011/02/24.
Protection Profile: No conformance to a Protection Profile is claimed.


Evaluation Process

• Security Problem Definition: What is the threat?
  - Threats
  - Org. Sec. Policies
  - Assumptions

• Security Solution Definition: How to solve the problem?
  - Security Objectives: What is the security objective? (TOE Sec. Objectives, Environ. Objectives)
  - Security Requirements: How to achieve security goal? (TOE SFRs, TOE SARs)

• Solution Implementation Definition: How to implement those solutions?
  - TOE Summary Specification
  - TOE Sec. Function


Threats & Assumptions, Objectives
Threats
• T.AccountabilityLoss
• T.Eavesdrop
• T.UnauthenticatedAccess
• T.UnauthorizedAccess

Assumptions
• A.PhysicalProtection
• A.TrustworthyUsers
• A.NetworkSegregation
• A.Support

TOE Sec. Objectives
• O.Audit
• O.Communication
• O.Authentication
• O.Authorization

Environment Objectives
• OE.Administration
• OE.Support
• OE.Users


Security Functional Requirements (SFR)

Security Functional Class | Security Functional Requirement | Component
Security Audit (FAU) | FAU_GEN.1: Audit data generation | FAU_GEN.1
Security Audit (FAU) | FAU_GEN.2: User identity association | FAU_GEN.2
Security Audit (FAU) | FAU_SAR.3: Selectable audit review | FAU_SAR.3
Security Audit (FAU) | FAU_STG.3: Action in case of possible audit data loss | FAU_STG.3
Cryptographic Support (FCS) | FCS_COP.1: Cryptographic operation | FCS_COP.1
User Data Protection (FDP) | FDP_ACC.1: Subset access control | FDP_ACC.1
User Data Protection (FDP) | FDP_ACF.1: Security attribute based access control | FDP_ACF.1
Identification and Authentication (FIA) | FIA_AFL.1: Authentication failure handling | FIA_AFL.1
Identification and Authentication (FIA) | FIA_ATD.1: User attribute definition | FIA_ATD.1
Identification and Authentication (FIA) | FIA_SOS.1: Verification of secrets | FIA_SOS.1
Identification and Authentication (FIA) | FIA_UAU.2: User authentication before any action | FIA_UAU.2
Identification and Authentication (FIA) | FIA_UID.2: User identification before any action | FIA_UID.2
Security Management (FMT) | FMT_MSA.1: Management of security attributes | FMT_MSA.1
Security Management (FMT) | FMT_MSA.3: Static attribute initialization | FMT_MSA.3a
Security Management (FMT) | FMT_MSA.3: Static attribute initialization | FMT_MSA.3b
Security Management (FMT) | FMT_SMF.1: Specification of Management Functions | FMT_SMF.1
Security Management (FMT) | FMT_SMR.1: Security roles | FMT_SMR.1
Protection of the TSF (FPT) | FPT_ITT.1: Basic internal TSF data transfer protection | FPT_ITT.1
TOE Access (FTA) | FTA_TSE.1: TOE session establishment | FTA_TSE.1
Trusted Path/Channels (FTP) | FTP_TRP.1: Trusted path | FTP_TRP.1
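
Added example (not part of the original slides or of the Security Target): the chain shown under Evaluation Process, from threats to TOE objectives to SFRs, can be checked mechanically for gaps. The identifiers are the ones listed on the slides; the links between them are assumed here for illustration and are not exhaustive.

```python
# Tracing check for a Security Target rationale (added example).
# Identifiers are from the slides; the mappings below are ASSUMED for
# illustration and are not taken from the evaluated Security Target.

THREATS = ["T.AccountabilityLoss", "T.Eavesdrop",
           "T.UnauthenticatedAccess", "T.UnauthorizedAccess"]
OBJECTIVES = ["O.Audit", "O.Communication", "O.Authentication", "O.Authorization"]

# Assumed: which TOE objectives counter each threat.
THREAT_TO_OBJ = {
    "T.AccountabilityLoss": ["O.Audit"],
    "T.Eavesdrop": ["O.Communication"],
    "T.UnauthenticatedAccess": ["O.Authentication"],
    "T.UnauthorizedAccess": ["O.Authorization"],
}
# Assumed: which SFRs realise each objective.
OBJ_TO_SFR = {
    "O.Audit": ["FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.3", "FAU_STG.3"],
    "O.Communication": ["FCS_COP.1", "FPT_ITT.1", "FTP_TRP.1"],
    "O.Authentication": ["FIA_AFL.1", "FIA_SOS.1", "FIA_UAU.2",
                         "FIA_UID.2", "FTA_TSE.1"],
    "O.Authorization": ["FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_SMR.1"],
}

def check_rationale(threats, objectives, threat_to_obj, obj_to_sfr):
    """Return a list of gaps in the threat -> objective -> SFR tracing."""
    gaps = []
    used = set()
    for t in threats:
        objs = threat_to_obj.get(t, [])
        if not objs:
            gaps.append(f"threat not countered: {t}")
        for o in objs:
            if o not in objectives:
                gaps.append(f"{t} traces to undefined objective: {o}")
            used.add(o)
    for o in objectives:
        # An objective may also enforce an organisational policy; the
        # slides list none, so only threats are considered here.
        if o not in used:
            gaps.append(f"objective counters no threat: {o}")
        if not obj_to_sfr.get(o):
            gaps.append(f"objective has no SFR: {o}")
    return gaps

if __name__ == "__main__":
    result = check_rationale(THREATS, OBJECTIVES, THREAT_TO_OBJ, OBJ_TO_SFR)
    print(result or "tracing complete")
```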



Security Assurance Requirements (SAR): EAL3 Security Assurance Level

Assurance Class | Assurance Components
ADV: Development | ADV_ARC.1 Security architecture description
ADV: Development | ADV_FSP.3 Functional specification with complete summary
ADV: Development | ADV_TDS.2 Architectural design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance
AGD: Guidance documents | AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.3 Authorisation controls
ALC: Life-cycle support | ALC_CMS.3 Implementation representation CM coverage
ALC: Life-cycle support | ALC_DEL.1 Delivery procedures
ALC: Life-cycle support | ALC_DVS.1 Identification of security measures
ALC: Life-cycle support | ALC_LCD.1 Developer defined life-cycle model
ASE: Security Target evaluation | ASE_CCL.1 Conformance claims
ASE: Security Target evaluation | ASE_ECD.1 Extended components definition
ASE: Security Target evaluation | ASE_INT.1 ST introduction
ASE: Security Target evaluation | ASE_OBJ.2 Security objectives
ASE: Security Target evaluation | ASE_REQ.2 Derived security requirements
ASE: Security Target evaluation | ASE_SPD.1 Security problem definition
ASE: Security Target evaluation | ASE_TSS.1 TOE summary specification
ATE: Tests | ATE_COV.2 Analysis of coverage
ATE: Tests | ATE_DPT.1 Testing: basic design
ATE: Tests | ATE_FUN.1 Functional testing
ATE: Tests | ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis


Testing

• TOE Testing:
  - Developed by manufacturer
  - Verifying each unit test, identifying security functionality
  - Testing method is appropriate to the function to be tested

• Penetration Testing:
  - The independent penetration testing devised several test cases, no exploitable vulnerabilities nor residual vulnerabilities have been found, covering attacks including:
    SQL injection, XPath injection, cross-site scripting, cross-site request forgery, buffer overflows, race conditions, replay attacks, MiTM attacks, brute force, IP spoofing.


Evaluation Results

• The product Huawei Carrier Grade Platform (CGP) software (unique version identifier: CGP V100R005C00) with the following patch V100R005C00SPC604 has been evaluated against the “Huawei Carrier Grade Platform (CGP) Version 1 Release 5 Security Target, Security Target, v0.28”, 2011/03/09.

• All the assurance components required by the level EAL3 have been assigned a “PASS” verdict. Consequently, the laboratory (LGAI-APPLUS) assigns the “PASS” verdict to the whole evaluation, because all the evaluator actions are satisfied for the EAL3 methodology, as defined by the Common Criteria and the Common Methodology.



Future Plan

[Two-column slide. Left heading: "Huawei product lines can be classified as follows:". Right heading: "We plan to incorporate the Common Criteria certification to the following product lines:". The items of both columns appear interleaved below.]

• Application and Software
• Core Network
• Optical Network
• Enterprise
• Core Network
• Data Communication
• Wireless Product
• Access Network
• Terminals
• Storage & Network Security
• Enterprise


Concluding Remarks

• We are increasing our market position; present and future security will be a key factor!

• Certification for telecom products will become more and more important along with the development of CC standardization.

• Taking on an open, transparent and sincere attitude, Huawei is willing to cooperate with all governments, customers and partners through various channels to jointly cope with threats and challenges from cyber security.


Thank you