Security Management in the FCAPS model

Security Management in the FCAPS model

Security Management is a Network Management function that is about protecting both the network as a whole and the individual devices against intentional or accidental abuse, unauthorized access and communication loss.
Security Management is also responsible to set constraints per managed element, according to standards & specifications.

Implementing an SNMP-based Network Management System without considering security can be a big problem, especially if we are talking about commercial networks. Even for home networks, security should be top priority to ensure that sensitive data are not publicly available or easy to be accessed.

An easy way to understand security is to categorize security functions as:

  • Authentication
  • Authorisation
  • Segmentation
  • Communication
  • Hardening
  • Authentication

    Authentication is defined as the process of identifying an individual, usually based on a username and password or some times with biometrics (fingertips etc.).

    In security systems, authentication is distinct from authorisation, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

    When evaluating the authentication security capabilities of a system software, you typically look for the following features:

    1. Local and remote authentication
    2. Strong authentication
    3. Two-factor authentication
    4. User account monitoring

    Local Authentication

    Local authentication answers the following question: Can the system authenticate the user locally, i.e. without connecting to an external authentication authority? This is something important in case of network connectivity issues, when a fallback authentication method is required in order to allow you to connect to the system for troubleshooting.

    strong authentication login


    Remote Authentication

    Remote user authentication is about the system capability to use an external authority to authenticate the users. Typically this requires network connectivity to 3rd party servers, running software like TACACS, LDAP, etc. The benefit of remote user authentication is that it simplifies creation and maintenance of login credentials which is important for large organizations.

    authentication in security management

    Strong Authentication

    Strong Authentication is about enhancing the password. The user login is typically secured via a password, i.e. a password must be entered two times, and it is scrambled to prohibit accidental or on purpose view from other users.

    The way to enhance the password security is by implementing a set of features that target to further secure the password, such as:

    • Enforce users to use only strong passwords, with at least eight characters, letters, numbers and special characters.
    • Enforce passwords expiration: this requires the users to change their password frequently, e.g. every month.


    Two-factor Authentication

    Two-factor authentication is another authentication enhancement, which requires the usage of two authentication factors: a knowledge factor together with a possession factor or an inherence factor.

    We use the 2-factor authentication in order to decrease the probability of false evidence of identity. Example of factors are:

    • Something the user knows, such as a password, PIN, pattern, etc.;
    • Something the user has, such as ATM card, smart card; and
    • Something the user is, typically a biometric characteristic, such as a fingerprint.

    two factor authenticationTwo-factor authentication is not something new, having been used throughout history. Example of 2-factor authentication are local automated teller machines (ATM). When a bank customer visits an ATM, he uses as the first authentication factor the physical ATM card that he slides into the machine. He then uses as the second facto the PIN, which he customer enters through a keypad.

    Two-factor authentication is not very common in SNMP Network Management Systems, as the user usually performs the authentication in a controlled environment. Instead, strong authentication is frequently employed, except in tier-1 operators.



    Authorisation is defined as the process of giving individuals access to system objects based on their identity. Obviously, both authentication and authorisation are required in order to identify the individual (authentication) and provide him access rights (authorization).

    When evaluating the authorization security capabilities of a system software, you typically look for the following features:

    • Multiple roles according to predefined templates (Administrator / Power User / Alarm / Monitor, etc.) that grant specific rights of access to the system.
    • Role creation and removal (by the administrator).
    • Multiple users per role.
    • Fine grained privileges (per role, per user) – each role, and/or user, may have access to specific functions / views / network objects.

    Why we need predefined roles

    A good NMS system must have a set of predefined roles, to enable usage of the software out-of-the-box. Typically, predefined roles are:

    The Monitor role can monitor everything.

    The Alarm role can monitor everything plus the following actions:

    • Acknowledge alarms.
    • Clear alarms.
    • Delete alarms.
    • Set Maintenance Mode on / off.

    The Power User role can perform any action except the following:

    • Alarm Severity Mapping to define which alarms are critical, which major, etc.
    • Event Log Administration, to change the log-level configuration
    • Auto Archiving, to reduce the number of performance records stored in the database
    • Drag and Drop on Telecom Objects to re-arrange the network topology.
    • Create / Remove / Manipulate Schedules.

    • Create / Remove / Modify Users and Roles.
    • Create / Remove his own Reports / Network Navigators. 

    The Administrator role can create one or more users and assign them to one of the aforementioned roles or to a new role. The Administrator can perform any action. More specifically, concerning the security administration, the Administrator role can:

    • Modify the predefined Roles.
    • Create / Remove / Modify User entries.
    • Create / Remove / Modify Role entries.
    • Restrict User Access to the Network.

    Fine-grained Privileges

    Authorisation is useful only when the privileges are fine-grained, i.e. detailed, and can be fully customised. Only then you can really control the access rights of the user.

    security privileges


    Network Segmentation

    Segmentation of the network is about splitting the managed network into logical domains that are then assigned to roles or users in order to restrict access to domains and NEs.

    Network Segmentation is performed by the administrator, that creates one or more Network Access Domains (NADs) and assigns them existing Domains / Network Objects (i.e. Network Elements / Modules / Ports / Topological Links / Sub-networks / Service Fragments / Services).

    Then, these NADs can be assigned to specific users, thus permitting them to view only the Domains / Network Objects belonging to the NADs. In this case, the Network Navigator (hierarchical tree-view) , the Graphical View (topology map-view) as well as all types of reports (Active Alarms, Real Time Alarms & Events, Performance Reports etc.) will show information only for the Domains / Network Objects belonging to the specific NADs.

    Network Segmentation is a feature that enables Virtual Network Operators (VNOs), i.e. separate operators providing services over a network that belongs to another organisation. In this case each VNO can monitor only the part of the network that enables the services it provides, while the network owner can monitor the whole network.


    Secure Communication

    Secure Communication is about ensuring that the protocols used are secure or are configured with their secure features enabled. Typical checklist for secure communication includes:

    • Check that only secure protocols are used for communication with the network elements, e.g. the NMS uses Secure FTP (SFTP) instead of FTP and Secure Shell (SSH) instead of Telnet
    • Check that custom SNMP credentials are used, instead of the default public/private credentials.


    Server Hardening

    Server hardening is an activity that requires IT competence. Hardening typically includes:

    • Removal of unnecessary services and software packages that run on the server.
    • Database & OS customisation, to remove default security values
    • Elimination of plain text passwords and replacement with encrypted ones.

    To certify that a server is hardened, an external certification authority may be used, to provide an audit of the server in question.


    User Account Management

    User account management is about enabling the administrator to:

    • Add Users
    • Add Roles
    • Define Priviledges
    • Restrict User Access to the Network
    • Monitor login and logout of users
    • Force users to logout
    • Lock user accounts.

    It appears that the TMN model is not very clear at this part, as some Vendors include User Accounting in Security Management, while others include it in Accounting. This really does not matter as long the features are included!



    2016-10-24T07:47:52+00:00 May 25th, 2013|Categories: Functions (FCAPS)|Tags: |Comments Off on Security Management in the FCAPS model

    About the Author:

    Christos Rizos is a Network, Systems and Applications Management expert with 20+ years experience in the technology domain, providing consulting services to Vendors and Operators around the world.