5571 POL Command Center Release 1.7.2
Server Hardening Guide
3JL-08001-APAA-RJZZA
Issue 01
October, 2022
Nokia — Proprietary and confidential.
Use pursuant to applicable agreements
Nokia is committed to diversity and inclusion. We are continuously reviewing our customer documentation and
consulting with standards bodies to ensure that terminology is inclusive and aligned with the industry. Our future
customer documentation will be updated accordingly.
Nokia is a registered trademark of Nokia Corporation. Other products and company names mentioned herein may
be trademarks or trade names of their respective owners.
The information presented is subject to change without notice. No responsibility is assumed for inaccuracies
contained herein.
© 2022 Nokia
Contains proprietary/trade secret information which is the property of Nokia and must not be made available to, or
copied or used by anyone outside Nokia without its written authorization. Not to be used or disclosed except in
accordance with applicable agreements.
5571 PCC Server Hardening Guide Release 1.7.2
Table of Contents
1 Getting Started With This Guide  3
1.1 About this guide  3
1.2 Server configuration overview  3
2 Basic operating system setup  4
2.1 Power management  4
2.2 Configuring a service  4
3 Server hardware and configuration  5
4 Network configuration  6
4.1 Enhancing the networks  6
4.2 NAT  6
4.2.1 NAT router in the client network  6
4.3 Network Firewall  7
5 Installing a secure server  12
5.1 Physical setup  12
5.2 Debugging  12
5.3 Checklist  13
1 Getting Started With This Guide
• About this guide
• Server configuration overview
1.1 About this guide
The 5571 PCC Server Hardening Guide provides guidance on securing the PCC server. This guide includes
information related to:
• Preparing the hardware for installation of the 5571 PCC.
• Preparing a network for 5571 PCC operation.
• Securing the 5571 PCC installation.
To perform the procedures in this guide, you must be familiar with UNIX/Linux and networking concepts.
Contact your Channel Partner for any queries or technical assistance.
1.2 Server configuration overview
The 5571 PCC is designed to be installed on an x86 server running Red Hat Enterprise Linux 8.x (up to 8.3) or
CentOS 7.x (64-bit operating system).
The scalability of the PCC setup is solely based on the dimensioning of the hardware. For more information on the
dimensioning guidelines, refer to the PCC Installation and User Guide.
2 Basic operating system setup
• Power management
• Configuring a service
This section provides information about how to set up a more secure server on a Red Hat Enterprise Linux system.
For information about the installation, refer to the 5571 PCC Installation and User Guide.
2.1 Power management
The 5571 PCC is designed to run continuously, so the server should never be powered down. Power management is
mostly relevant to desktop systems; disable any power management features on the server.
2.2 Configuring a service
Enable the tcp wrappers module to restrict access to specific services. Access is granted or denied based on the files
/etc/hosts.allow and /etc/hosts.deny, which list the machines for which access is allowed or denied.
3 Server hardware and configuration
This chapter provides details about securing 5571 PCC hardware.
For information about dimensioning of the 5571 PCC (for example, CPU power, disk space, and memory size), refer
to the 5571 PCC Installation and User Guide.
You need to secure the server running an operational 5571 PCC system. Use the following guidelines to physically
secure the server:
• Remove any keyboards, screens, or serial consoles that are physically attached to the server.
• If possible, lock the front panel of the server and/or disk arrays to prevent access to power buttons and
drives.
• Remove any storage device such as a DVD player or tape device that is not required for operational use.
• Verify that the server is always running the latest firmware. For more information, contact the vendor of the
server.
• When using a Net Management connection such as ILOM or Lights Out, configure it for SSH instead of Telnet.
• Disable the USB devices. This can be done by unloading or blacklisting the usbcore or usb-storage kernel module.
Note
• Unloading the usbcore kernel module affects all USB hardware.
• Unloading usb-storage disables only external storage devices, for example USB flash drives.
• Disabling USB devices causes USB keyboards and mouse devices to stop working.
For more information about disabling USB devices, refer to the Red Hat Enterprise Linux documentation.
4 Network configuration
• Enhancing the networks
• NAT
• NAT router in the client network
• Network Firewall
4.1 Enhancing the networks
The 5571 PCC needs a reliable and high-performance network. Overall performance may decrease dramatically in
environments with sub-optimal networks.
4.2 NAT
The 5571 PCC can be used in networks that include Network Address Translation (NAT) routers.
However, some restrictions apply and not all configurations are supported. A restriction common to all supported
configurations is that no port translation is supported.
4.2.1 NAT router in the client network
The following configurations are supported for a NAT router in the client network:
• Client behind NAT router
• Server behind NAT router
In both setups, it is possible to have some clients directly connected to the server and others connected through a
NAT router.
The following figure shows the setup where the client is behind the NAT router. In this setup, the client can reach
the 5571 PCC server on its real IP address (172.31.1.1) and the server cannot reach the client.
Figure 1: Client behind NAT router
For example, the client is being run from a PC at home that is connected to the internet using an ADSL modem. This
setup works for 5571 PCC configurations.
The following figure shows a setup where the server is behind the NAT router. The server can reach the client using
the real client IP address. But the client cannot reach the server using the server IP address. In this setup, the NAT
router should contain specific rules to forward incoming connection requests to the correct 5571 PCC server. For
this setup to work, the ams.conf file of the server must be modified manually to show the public IP address of the
NAT router.
Figure 2: Server behind NAT router
4.3 Network Firewall
In the 5571 PCC, the firewall is updated automatically during installation. If there is an external firewall, appropriate
port access is required for communication between the components listed in the following tables:
Destination port | Protocol | Service | Interface
9999 | TCP, UDP | Regular JNP, RMI bind address | eth0
4447 | TCP | Jboss HA RMI | eth0
5001 | TCP | Remoting bisocket secondary connection port | eth0
5002 | TCP | Remoting bisocket SSL secondary connection port | eth0
5445 | TCP | Hornetq Remoting Netty | eth0
5455 | TCP | Hornetq Remoting Netty Batch | eth0
5446 | TCP | Hornetq Remoting Netty SSL | eth0
9876 | TCP, UDP | Hornetq discovery dg group1 port | eth0
8009 | TCP | AJP connector | eth0
8080 | TCP | HTTP | eth0
8443 | TCP | HTTPS | eth0
21 | TCP | FTP Service | all
928 to 939 | UDP | NE trace and debug | all
9001 | UDP | NE trap | all
162 | UDP | SNMP port | all
Table 1: Network ports
Destination port | Protocol | Secure | Service | Notes
123 | UDP | N/A | SNTP | Time Sync
Table 2: 5571 PCC port activity - PCC server to/from SNTP server
Destination port | Protocol | Secure | Service | Notes
514 | UDP | NO | SYSLOG | Sending User Activity Log to SYSLOG server. Port 514 is the default syslog port; it is assumed the default port is used. Otherwise, the appropriate port must be added to iptables in the PCC as well as in the firewall.
Table 3: 5571 PCC port activity - PCC server to SYSLOG server
Destination port | Protocol | Secure | Service | Notes
161 | UDP | YES/NO | SNMP v3/v2 | Management commands. Note: secured only when SNMP v3 communication is established.
22 | TCP | YES | SNMP v3/v2 | Secure CLI Communication, Secure ONT SW Upload to OLT, NE Database Backup/Restore
1022 | TCP | YES | SSH | Secure TL1 Communication
30 | TCP | YES | SSH | NE debugging over SSH. Supported only on ISAM R5.3.02 and ISAM R5.4.01. Supported configuration: 7360 ANSI: ANSI FANT-F
11130 | TCP | YES | SSH | NE debugging over SSH. Supported only on ISAM R5.4.01 or later. Supported configurations: 7360; 7360 ANSI: ANSI FANT-F
50023 to 50030 | TCP | YES | SSH | ONT debug interface. It uses SSH to communicate with the ONT through the OLT.
69 | UDP | NO | TFTP | NE Database Backup/Restore, NE Software Download, ONT Software Upload to NE. See the Note below the table.
23 | TCP/UDP | NO | Telnet / Trace & Debug | Telnet to NE / NE debugging. Not opening these ports on the firewall may lead to reduced or failing troubleshooting access, or a failure to perform an ISAM migration, or both.
928 to 939 | UDP | NO | Telnet | Not opening these ports on the firewall may lead to reduced or failing troubleshooting access, or a failure to perform an NE migration, or both.
13001 | UDP | NO | TL1 | TL1 communication over UDP.
Note (port 69):
• When you perform NE backup operations, SFTP provides better performance and a higher success rate than TFTP.
• Although options are provided for the services used by the software download and backup and restore activities, the service actually used depends on the protocols supported by the NE and the protocol selection strategy in the 5571 PCC. Customers can choose, as strategy, to use the protocol configured on the NE or the protocol selected on the 5571 PCC.
Table 4: 5571 PCC port activity - PCC server to NE
Destination port | Protocol | Secure | Service | Notes
22 | TCP | YES | SSH/SFTP | NE Database Backup/Restore, NE Software Download.
69 | UDP | NO | TFTP | NE Database Backup/Restore, NE Software Download. See the Note below the table.
928 to 939 | UDP | NO | Telnet | NE Debugging. Not opening these ports on the firewall may lead to reduced or failing troubleshooting access, or a failure to perform an ISAM migration, or both.
514 | UDP | NO | SYSLOG | Only applicable if the PCC acts as a SYSLOG server for NEs. Port 514 is the default syslog port; it is assumed the default port is used. Otherwise, the appropriate port must be added to iptables in the PCC as well as in the firewall.
Note (port 69):
• When you perform NE backup operations, SFTP provides better performance and a higher success rate than TFTP.
• Although options are provided for the services used by the software download and backup and restore activities, the service actually used depends on the protocols supported by the NE and the protocol selection strategy in the 5571 PCC. Customers can choose, as strategy, to use the protocol configured on the NE or the protocol selected on the 5571 PCC.
Table 5: 5571 PCC port activity - NE to PCC server
Destination port | Protocol | Secure | Service | Notes
123 | UDP | N/A | SNTP | Time Sync
Table 6: 5571 PCC port activity - NE to/from SNTP server
Destination port | Protocol | Secure | Service | Notes
389 | UDP | NO | LDAP | User Authentication
636 | TCP | YES | LDAPS | User Authentication
Table 7: 5571 PCC port activity - PCC server to LDAP/S Authenticator
Destination port | Protocol | Secure | Service | Notes
1812 | UDP | N/A | RADIUS | It is the default standard port.
Table 8: 5571 PCC port activity - PCC server to RADIUS Authenticator
Destination port | Protocol | Secure | Service | Notes
13001 | UDP | NO | TL1 |
Table 9: 5571 PCC port activity - TL1 gateway to NE
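The server-side ports of the first table in this section (Table 1, Network ports), turned into iptables INPUT rules so the external firewall and the PCC host can be kept consistent. This is an added example, not part of the Nokia guide; it assumes a default-DROP INPUT policy is configured elsewhere and only prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the Nokia guide: emit iptables INPUT rules for the
# server-side ports listed in the "Network ports" table of section 4.3.
# Row format: <port or first:last> <protocols, comma-separated> <interface|all>
# "all" means the rule is not bound to an interface; "TCP, UDP" rows give one
# rule per protocol. Assumes the INPUT chain defaults to DROP (set elsewhere).
PCC_PORTS='
9999    tcp,udp  eth0
4447    tcp      eth0
5001    tcp      eth0
5002    tcp      eth0
5445    tcp      eth0
5455    tcp      eth0
5446    tcp      eth0
9876    tcp,udp  eth0
8009    tcp      eth0
8080    tcp      eth0
8443    tcp      eth0
21      tcp      all
928:939 udp      all
9001    udp      all
162     udp      all
'

# Print one rule per (port, protocol) pair; nothing is applied to the kernel.
gen_rules() {
    printf '%s\n' "$PCC_PORTS" | while read -r port protos iface; do
        [ -n "$port" ] || continue          # skip blank lines of the table
        iface_opt=""
        [ "$iface" = "all" ] || iface_opt="-i $iface "
        for proto in $(printf '%s' "$protos" | tr ',' ' '); do
            printf 'iptables -A INPUT %s-p %s --dport %s -j ACCEPT\n' \
                "$iface_opt" "$proto" "$port"
        done
    done
}

# Number of rules produced: 15 rows, two of them TCP and UDP, so 17.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Stand-alone use: review the output, then feed it to sh once it is correct.
gen_rules
```

Compare the generated list against `iptables -S INPUT` on the installed PCC to confirm that the installer-created rules and the external firewall admit the same ports.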
5 Installing a secure server
• Physical setup
• Debugging
• Checklist
This chapter describes how to install a secure 5571 PCC server. The following figure shows the simplex setup to be
created.
Figure 3: Secure simplex setup
5.1 Physical setup
Guidelines for the physical setup are as follows:
1. Install the server according to guidelines provided by the manufacturer. Install the server in a server room
with access control.
2. Connect the cables to different controllers. Most servers are equipped with quad Ethernet ports on the main
board. If possible, insert another quad Ethernet board in a PCI slot. Connect one cable to the main board and
the other cable to the extender card.
3. The network management interface is used for management of the machine. To restrict access to the
network management, connect the interface to a different isolated network.
4. Verify that other cables or devices such as keyboards, consoles, or USB storage are not attached to the
server before you power on the server.
5. Verify whether the machine is reachable through remote management.
6. Perform all the tests. When the tests are successfully completed, lock the front of the machine and close the
cabinet, if possible.
5.2 Debugging
The most probable reasons for problems when you run the 5571 PCC are as follows:
• Not all services are running
• Firewall or TCP wrapper issues
5.3 Checklist
Secure networking
• Remove the default route.
• Remove the .rhosts files and disable rhosts authentication in PAM.
• Disable forwarding.
• Disable NFS.
• Enable tcp wrappers. For information about enabling tcp wrappers, refer to the chapter Basic operating system setup.
• Enable a firewall. For information about the 5571 PCC firewall, refer to the chapter Network configuration.
• Enable strong TCP sequence number generation.
User account settings
• Remove any unnecessary login accounts.
• Reduce the default PATH to the bare minimum, with no "." (current directory) entry.
• Set password rules.
Table 10: Checklist for server hardening