Parental Control (+)

3

N°

Requirement

R331. Access restrictions in the HG MUST be able to be set up via the LM Remote UI by the

HG administrator based on device, time of day and application type, and arbitrary combinations thereof

S*

R332. The above access restrictions MUST be enforced in the HG S*

R333. It MUST be possible to enable/disable the parental control function in a HG from the

ACS.

S*

R334. The Parental control function MUST NOT be applied to Guest Access devices S*

R335. The HG MUST be able to be configured with the URLs of external servers (such as a

Parental Control Proxy) by the ACS or the LM Remote UI

S*

R336. The parental control function MUST restrict access as per the PCP, if the PCP is active.

This means blocking the service request and sending a ‘deny information’ to the device if it is browser based

S*

R337. The Parental Control Profile (PCP) MUST only be accessible and editable by the HG

local administrator and via the LM Remote UI.

S*

R338. The default value of the PCP MUST be unrestricted access S*

R339. On deactivation of the PCP, the settings in the PCP MUST be maintained. S*

R340. The HG MUST compile a log file tracking the blocking activity with reference to the

applications/protocols used. In the case of access through a HTTP browser the HG MUST also send a notification to the end device from which the HTTP request has been sent.

S*

R341. The Parental Control Profile in HG SHOULD allow the local administrator to associate

devices with pre-defined device groups based on sets of identified devices with defined access rights. In this case, the local administrator must be able to edit the device group name using the LM Remote UI.

+*

Home Gateway Technical Requirements: Residential Profile

Page 94 of 125 © Home Gateway Initiative – 2008 – All rights reserved 8.9.2 Firewalling

1

8.9.2.1 Firewall management 2

The RMS has to remotely manage the internal firewall of the HG. To implement this 3

operation, the RMS downloads to the HG an XML file. This file integrates the basic firewall 4

configuration that includes the HIGH and LOW configurations (see Security Section for more 5

details) 6

DSL Forum TR-069 provides mechanisms for configuration file downloads. However, some 7

additional mechanisms and specifications are needed to fully support the HGI requirements. 8

N°

Requirement

R342. The HG firewall parameters MUST be configurable via the RMS. If this is done using a

file, then the HG MUST only use the Download RPC defined in DSL Forum TR-069.

S

R343.

The version number of the firewall file MUST be readable by the RMS to determine if an update is necessary. The HG MUST support the VendorConfigFile objects defined in the TR-098, indicating the name and the version of the basic firewall configuration. (Note: this VendorConfigFile is not included in the Baseline:1 profile).

S

R344. The status (HIGH, LOW) of the firewall of the HG MUST be readable by the RMS. S

R345.

The HG MUST support the vendor specific parameters described in the following table for remote firewall configuration via the RMS. The names of the parameters are descriptive and left to DSL Forum to be further defined.

S

9

Name Description

FWConfig Vendor specific objects about the firewall

Status Indicates the status of the firewall. Enumeration of:

“LOW” “HIGH”

Date Date and time when the status of the firewall was modified

10

N°

Requirement

R346. A stateful firewall MUST be implemented performing security control of any incoming

flow entering the HN through the HG (note: this does not apply to bridged traffic)

Home Gateway Technical Requirements: Residential Profile

Page 95 of 125 © Home Gateway Initiative – 2008 – All rights reserved

N°

Requirement

R347.

At least the following basic firewall configuration MUST be supported by the HG: • Configuration HIGH: DROP by default

• WAN --> LAN: to refuse TCP SYN, to refuse connections INVALID, NEW, RELATED in TCP, UDP and ICMP; to authorize already established connections (and known by the stateful firewall)

• LAN --> WAN: to authorize known ports: o 25 – SMTP o 80 – HTTP o 109 (TCP) - POP2 o 443 – SSL o 587 – ESMTP o 995 (TCP) - POP3 o 123 - NTP o 587 - ESMTP

• to refuse ports 109/UDP, 110/UDP and WINS

S

R348.

A second alternative basic firewall configuration SHOULD be supported by the HG • Configuration LOW: ACCEPT by default

o WAN --> LAN: to refuse ports 137, 138, 139 (NETBIOS) o LAN --> WAN: all authorized.

+

R349. DMZ support MUST be provided by the firewall in cooperation with the routing and

address translation (NAT) or port address translation (PAT) capabilities of the HG.

S

R350.

The HG MUST reject packets from the WAN with MAC addresses of devices on the local LAN or invalid IP addresses (e.g. broadcast addresses, private IP addresses or IP Addresses matching those assigned to the LAN Segment).

S

R351. The HG MUST reject any unidentified Ethernet packets (i.e. any packet that is not

associated with IP or PPPoE protocols).

S

R352. The firewall configuration MUST be able to be remotely configured by a BSP via CWMP. S

R353. For Guest Access traffic the HG MUST provide Denial of Service protection only (i.e. no

other firewalling will be enabled for the Guest traffic).

S

8.10

Quality of Service

1

This section specifies the QoS datapath functions which need to be supported by the HG, 2

and the QoS management objects which are used to configure QoS policy within the HG. Core 3

QoS traffic management functions include classification, marking, congestion management, 4

queuing, shaping, and egress scheduling. 5

Home Gateway Technical Requirements: Residential Profile

Page 96 of 125 © Home Gateway Initiative – 2008 – All rights reserved Figure 21 shows a conceptual view of the core QoS traffic management functions as packets 1

are received from the LAN ingress ports or from internal HG sources. This diagram is not meant to 2

determine the implementation structure of the QoS functions nor those of the related datapath 3 functions. 4 5 Classifica tion D SCP & L2 Marking WAN Class shaping & queuing WAN Port Scheduler & Shaper WAN Egress 1 Upstream Congestion Management LAN Queuing LAN Ports Scheduler LAN Egress 1 LAN Congestion Management LAN Egress 2 LAN Egress n HG traffic sink Bridging, NAT/ Routing, Firewall HG traff ic source WAN Egress 2 WAN Egress n LAN Ingress 1 LAN Ingress 2 LAN Ingress n 6

Figure 21 QoS Functions from LAN Ingress 7

8

Figure 22 shows a conceptual view of the core QoS traffic management functions as packets 9

are received from the WAN ingress ports. Note that while these are logical WAN ports, there is only 10

one Physical WAN port. This diagram is not meant to determine the implementation structure of the 11

QoS functions nor those of the related datapath functions. 12 13 Classifica tion DSCP & L2 Marking LAN Queuing LAN Ports Scheduler LAN Egress 1 LAN Congestion Management LAN Egress 2 LAN Egress n HG traffic sink Bridging, NAT/ Routing, Firewall WAN Ingress 1 WAN Ingress 2 WAN Ingress n 14

Figure 22 QoS Functions from WAN Ingress 15

16

These functions are described in turn below. 17

18

8.10.1 Classification of traffic