.. Modifications Copyright © 2017-2018 AT&T Intellectual Property.
.. Licensed under the Creative Commons License, Attribution 4.0 Intl.
   (the "License"); you may not use this documentation except in compliance
   with the License. You may obtain a copy of the License at
.. https://creativecommons.org/licenses/by/4.0/
.. Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
----------------------

The objective of this section is to provide the key security
requirements that need to be met by VNFs. The security requirements are
grouped into five areas as listed below. Other security areas will be
addressed in future updates. These security requirements are applicable
to all VNFs. Additional security requirements for specific types of VNFs
will be applicable and are outside the scope of these general
requirements.

Section 4.3 Security in *VNF Guidelines* outlines
the five broad security areas for VNFs that are detailed in the
subsections below. Requirements specific to cryptographic algorithms,
key lengths and certificate handling are collected in an additional
subsection, *VNF Cryptography Requirements*, at the end of this section.

- **VNF General Security**: This section addresses general security
  requirements for the VNFs that the VNF provider will need to address.

- **VNF Identity and Access Management**: This section addresses
  security requirements with respect to Identity and Access Management
  as these pertain to generic VNFs.

- **VNF API Security**: This section addresses the generic security
  requirements associated with APIs. These requirements are applicable
  to those VNFs that use standard APIs for communication and data
  exchange.

- **VNF Security Analytics**: This section addresses the security
  requirements associated with analytics for VNFs that deal with
  monitoring, data collection and analysis.

- **VNF Data Protection**: This section addresses the security
  requirements associated with data protection.
VNF General Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section provides details on the VNF general security requirements
in various security areas such as user access control, network security,
ACLs, infrastructure security, and vulnerability management. These
requirements cover topics associated with compliance, security patching,
logging/accounting, authentication, encryption, role-based access
control, and least privilege access/authorization. The following security
requirements need to be met by the solution in a virtual environment:

General Security Requirements

Integration and operation within a robust security environment is necessary
and expected. The security architecture will include one or more of the
following: IDAM (Identity and Access Management) for all system and
application access, code scanning, network vulnerability scans, OS,
database and application patching, malware detection and cleaning,
DDoS prevention, network security gateways (internal and external)
operating at various layers, host- and application-based tools for
security compliance validation, aggressive security patch application,
tightly controlled software distribution and change control processes,
and other state-of-the-art security solutions. The VNF is expected to
function reliably within such an environment; the developer is
expected to understand and accommodate such controls and can be expected
to supply responsive interoperability support and testing throughout
the product's lifecycle.
The VNF **MUST** implement and enforce the principle of least privilege
on all protected interfaces.

The VNF **MUST** provide a mechanism (e.g., access control list) to
permit and/or restrict access to services on the VNF by source,
destination, protocol, and/or port.

The VNF **SHOULD** provide a mechanism for performing automated
system configuration auditing at configurable time intervals.

The VNF **SHOULD** provide the capability for the Operator to run security
vulnerability scans of the operating system and all application layers.

The VNF **SHOULD** have its source code scanned using static analysis
tools (e.g., Fortify) and provide the resulting reports.

The VNF **MUST** have all code (e.g., QCOW2 images) and configuration files
(e.g., HEAT templates, Ansible playbooks, scripts) hardened, or ship with
documented recommended hardening configurations and interfaces that
allow the Operator to harden the VNF. Actions taken to harden a system
include disabling all unnecessary services and changing default values
such as default credentials and SNMP community strings.

The VNF **SHOULD** support Layer 3 VPNs that enable segregation of
traffic by application (e.g., AVPN, IPsec VPN for Internet routes).

The VNF **SHOULD** support the use of a virtual Trusted Platform Module
(vTPM).

The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
it can dynamically modify the firewall rules, ACL rules, QoS rules, and virtual
routing and forwarding rules.

The VNF Provider **MUST** have patches available for vulnerabilities
in the VNF as soon as possible. Patching shall be controlled via a change
control process, with vulnerabilities disclosed along with
mitigation recommendations.

The VNF **MUST** support encrypted access protocols (e.g., TLS).

The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the NCSP's credential management policy.

For all GUI and command-line interfaces, the VNF **MUST** provide the
ability to present a warning notice that is set by the Operator. A warning
notice is a formal statement of resource intent presented to everyone
who accesses the system.

The VNF **MUST** allow the Operator to disable or remove any security
testing tools or programs included in the VNF (e.g., a password cracker).

The VNF **MUST** provide functionality that enables the Operator to comply
with requests for information from law enforcement and government agencies.

The VNF **MUST NOT** allow vendor access to VNFs remotely.

:introduced: casablanca
:validation_mode: in_service

The VNF **MUST** log any security event required by the VNF Requirements to
Syslog, using the LOG_AUTHPRIV facility for any event that would contain
sensitive information and LOG_AUTH for all other relevant events. Syslog
daemons are conventionally configured to write LOG_AUTHPRIV to a more
restrictively permissioned file than LOG_AUTH, which is what keeps the
sensitive records away from ordinary users of the host.
VNF Identity and Access Management Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The following security requirements for logging, identity, and access
management need to be met by the solution in a virtual environment:

Identity and Access Management Requirements

The VNF **MUST** allow the creation of multiple IDs so that
individual accountability can be supported.

The VNF **MUST** allow the Operator to restrict access based on
the assigned permissions associated with an ID in order to support
Least Privilege (no more privilege than required to perform job
functions).

Each layer of the VNF **MUST** support access restriction
independently of all other layers so that Segregation of Duties
can be enforced.

The VNF **MUST NOT** allow the assumption of the permissions of
another account to mask individual accountability.

The VNF **MUST** provide minimum privileges for initial
and default settings for new user accounts.

The VNF **MUST** set the default settings for user access
to deny authorization, except for a super user type of account.
When a VNF is added to the network, nothing should be able to use
it until the super user configures the VNF to allow other users
(human and application) to have access.

The VNF **MUST** apply greater restrictions for access and
execution, such as multi-factor authentication (up to three factors) and
restricted authorization, for commands affecting network services, such as
commands relating to VNFs.

The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.

The VNF **MUST** provide access controls that allow the Operator
to restrict access to VNF functions and data to authorized entities.

The VNF **SHOULD** support OAuth 2.0 authorization using an external
Authorization Server.

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, support configurable password expiration.

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, support Role-Based Access Control to enforce
Least Privilege.

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, comply with the "password complexity" policy. When
passwords are used, they shall be complex and shall at least meet the
following password construction requirements: (1) be a minimum configurable
number of characters in length, (2) include 3 of the 4 following types of
characters: upper-case alphabetic, lower-case alphabetic, numeric, and
special, (3) not be the same as the UserID with which they are associated
or other common strings as specified by the environment, (4) not contain
repeating or sequential characters or numbers, (5) not use special
characters that may have command functions, and (6) new passwords must
not contain sequences of three or more characters from the previous
password.

The VNF **MUST**, if not integrated with the Operator's Identity
and Access Management system, support the ability to disable the
userID after a configurable number of consecutive unsuccessful
authentication attempts using the same userID.
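The six construction rules above are easy to state and easy to get subtly wrong: rule (3) with an empty user ID would match every password, and rule (4) has to catch descending runs ("321") as well as repeats and ascending ones. The following Go program is an added example written for this page, not code from ONAP or from any VNF provider. The minimum length of 12, the forbidden-string list and the set of command characters are assumptions that an Operator would replace with its own policy values.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// PasswordPolicy implements the six construction rules for a VNF that is not
// integrated with the Operator's IDAM. All values here are example assumptions.
type PasswordPolicy struct {
	MinLength    int      // rule (1): configurable minimum length
	CommandChars string   // rule (5): characters with shell or command meaning
	Forbidden    []string // rule (3): the user ID and other environment-specific strings
}

func DefaultPolicy(userID string) PasswordPolicy {
	return PasswordPolicy{
		MinLength:    12,
		CommandChars: "`$;|&<>\\\"'",
		Forbidden:    []string{userID, "password", "welcome"},
	}
}

// Check returns one message per violated rule; an empty result means the
// candidate is acceptable. previous is the password being replaced.
func (p PasswordPolicy) Check(candidate, previous string) []string {
	var violations []string
	add := func(violated bool, msg string) {
		if violated {
			violations = append(violations, msg)
		}
	}
	lower := strings.ToLower(candidate)
	forbidden := false
	for _, f := range p.Forbidden {
		forbidden = forbidden || (f != "" && strings.Contains(lower, strings.ToLower(f))) // "" would match everything
	}
	add(len([]rune(candidate)) < p.MinLength, fmt.Sprintf("rule 1: fewer than %d characters", p.MinLength))
	add(characterClasses(candidate) < 3, "rule 2: fewer than 3 of upper/lower/digit/special")
	add(forbidden, "rule 3: contains the user ID or another forbidden string")
	add(hasRun(candidate, 3), "rule 4: 3 or more repeating or sequential characters")
	add(strings.ContainsAny(candidate, p.CommandChars), "rule 5: contains a character with command meaning")
	add(sharesSubstring(candidate, previous, 3), "rule 6: shares 3 or more consecutive characters with the previous password")
	return violations
}

// characterClasses counts how many of upper, lower, digit and special occur in s.
func characterClasses(s string) int {
	var upper, lower, digit, special int
	for _, r := range s {
		switch {
		case unicode.IsUpper(r):
			upper = 1
		case unicode.IsLower(r):
			lower = 1
		case unicode.IsDigit(r):
			digit = 1
		default:
			special = 1
		}
	}
	return upper + lower + digit + special
}

// hasRun reports whether s contains n consecutive characters that are all
// identical ("aaa") or form a strictly ascending or descending sequence ("abc", "321").
func hasRun(s string, n int) bool {
	r := []rune(s)
	for i := 0; i+n <= len(r); i++ {
		same, asc, desc := true, true, true
		for j := i + 1; j < i+n; j++ {
			d := r[j] - r[j-1]
			same, asc, desc = same && d == 0, asc && d == 1, desc && d == -1
		}
		if same || asc || desc {
			return true
		}
	}
	return false
}

// sharesSubstring reports whether any n-character window of a occurs in b.
func sharesSubstring(a, b string, n int) bool {
	ra := []rune(a)
	for i := 0; i+n <= len(ra); i++ {
		if strings.Contains(b, string(ra[i:i+n])) {
			return true
		}
	}
	return false
}

func main() {
	p := DefaultPolicy("alice")
	fmt.Println(p.Check("alice123", "Summer2023!"))      // constructed inputs, not real credentials
	fmt.Println(p.Check("Tr0ub4dor#3qwm", "Summer2023!"))
}
```

Rule (6) is checked case-sensitively and on raw code points, which is the strict reading of the requirement; a deployment that wants to treat "Sum" and "sum" as the same sequence would lower-case both arguments before calling sharesSubstring.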
The VNF **MUST**, if not integrated with the Operator's identity and
access management system, authenticate all access to protected GUIs, CLIs,
and APIs.

The VNF **MUST** integrate with standard identity and access management
protocols such as LDAP, TACACS+, Windows Integrated Authentication
(Kerberos), SAML federation, or OAuth 2.0.
VNF API Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers API security requirements when APIs are used by the
VNFs. Key security areas covered in API security are Access Control,
Authentication, Passwords, PKI Authentication, Alarming, Anomaly
Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
Cryptography, Business Continuity, Biometric Authentication,
Identification, Confidentiality and Integrity, and Denial of Service.

The solution in a virtual environment needs to meet the following API
security requirements:

The VNF **SHOULD** integrate with the Operator's authentication and
authorization services (e.g., IDAM).

The VNF **MUST** implement the following input validation
control: check the size (length) of all input. Do not permit an amount
of input so great that it would cause the VNF to fail. Where the input
may be a file, the VNF API must enforce a size limit.

The VNF **MUST** implement the following input validation control:
do not permit input that contains content or characters inappropriate
to the input expected by the design. Inappropriate input, such as
SQL expressions, may cause the system to execute undesirable and
unauthorized transactions against the database or allow other
inappropriate access to the internal network (injection attacks).

The VNF **MUST** implement the following input validation control
on APIs: validate that any input file has a correct and valid
Multipurpose Internet Mail Extensions (MIME) type. Input files
should be tested for spoofed MIME types, i.e., the declared type must be
checked against the actual file content rather than trusted as sent.
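The three input validation controls above, implemented together as an added Go example (not code from this page or from ONAP). It uses the standard library's http.DetectContentType, which applies the WHATWG MIME sniffing algorithm to at most the first 512 bytes, to compare the declared Content-Type with what the bytes actually are. The size limits, the allow-list of accepted upload types and the hostname-like field format are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Limits are assumptions for this example; the Operator configures them.
const (
	MaxFieldLen = 256     // longest accepted value for a single API field
	MaxFileSize = 1 << 20 // 1 MiB cap on uploaded files
)

var (
	ErrTooLong      = errors.New("input exceeds the configured size limit")
	ErrBadChars     = errors.New("input contains characters the field design does not permit")
	ErrMIMEMismatch = errors.New("declared MIME type is not backed by the file content")
)

// ValidateIdentifier enforces controls 1 and 2 for a hypothetical hostname-like
// field: a length cap, then a narrow allow-list of [A-Za-z0-9.-]. Quotes, spaces,
// semicolons and comment markers are rejected, so an SQL expression such as
// ' OR 1=1 -- never reaches the query layer from this field.
func ValidateIdentifier(s string) error {
	if len(s) > MaxFieldLen {
		return ErrTooLong
	}
	if s == "" {
		return fmt.Errorf("%w: empty value", ErrBadChars)
	}
	for _, r := range s {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && r != '.' && r != '-' {
			return fmt.Errorf("%w: %q", ErrBadChars, r)
		}
	}
	return nil
}

// acceptedTypes is the allow-list of declared types this API takes, each mapped
// to the sniffed types that may legitimately back it (assumed for the example).
var acceptedTypes = map[string][]string{
	"image/png":       {"image/png"},
	"image/jpeg":      {"image/jpeg"},
	"application/pdf": {"application/pdf"},
}

// ValidateUpload enforces the file size limit, then checks the declared
// Content-Type against http.DetectContentType, which sniffs the leading bytes.
// A shell script or HTML page uploaded as "image/png" is rejected here even
// though its declared type is on the allow-list. The sniffed type is returned
// so the caller can log what was actually sent.
func ValidateUpload(declared string, content []byte) (string, error) {
	if len(content) > MaxFileSize {
		return "", ErrTooLong
	}
	declared = strings.ToLower(strings.TrimSpace(strings.Split(declared, ";")[0]))
	backing, ok := acceptedTypes[declared]
	if !ok {
		return "", fmt.Errorf("%w: %q is not an accepted type", ErrMIMEMismatch, declared)
	}
	sniffed := strings.Split(http.DetectContentType(content), ";")[0]
	for _, b := range backing {
		if b == sniffed {
			return sniffed, nil
		}
	}
	return sniffed, fmt.Errorf("%w: declared %q, content sniffs as %q", ErrMIMEMismatch, declared, sniffed)
}

func main() {
	// Constructed sample inputs: a genuine PNG header and a script disguised as one.
	png := []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	script := []byte("#!/bin/sh\nrm -rf /var/lib/vnf\n")
	fmt.Println(ValidateIdentifier("vnf-01.example.net"), ValidateIdentifier("x' OR 1=1 --"))
	fmt.Println(ValidateUpload("image/png", png))
	fmt.Println(ValidateUpload("image/png; charset=binary", script))
}
```

Sniffing is a coarse check: it tells a PNG from a shell script, not a well-formed PNG from a malformed one, so a real upload path still hands the bytes to a hardened decoder after this gate.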
VNF Security Analytics Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF security analytics requirements that are mostly
applicable to security monitoring. VNF Security Analytics covers the
collection and analysis of data in the following key areas of security:

- Anti-virus software

- API based monitoring

- Detection and notification

- Resource exhaustion detection

- Proactive and scalable monitoring

- Mobility and guest VNF monitoring

- Closed loop monitoring

- Interfaces to management and orchestration

- Malformed packet detections

- Dynamic security control

- Dynamic load balancing

- Connection attempts to inactive ports (malicious port scanning)

The following requirements of security monitoring need to be met by the
solution in a virtual environment.

Security Analytics Requirements

The VNF **MUST** support real-time detection and
notification of security events.

The VNF **MUST** support integration functionality via
API/Syslog/SNMP to other functional modules in the network (e.g.,
PCRF, PCEF) that enable dynamic security control by blocking
malicious traffic or malicious end users.

The VNF **MUST** support API-based monitoring to take care of
the scenarios where the control interfaces are not exposed, or are
optimized and proprietary in nature.

The VNF **MUST** support detection of malformed packets due to
software misconfiguration or software vulnerability.

The VNF **MUST** support proactive monitoring to detect and
report attacks on resources so that the VNFs and associated VMs can
be isolated, such as detection techniques for resource exhaustion, namely
OS resource attacks, CPU attacks, consumption of kernel memory, and
exhaustion of local storage.

The VNF **MUST** operate with anti-virus software which produces
alarms every time a virus is detected.

The VNF **MUST** protect all security audit logs (including
API, OS and application-generated logs), security audit software, data,
and associated documentation from modification or unauthorized viewing,
by standard OS access control mechanisms and/or by sending them to a
remote system.

The VNF **MUST** log successful and unsuccessful authentication
attempts, e.g., authentication associated with a transaction,
authentication to create a session, authentication to assume elevated
privileges.

The VNF **MUST** log logoffs.

The VNF **MUST** log starting and stopping of security logging.

The VNF **MUST** log successful and unsuccessful creation, removal, or
change to the inherent privilege level of users.

The VNF **MUST** log connections to the network listeners of the VNF.

The VNF **MUST** log the field "event type" in the security audit logs.

The VNF **MUST** log the field "date/time" in the security audit logs.

The VNF **MUST** log the field "protocol" in the security audit logs.

The VNF **MUST** log the field "service or program used for access"
in the security audit logs.

The VNF **MUST** log the field "success/failure" in the
security audit logs.

The VNF **MUST** log the field "Login ID" in the security audit logs.

The VNF **MUST NOT** include an authentication credential,
e.g., password, in the security audit logs, even if encrypted.
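The logging requirements above (facility selection between LOG_AUTHPRIV and LOG_AUTH from the General Security subsection, the six mandatory audit fields, and the ban on credentials in logs) together with the consecutive-failure alarm requirement that follows are implemented in the Go program below. It is an added example for this page, not ONAP code. It computes the syslog PRI value (facility*8 + severity) itself rather than opening /dev/log, so it runs anywhere; the structured-data field names, the hostname and the sample events are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Syslog facility and severity codes from RFC 5424 and <syslog.h>.
const (
	facAuth     = 4  // LOG_AUTH
	facAuthPriv = 10 // LOG_AUTHPRIV
	sevWarning  = 4
	sevNotice   = 5
)

// AuditEvent carries the fields the requirements above make mandatory.
type AuditEvent struct {
	Type      string // event type, e.g. "authn" (login) or "authz" (privilege change)
	Time      time.Time
	Protocol  string // e.g. "ssh", "https"
	Service   string // service or program used for access
	Success   bool
	LoginID   string
	Sensitive bool              // true when the record carries sensitive information
	Extra     map[string]string // free-form detail; this is where credentials leak in
}

// secretKeys are field names whose values must never be logged, not even encrypted.
var secretKeys = map[string]bool{"password": true, "passwd": true, "token": true, "secret": true}

// Priority returns the syslog PRI value (facility*8 + severity): LOG_AUTHPRIV
// for sensitive events, LOG_AUTH otherwise; failures are raised to warning.
func Priority(e AuditEvent) int {
	facility, severity := facAuth, sevNotice
	if e.Sensitive {
		facility = facAuthPriv
	}
	if !e.Success {
		severity = sevWarning
	}
	return facility*8 + severity
}

// Format renders the event as an RFC 5424 style line with the mandatory fields in
// a structured-data element. Extra is emitted in sorted order; a credential field
// is dropped outright rather than masked or hashed.
func Format(e AuditEvent, hostname string) string {
	result := map[bool]string{true: "success", false: "failure"}[e.Success]
	var sb strings.Builder
	fmt.Fprintf(&sb, "<%d>1 %s %s %s - - [audit type=%q protocol=%q result=%q login=%q",
		Priority(e), e.Time.UTC().Format(time.RFC3339), hostname, e.Service,
		e.Type, e.Protocol, result, e.LoginID)
	keys := make([]string, 0, len(e.Extra))
	for k := range e.Extra {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if secretKeys[strings.ToLower(k)] {
			fmt.Fprintf(&sb, " %s=\"[removed]\"", k)
			continue
		}
		fmt.Fprintf(&sb, " %s=%q", k, e.Extra[k])
	}
	sb.WriteString("] -")
	return sb.String()
}

// FailureAlarm raises a security alarm when a configurable number of consecutive
// unsuccessful logins for one ID has occurred; a success resets the streak.
type FailureAlarm struct {
	Threshold int
	streak    map[string]int
}

func NewFailureAlarm(threshold int) *FailureAlarm {
	return &FailureAlarm{Threshold: threshold, streak: map[string]int{}}
}

// Observe returns true exactly once, on the authentication event that reaches the threshold.
func (f *FailureAlarm) Observe(e AuditEvent) bool {
	if e.Type != "authn" {
		return false
	}
	if e.Success {
		f.streak[e.LoginID] = 0
		return false
	}
	f.streak[e.LoginID]++
	return f.streak[e.LoginID] == f.Threshold
}

func main() {
	// Constructed sample: a failed SSH login whose client put a password in a field.
	ev := AuditEvent{Type: "authn", Time: time.Now(), Protocol: "ssh", Service: "sshd", LoginID: "alice",
		Sensitive: true, Extra: map[string]string{"src": "198.51.100.7", "password": "hunter2"}}
	fmt.Println(Format(ev, "vnf-01"))
}
```

The same per-ID streak counter that raises the alarm can drive the account-disable requirement from the Identity and Access Management subsection; the two requirements differ only in the threshold and in the action taken when it is reached.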
The VNF **MUST** detect when its security audit log storage
medium is approaching capacity (configurable) and issue an alarm.

The VNF **MUST** support the capability of online storage of
security audit logs.

The VNF **MUST** activate security alarms automatically when
a configurable number of consecutive unsuccessful login attempts
occur.

The VNF **MUST** activate security alarms automatically when
it detects the successful modification of a critical system or
application file.

The VNF **MUST** activate security alarms automatically when
it detects an unsuccessful attempt to gain permissions
or assume the identity of another user.

The VNF **MUST** include the field "date" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "time" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "service or program used for
access" in the Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "success/failure" in the
Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "Login ID" in the Security
alarms (where applicable and technically feasible).

The VNF **MUST** restrict changing the criticality level of a
system security alarm to users with administrative privileges.

The VNF **MUST** monitor API invocation patterns to detect
anomalous access patterns that may represent fraudulent access or other
types of attacks, or integrate with tools that implement anomaly and
abuse detection.

The VNF **MUST** generate security audit logs that can be sent
to Security Analytics Tools for analysis.

The VNF **MUST** log successful and unsuccessful access to VNF
resources, including data.

The VNF **MUST** support the storage of security audit logs
for an agreed period of time for forensic analysis.

The VNF **MUST** have security logging for VNFs and their
OSs active from initialization. Audit logging includes automatic
routines to maintain activity records and cleanup programs to ensure
the integrity of the audit/logging systems.

The VNF **MUST** be implemented so that it is not vulnerable to the OWASP
Top 10 web application security risks.

The VNF **MUST** protect against all denial of service
attacks, both volumetric and non-volumetric, or integrate with external
denial of service protection tools.
VNF Data Protection Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF data protection requirements, which are mostly
applicable to protecting data at rest and in transit.

Data Protection Requirements

The VNF **MUST** provide the capability to restrict read
and write access to data handled by the VNF.

The VNF **MUST** provide the capability to encrypt data in
transit on a physical or virtual network.

The VNF **MUST** provide the capability to encrypt data on
non-volatile memory. Non-volatile memory is storage that is
capable of retaining data without electrical power, e.g.,
flash memory, solid-state drives or hard drives.

The VNF **SHOULD** disable the paging of the data requiring
encryption, if possible, where the encryption of non-transient data is
required on a device for which the operating system performs paging to
virtual memory. If it is not possible to disable the paging of the data
requiring encryption, the virtual memory (swap) should be encrypted.

The VNF **MUST** use NIST and industry standard cryptographic
algorithms and standard modes of operation when implementing
cryptography.

The VNF **MUST NOT** use broken or deprecated cryptographic algorithms,
for example MD5, the original SHA (now called SHA-0) and SHA-1, DSA at the
1024-bit parameter sizes of the original DSS, and Skipjack. MD5 and SHA-1
are hash functions rather than encryption algorithms, but the prohibition
covers every cryptographic use, including digital signatures and integrity
checks. Acceptable algorithms can be found in the NIST FIPS publications
(https://csrc.nist.gov/publications/fips) and in the
NIST Special Publications (https://csrc.nist.gov/publications/sp).

The VNF **MUST** use, whenever possible, standard implementations
of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH,
IPsec, X.509 digital certificates for cryptographic implementations.
These implementations must be purchased from reputable vendors or obtained
from reputable open source communities and must not be developed in-house.

The VNF **MUST** provide the ability to migrate to newer
versions of cryptographic algorithms and protocols with minimal impact.

The VNF **MUST** support digital certificates that comply with the X.509
standard.

The VNF **MUST NOT** use keys generated or derived from
predictable functions or values, e.g., values considered predictable
include user identity information, time of day, stored/transmitted data.
Key material must come from the operating system's cryptographic random
number generator (e.g., getrandom(2) or /dev/urandom on Linux), not from
a general-purpose pseudo-random generator seeded with the clock.

The VNF **MUST** provide the capability of using X.509 certificates
issued by an external Certificate Authority.

The VNF **MUST** be capable of protecting the confidentiality and integrity
of data at rest and in transit from unauthorized access and modification.
VNF Cryptography Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF cryptography requirements that are mostly
applicable to encryption algorithms and protocol methods.

The VNF **SHOULD** support an automated certificate management protocol
such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or
Automated Certificate Management Environment (ACME).

The VNF **SHOULD** provide the capability to integrate with an
external encryption service.

:updated: casablanca

The VNF **MUST** use symmetric keys of at least 112 bits in length.
112 bits is the minimum security strength NIST permits and corresponds
to three-key Triple DES; AES-128 or stronger is the expected choice for
new deployments.

:updated: casablanca

The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
This length applies to RSA, DSA and finite-field Diffie-Hellman keys,
whose 2048-bit size provides 112-bit security strength; an elliptic-curve
key is much shorter for the same strength (a 256-bit P-256 key provides
128-bit security).

:updated: casablanca

The VNF **MUST** provide the capability to configure encryption
algorithms or devices so that they comply with the laws of the jurisdiction
in which there are plans to use data encryption.

:updated: casablanca

The VNF **MUST** provide the capability of allowing certificate
renewal and revocation.

:updated: casablanca

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the CA signature on the certificate.

:updated: casablanca

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating that the date the certificate is being
used is within the validity period for the certificate.

:updated: casablanca

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by checking the Certificate Revocation
List (CRL) for certificates of that type to ensure that the
certificate has not been revoked.

:updated: casablanca

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by recognizing the identity represented
by the certificate, the "distinguished name".
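The four certificate validity tests above (CA signature, validity period, CRL lookup, identity), as an added Go example that is not ONAP code. It generates a throwaway CA, leaf certificate and CRL in memory with ECDSA P-256 keys so the checks run offline; the names, serial numbers and lifetimes are assumptions. Identity is matched against the certificate's subject alternative name, which is what current clients check, with the subject distinguished name still available on the parsed certificate for display and policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lab is a throwaway CA, leaf and CRL generated in memory (all values assumed).
type Lab struct {
	CA, Leaf *x509.Certificate
	CRL      []byte // DER-encoded CRL signed by CA
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewLab issues a P-256 root CA and a server leaf, then signs a CRL that lists
// the leaf as revoked when revokeLeaf is set.
func NewLab(revokeLeaf bool) *Lab {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Operator Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "vnf-01.example.net"},
		DNSNames:     []string{"vnf-01.example.net"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(leafDER)
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	return &Lab{CA: ca, Leaf: leaf, CRL: crl}
}

// CheckCert applies the four tests the requirements list. Verify covers the CA
// signature (chain building to the trusted root), the validity period at time
// `at`, and the identity (expectName against the subject alternative names);
// the CRL is then checked for the CA's signature, freshness and the leaf's serial.
func CheckCert(leaf, ca *x509.Certificate, crlDER []byte, expectName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, DNSName: expectName}); err != nil {
		return fmt.Errorf("signature, validity period or identity check failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if at.After(rl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; a stale list must not be trusted")
	}
	for _, r := range rl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

func main() {
	lab, now := NewLab(false), time.Now()
	fmt.Println("valid:", CheckCert(lab.Leaf, lab.CA, lab.CRL, "vnf-01.example.net", now))
	fmt.Println("wrong name:", CheckCert(lab.Leaf, lab.CA, lab.CRL, "evil.example.net", now))
	revoked := NewLab(true)
	fmt.Println("revoked:", CheckCert(revoked.Leaf, revoked.CA, revoked.CRL, "vnf-01.example.net", now))
}
```

Two details matter in practice: the CRL's own signature is verified against the issuing CA before its contents are consulted, since an attacker who can substitute a CRL could otherwise "un-revoke" a certificate, and a CRL past its NextUpdate is treated as a failure rather than as "nothing revoked".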
:updated: casablanca

The VNF **MUST** support HTTPS using TLS v1.2 or higher
with strong cryptographic ciphers (e.g., ECDHE key exchange with AES-GCM
or ChaCha20-Poly1305; no RC4, 3DES, NULL or export suites).

:updated: casablanca

The VNF **MUST** support the use of X.509 certificates issued from any
Certificate Authority (CA) that is compliant with RFC 5280, e.g., a public
CA such as DigiCert or Let's Encrypt, or an RFC 5280 compliant Operator
CA.

Note: The VNF provider cannot require the use of self-signed certificates
in an Operator's run time environment.