.. Modifications Copyright © 2017-2018 AT&T Intellectual Property.

.. Licensed under the Creative Commons License, Attribution 4.0 Intl.
   (the "License"); you may not use this documentation except in compliance
   with the License. You may obtain a copy of the License at

.. https://creativecommons.org/licenses/by/4.0/

.. Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

----------------------

The objective of this section is to provide the key security
requirements that need to be met by VNFs. The security requirements are
grouped into five areas as listed below. Other security areas will be
addressed in future updates. These security requirements are applicable
to all VNFs. Additional security requirements for specific types of VNFs
will be applicable and are outside the scope of these general

Section 4.3 Security in *VNF Guidelines* outlines
the five broad security areas for VNFs that are detailed in the

- **VNF General Security**: This section addresses general security
  requirements for the VNFs that the VNF provider will need to address.

- **VNF Identity and Access Management**: This section addresses
  security requirements with respect to Identity and Access Management
  as these pertain to generic VNFs.

- **VNF API Security**: This section addresses the generic security
  requirements associated with APIs. These requirements are applicable
  to those VNFs that use standard APIs for communication and data

- **VNF Security Analytics**: This section addresses the security
  requirements associated with analytics for VNFs that deal with
  monitoring, data collection and analysis.

- **VNF Data Protection**: This section addresses the security
  requirements associated with data protection.

VNF General Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section provides details on the VNF general security requirements
on various security areas such as user access control, network security,
ACLs, infrastructure security, and vulnerability management. These
requirements cover topics associated with compliance, security patching,
logging/accounting, authentication, encryption, role-based access
control, least privilege access/authorization. The following security
requirements need to be met by the solution in a virtual environment:

General Security Requirements

Integration and operation within a robust security environment is necessary
and expected. The security architecture will include one or more of the
following: IDAM (Identity and Access Management) for all system and
applications access, Code scanning, network vulnerability scans, OS,
Database and application patching, malware detection and cleaning,
DDoS prevention, network security gateways (internal and external)
operating at various layers, host and application based tools for
security compliance validation, aggressive security patch application,
tightly controlled software distribution and change control processes
and other state of the art security solutions. The VNF is expected to
function reliably within such an environment and the developer is
expected to understand and accommodate such controls and can be expected
to supply responsive interoperability support and testing throughout
the product's lifecycle.

The VNF **MUST** implement and enforce the principle of least privilege
on all protected interfaces.

The VNF **MUST** provide a mechanism (e.g., access control list) to
permit and/or restrict access to services on the VNF by source,
destination, protocol, and/or port.

The VNF **SHOULD** provide a mechanism that enables the operators to
perform automated system configuration auditing at configurable time

The VNF provider **MUST** follow GSMA vendor practices and SEI CERT Coding
Standards when developing the VNF in order to minimize the risk of
vulnerabilities. See GSMA NESAS Network Equipment Security Assurance Scheme –
Development and Lifecycle Security Requirements Version 1.0
(https://www.gsma.com/security/wp-content/uploads/2019/11/FS.16-NESAS-Development-and-Lifecycle-Security-Requirements-v1.0.pdf)
and SEI CERT Coding Standards
(https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards).

The VNF **MUST** have all code (e.g., QCOW2) and configuration files
(e.g., HEAT template, Ansible playbook, script) hardened, or with
documented recommended configurations for hardening and interfaces that
allow the Operator to harden the VNF. Actions taken to harden a system
include disabling all unnecessary services, and changing default values
such as default credentials and community strings.

The VNF **SHOULD** support the separation of (1) signaling and payload traffic
(i.e., customer facing traffic), (2) operations, administration and management
traffic, and (3) internal VNF traffic (i.e., east-west traffic such as storage
access) using technologies such as VPN and VLAN.

The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
routing and forwarding rules. This does not preclude the VNF providing other
interfaces for modifying rules.

The VNF Provider **MUST** have patches available for vulnerabilities
in the VNF as soon as possible. Patching shall be controlled via change
control process with vulnerabilities disclosed along with
mitigation recommendations.

The VNF **MUST** support only encrypted access protocols, e.g., TLS,

:introduced: casablanca

The VNF **MUST** store Authentication Credentials used to authenticate to
other systems encrypted except where there is a technical need to store
the password unencrypted in which case it must be protected using other
security techniques that include the use of file and directory permissions.
Ideally, credentials SHOULD rely on a HW Root of Trust, such as a

For all GUI and command-line interfaces, the VNF **MUST** provide the
ability to present a warning notice that is set by the Operator. A warning
notice is a formal statement of resource intent presented to everyone
who accesses the system.

The VNF **MUST** not contain undocumented functionality.

VNFs that are subject to regulatory requirements **MUST** provide
functionality that enables the Operator to comply with ETSI TC LI
requirements, and, optionally, other relevant national equivalents.

The VNF **MUST** be able to authenticate and authorize all remote access.

:introduced: casablanca
:validation_mode: in_service

The VNF **MUST** log any security event required by the VNF Requirements to
Syslog using LOG_AUTHPRIV for any event that would contain sensitive
information and LOG_AUTH for all other relevant events.

:introduced: casablanca

The VNF **MUST** be operable without the use of Network File System (NFS).

:introduced: casablanca

The VNF **MUST NOT** contain any backdoors.

:introduced: casablanca

If SNMP is utilized, the VNF **MUST** support at least SNMPv3 with
message authentication.

:introduced: casablanca

The VNF application processes **SHOULD NOT** run as root. If a VNF
application process must run as root, the technical reason must

:introduced: casablanca

Login access (e.g., shell access) to the operating system layer, whether
interactive or as part of an automated process, **MUST** be through an
encrypted protocol such as SSH or TLS.

:introduced: casablanca

The VNF **MUST** include a configuration (e.g. a heat template or CSAR package)
that specifies the targeted parameters (e.g. a limited set of ports)
over which the VNF will communicate; including internal, external and
management communication.

:introduced: frankfurt

Containerized components of VNFs **SHOULD** follow the recommendations for
Container Base Images and Build File Configuration in the latest available version
of the CIS Docker Community Edition Benchmarks to ensure that containerized VNFs
are secure. All non-compliances with the benchmarks MUST be documented.

:introduced: frankfurt

Containerized components of VNFs **SHOULD** execute in a Docker run-time environment
that follows the Container Runtime Configuration in the latest available version
of the CIS Docker Community Edition Benchmarks to ensure that containerized VNFs
are secure. All non-compliances with the benchmarks MUST be documented.

VNF Identity and Access Management Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The following security requirements for logging, identity, and access
management need to be met by the solution in a virtual environment:

Identity and Access Management Requirements

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, support the creation of multiple IDs so that
individual accountability can be supported.

The VNF **MUST** allow the Operator to restrict access to protected
resources based on the assigned permissions associated with an ID in
order to support Least Privilege (no more privilege than required to
perform job functions).

:introduced: frankfurt

The VNF **MUST** support at least the following roles: system administrator,
application administrator, network function O&M.

:introduced: frankfurt

The VNF **MUST**, if not integrated with the operator's IAM system, provide
a mechanism for assigning roles and/or permissions to an identity.

The VNF **MUST NOT** allow the assumption of the permissions of another
account to mask individual accountability. For example, use SUDO when a
user requires elevated permissions such as root or admin.

The VNF **MUST** set the default settings for user access
to deny authorization, except for a super user type of account.

The VNF **MUST**, if not integrated with the Operator’s Identity and
Access Management system, support multifactor authentication on all
protected interfaces exposed by the VNF for use by human users.

The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, support configurable password expiration.

The VNF **MUST**, if not integrated with the Operator's Identity and
Access Management system, comply with "password complexity" policy. When
passwords are used, they shall be complex and shall at least meet the
following password construction requirements: (1) be a minimum configurable
number of characters in length, (2) include 3 of the 4 following types of
characters: upper-case alphabetic, lower-case alphabetic, numeric, and
special, (3) not be the same as the UserID with which they are associated
or other common strings as specified by the environment, (4) not contain
repeating or sequential characters or numbers, (5) not to use special
characters that may have command functions, and (6) new passwords must
not contain sequences of three or more characters from the previous
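
The six construction rules above can be checked mechanically. The following is an added example, not code from the ONAP project: the default minimum length, the set of "command" characters, the run length of three for rule (4), and reading the cut-off rule (6) as a comparison against the previous password are all assumptions.

```python
import string

# Assumption: which special characters "may have command functions" depends on
# the environment; this set of common shell metacharacters is illustrative.
COMMAND_CHARS = set("`$|;&<>\\\"'*?!(){}[]~#")
RUN_LENGTH = 3  # assumption: three in a row counts as repeating or sequential


def _has_run(text, n=RUN_LENGTH):
    """True if n consecutive characters repeat (aaa) or step by one (abc, 321)."""
    for i in range(len(text) - n + 1):
        window = text[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _shares_sequence(new, old, n=3):
    """True if any n-character sequence of `old` also appears in `new`."""
    old_chunks = {old[i:i + n] for i in range(len(old) - n + 1)}
    return any(new[i:i + n] in old_chunks for i in range(len(new) - n + 1))


def check_password(password, user_id, previous=None, min_length=12, banned=()):
    """Return the numbers of the violated rules; an empty list means compliant."""
    violations = []
    if len(password) < min_length:                        # rule 1
        violations.append(1)
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:                                  # rule 2
        violations.append(2)
    lowered = password.lower()
    if lowered == user_id.lower() or lowered in {b.lower() for b in banned}:
        violations.append(3)                              # rule 3
    if _has_run(lowered):                                 # rule 4
        violations.append(4)
    if any(c in COMMAND_CHARS for c in password):         # rule 5
        violations.append(5)
    if previous is not None and _shares_sequence(password, previous):
        violations.append(6)                              # rule 6 (assumed reading)
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tr7-kw_Qz9+mh", "abc", "Tr7-kw_Qz9;mh"):
        print(candidate, check_password(candidate, "jsmith"))
```

Rule (6) needs the previous password in clear text, so it can only be evaluated during the change dialogue, where the user supplies the old password; the salted, non-reversible store cannot answer it afterwards.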

:introduced: casablanca

The VNF **MUST** not store authentication credentials to itself in clear
text or any reversible form and must use salting.

The VNF **MUST**, if not integrated with the Operator’s Identity
and Access Management system, support the ability to lock out the
userID after a configurable number of consecutive unsuccessful
authentication attempts using the same userID. The locking mechanism
must be reversible by an administrator and should be reversible after
a configurable time period.

The VNF **MUST**, if not integrated with the Operator's identity and
access management system, authenticate all access to protected resources.

The VNF **MUST** support LDAP in order to integrate with an external identity
and access management system. It MAY support other identity and access management

:introduced: casablanca

The VNF **MUST** have the capability of allowing the Operator to create,
manage, and automatically provision user accounts using one of the protocols
specified in Chapter 7.

:introduced: casablanca

The VNF **MUST** support account names that contain at least A-Z, a-z,
and 0-9 character sets and be at least 6 characters in length.

:introduced: casablanca

The VNF **MUST NOT** identify the reason for a failed authentication,
only that the authentication failed.

:introduced: casablanca

The VNF **MUST** provide the capability of setting a configurable message
to be displayed after successful login. It MAY provide a list of supported

:introduced: casablanca

The VNF **MUST** provide a means to explicitly logout, thus ending that session.

:introduced: frankfurt

The VNF **MUST** provide explicit confirmation of a session termination
such as a message, new page, or rerouting to a login page.

:introduced: casablanca

The VNF **MUST**, if not integrated with the Operator's Identity and Access
Management system, enforce a configurable "terminate idle sessions"
policy by terminating the session after a configurable period of inactivity.

VNF API Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers API security requirements when these are used by the
VNFs. Key security areas covered in API security are Access Control,
Authentication, Passwords, PKI Authentication Alarming, Anomaly
Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
Cryptography, Business continuity, Biometric Authentication,
Identification, Confidentiality and Integrity, and Denial of Service.

The solution in a virtual environment needs to meet the following API
security requirements:

The VNF **SHOULD** integrate with the Operator's authentication and
authorization services (e.g., IDAM).

The VNF **MUST** implement the following input validation
control: Check the size (length) of all input. Do not permit an amount
of input so great that it would cause the VNF to fail. Where the input
may be a file, the VNF API must enforce a size limit.

The VNF **MUST** implement the following input validation controls:
Do not permit input that contains content or characters inappropriate
to the input expected by the design. Inappropriate input, such as
SQL expressions, may cause the system to execute undesirable and
unauthorized transactions against the database or allow other
inappropriate access to the internal network (injection attacks).

The VNF **MUST** implement the following input validation control
on APIs: Validate that any input file has a correct and valid
Multipurpose Internet Mail Extensions (MIME) type. Input files
should be tested for spoofed MIME types.
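
The size-limit and MIME-type controls above can be enforced together at the point where an API reads an uploaded file. This is an added example, not code from the ONAP project: the 1 MiB limit, the accepted type list and all function names are assumptions, and the sample byte strings are constructed.

```python
import io

MAX_UPLOAD_BYTES = 1024 * 1024  # assumption: the limit configured by the Operator

# Leading "magic" bytes for the MIME types this hypothetical API accepts.
MAGIC = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04", b"PK\x05\x06"],
    "application/gzip": [b"\x1f\x8b"],
}


class RejectedInput(ValueError):
    """Raised when an input file fails validation."""


def read_bounded(stream, limit=MAX_UPLOAD_BYTES, chunk=64 * 1024):
    """Read the stream but never buffer more than limit + 1 bytes.

    The limit is enforced while reading, so an oversized or mislabelled
    upload is rejected before it can exhaust memory.
    """
    buf = bytearray()
    while True:
        block = stream.read(min(chunk, limit + 1 - len(buf)))
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > limit:
            raise RejectedInput("input exceeds size limit")


def validate_upload(stream, declared_type, limit=MAX_UPLOAD_BYTES):
    """Return the file bytes if size and content match the declared MIME type."""
    # Drop parameters such as "; charset=..." and normalise case.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared not in MAGIC:
        raise RejectedInput("MIME type not accepted")
    data = read_bounded(stream, limit)
    # The declared type comes from the client, so it is checked against content.
    if not any(data.startswith(sig) for sig in MAGIC[declared]):
        raise RejectedInput("content does not match declared MIME type")
    return data


if __name__ == "__main__":
    # Constructed samples: a PNG header, and other content labelled as PNG.
    genuine = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    spoofed = b"MZ\x90\x00" + b"\x00" * 16
    for name, body in (("genuine", genuine), ("spoofed", spoofed)):
        try:
            validate_upload(io.BytesIO(body), "image/png")
            print(name, "accepted")
        except RejectedInput as exc:
            print(name, "rejected:", exc)
```

A matching signature only shows that the file starts like the declared type; the parser that later consumes the file still has to treat its contents as untrusted.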

VNF Security Analytics Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF security analytics requirements that are mostly
applicable to security monitoring. The VNF Security Analytics cover the
collection and analysis of data following key areas of security

- Anti-virus software

- API based monitoring

- Detection and notification

- Resource exhaustion detection

- Proactive and scalable monitoring

- Mobility and guest VNF monitoring

- Closed loop monitoring

- Interfaces to management and orchestration

- Malformed packet detections

- Dynamic security control

- Dynamic load balancing

- Connection attempts to inactive ports (malicious port scanning)

The following requirements of security monitoring need to be met by the
solution in a virtual environment.

Security Analytics Requirements

The VNF **MUST** support real-time detection and
notification of security events.

The VNF **MUST** support API-based monitoring to take care of
the scenarios where the control interfaces are not exposed, or are
optimized and proprietary in nature.

The VNF **MUST** support detection of malformed packets due to software
misconfiguration or software vulnerability, and generate an error to the
syslog console facility.

The VNF **MUST** support proactive monitoring to detect and
report the attacks on resources so that the VNFs and associated VMs can
be isolated, such as detection techniques for resource exhaustion, namely
OS resource attacks, CPU attacks, consumption of kernel memory, local

The VNF **SHOULD** operate with anti-virus software which produces alarms
every time a virus is detected.

The VNF **MUST** protect all security audit logs (including
API, OS and application-generated logs), security audit software, data,
and associated documentation from modification, or unauthorized viewing,
by standard OS access control mechanisms, by sending to a remote system,

The VNF **MUST** log successful and unsuccessful authentication
attempts, e.g., authentication associated with a transaction,
authentication to create a session, authentication to assume elevated

The VNF **MUST** log logoffs.

The VNF **MUST** log starting and stopping of security

The VNF **MUST** log successful and unsuccessful creation, removal, or
change to the inherent privilege level of users.

The VNF **MUST** log connections to the network listeners of the

The VNF **MUST** log the field "event type" in the security audit

The VNF **MUST** log the field "date/time" in the security audit

The VNF **MUST** log the field "protocol" in the security audit logs.

The VNF **MUST** log the field "service or program used for access"
in the security audit logs.

The VNF **MUST** log the field "success/failure" in the

The VNF **MUST** log the field "Login ID" in the security audit logs.

The VNF **MUST NOT** include an authentication credential,
e.g., password, in the security audit logs, even if encrypted.

The VNF **MUST** detect when its security audit log storage
medium is approaching capacity (configurable) and issue an alarm.

The VNF **MUST** support the capability of online storage of

The VNF **MUST** activate security alarms automatically when
a configurable number of consecutive unsuccessful login attempts

The VNF **MUST** activate security alarms automatically when
it detects the successful modification of a critical system or

The VNF **MUST** activate security alarms automatically when
it detects an unsuccessful attempt to gain permissions
or assume the identity of another user.

The VNF **MUST** include the field "date" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "time" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "service or program used for
access" in the Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "success/failure" in the
Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "Login ID" in the Security
alarms (where applicable and technically feasible).

The VNF **MUST** restrict changing the criticality level of a
system security alarm to users with administrative privileges.

The VNF **MUST** monitor API invocation patterns to detect
anomalous access patterns that may represent fraudulent access or other
types of attacks, or integrate with tools that implement anomaly and

The VNF **MUST** generate security audit logs that can be sent
to Security Analytics Tools for analysis.

The VNF **MUST** log successful and unsuccessful access to VNF
resources, including data.

The VNF **MUST** support the storage of security audit logs for a
configurable period of time.

The VNF **MUST** have security logging for VNFs and their
OSs be active from initialization. Audit logging includes automatic
routines to maintain activity records and cleanup programs to ensure
the integrity of the audit/logging systems.

The VNF **MUST** be implemented so that it is not vulnerable to OWASP
Top 10 web application security risks.

The VNF **MUST** protect against all denial of service
attacks, both volumetric and non-volumetric, or integrate with external
denial of service protection tools.

:introduced: casablanca

The VNF **MUST** be capable of automatically synchronizing the system clock
daily with the Operator's trusted time source, to assure accurate time
reporting in log files. It is recommended that Coordinated Universal Time
(UTC) be used where possible, so as to eliminate ambiguity owing to daylight

:introduced: casablanca

The VNF **MUST** log the Source IP address in the security audit logs.
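
The audit-log field requirements in this section and the LOG_AUTH / LOG_AUTHPRIV requirement in the general security section combine into one record builder. This is an added example, not code from the ONAP project: the field key names, the credential key list, the placeholder host and application names and the RFC 5424 style layout are assumptions, and the sample event is constructed.

```python
from datetime import datetime, timezone
from logging.handlers import SysLogHandler  # used only for its syslog constants

# Assumed key names for the page's fields "event type", "protocol", "service or
# program used for access", "success/failure", "Login ID" and source IP address.
REQUIRED = ("event_type", "protocol", "service", "outcome", "login_id", "source_ip")
# Assumption: key-name fragments that indicate a credential is being logged.
FORBIDDEN = ("password", "passwd", "secret", "token", "credential")


def _clean(value):
    """Neutralise control characters and quotes so a value cannot forge a line."""
    text = "".join(c if c.isprintable() else "?" for c in str(value))
    return text.replace("\\", "\\\\").replace('"', '\\"')


def audit_line(event, sensitive, now=None):
    """Return one RFC 5424 style syslog line for a security audit event."""
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        raise ValueError(f"missing audit fields: {missing}")
    leaked = [k for k in event if any(f in k.lower() for f in FORBIDDEN)]
    if leaked:
        raise ValueError(f"credentials must not be logged: {leaked}")
    if event["outcome"] not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")

    # Events carrying sensitive information go to LOG_AUTHPRIV (10),
    # all other security events to LOG_AUTH (4).
    facility = SysLogHandler.LOG_AUTHPRIV if sensitive else SysLogHandler.LOG_AUTH
    pri = facility * 8 + SysLogHandler.LOG_NOTICE
    # The date/time field, always rendered in UTC to avoid daylight-saving ambiguity.
    moment = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = moment.strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = " ".join(f'{k}="{_clean(event[k])}"' for k in REQUIRED)
    # "vnf-host" and "vnf-audit" are placeholder HOSTNAME and APP-NAME values.
    return f"<{pri}>1 {stamp} vnf-host vnf-audit - - - {fields}"


# Constructed sample event, not taken from any real system.
SAMPLE = {
    "event_type": "authentication", "protocol": "ssh", "service": "sshd",
    "outcome": "failure", "login_id": "jsmith", "source_ip": "192.0.2.10",
}

if __name__ == "__main__":
    print(audit_line(SAMPLE, sensitive=False))
    print(audit_line(SAMPLE, sensitive=True))
```

The Login ID is supplied by whoever is attempting to authenticate, which is why every value passes through `_clean` before it is written.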

:introduced: casablanca

The VNF **MUST** have the capability to securely transmit the security logs
and security events to a remote system before they are purged from the

:introduced: casablanca

The VNF **SHOULD** provide the capability of maintaining the integrity of
its static files using a cryptographic method.

:introduced: casablanca

The VNF **MUST** log automated remote activities performed with
elevated privileges.

VNF Data Protection Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF data protection requirements that are mostly
applicable to security monitoring.

Data Protection Requirements

:updated: casablanca

The VNF **MUST** provide the capability to restrict read
and write access to data handled by the VNF.

The VNF **MUST** provide the capability to encrypt data in
transit on a physical or virtual network.

:updated: casablanca

The VNF **MUST** provide the capability to encrypt data on
non-volatile memory. Non-volatile memory is storage that is
capable of retaining data without electrical power, e.g.
Complementary metal-oxide-semiconductor (CMOS) or hard drives.

The VNF **SHOULD** disable the paging of the data requiring
encryption, if possible, where the encryption of non-transient data is
required on a device for which the operating system performs paging to
virtual memory. If not possible to disable the paging of the data
requiring encryption, the virtual memory should be encrypted.

:updated: casablanca

The VNF **MUST** use NIST and industry standard cryptographic
algorithms and standard modes of operations when implementing

:updated: casablanca

The VNF **MUST NOT** use compromised encryption algorithms.
For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms.
Acceptable algorithms can be found in the NIST FIPS publications
(https://csrc.nist.gov/publications/fips) and in the
NIST Special Publications (https://csrc.nist.gov/publications/sp).

:updated: casablanca

The VNF **MUST** use, whenever possible, standard implementations
of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH,
IPSec, X.509 digital certificates for cryptographic implementations.
These implementations must be purchased from reputable vendors or obtained
from reputable open source communities and must not be developed in-house.

:updated: casablanca

The VNF **MUST** provide the ability to migrate to newer
versions of cryptographic algorithms and protocols with minimal impact.

:updated: casablanca

The VNF **MUST** support digital certificates that comply with X.509

The VNF **MUST NOT** use keys generated or derived from
predictable functions or values, e.g., values considered predictable
include user identity information, time of day, stored/transmitted data.

:updated: casablanca

The VNF **MUST** provide the capability of using X.509 certificates
issued by an external Certificate Authority.

:updated: casablanca

The VNF **MUST** be capable of protecting the confidentiality and integrity
of data at rest and in transit from unauthorized access and modification.

VNF Cryptography Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF cryptography requirements that are mostly
applicable to encryption or protocol methods.

:updated: casablanca

The VNF **SHOULD** support an automated certificate management protocol
such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or
Automated Certificate Management Environment (ACME).

:updated: casablanca

The VNF **SHOULD** provide the capability to integrate with an
external encryption service.

:updated: casablanca

The VNF **MUST** use symmetric keys of at least 112 bits in length.

:updated: casablanca

The VNF **MUST** use asymmetric keys of at least 2048 bits in length.

:updated: casablanca

The VNF **MUST** provide the capability to configure encryption
algorithms or devices so that they comply with the laws of the jurisdiction
in which there are plans to use data encryption.

:updated: casablanca

The VNF **MUST** provide the capability of allowing certificate
renewal and revocation.

:updated: casablanca

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the CA signature on the certificate.

:updated: casablanca

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the date the certificate is being
used is within the validity period for the certificate.

:updated: casablanca

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by checking the Certificate Revocation
List (CRL) for the certificates of that type to ensure that the
certificate has not been revoked.

:updated: casablanca

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by recognizing the identity represented
by the certificate - the "distinguished name".

The VNF or PNF **MUST** support HTTPS using TLS v1.2 or higher
with strong cryptographic ciphers.

:updated: casablanca

The VNF **MUST** support the use of X.509 certificates issued from any
Certificate Authority (CA) that is compliant with RFC5280, e.g., a public
CA such as DigiCert or Let's Encrypt, or an RFC5280 compliant Operator

Note: The VNF provider cannot require the use of self-signed certificates
in an Operator's run time environment.