.. Modifications Copyright © 2017-2018 AT&T Intellectual Property.

.. Licensed under the Creative Commons License, Attribution 4.0 Intl.
   (the "License"); you may not use this documentation except in compliance
   with the License. You may obtain a copy of the License at

.. https://creativecommons.org/licenses/by/4.0/

.. Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
----------------------

The objective of this section is to provide the key security
requirements that need to be met by VNFs. The security requirements are
grouped into five areas as listed below. Other security areas will be
addressed in future updates. These security requirements are applicable
to all VNFs. Additional security requirements for specific types of VNFs
will be applicable and are outside the scope of these general

Section 4.3 Security in *VNF Guidelines* outlines
the five broad security areas for VNFs that are detailed in the

- **VNF General Security**: This section addresses general security
  requirements for the VNFs that the VNF provider will need to address.

- **VNF Identity and Access Management**: This section addresses
  security requirements with respect to Identity and Access Management
  as these pertain to generic VNFs.

- **VNF API Security**: This section addresses the generic security
  requirements associated with APIs. These requirements are applicable
  to those VNFs that use standard APIs for communication and data

- **VNF Security Analytics**: This section addresses the security
  requirements associated with analytics for VNFs that deal with
  monitoring, data collection and analysis.

- **VNF Data Protection**: This section addresses the security
  requirements associated with data protection.
VNF General Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section provides details on the VNF general security requirements
on various security areas such as user access control, network security,
ACLs, infrastructure security, and vulnerability management. These
requirements cover topics associated with compliance, security patching,
logging/accounting, authentication, encryption, role-based access
control, and least privilege access/authorization. The following security
requirements need to be met by the solution in a virtual environment:

General Security Requirements

Integration and operation within a robust security environment is necessary
and expected. The security architecture will include one or more of the
following: IDAM (Identity and Access Management) for all system and
application access, code scanning, network vulnerability scans, OS,
database and application patching, malware detection and cleaning,
DDoS prevention, network security gateways (internal and external)
operating at various layers, host and application based tools for
security compliance validation, aggressive security patch application,
tightly controlled software distribution and change control processes,
and other state of the art security solutions. The VNF is expected to
function reliably within such an environment; the developer is
expected to understand and accommodate such controls and can be expected
to supply responsive interoperability support and testing throughout
the product's lifecycle.
The VNF **MUST** implement and enforce the principle of least privilege
on all protected interfaces.

The VNF **MUST** implement access control lists for OA&M
services (e.g., restricting access to certain ports or applications).

The VNF **SHOULD** implement a mechanism for automated and
frequent "system configuration (automated provisioning / closed loop)"

The VNF **SHOULD** provide the capability for the Operator to run security
vulnerability scans of the operating system and all application layers.

The VNF **SHOULD** have source code scanned using scanning
tools (e.g., Fortify) and provide reports.

The VNF **MUST** have all code (e.g., QCOW2) and configuration files
(e.g., HEAT template, Ansible playbook, script) hardened, or with
documented recommended configurations for hardening and interfaces that
allow the Operator to harden the VNF. Actions taken to harden a system
include disabling all unnecessary services, and changing default values
such as default credentials and community strings.

The VNF **SHOULD** support Layer 3 VPNs that enable segregation of
traffic by application (i.e., AVPN, IPSec VPN for Internet routes).

The VNF **SHOULD** interoperate with various access control
mechanisms for the Network Cloud execution environment (e.g.,
Hypervisors, containers).

The VNF **SHOULD** support the use of virtual trusted platform

The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
routing and forwarding rules.

The VNF **SHOULD** support the ability to work with aliases
(e.g., gateways, proxies) to protect and encapsulate resources.

The VNF **MUST** pass all access to applications (Bearer,
signaling and OA&M) through various security tools and platforms from
ACLs, stateful firewalls and application layer gateways depending on
manner of deployment. The application is expected to function (and in
some cases, interwork) with these security tools.

The VNF **MUST** have all vulnerabilities patched as soon
as possible. Patching shall be controlled via a change control process,
with vulnerabilities disclosed along with mitigation recommendations.

The VNF **MUST** use the NCSP's IDAM API for identification,
authentication and access control of customer or VNF application users.

The VNF **MUST** use the NCSP's IDAM API or comply with
the requirements if not using the NCSP's IDAM API, for identification,
authentication and access control of OA&M and other system level

The VNF **MUST**, if not using the NCSP's IDAM API, support
User-IDs and passwords to uniquely identify the user/application. The VNF
needs to have appropriate connectors to the Identity, Authentication
and Authorization systems that enable access at OS, Database and
Application levels as appropriate.

The VNF **MUST**, if not using the NCSP's IDAM API, support
Role-Based Access Control to permit/limit the user/application to
performing specific activities.

The VNF **MUST** support encrypted access protocols, e.g., TLS,

The VNF **MUST**, if not using the NCSP's IDAM API, enforce
a configurable maximum number of login attempts policy for the users.
The VNF provider must comply with the "terminate idle sessions" policy.
Interactive sessions must be terminated, or a secure, locking screensaver
must be activated requiring authentication, after a configurable period
of inactivity. The system-based inactivity timeout for the enterprise
identity and access management system must also be configurable.

The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the NCSP's credential management policy.

The VNF **MUST**, if not using the NCSP's IDAM API, expire
passwords at regular configurable intervals.

The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the "password complexity" policy. When passwords are used, they shall
be complex and shall at least meet the following password construction
requirements: (1) be a minimum configurable number of characters in
length, (2) include 3 of the 4 following types of characters:
upper-case alphabetic, lower-case alphabetic, numeric, and special,
(3) not be the same as the UserID with which they are associated or
other common strings as specified by the environment, (4) not contain
repeating or sequential characters or numbers, (5) not use special
characters that may have command functions, and (6) new passwords must
not contain sequences of three or more characters from the previous
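As an added illustration of the six construction rules above (not code from the ONAP document or any VNF), the check below turns each rule into a function. The minimum length, the run length that counts as "repeating or sequential", and the set of characters treated as having command functions are assumptions, kept configurable because the text calls them so.

```python
"""Password construction checks modelled on the six listed rules.

Added example, not part of the ONAP requirements. The defaults (12
characters, runs of 3, the COMMAND_CHARS set) are assumptions.
"""

# Characters that carry command meaning in common shells and SQL; an
# assumed, configurable list, not one defined by the requirements text.
COMMAND_CHARS = set("`$;|&<>'\"\\")


def has_three_of_four_classes(pw: str) -> bool:
    """Rule (2): at least three of upper, lower, numeric, special."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def has_repeating_or_sequential(pw: str, run: int = 3) -> bool:
    """Rule (4): `run` identical characters in a row, or `run` characters
    whose code points step by exactly +1 or -1 (abc, 321, XYZ)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if len(set(window)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def shares_sequence_with(old: str, new: str, length: int = 3) -> bool:
    """Rule (6): any `length`-character substring of the previous password
    reappears in the new one (compared case-insensitively)."""
    old_l, new_l = old.lower(), new.lower()
    return any(old_l[i:i + length] in new_l
               for i in range(len(old_l) - length + 1))


def check_password(pw, user_id, previous=None, min_len=12, common=()):
    """Return the list of violated rule numbers; an empty list is compliant.

    `common` is the environment-specified list of disallowed strings."""
    failures = []
    if len(pw) < min_len:                                  # rule (1)
        failures.append(1)
    if not has_three_of_four_classes(pw):                  # rule (2)
        failures.append(2)
    lowered = pw.lower()
    if lowered == user_id.lower() or lowered in {c.lower() for c in common}:
        failures.append(3)                                 # rule (3)
    if has_repeating_or_sequential(pw):                    # rule (4)
        failures.append(4)
    if any(c in COMMAND_CHARS for c in pw):                # rule (5)
        failures.append(5)
    if previous and shares_sequence_with(previous, pw):    # rule (6)
        failures.append(6)
    return failures
```

Rule (6) as written rejects a new password that keeps any three consecutive characters of the old one, so "Passw0rd#2019" following "Passw0rd#2018" fails even though every other rule passes.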
The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the "password changes (includes default passwords)" policy. Products
will support password aging, syntax and other credential management
practices on a configurable basis.

The VNF **MUST**, if not using the NCSP's IDAM API, support
use of common third party authentication and authorization tools such

The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the "No Self-Signed Certificates" policy. Self-signed certificates
must be used for encryption only, using specified and approved
encryption protocols such as TLS 1.2 or higher or equivalent security
protocols such as IPSec, AES.

The VNF **MUST**, if not using the NCSP's IDAM API,
authenticate system to system communications where one system
accesses the resources of another system, and must never conceal
individual accountability.
VNF Identity and Access Management Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The following security requirements for logging, identity, and access
management need to be met by the solution in a virtual environment:

Identity and Access Management Requirements

The VNF **MUST** host connectors for access to the application layer.

The VNF **MUST** host connectors for access to the OS (Operating System) layer.

The VNF **MUST** host connectors for access to the database layer.

The VNF **MUST** allow the creation of multiple IDs so that
individual accountability can be supported.

The VNF **MUST** comply with Least Privilege (no more
privilege than required to perform job functions) when persons
or non-person entities access VNFs.

Each layer of the VNF **MUST** support access restriction
independently of all other layers so that Segregation of Duties

The VNF **MUST NOT** allow vendor access to VNFs remotely.

The VNF **MUST** authorize VNF provider access through a
client application API by the client application owner and the resource
owner of the VNF before provisioning authorization through Role Based
Access Control (RBAC), Attribute Based Access Control (ABAC), or other
policy based mechanism.

The VNF **MUST** provide or support the Identity and Access
Management (IDAM) based threat detection data for OWASP Top 10.

The VNF provider **MUST**, where a VNF provider requires
the assumption of permissions, such as root or administrator, first
log in under their individual user login ID and then switch to the other,
higher level account; or, where the individual user login is infeasible,
must log in with an account with admin privileges in a way that
uniquely identifies the individual performing the function.

The VNF **MUST** authenticate system to system access and
must not conceal a VNF provider user's individual accountability for

The VNF **MUST** make visible a Warning Notice: a formal
statement of resource intent, i.e., a warning notice, upon initial
access to a VNF provider user who accesses private internal networks
or Company computer resources, e.g., upon initial logon to an internal
web site, system or application which requires authentication.

The VNF **MUST** use access controls for VNFs and their
supporting computing systems at all times to restrict access to
authorized personnel only, e.g., least privilege. These controls
could include the use of system configuration or access control

The VNF **MUST** provide minimum privileges for initial
and default settings for new user accounts.

The VNF **MUST** set the default settings for user access
to sensitive commands and data to deny authorization.

The VNF **MUST** conform to approved request, workflow
authorization, and authorization provisioning requirements when
creating privileged users.

The VNF **MUST** have greater restrictions for access and
execution, such as up to 3 factors of authentication and restricted
authorization, for commands affecting network services, such as
commands relating to VNFs.

The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2)
transmission of data on internal and external networks.

The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.

The VNF **MUST** provide access controls that allow the Operator
to restrict access to VNF functions and data to authorized entities.

The VNF **MUST NOT** install or use systems, tools or
utilities capable of capturing or logging data that was not created
by them or sent specifically to them in production, without
authorization of the VNF system owner.

The VNF **MUST NOT** run security testing tools and
programs, e.g., password crackers, port scanners, hacking tools,
in production without authorization of the VNF system owner.

The VNF **MUST NOT** include authentication credentials
in security audit logs, even if encrypted.

The VNF **SHOULD** support OAuth 2.0 authorization using an external
Authorization Server.

The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol).
VNF API Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers API security requirements when these are used by the
VNFs. Key security areas covered in API security are Access Control,
Authentication, Passwords, PKI Authentication Alarming, Anomaly
Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
Cryptography, Business continuity, Biometric Authentication,
Identification, Confidentiality and Integrity, and Denial of Service.

The solution in a virtual environment needs to meet the following API
security requirements:

The VNF **MUST** provide a mechanism to restrict access based
on the attributes of the VNF and the attributes of the subject.

The VNF **SHOULD** integrate with the Operator's authentication and
authorization services (e.g., IDAM).

The VNF **MUST** use certificates issued from publicly
recognized Certificate Authorities (CA) for the authentication process
where PKI-based authentication is used.

The VNF **MUST** validate the CA signature on the certificate,
ensure that the date is within the validity period of the certificate,
check the Certificate Revocation List (CRL), and recognize the identity
represented by the certificate where PKI-based authentication is used.

The VNF **MUST** protect the confidentiality and integrity of
data at rest and in transit from unauthorized access and modification.

The VNF **MUST** protect against all denial of service
attacks, both volumetric and non-volumetric, or integrate with external
denial of service protection tools.

The VNF **MUST** implement the following input validation
control: Check the size (length) of all input. Do not permit an amount
of input so great that it would cause the VNF to fail. Where the input
may be a file, the VNF API must enforce a size limit.

The VNF **MUST** implement the following input validation
control: Do not permit input that contains content or characters
inappropriate to the input expected by the design. Inappropriate input,
such as SQL insertions, may cause the system to execute undesirable
and unauthorized transactions against the database or allow other
inappropriate access to the internal network.

The VNF **MUST** implement the following input validation
control: Validate that any input file has a correct and valid
Multipurpose Internet Mail Extensions (MIME) type. Input files
should be tested for spoofed MIME types.
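The three input validation controls above, written out as one API-side gate (an added example, not code from the ONAP document or any VNF): a bounded, allow-listed text field, a size-capped file upload, and a MIME check that compares the declared type against the leading bytes of the content so a spoofed type is rejected. The size caps, the allowed character set and the small signature table are assumptions.

```python
"""Input validation gate for a VNF API, illustrating the three controls.

Added example, not the document's own code. MAX_FIELD_BYTES,
MAX_FILE_BYTES, FIELD_PATTERN and the MAGIC table are assumptions.
"""
import re
from typing import Optional

MAX_FIELD_BYTES = 256               # assumed cap for one text field
MAX_FILE_BYTES = 5 * 1024 * 1024    # assumed cap for one uploaded file

# Control 2 as an allow-list: only the characters the design expects in an
# identifier-style field. Anything else (quotes, '=', ';', '<') is rejected
# outright rather than searched for against a list of "bad" patterns.
FIELD_PATTERN = re.compile(r"^[A-Za-z0-9 ._@-]+$")

# Leading-byte signatures for the file types this example accepts. A
# declared MIME type is trusted only if the content starts like that type.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"\xff\xd8\xff": "image/jpeg",
}


class ValidationError(ValueError):
    """Raised for any input the API must not accept."""


def validate_text_field(value: str) -> str:
    """Controls 1 and 2: bounded length, allow-listed characters."""
    if len(value.encode("utf-8")) > MAX_FIELD_BYTES:
        raise ValidationError("field exceeds size limit")
    if not FIELD_PATTERN.match(value):
        raise ValidationError("field contains characters not permitted by design")
    return value


def sniff_mime(data: bytes) -> Optional[str]:
    """MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(declared_mime: str, data: bytes) -> str:
    """Controls 1 and 3: file size limit, then declared MIME type must
    agree with the content. Returns the verified MIME type.

    A declared type the bytes do not support is treated as spoofed; so is
    an unknown signature, because "unknown" cannot be a correct, valid type.
    """
    if len(data) > MAX_FILE_BYTES:
        raise ValidationError("file exceeds size limit")
    actual = sniff_mime(data)
    if actual is None or actual != declared_mime:
        raise ValidationError(
            f"declared {declared_mime!r} but content looks like {actual!r}")
    return actual
```

Note that the size checks run before any content inspection, so an oversized body is refused without being parsed.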
VNF Security Analytics Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF security analytics requirements that are mostly
applicable to security monitoring. The VNF Security Analytics cover the
collection and analysis of data following key areas of security

- Anti-virus software

- API based monitoring

- Detection and notification

- Resource exhaustion detection

- Proactive and scalable monitoring

- Mobility and guest VNF monitoring

- Closed loop monitoring

- Interfaces to management and orchestration

- Malformed packet detection

- Dynamic security control

- Dynamic load balancing

- Connection attempts to inactive ports (malicious port scanning)

The following requirements of security monitoring need to be met by the
solution in a virtual environment.

Security Analytics Requirements

The VNF **MUST** support real-time detection and
notification of security events.

The VNF **MUST** support integration functionality via
API/Syslog/SNMP to other functional modules in the network (e.g.,
PCRF, PCEF) that enable dynamic security control by blocking the
malicious traffic or malicious end users.

The VNF **MUST** support API-based monitoring to take care of
the scenarios where the control interfaces are not exposed, or are
optimized and proprietary in nature.

The VNF **MUST** support event logging, formats, and delivery
tools to provide the required degree of event data to ONAP.

The VNF **MUST** support detection of malformed packets due to
software misconfiguration or software vulnerability.

The VNF **MUST** support integrated DPI/monitoring functionality
as part of VNFs (e.g., PGW, MME).

The VNF **MUST** support proactive monitoring to detect and
report the attacks on resources so that the VNFs and associated VMs can
be isolated, such as detection techniques for resource exhaustion, namely
OS resource attacks, CPU attacks, consumption of kernel memory, local

The VNF **MUST** coexist and operate normally with commercial
anti-virus software, which shall produce alarms every time there is a

The VNF **MUST** protect all security audit logs (including
API, OS and application-generated logs), security audit software, data,
and associated documentation from modification, or unauthorized viewing,
by standard OS access control mechanisms, by sending to a remote system,

The VNF **MUST** log successful and unsuccessful authentication
attempts, e.g., authentication associated with a transaction,
authentication to create a session, authentication to assume elevated

The VNF **MUST** log logoffs.

The VNF **MUST** log starting and stopping of security

The VNF **MUST** log successful and unsuccessful creation, removal, or
change to the inherent privilege level of users.

The VNF **MUST** log connections to the network listeners of the

The VNF **MUST** log the field "event type" in the security audit

The VNF **MUST** log the field "date/time" in the security audit

The VNF **MUST** log the field "protocol" in the security audit logs.

The VNF **MUST** log the field "service or program used for access"
in the security audit logs.

The VNF **MUST** log the field "success/failure" in the

The VNF **MUST** log the field "Login ID" in the security audit logs.

The VNF **MUST NOT** include an authentication credential,
e.g., password, in the security audit logs, even if encrypted.

The VNF **MUST** detect when its security audit log storage
medium is approaching capacity (configurable) and issue an alarm.

The VNF **MUST** support the capability of online storage of

The VNF **MUST** activate security alarms automatically when
a configurable number of consecutive unsuccessful login attempts

The VNF **MUST** activate security alarms automatically when
it detects the successful modification of a critical system or

The VNF **MUST** activate security alarms automatically when
it detects an unsuccessful attempt to gain permissions
or assume the identity of another user.
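An added example, not code from the ONAP document or any VNF, covering two of the requirement groups above: the audit-log field requirements (event type, date/time, protocol, service or program used, success/failure, Login ID, and no credentials even if encrypted) and the alarm on a configurable number of consecutive unsuccessful login attempts. The JSON layout, the field names, the credential key list and the default threshold are assumptions.

```python
"""Audit record builder with mandatory fields and credential stripping,
plus a consecutive-login-failure alarm.

Added example, not the document's own code. REQUIRED_FIELDS names the
six fields the requirements call for; CREDENTIAL_KEYS, the JSON layout
and the threshold default of 5 are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

REQUIRED_FIELDS = ("event_type", "timestamp", "protocol", "service",
                   "outcome", "login_id")

# Keys whose values are authentication credentials. They are dropped, not
# masked or hashed: the requirement forbids them in the log even encrypted.
CREDENTIAL_KEYS = {"password", "passwd", "secret", "token", "authorization"}


def build_audit_record(event_type, protocol, service, success, login_id,
                       extra=None, when=None):
    """Return one audit record (dict) carrying every required field.

    Credential-named keys in `extra` never reach the record; a missing
    required field is an error rather than a silently incomplete log line."""
    when = when or datetime.now(timezone.utc)
    record = {
        "event_type": event_type,
        "timestamp": when.isoformat(),
        "protocol": protocol,
        "service": service,
        "outcome": "success" if success else "failure",
        "login_id": login_id,
    }
    for key, value in (extra or {}).items():
        if key.lower() in CREDENTIAL_KEYS:
            continue
        record[key] = value
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    return record


def serialize(record):
    """One JSON line per record, suitable for syslog or a log shipper."""
    return json.dumps(record, sort_keys=True)


class LoginFailureMonitor:
    """Raise a security alarm after `threshold` consecutive failed
    authentications for the same Login ID; a success resets the count."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.alarms = []

    def observe(self, record):
        """Feed one audit record; return an alarm dict when one fires."""
        if record["event_type"] != "authentication":
            return None
        uid = record["login_id"]
        if record["outcome"] == "success":
            self.failures[uid] = 0
            return None
        self.failures[uid] += 1
        if self.failures[uid] == self.threshold:
            # The alarm carries the same mandatory fields as the log record.
            alarm = {"alarm": "consecutive_login_failures", "login_id": uid,
                     "count": self.failures[uid], "timestamp": record["timestamp"],
                     "service": record["service"], "outcome": "failure"}
            self.alarms.append(alarm)
            return alarm
        return None
```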
The VNF **MUST** include the field "date" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "time" in the Security alarms
(where applicable and technically feasible).

The VNF **MUST** include the field "service or program used for
access" in the Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "success/failure" in the
Security alarms (where applicable and technically feasible).

The VNF **MUST** include the field "Login ID" in the Security
alarms (where applicable and technically feasible).

The VNF **MUST** restrict changing the criticality level of a
system security alarm to users with administrative privileges.

The VNF **MUST** monitor API invocation patterns to detect
anomalous access patterns that may represent fraudulent access or other
types of attacks, or integrate with tools that implement anomaly and

The VNF **MUST** support requests for information from law
enforcement and government agencies.

The VNF **MUST** generate security audit logs that must be sent
to Security Analytics Tools for analysis.

The VNF **MUST** provide audit logs that include user ID, dates,
times for log-on and log-off, and terminal location at minimum.

The VNF **MUST** provide security audit logs including records
of successful and rejected system access data and other resource access

The VNF **MUST** support the storage of security audit logs
for an agreed period of time for forensic analysis.

The VNF **MUST** provide the capability of generating security
audit logs by interacting with the operating system (OS) as appropriate.

The VNF **MUST** have security logging for VNFs and their
OSs be active from initialization. Audit logging includes automatic
routines to maintain activity records and cleanup programs to ensure
the integrity of the audit/logging systems.
VNF Data Protection Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section covers VNF data protection requirements that are mostly
applicable to security monitoring.

Data Protection Requirements

:updated: casablanca

The VNF **MUST** provide the capability to restrict read
and write access to data handled by the VNF.

The VNF **MUST** provide the capability to encrypt data in
transit on a physical or virtual network.

:updated: casablanca

The VNF **MUST** provide the capability to encrypt data on
non-volatile memory. Non-volatile memory is storage that is
capable of retaining data without electrical power, e.g.
Complementary metal-oxide-semiconductor (CMOS) or hard drives.

The VNF **SHOULD** disable the paging of the data requiring
encryption, if possible, where the encryption of non-transient data is
required on a device for which the operating system performs paging to
virtual memory. If it is not possible to disable the paging of the data
requiring encryption, the virtual memory should be encrypted.

The VNF **MUST** provide the capability to integrate with an
external encryption service.

:updated: casablanca

The VNF **MUST** use NIST and industry standard cryptographic
algorithms and standard modes of operation when implementing

The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
Skipjack algorithms or other compromised encryption.

:updated: casablanca

The VNF **MUST** use, whenever possible, standard implementations
of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH,
IPSec, X.509 digital certificates for cryptographic implementations.
These implementations must be purchased from reputable vendors or obtained
from reputable open source communities and must not be developed in-house.

:updated: casablanca

The VNF **MUST** provide the ability to migrate to newer
versions of cryptographic algorithms and protocols with minimal impact.

The VNF **MUST** use symmetric keys of at least 112 bits in length.

The VNF **MUST** use asymmetric keys of at least 2048 bits in length.

:updated: casablanca

The VNF **MUST** support digital certificates that comply with X.509

The VNF **MUST NOT** use keys generated or derived from
predictable functions or values, e.g., values considered predictable
include user identity information, time of day, stored/transmitted data.

The VNF **MUST** provide the capability to configure encryption
algorithms or devices so that they comply with the laws of the jurisdiction
in which there are plans to use data encryption.

:updated: casablanca

The VNF **MUST** provide the capability of using X.509 certificates
issued by an external Certificate Authority.

The VNF **MUST** provide the capability of allowing certificate
renewal and revocation.

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the CA signature on the certificate.

The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating that the date the certificate is being
used is within the validity period for the certificate.

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by checking the Certificate Revocation
List (CRL) for the certificates of that type to ensure that the
certificate has not been revoked.

The VNF **MUST** provide the capability of testing the
validity of a digital certificate by recognizing the identity represented
by the certificate - the "distinguished name".