:id: R-61354
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** implement access control list for OA&M
- services (e.g., restricting access to certain ports or applications).
+ The VNF **MUST** provide a mechanism (e.g., access control list) to
+ permit and/or restrict access to services on the VNF by source,
+ destination, protocol, and/or port.
.. req::
:id: R-92207
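Review bot: The rewritten R-61354 drops the OA&M scope of the original and uses "and/or" twice, which leaves the minimum filtering criteria undefined and makes the MUST hard to test. Suggest "permit and restrict access to services on the VNF by source address, destination address, protocol and port" and, if OA&M interfaces are still the intended scope, say so explicitly.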
it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
routing and forwarding rules.
-.. req::
- :id: R-26586
- :target: VNF
- :keyword: SHOULD
-
- The VNF **SHOULD** support the ability to work with aliases
- (e.g., gateways, proxies) to protect and encapsulate resources.
-
-.. req::
- :id: R-49956
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** pass all access to applications (Bearer,
- signaling and OA&M) through various security tools and platforms from
- ACLs, stateful firewalls and application layer gateways depending on
- manner of deployment. The application is expected to function (and in
- some cases, interwork) with these security tools.
-
.. req::
:id: R-69649
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** have all vulnerabilities patched as soon
- as possible. Patching shall be controlled via change control process
- with vulnerabilities disclosed along with mitigation recommendations.
+ The VNF Provider **MUST** have patches available for vulnerabilities
+ in the VNF as soon as possible. Patching shall be controlled via change
+ control process with vulnerabilities disclosed along with
+ mitigation recommendations.
.. req::
:id: R-78010
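Review bot: R-69649 now makes the VNF Provider the subject ("The VNF Provider MUST have patches available") but the directive still carries `:target: VNF`; either the target should change or the sentence should be rephrased around the VNF. Separately, R-49956 (the VNF must function, and in some cases interwork, behind ACLs, stateful firewalls and application layer gateways) is removed with no visible replacement; if that is intentional, the commit message should say where interworking with network security controls is now covered.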
authentication and access control of OA&M and other system level
functions.
-.. req::
- :id: R-68589
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST**, if not using the NCSP's IDAM API, support
- User-IDs and passwords to uniquely identify the user/application. VNF
- needs to have appropriate connectors to the Identity, Authentication
- and Authorization systems that enables access at OS, Database and
- Application levels as appropriate.
-
-.. req::
- :id: R-98391
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST**, if not using the NCSP's IDAM API, support
- Role-Based Access Control to permit/limit the user/application to
- performing specific activities.
-
.. req::
:id: R-62498
:target: VNF
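Review bot: R-68589 is removed here without a visible replacement, so the requirement that user IDs uniquely identify the user or application, and that the VNF provide connectors to identity, authentication and authorization systems at OS, database and application level, is lost; R-39342 ("must never conceal individual accountability") covers only part of it. R-98391 is re-added later in this change under the new Operator IDAM wording, so that removal is fine.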
The VNF **MUST** support encrypted access protocols, e.g., TLS,
SSH, SFTP.
-.. req::
- :id: R-79107
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST**, if not using the NCSP's IDAM API, enforce
- a configurable maximum number of Login attempts policy for the users.
- VNF provider must comply with "terminate idle sessions" policy.
- Interactive sessions must be terminated, or a secure, locking screensaver
- must be activated requiring authentication, after a configurable period
- of inactivity. The system-based inactivity timeout for the enterprise
- identity and access management system must also be configurable.
-
.. req::
:id: R-35144
:target: VNF
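Review bot: The idle-session part of R-79107 is dropped: the re-added R-79107 later in this change keeps only the disable-after-N-failed-attempts clause, and nothing carries forward "terminate idle sessions" with a configurable inactivity timeout. That control is what closes unattended authenticated sessions, so it should survive as its own requirement rather than disappear with the rewording.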
The VNF **MUST**, if not using the NCSP's IDAM API, comply
with the NCSP's credential management policy.
-.. req::
- :id: R-75041
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST**, if not using the NCSP's IDAM API, expire
- passwords at regular configurable intervals.
-
-.. req::
- :id: R-46908
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST**, if not using the NCSP's IDAM API, comply
- with "password complexity" policy. When passwords are used, they shall
- be complex and shall at least meet the following password construction
- requirements: (1) be a minimum configurable number of characters in
- length, (2) include 3 of the 4 following types of characters:
- upper-case alphabetic, lower-case alphabetic, numeric, and special,
- (3) not be the same as the UserID with which they are associated or
- other common strings as specified by the environment, (4) not contain
- repeating or sequential characters or numbers, (5) not to use special
- characters that may have command functions, and (6) new passwords must
- not contain sequences of three or more characters from the previous
- password.
-
.. req::
:id: R-39342
:target: VNF
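Review bot: The retained R-35144 still reads "if not using the NCSP's IDAM API" while the re-added R-75041, R-98391, R-46908 and R-79107 use "if not integrated with the Operator's Identity and Access Management system"; the same condition should be phrased the same way throughout the section, so R-35144 should get the new wording and an `:updated: casablanca` tag as well.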
accesses the resources of another system, and must never conceal
individual accountability.
-VNF Identity and Access Management Requirements
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The following security requirements for logging, identity, and access
-management need to be met by the solution in a virtual environment:
-
-
-Identity and Access Management Requirements
-
-
.. req::
- :id: R-95105
+ :id: R-80335
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** host connectors for access to the application layer.
+ For all GUI and command-line interfaces, the VNF **MUST** provide the
+ ability to present a warning notice that is set by the Operator. A warning
+ notice is a formal statement of resource intent presented to everyone
+ who accesses the system.
.. req::
- :id: R-45496
+ :id: R-19082
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** host connectors for access to the OS (Operating System) layer.
+ The VNF **MUST** allow the Operator to disable or remove any security
+ testing tools or programs included in the VNF, e.g., password cracker,
+ port scanner.
.. req::
- :id: R-05470
+ :id: R-21819
:target: VNF
:keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST** provide functionality that enables the Operator to comply
+ with requests for information from law enforcement and government agencies.
- The VNF **MUST** host connectors for access to the database layer.
+VNF Identity and Access Management Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following security requirements for logging, identity, and access
+management need to be met by the solution in a virtual environment:
+
+
+Identity and Access Management Requirements
.. req::
:id: R-99174
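Review bot: The re-added line "Identity and Access Management Requirements" after the section intro has no underline, so it renders as a stray paragraph rather than a heading; either give it an underline in the document's `^^^` style or drop it. Separately, the new R-21819 ("functionality that enables the Operator to comply with requests for information from law enforcement and government agencies") names no concrete capability (what data must be retrievable, for how long, in what form), so it cannot be verified as a MUST; state the expected capability or reference the policy that defines it.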
:id: R-42874
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** comply with Least Privilege (no more
- privilege than required to perform job functions) when persons
- or non-person entities access VNFs.
+ The VNF **MUST** allow the Operator to restrict access based on
+ the assigned permissions associated with an ID in order to support
+ Least Privilege (no more privilege than required to perform job
+ functions).
.. req::
:id: R-71787
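Review bot: The rewritten R-42874 ties Least Privilege to "an ID" where the original explicitly covered both persons and non-person entities; service accounts and machine identities are where over-privilege most often goes unnoticed, so suggest "the assigned permissions associated with a user or non-person entity ID".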
The VNF **MUST NOT** allow vendor access to VNFs remotely.
-.. req::
- :id: R-34552
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** provide or support the Identity and Access
- Management (IDAM) based threat detection data for OWASP Top 10.
-
.. req::
:id: R-59391
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF provider **MUST**, where a VNF provider requires
- the assumption of permissions, such as root or administrator, first
- log in under their individual user login ID then switch to the other
- higher level account; or where the individual user login is infeasible,
- must login with an account with admin privileges in a way that
- uniquely identifies the individual performing the function.
-
-.. req::
- :id: R-80335
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** make visible a Warning Notice: A formal
- statement of resource intent, i.e., a warning notice, upon initial
- access to a VNF provider user who accesses private internal networks
- or Company computer resources, e.g., upon initial logon to an internal
- web site, system or application which requires authentication.
+ The VNF MUST NOT not allow the assumption of the permissions of
+ another account to mask individual accountability.
.. req::
:id: R-64503
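Review bot: R-59391 has a double negative ("MUST NOT not allow"), the keyword is not bolded as in every other requirement, and the metadata still says `:keyword: MUST` while the text is a prohibition. Suggest "The VNF **MUST NOT** allow the assumption of the permissions of another account to mask individual accountability." with `:keyword: MUST NOT`. The removed guidance (log in under an individual ID, then switch to the privileged account) was the concrete mechanism behind that prohibition and is worth keeping as explanatory text.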
The VNF **MUST** provide access controls that allow the Operator
to restrict access to VNF functions and data to authorized entities.
-.. req::
- :id: R-19082
- :target: VNF
- :keyword: MUST NOT
-
- The VNF **MUST NOT** run security testing tools and
- programs, e.g., password cracker, port scanners, hacking tools
- in production, without authorization of the VNF system owner.
-
.. req::
:id: R-85419
:target: VNF
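Review bot: The removed R-19082 prohibited running password crackers, port scanners and similar tools in production without the system owner's authorization; the rewritten R-19082 earlier in this change only requires that the Operator can disable or remove such tools. Those are different controls (a usage rule versus a removal capability), so confirm the prohibition is covered by operator policy elsewhere before dropping it.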
Authorization Server.
.. req::
- :id: R-48080
+ :id: R-75041
:target: VNF
- :keyword: SHOULD
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST**, if not integrated the Operator's Identity and Access
+ Management system, support configurable password expiration.
+
+.. req::
+ :id: R-98391
+ :target: VNF
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST**, if not integrated with the Operator's Identity and
+ Access Management system, support Role-Based Access Control to enforce
+ least privilege.
+
+.. req::
+ :id: R-46908
+ :target: VNF
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST**, if not integrated with the Operator's Identity
+ and Access Management system, comply with "password complexity"
+ policy. When passwords are used, they shall be complex and shall at
+ least meet the following password construction requirements: (1) be a
+ minimum configurable number of characters in length, (2) include 3 of
+ the 4 following types of characters: upper-case alphabetic, lower-case
+ alphabetic, numeric, and special, (3) not be the same as the UserID
+ with which they are associated or other common strings as specified
+ by the environment, (4) not contain repeating or sequential characters
+ or numbers, (5) not to use special characters that may have command
+ functions, and (6) new passwords must not contain sequences of three
+ or more characters from the previous password.
+
+.. req::
+ :id: R-79107
+ :target: VNF
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST**, if not integrated with the Operator's Identity
+ and Access Management system, support the ability to disable the
+ userID after a configurable number of consecutive unsuccessful
+ authentication attempts using the same userID.
- The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol).
VNF API Security Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
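Review bot: R-75041 is missing a word: "if not integrated the Operator's Identity and Access Management system" should read "if not integrated with the Operator's ...", matching R-98391, R-46908 and R-79107 below it. In R-46908, item (5) "not to use special characters" should be "not use special characters" for parallelism with the other items, and items (2) and (5) together should say which special characters are permitted, otherwise they read as contradictory. R-79107 should state whether disabling the user ID is temporary (with a configurable lock duration) or requires an administrator to re-enable it.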
The VNF **SHOULD** integrate with the Operator's authentication and
authorization services (e.g., IDAM).
-.. req::
- :id: R-19804
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** validate the CA signature on the certificate,
- ensure that the date is within the validity period of the certificate,
- check the Certificate Revocation List (CRL), and recognize the identity
- represented by the certificate where PKI-based authentication is used.
-
-.. req::
- :id: R-47204
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** protect the confidentiality and integrity of
- data at rest and in transit from unauthorized access and modification.
-
.. req::
:id: R-33488
:target: VNF
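Review bot: Removing R-19804 leaves certificate validation to R-29977, R-24359, R-39604 and R-75343 (visible at the end of this change), but those are phrased as "provide the capability of testing the validity", whereas R-19804 required the VNF to actually validate the CA signature, validity period, CRL status and presented identity whenever PKI-based authentication is used. A capability that may be left unused is a weaker control than mandatory validation; keep a requirement that the checks are performed on every PKI-based authentication, not merely supported.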
:id: R-54930
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** implement the following input validation
- control: Do not permit input that contains content or characters
- inappropriate to the input expected by the design. Inappropriate input,
- such as SQL insertions, may cause the system to execute undesirable
- and unauthorized transactions against the database or allow other
- inappropriate access to the internal network.
+ The VNF **MUST** implement the following input validation controls:
+ Do not permit input that contains content or characters inappropriate
+ to the input expected by the design. Inappropriate input, such as
+ SQL expressions, may cause the system to execute undesirable and
+ unauthorized transactions against the database or allow other
+ inappropriate access to the internal network (injection attacks).
.. req::
:id: R-21210
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** implement the following input validation
- control: Validate that any input file has a correct and valid
+ The VNF **MUST** implement the following input validation control
+ on APIs: Validate that any input file has a correct and valid
Multipurpose Internet Mail Extensions (MIME) type. Input files
should be tested for spoofed MIME types.
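Review bot: R-21210 mixes normative strengths: the requirement is a MUST but its last sentence says input files "should be tested for spoofed MIME types". Since a spoofed type is exactly how a MIME check is bypassed, make the test part of the MUST (for example "and MUST verify that the file content matches the declared MIME type"). In R-54930 the lead-in now says "controls" (plural) but only one control follows; use the singular or list the others.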
:id: R-58370
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** coexist and operate normally with commercial
- anti-virus software which shall produce alarms every time when there is a
- security incident.
+ The VNF **MUST** operate with anti-virus software which produces
+ alarms every time a virus is detected.
.. req::
:id: R-56920
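Review bot: The new R-58370 wording is ambiguous about the subject of "produces alarms": it can be read as a requirement on the VNF or on the anti-virus product, and "every time a virus is detected" describes the AV vendor's behaviour rather than anything the VNF can be tested for. The removed "coexist and operate normally with" stated the testable property; suggest keeping that and adding that AV detections must be surfaced as alarms to the Operator.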
types of attacks, or integrate with tools that implement anomaly and
abuse detection.
-.. req::
- :id: R-21819
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** support requests for information from law
- enforcement and government agencies.
-
.. req::
:id: R-04492
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** generate security audit logs that must be sent
+ The VNF **MUST** generate security audit logs that can be sent
to Security Analytics Tools for analysis.
.. req::
:id: R-30932
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** provide security audit logs including records
- of successful and rejected system access data and other resource access
- attempts.
+ The VNF **MUST** log successful and unsuccessful access to VNF
+ resources, including data.
.. req::
:id: R-54816
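Review bot: Changing R-04492 from "must be sent" to "can be sent" makes it untestable as a MUST, since any log "can" be sent somewhere; state the property the Operator needs, for example that audit logs are exportable to the Operator's security analytics tools in a machine-readable format. R-30932 now says only "log successful and unsuccessful access to VNF resources, including data"; for the log to be usable for detection it should name the minimum record content (identity, source, timestamp, resource, outcome), otherwise compliance is a matter of interpretation.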
routines to maintain activity records and cleanup programs to ensure
the integrity of the audit/logging systems.
+.. req::
+ :id: R-34552
+ :target: VNF
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST** be implemented so that it is not vulnerable to OWASP
+ Top 10 web application security risks.
+
VNF Data Protection Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
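Review bot: R-34552 references "OWASP Top 10 web application security risks" without an edition; the list is revised every few years, so state the edition (or "the current edition at time of delivery") and that the requirement applies to the VNF's web-based interfaces and APIs. Also, "not vulnerable to" is a claim that cannot be demonstrated; a testable form is that the VNF has been assessed against each category and findings remediated before delivery.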
virtual memory. If not possible to disable the paging of the data
requiring encryption, the virtual memory should be encrypted.
-.. req::
- :id: R-93860
- :target: VNF
- :keyword: MUST
-
- The VNF **MUST** provide the capability to integrate with an
- external encryption service.
-
.. req::
:id: R-73067
:target: VNF
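Review bot: R-93860 is demoted from MUST (removed here) to SHOULD in the version re-added later in this change; a change in normative strength should be called out in the commit message, and the requirement body should say what the VNF does for key management when no external encryption service is integrated.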
:id: R-12467
:target: VNF
:keyword: MUST NOT
+ :updated: casablanca
- The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
- Skipjack algorithms or other compromised encryption.
+ The VNF **MUST NOT** use compromised encryption algorithms.
+ For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms.
+ Acceptable algorithms can be found in the NIST FIPS publications
+ (https://csrc.nist.gov/publications/fips) and in the
+ NIST Special Publications (https://csrc.nist.gov/publications/sp).
.. req::
:id: R-02170
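Review bot: The new R-12467 example sentence is a fragment ("For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms.") and listing "SHA" contradicts the NIST references that follow, since FIPS 180-4 and FIPS 202 approve SHA-2 and SHA-3; only SHA-0 and SHA-1 are deprecated. MD5 and SHA-1 are hash functions, not encryption, so "compromised encryption algorithms" should read "compromised or deprecated cryptographic algorithms", and "DSS" needs clarification because FIPS 186 (the Digital Signature Standard) is itself one of the approved NIST publications being pointed to. Suggest folding the examples into the first sentence: "... cryptographic algorithms, for example MD5, SHA-1 and Skipjack."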
versions of cryptographic algorithms and protocols with minimal impact.
.. req::
- :id: R-44723
+ :id: R-95864
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** use symmetric keys of at least 112 bits in length.
+ The VNF **MUST** support digital certificates that comply with X.509
+ standards.
.. req::
- :id: R-25401
+ :id: R-12110
+ :target: VNF
+ :keyword: MUST NOT
+
+ The VNF **MUST NOT** use keys generated or derived from
+ predictable functions or values, e.g., values considered predictable
+ include user identity information, time of day, stored/transmitted data.
+
+.. req::
+ :id: R-69610
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
+ The VNF **MUST** provide the capability of using X.509 certificates
+ issued by an external Certificate Authority.
.. req::
- :id: R-95864
+ :id: R-47204
:target: VNF
:keyword: MUST
:updated: casablanca
- The VNF **MUST** support digital certificates that comply with X.509
- standards.
+ The VNF **MUST** be capable of protecting the confidentiality and integrity
+ of data at rest and in transit from unauthorized access and modification.
+
+
+VNF Cryptography Requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section covers VNF cryptography requirements that are mostly
+applicable to encryption or protocol meethods.
.. req::
- :id: R-12110
+ :id: R-48080
:target: VNF
- :keyword: MUST NOT
+ :keyword: SHOULD
+ :updated: casablanca
- The VNF **MUST NOT** use keys generated or derived from
- predictable functions or values, e.g., values considered predictable
- include user identity information, time of day, stored/transmitted data.
+ The VNF **SHOULD** support an automated certificate management protocol
+ such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or
+ Automated Certificate Management Environment (ACME).
.. req::
- :id: R-52060
+ :id: R-93860
+ :target: VNF
+ :keyword: SHOULD
+ :updated: casablanca
+
+ The VNF **SHOULD** provide the capability to integrate with an
+ external encryption service.
+
+.. req::
+ :id: R-44723
:target: VNF
:keyword: MUST
+ :updated: casablanca
- The VNF **MUST** provide the capability to configure encryption
- algorithms or devices so that they comply with the laws of the jurisdiction
- in which there are plans to use data encryption.
+ The VNF **MUST** use symmetric keys of at least 112 bits in length.
.. req::
- :id: R-69610
+ :id: R-25401
:target: VNF
:keyword: MUST
:updated: casablanca
- The VNF **MUST** provide the capability of using X.509 certificates
- issued by an external Certificate Authority.
+ The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
+
+.. req::
+ :id: R-52060
+ :target: VNF
+ :keyword: MUST
+ :updated: casablanca
+
+ The VNF **MUST** provide the capability to configure encryption
+ algorithms or devices so that they comply with the laws of the jurisdiction
+ in which there are plans to use data encryption.
.. req::
:id: R-83500
:target: VNF
:keyword: MUST
+ :updated: casablanca
The VNF **MUST** provide the capability of allowing certificate
renewal and revocation.
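Review bot: Typo in the new section intro: "meethods" should be "methods", and "mostly applicable to encryption or protocol methods" says little; suggest "This section covers the cryptographic algorithms, key sizes and certificate handling the VNF must support." Also, R-12110 is moved without an `:updated: casablanca` tag while every other moved requirement in this change (R-95864, R-69610, R-47204, R-48080, R-93860, R-44723, R-25401, R-52060) gets one; add the tag for consistency.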
:id: R-29977
:target: VNF
:keyword: MUST
+ :updated: casablanca
The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the CA signature on the certificate.
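Review bot: R-29977 gets an `:updated: casablanca` tag but no text change is visible in this hunk, and the same holds for R-83500 above and R-24359, R-39604 and R-75343 below; if only metadata changed, confirm the tag is meant to mark metadata-only updates, otherwise readers comparing releases will look for a wording change that is not there.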
:id: R-24359
:target: VNF
:keyword: MUST
+ :updated: casablanca
The VNF **MUST** provide the capability of testing the validity
of a digital certificate by validating the date the certificate is being
:id: R-39604
:target: VNF
:keyword: MUST
+ :updated: casablanca
The VNF **MUST** provide the capability of testing the
validity of a digital certificate by checking the Certificate Revocation
:id: R-75343
:target: VNF
:keyword: MUST
+ :updated: casablanca
The VNF **MUST** provide the capability of testing the
validity of a digital certificate by recognizing the identity represented