author | Bozawglanian, Hagop (hb755d) <hb755d@att.com> | 2018-07-19 21:28:26 +0000 |
---|---|---|
committer | Bozawglanian, Hagop (hb755d) <hb755d@att.com> | 2018-07-24 18:08:03 +0000 |
commit | fef9d88a38e010813c322c0eab4e852b05867f60 (patch) | |
tree | 838d250d5700b297b09e2812dae831840e6172c7 /docs/Chapter4/Security.rst | |
parent | 2fc6ebc537028f72788cf7b169970e1aa3ddfbb0 (diff) |
VNFRQTS - Updating requirements to new structure
Updating the requirements to use the newly developed RST directive
Removing Chapter 7 updates to see if build would work.
Change-Id: I43bffa2b6c0a15e6f2e179c00d39f4ee46c5a046
Issue-ID: VNFRQTS-245
Signed-off-by: Bozawglanian, Hagop (hb755d) <hb755d@att.com>
Diffstat (limited to 'docs/Chapter4/Security.rst')
-rw-r--r-- | docs/Chapter4/Security.rst | 1694 |
1 files changed, 1284 insertions, 410 deletions
diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index a0691ae..7ea5612 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst 
@@ -64,119 +64,301 @@ expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. -* R-23740 The VNF **MUST** accommodate the security principle of - “least privilege” during development, implementation and operation. - The importance of “least privilege” cannot be overstated and must be - observed in all aspects of VNF development and not limited to security. - This is applicable to all sections of this document. -* R-61354 The VNF **MUST** implement access control list for OA&M - services (e.g., restricting access to certain ports or applications). -* R-85633 The VNF **MUST** implement Data Storage Encryption - (database/disk encryption) for Sensitive Personal Information (SPI) - and other subscriber identifiable data. Note: subscriber’s SPI/data - must be encrypted at rest, and other subscriber identifiable data - should be encrypted at rest. Other data protection requirements exist - and should be well understood by the developer. -* R-92207 The VNF **SHOULD** implement a mechanism for automated and - frequent "system configuration (automated provisioning / closed loop)" - auditing. -* R-23882 The VNF **SHOULD** be scanned using both network scanning - and application scanning security tools on all code, including underlying - OS and related configuration. Scan reports shall be provided. Remediation - roadmaps shall be made available for any findings. -* R-46986 The VNF **SHOULD** have source code scanned using scanning - tools (e.g., Fortify) and provide reports. -* R-55830 The VNF **MUST** distribute all production code from NCSP - internal sources only. No production code, libraries, OS images, etc. - shall be distributed from publically accessible depots. -* R-99771 The VNF **MUST** provide all code/configuration files in a - "Locked down" or hardened state or with documented recommendations for - such hardening. All unnecessary services will be disabled. 
VNF provider - default credentials, community strings and other such artifacts will be - removed or disclosed so that they can be modified or removed during - provisioning. -* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of - traffic by application (dropping packets not belonging to the VPN) (i.e., - AVPN, IPSec VPN for Internet routes). -* R-33981 The VNF **SHOULD** interoperate with various access control - mechanisms for the Network Cloud execution environment (e.g., - Hypervisors, containers). -* R-40813 The VNF **SHOULD** support the use of virtual trusted platform - module, hypervisor security testing and standards scanning tools. -* R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that - it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual - routing and forwarding rules. -* R-26586 The VNF **SHOULD** support the ability to work with aliases - (e.g., gateways, proxies) to protect and encapsulate resources. -* R-49956 The VNF **MUST** pass all access to applications (Bearer, - signaling and OA&M) through various security tools and platforms from - ACLs, stateful firewalls and application layer gateways depending on - manner of deployment. The application is expected to function (and in - some cases, interwork) with these security tools. -* R-69649 The VNF **MUST** have all vulnerabilities patched as soon - as possible. Patching shall be controlled via change control process - with vulnerabilities disclosed along with mitigation recommendations. -* R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification, - authentication and access control of customer or VNF application users. -* R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with - the requirements if not using the NCSP’s IDAM API, for identification, - authentication and access control of OA&M and other system level - functions. 
-* R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support - User-IDs and passwords to uniquely identify the user/application. VNF - needs to have appropriate connectors to the Identity, Authentication - and Authorization systems that enables access at OS, Database and - Application levels as appropriate. -* R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide - the ability to support Multi-Factor Authentication (e.g., 1st factor = - Software token on device (RSA SecureID); 2nd factor = User Name+Password, - etc.) for the users. -* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support - Role-Based Access Control to permit/limit the user/application to - performing specific activities. -* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support - logging via ONAP for a historical view of “who did what and when”. -* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt - OA&M access (e.g., SSH, SFTP). -* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce - a configurable maximum number of Login attempts policy for the users. - VNF provider must comply with "terminate idle sessions" policy. - Interactive sessions must be terminated, or a secure, locking screensaver - must be activated requiring authentication, after a configurable period - of inactivity. The system-based inactivity timeout for the enterprise - identity and access management system must also be configurable. -* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with the NCSP’s credential management policy. -* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire - passwords at regular configurable intervals. -* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "password complexity" policy. 
When passwords are used, they shall - be complex and shall at least meet the following password construction - requirements: (1) be a minimum configurable number of characters in - length, (2) include 3 of the 4 following types of characters: - upper-case alphabetic, lower-case alphabetic, numeric, and special, - (3) not be the same as the UserID with which they are associated or - other common strings as specified by the environment, (4) not contain - repeating or sequential characters or numbers, (5) not to use special - characters that may have command functions, and (6) new passwords must - not contain sequences of three or more characters from the previous - password. -* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "password changes (includes default passwords)" policy. Products - will support password aging, syntax and other credential management - practices on a configurable basis. -* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support - use of common third party authentication and authorization tools such - as TACACS+, RADIUS. -* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "No Self-Signed Certificates" policy. Self-signed certificates - must be used for encryption only, using specified and approved - encryption protocols such as TLS 1.2 or higher or equivalent security - protocols such as IPSec, AES. -* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, - authenticate system to system communications where one system - accesses the resources of another system, and must never conceal - individual accountability. + +.. req:: + :id: R-23740 + :target: VNF + :keyword: MUST + + The VNF **MUST** accommodate the security principle of + "least privilege" during development, implementation and operation. + The importance of "least privilege" cannot be overstated and must be + observed in all aspects of VNF development and not limited to security. 
+ This is applicable to all sections of this document. + +.. req:: + :id: R-61354 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement access control list for OA&M + services (e.g., restricting access to certain ports or applications). + +.. req:: + :id: R-85633 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement Data Storage Encryption + (database/disk encryption) for Sensitive Personal Information (SPI) + and other subscriber identifiable data. + + Note: Subscribers SPI/data must be encrypted at rest, and other + subscriber identifiable data should be encrypted at rest. Other + data protection requirements exist and should be well understood + by the developer. + +.. req:: + :id: R-92207 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** implement a mechanism for automated and + frequent "system configuration (automated provisioning / closed loop)" + auditing. + +.. req:: + :id: R-23882 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** be scanned using both network scanning + and application scanning security tools on all code, including underlying + OS and related configuration. Scan reports shall be provided. Remediation + roadmaps shall be made available for any findings. + +.. req:: + :id: R-46986 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** have source code scanned using scanning + tools (e.g., Fortify) and provide reports. + +.. req:: + :id: R-55830 + :target: VNF + :keyword: MUST + + The VNF **MUST** distribute all production code from NCSP + internal sources only. No production code, libraries, OS images, etc. + shall be distributed from publically accessible depots. + +.. req:: + :id: R-99771 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide all code/configuration files in a + "Locked down" or hardened state or with documented recommendations for + such hardening. All unnecessary services will be disabled. 
VNF provider + default credentials, community strings and other such artifacts will be + removed or disclosed so that they can be modified or removed during + provisioning. + +.. req:: + :id: R-19768 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** support L3 VPNs that enable segregation of + traffic by application (dropping packets not belonging to the VPN) (i.e., + AVPN, IPSec VPN for Internet routes). + +.. req:: + :id: R-33981 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** interoperate with various access control + mechanisms for the Network Cloud execution environment (e.g., + Hypervisors, containers). + +.. req:: + :id: R-40813 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** support the use of virtual trusted platform + module, hypervisor security testing and standards scanning tools. + +.. req:: + :id: R-56904 + :target: VNF + :keyword: MUST + + The VNF **MUST** interoperate with the ONAP (SDN) Controller so that + it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual + routing and forwarding rules. + +.. req:: + :id: R-26586 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** support the ability to work with aliases + (e.g., gateways, proxies) to protect and encapsulate resources. + +.. req:: + :id: R-49956 + :target: VNF + :keyword: MUST + + The VNF **MUST** pass all access to applications (Bearer, + signaling and OA&M) through various security tools and platforms from + ACLs, stateful firewalls and application layer gateways depending on + manner of deployment. The application is expected to function (and in + some cases, interwork) with these security tools. + +.. req:: + :id: R-69649 + :target: VNF + :keyword: MUST + + The VNF **MUST** have all vulnerabilities patched as soon + as possible. Patching shall be controlled via change control process + with vulnerabilities disclosed along with mitigation recommendations. + +.. 
req:: + :id: R-78010 + :target: VNF + :keyword: MUST + + The VNF **MUST** use the NCSP's IDAM API for Identification, + authentication and access control of customer or VNF application users. + +.. req:: + :id: R-42681 + :target: VNF + :keyword: MUST + + The VNF **MUST** use the NCSP's IDAM API or comply with + the requirements if not using the NCSP's IDAM API, for identification, + authentication and access control of OA&M and other system level + functions. + +.. req:: + :id: R-68589 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, support + User-IDs and passwords to uniquely identify the user/application. VNF + needs to have appropriate connectors to the Identity, Authentication + and Authorization systems that enables access at OS, Database and + Application levels as appropriate. + +.. req:: + :id: R-52085 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, provide + the ability to support Multi-Factor Authentication (e.g., 1st factor = + Software token on device (RSA SecureID); 2nd factor = User Name+Password, + etc.) for the users. + +.. req:: + :id: R-98391 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, support + Role-Based Access Control to permit/limit the user/application to + performing specific activities. + +.. req:: + :id: R-63217 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, support + logging via ONAP for a historical view of "who did what and when." + +.. req:: + :id: R-62498 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSPs IDAM API, encrypt + OA&M access (e.g., SSH, SFTP). + +.. req:: + :id: R-79107 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, enforce + a configurable maximum number of Login attempts policy for the users. + VNF provider must comply with "terminate idle sessions" policy. 
+ Interactive sessions must be terminated, or a secure, locking screensaver + must be activated requiring authentication, after a configurable period + of inactivity. The system-based inactivity timeout for the enterprise + identity and access management system must also be configurable. + +.. req:: + :id: R-35144 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, comply + with the NCSP's credential management policy. + +.. req:: + :id: R-75041 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, expire + passwords at regular configurable intervals. + +.. req:: + :id: R-46908 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, comply + with "password complexity" policy. When passwords are used, they shall + be complex and shall at least meet the following password construction + requirements: (1) be a minimum configurable number of characters in + length, (2) include 3 of the 4 following types of characters: + upper-case alphabetic, lower-case alphabetic, numeric, and special, + (3) not be the same as the UserID with which they are associated or + other common strings as specified by the environment, (4) not contain + repeating or sequential characters or numbers, (5) not to use special + characters that may have command functions, and (6) new passwords must + not contain sequences of three or more characters from the previous + password. + +.. req:: + :id: R-39342 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, comply + with "password changes (includes default passwords)" policy. Products + will support password aging, syntax and other credential management + practices on a configurable basis. + +.. req:: + :id: R-40521 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, support + use of common third party authentication and authorization tools such + as TACACS+, RADIUS. + +.. 
req:: + :id: R-41994 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, comply + with "No Self-Signed Certificates" policy. Self-signed certificates + must be used for encryption only, using specified and approved + encryption protocols such as TLS 1.2 or higher or equivalent security + protocols such as IPSec, AES. + +.. req:: + :id: R-23135 + :target: VNF + :keyword: MUST + + The VNF **MUST**, if not using the NCSP's IDAM API, + authenticate system to system communications where one system + accesses the resources of another system, and must never conceal + individual accountability. VNF Identity and Access Management Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -187,101 +369,307 @@ management need to be met by the solution in a virtual environment: Identity and Access Management Requirements -* R-95105 The VNF **MUST** host connectors for access to the application - layer. -* R-45496 The VNF **MUST** host connectors for access to the OS - (Operating System) layer. -* R-05470 The VNF **MUST** host connectors for access to the database layer. -* R-99174 The VNF **MUST** comply with Individual Accountability - (each person must be assigned a unique ID) when persons or non-person - entities access VNFs. -* R-42874 The VNF **MUST** comply with Least Privilege (no more - privilege than required to perform job functions) when persons - or non-person entities access VNFs. -* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a - single layer and no developer may access production without special - oversight) when persons or non-person entities access VNFs. -* R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely. -* R-49945 The VNF **MUST** authorize VNF provider access through a - client application API by the client application owner and the resource - owner of the VNF before provisioning authorization through Role Based - Access Control (RBAC), Attribute Based Access Control (ABAC), or other - policy based mechanism. -* R-31751 The VNF **MUST** subject VNF provider access to privilege - reconciliation tools to prevent access creep and ensure correct - enforcement of access policies. -* R-34552 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for OWASP Top 10. -* R-29301 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Password Attacks. -* R-72243 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Phishing / SMishing. 
-* R-58998 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Malware (Key Logger). -* R-14025 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Session Hijacking. -* R-31412 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for XSS / CSRF. -* R-51883 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Replay. -* R-44032 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Man in the Middle (MITM). -* R-58977 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Eavesdropping. -* R-24825 The VNF **MUST** provide Context awareness data (device, - location, time, etc.) and be able to integrate with threat detection system. -* R-59391 The VNF provider **MUST**, where a VNF provider requires - the assumption of permissions, such as root or administrator, first - log in under their individual user login ID then switch to the other - higher level account; or where the individual user login is infeasible, - must login with an account with admin privileges in a way that - uniquely identifies the individual performing the function. -* R-85028 The VNF **MUST** authenticate system to system access and - do not conceal a VNF provider user’s individual accountability for - transactions. -* R-80335 The VNF **MUST** make visible a Warning Notice: A formal - statement of resource intent, i.e., a warning notice, upon initial - access to a VNF provider user who accesses private internal networks - or Company computer resources, e.g., upon initial logon to an internal - web site, system or application which requires authentication. 
-* R-73541 The VNF **MUST** use access controls for VNFs and their - supporting computing systems at all times to restrict access to - authorized personnel only, e.g., least privilege. These controls - could include the use of system configuration or access control - software. -* R-64503 The VNF **MUST** provide minimum privileges for initial - and default settings for new user accounts. -* R-86835 The VNF **MUST** set the default settings for user access - to sensitive commands and data to deny authorization. -* R-77157 The VNF **MUST** conform to approved request, workflow - authorization, and authorization provisioning requirements when - creating privileged users. -* R-81147 The VNF **MUST** have greater restrictions for access and - execution, such as up to 3 factors of authentication and restricted - authorization, for commands affecting network services, such as - commands relating to VNFs. -* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) - transmission of data on internal and external networks. -* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. -* R-15671 The VNF **MUST NOT** provide public or unrestricted access - to any data without the permission of the data owner. All data - classification and access controls must be followed. -* R-89753 The VNF **MUST NOT** install or use systems, tools or - utilities capable of capturing or logging data that was not created - by them or sent specifically to them in production, without - authorization of the VNF system owner. -* R-19082 The VNF **MUST NOT** run security testing tools and - programs, e.g., password cracker, port scanners, hacking tools - in production, without authorization of the VNF system owner. -* R-19790 The VNF **MUST NOT** include authentication credentials - in security audit logs, even if encrypted. 
-* R-85419 The VNF **SHOULD** use REST APIs exposed to Client - Applications for the implementation of OAuth 2.0 Authorization - Code Grant and Client Credentials Grant, as the standard interface - for a VNF. -* R-48080 The VNF **SHOULD** support SCEP (Simple Certificate - Enrollment Protocol). +.. req:: + :id: R-95105 + :target: VNF + :keyword: MUST + + The VNF **MUST** host connectors for access to the application layer. + +.. req:: + :id: R-45496 + :target: VNF + :keyword: MUST + + The VNF **MUST** host connectors for access to the OS (Operating System) layer. + +.. req:: + :id: R-05470 + :target: VNF + :keyword: MUST + + The VNF **MUST** host connectors for access to the database layer. + +.. req:: + :id: R-99174 + :target: VNF + :keyword: MUST + + The VNF **MUST** comply with Individual Accountability + (each person must be assigned a unique ID) when persons or non-person + entities access VNFs. + +.. req:: + :id: R-42874 + :target: VNF + :keyword: MUST + + The VNF **MUST** comply with Least Privilege (no more + privilege than required to perform job functions) when persons + or non-person entities access VNFs. + +.. req:: + :id: R-71787 + :target: VNF + :keyword: MUST + + The VNF **MUST** comply with Segregation of Duties (access to a + single layer and no developer may access production without special + oversight) when persons or non-person entities access VNFs. + +.. req:: + :id: R-86261 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** allow vendor access to VNFs remotely. + +.. req:: + :id: R-49945 + :target: VNF + :keyword: MUST + + The VNF **MUST** authorize VNF provider access through a + client application API by the client application owner and the resource + owner of the VNF before provisioning authorization through Role Based + Access Control (RBAC), Attribute Based Access Control (ABAC), or other + policy based mechanism. + +.. 
req:: + :id: R-31751 + :target: VNF + :keyword: MUST + + The VNF **MUST** subject VNF provider access to privilege + reconciliation tools to prevent access creep and ensure correct + enforcement of access policies. + +.. req:: + :id: R-34552 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for OWASP Top 10. + +.. req:: + :id: R-29301 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Password Attacks. + +.. req:: + :id: R-72243 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Phishing / SMishing. + +.. req:: + :id: R-58998 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Malware (Key Logger). + +.. req:: + :id: R-14025 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Session Hijacking. + +.. req:: + :id: R-31412 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for XSS / CSRF. + +.. req:: + :id: R-51883 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Replay. + +.. req:: + :id: R-44032 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Man in the Middle (MITM). + +.. req:: + :id: R-58977 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Eavesdropping. + +.. 
req:: + :id: R-24825 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide Context awareness data (device, + location, time, etc.) and be able to integrate with threat detection system. + +.. req:: + :id: R-59391 + :target: VNF + :keyword: MUST + + The VNF provider **MUST**, where a VNF provider requires + the assumption of permissions, such as root or administrator, first + log in under their individual user login ID then switch to the other + higher level account; or where the individual user login is infeasible, + must login with an account with admin privileges in a way that + uniquely identifies the individual performing the function. + +.. req:: + :id: R-85028 + :target: VNF + :keyword: MUST + + The VNF **MUST** authenticate system to system access and + do not conceal a VNF provider user's individual accountability for + transactions. + +.. req:: + :id: R-80335 + :target: VNF + :keyword: MUST + + The VNF **MUST** make visible a Warning Notice: A formal + statement of resource intent, i.e., a warning notice, upon initial + access to a VNF provider user who accesses private internal networks + or Company computer resources, e.g., upon initial logon to an internal + web site, system or application which requires authentication. + +.. req:: + :id: R-73541 + :target: VNF + :keyword: MUST + + The VNF **MUST** use access controls for VNFs and their + supporting computing systems at all times to restrict access to + authorized personnel only, e.g., least privilege. These controls + could include the use of system configuration or access control + software. + +.. req:: + :id: R-64503 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide minimum privileges for initial + and default settings for new user accounts. + +.. req:: + :id: R-86835 + :target: VNF + :keyword: MUST + + The VNF **MUST** set the default settings for user access + to sensitive commands and data to deny authorization. + +.. 
req:: + :id: R-77157 + :target: VNF + :keyword: MUST + + The VNF **MUST** conform to approved request, workflow + authorization, and authorization provisioning requirements when + creating privileged users. + +.. req:: + :id: R-81147 + :target: VNF + :keyword: MUST + + The VNF **MUST** have greater restrictions for access and + execution, such as up to 3 factors of authentication and restricted + authorization, for commands affecting network services, such as + commands relating to VNFs. + +.. req:: + :id: R-49109 + :target: VNF + :keyword: MUST + + The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) + transmission of data on internal and external networks. + +.. req:: + :id: R-39562 + :target: VNF + :keyword: MUST + + The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. + +.. req:: + :id: R-15671 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** provide public or unrestricted access + to any data without the permission of the data owner. All data + classification and access controls must be followed. + +.. req:: + :id: R-89753 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** install or use systems, tools or + utilities capable of capturing or logging data that was not created + by them or sent specifically to them in production, without + authorization of the VNF system owner. + +.. req:: + :id: R-19082 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** run security testing tools and + programs, e.g., password cracker, port scanners, hacking tools + in production, without authorization of the VNF system owner. + +.. req:: + :id: R-19790 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** include authentication credentials + in security audit logs, even if encrypted. + +.. 
req:: + :id: R-85419 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** use REST APIs exposed to Client + Applications for the implementation of OAuth 2.0 Authorization + Code Grant and Client Credentials Grant, as the standard interface + for a VNF. + +.. req:: + :id: R-48080 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol). VNF API Security Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -299,49 +687,139 @@ security requirements: API Requirements -* R-37608 The VNF **MUST** provide a mechanism to restrict access based - on the attributes of the VNF and the attributes of the subject. -* R-43884 The VNF **MUST** integrate with external authentication - and authorization services (e.g., IDAM). -* R-25878 The VNF **MUST** use certificates issued from publicly - recognized Certificate Authorities (CA) for the authentication process - where PKI-based authentication is used. -* R-19804 The VNF **MUST** validate the CA signature on the certificate, - ensure that the date is within the validity period of the certificate, - check the Certificate Revocation List (CRL), and recognize the identity - represented by the certificate where PKI-based authentication is used. -* R-47204 The VNF **MUST** protect the confidentiality and integrity of - data at rest and in transit from unauthorized access and modification. -* R-33488 The VNF **MUST** protect against all denial of service - attacks, both volumetric and non-volumetric, or integrate with external - denial of service protection tools. -* R-21652 The VNF **MUST** implement the following input validation - control: Check the size (length) of all input. Do not permit an amount - of input so great that it would cause the VNF to fail. Where the input - may be a file, the VNF API must enforce a size limit. -* R-54930 The VNF **MUST** implement the following input validation - control: Do not permit input that contains content or characters - inappropriate to the input expected by the design. Inappropriate input, - such as SQL insertions, may cause the system to execute undesirable - and unauthorized transactions against the database or allow other - inappropriate access to the internal network. -* R-21210 The VNF **MUST** implement the following input validation - control: Validate that any input file has a correct and valid - Multipurpose Internet Mail Extensions (MIME) type. 
Input files - should be tested for spoofed MIME types. -* R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs. -* R-87135 The VNF **MUST** comply with NIST standards and industry - best practices for all implementations of cryptography. -* R-02137 The VNF **MUST** implement all monitoring and logging as - described in the Security Analytics section. -* R-15659 The VNF **MUST** restrict changing the criticality level of - a system security alarm to administrator(s). -* R-19367 The VNF **MUST** monitor API invocation patterns to detect - anomalous access patterns that may represent fraudulent access or - other types of attacks, or integrate with tools that implement anomaly - and abuse detection. -* R-78066 The VNF **MUST** support requests for information from law - enforcement and government agencies. + +.. req:: + :id: R-37608 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide a mechanism to restrict access based + on the attributes of the VNF and the attributes of the subject. + +.. req:: + :id: R-43884 + :target: VNF + :keyword: MUST + + The VNF **MUST** integrate with external authentication + and authorization services (e.g., IDAM). + +.. req:: + :id: R-25878 + :target: VNF + :keyword: MUST + + The VNF **MUST** use certificates issued from publicly + recognized Certificate Authorities (CA) for the authentication process + where PKI-based authentication is used. + +.. req:: + :id: R-19804 + :target: VNF + :keyword: MUST + + The VNF **MUST** validate the CA signature on the certificate, + ensure that the date is within the validity period of the certificate, + check the Certificate Revocation List (CRL), and recognize the identity + represented by the certificate where PKI-based authentication is used. + +.. req:: + :id: R-47204 + :target: VNF + :keyword: MUST + + The VNF **MUST** protect the confidentiality and integrity of + data at rest and in transit from unauthorized access and modification. + +.. 
req:: + :id: R-33488 + :target: VNF + :keyword: MUST + + The VNF **MUST** protect against all denial of service + attacks, both volumetric and non-volumetric, or integrate with external + denial of service protection tools. + +.. req:: + :id: R-21652 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement the following input validation + control: Check the size (length) of all input. Do not permit an amount + of input so great that it would cause the VNF to fail. Where the input + may be a file, the VNF API must enforce a size limit. + +.. req:: + :id: R-54930 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement the following input validation + control: Do not permit input that contains content or characters + inappropriate to the input expected by the design. Inappropriate input, + such as SQL insertions, may cause the system to execute undesirable + and unauthorized transactions against the database or allow other + inappropriate access to the internal network. + +.. req:: + :id: R-21210 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement the following input validation + control: Validate that any input file has a correct and valid + Multipurpose Internet Mail Extensions (MIME) type. Input files + should be tested for spoofed MIME types. + +.. req:: + :id: R-23772 + :target: VNF + :keyword: MUST + + The VNF **MUST** validate input at all layers implementing VNF APIs. + +.. req:: + :id: R-87135 + :target: VNF + :keyword: MUST + + The VNF **MUST** comply with NIST standards and industry + best practices for all implementations of cryptography. + +.. req:: + :id: R-02137 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement all monitoring and logging as + described in the Security Analytics section. + +.. req:: + :id: R-15659 + :target: VNF + :keyword: MUST + + The VNF **MUST** restrict changing the criticality level of + a system security alarm to administrator(s). + +.. 
req:: + :id: R-19367 + :target: VNF + :keyword: MUST + + The VNF **MUST** monitor API invocation patterns to detect + anomalous access patterns that may represent fraudulent access or + other types of attacks, or integrate with tools that implement anomaly + and abuse detection. + +.. req:: + :id: R-78066 + :target: VNF + :keyword: MUST + + The VNF **MUST** support requests for information from law + enforcement and government agencies. VNF Security Analytics Requirements 
@@ -391,111 +869,374 @@ solution in a virtual environment. Security Analytics Requirements -* R-48470 The VNF **MUST** support Real-time detection and - notification of security events. -* R-22286 The VNF **MUST** support Integration functionality via - API/Syslog/SNMP to other functional modules in the network (e.g., - PCRF, PCEF) that enable dynamic security control by blocking the - malicious traffic or malicious end users -* R-32636 The VNF **MUST** support API-based monitoring to take care of - the scenarios where the control interfaces are not exposed, or are - optimized and proprietary in nature. -* R-61648 The VNF **MUST** support event logging, formats, and delivery - tools to provide the required degree of event data to ONAP -* R-22367 The VNF **MUST** support detection of malformed packets due to - software misconfiguration or software vulnerability. -* R-31961 The VNF **MUST** support integrated DPI/monitoring functionality - as part of VNFs (e.g., PGW, MME). -* R-20912 The VNF **MUST** support alternative monitoring capabilities - when VNFs do not expose data or control traffic or use proprietary and - optimized protocols for inter VNF communication. -* R-73223 The VNF **MUST** support proactive monitoring to detect and - report the attacks on resources so that the VNFs and associated VMs can - be isolated, such as detection techniques for resource exhaustion, namely - OS resource attacks, CPU attacks, consumption of kernel memory, local - storage attacks. -* R-58370 The VNF **MUST** coexist and operate normally with commercial - anti-virus software which shall produce alarms every time when there is a - security incident. -* R-56920 The VNF **MUST** protect all security audit logs (including - API, OS and application-generated logs), security audit software, data, - and associated documentation from modification, or unauthorized viewing, - by standard OS access control mechanisms, by sending to a remote system, - or by encryption. 
-* R-54520 The VNF **MUST** log successful and unsuccessful login attempts. -* R-55478 The VNF **MUST** log logoffs. -* R-08598 The VNF **MUST** log successful and unsuccessful changes to - a privilege level. -* R-13344 The VNF **MUST** log starting and stopping of security - logging. -* R-07617 The VNF **MUST** log creating, removing, or changing the - inherent privilege level of users. -* R-94525 The VNF **MUST** log connections to a network listener of the - resource. -* R-31614 The VNF **MUST** log the field “event type” in the security - audit logs. -* R-97445 The VNF **MUST** log the field “date/time” in the security - audit logs. -* R-25547 The VNF **MUST** log the field “protocol” in the security audit logs. -* R-06413 The VNF **MUST** log the field “service or program used for - access” in the security audit logs. -* R-15325 The VNF **MUST** log the field “success/failure” in the - security audit logs. -* R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs. -* R-04982 The VNF **MUST NOT** include an authentication credential, - e.g., password, in the security audit logs, even if encrypted. -* R-63330 The VNF **MUST** detect when the security audit log storage - medium is approaching capacity (configurable) and issue an alarm via - SMS or equivalent as to allow time for proper actions to be taken to - pre-empt loss of audit data. -* R-41252 The VNF **MUST** support the capability of online storage of - security audit logs. 
-* R-41825 The VNF **MUST** activate security alarms automatically when - the following event is detected: configurable number of consecutive - unsuccessful login attempts -* R-43332 The VNF **MUST** activate security alarms automatically when - the following event is detected: successful modification of critical - system or application files -* R-74958 The VNF **MUST** activate security alarms automatically when - the following event is detected: unsuccessful attempts to gain permissions - or assume the identity of another user -* R-15884 The VNF **MUST** include the field “date” in the Security alarms - (where applicable and technically feasible). -* R-23957 The VNF **MUST** include the field “time” in the Security alarms - (where applicable and technically feasible). -* R-71842 The VNF **MUST** include the field “service or program used for - access” in the Security alarms (where applicable and technically feasible). -* R-57617 The VNF **MUST** include the field “success/failure” in the - Security alarms (where applicable and technically feasible). -* R-99730 The VNF **MUST** include the field “Login ID” in the Security - alarms (where applicable and technically feasible). -* R-29705 The VNF **MUST** restrict changing the criticality level of a - system security alarm to administrator(s). -* R-13627 The VNF **MUST** monitor API invocation patterns to detect - anomalous access patterns that may represent fraudulent access or other - types of attacks, or integrate with tools that implement anomaly and - abuse detection. -* R-21819 The VNF **MUST** support requests for information from law - enforcement and government agencies. -* R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation - (without human intervention) for Known Threats with detection rate in low - false positives. -* R-25094 The VNF **MUST** perform data capture for security functions. 
-* R-04492 The VNF **MUST** generate security audit logs that must be sent - to Security Analytics Tools for analysis. -* R-19219 The VNF **MUST** provide audit logs that include user ID, dates, - times for log-on and log-off, and terminal location at minimum. -* R-30932 The VNF **MUST** provide security audit logs including records - of successful and rejected system access data and other resource access - attempts. -* R-54816 The VNF **MUST** support the storage of security audit logs - for agreed period of time for forensic analysis. -* R-57271 The VNF **MUST** provide the capability of generating security - audit logs by interacting with the operating system (OS) as appropriate. -* R-84160 The VNF **MUST** have security logging for VNFs and their - OSs be active from initialization. Audit logging includes automatic - routines to maintain activity records and cleanup programs to ensure - the integrity of the audit/logging systems. + +.. req:: + :id: R-48470 + :target: VNF + :keyword: MUST + + The VNF **MUST** support Real-time detection and + notification of security events. + +.. req:: + :id: R-22286 + :target: VNF + :keyword: MUST + + The VNF **MUST** support Integration functionality via + API/Syslog/SNMP to other functional modules in the network (e.g., + PCRF, PCEF) that enable dynamic security control by blocking the + malicious traffic or malicious end users. + +.. req:: + :id: R-32636 + :target: VNF + :keyword: MUST + + The VNF **MUST** support API-based monitoring to take care of + the scenarios where the control interfaces are not exposed, or are + optimized and proprietary in nature. + +.. req:: + :id: R-61648 + :target: VNF + :keyword: MUST + + The VNF **MUST** support event logging, formats, and delivery + tools to provide the required degree of event data to ONAP. + +.. req:: + :id: R-22367 + :target: VNF + :keyword: MUST + + The VNF **MUST** support detection of malformed packets due to + software misconfiguration or software vulnerability. + +.. 
req:: + :id: R-31961 + :target: VNF + :keyword: MUST + + The VNF **MUST** support integrated DPI/monitoring functionality + as part of VNFs (e.g., PGW, MME). + +.. req:: + :id: R-20912 + :target: VNF + :keyword: MUST + + The VNF **MUST** support alternative monitoring capabilities + when VNFs do not expose data or control traffic or use proprietary and + optimized protocols for inter VNF communication. + +.. req:: + :id: R-73223 + :target: VNF + :keyword: MUST + + The VNF **MUST** support proactive monitoring to detect and + report the attacks on resources so that the VNFs and associated VMs can + be isolated, such as detection techniques for resource exhaustion, namely + OS resource attacks, CPU attacks, consumption of kernel memory, local + storage attacks. + +.. req:: + :id: R-58370 + :target: VNF + :keyword: MUST + + The VNF **MUST** coexist and operate normally with commercial + anti-virus software which shall produce alarms every time when there is a + security incident. + +.. req:: + :id: R-56920 + :target: VNF + :keyword: MUST + + The VNF **MUST** protect all security audit logs (including + API, OS and application-generated logs), security audit software, data, + and associated documentation from modification, or unauthorized viewing, + by standard OS access control mechanisms, by sending to a remote system, + or by encryption. + +.. req:: + :id: R-54520 + :target: VNF + :keyword: MUST + + The VNF **MUST** log successful and unsuccessful login attempts. + +.. req:: + :id: R-55478 + :target: VNF + :keyword: MUST + + The VNF **MUST** log logoffs. + +.. req:: + :id: R-08598 + :target: VNF + :keyword: MUST + + The VNF **MUST** log successful and unsuccessful changes to a privilege level. + +.. req:: + :id: R-13344 + :target: VNF + :keyword: MUST + + The VNF **MUST** log starting and stopping of security + logging. + +.. 
req:: + :id: R-07617 + :target: VNF + :keyword: MUST + + The VNF **MUST** log creating, removing, or changing the + inherent privilege level of users. + +.. req:: + :id: R-94525 + :target: VNF + :keyword: MUST + + The VNF **MUST** log connections to a network listener of the + resource. + +.. req:: + :id: R-31614 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "event type" in the security audit + logs. + +.. req:: + :id: R-97445 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "date/time" in the security audit + logs. + +.. req:: + :id: R-25547 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "protocol" in the security audit logs. + +.. req:: + :id: R-06413 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "service or program used for access" + in the security audit logs. + +.. req:: + :id: R-15325 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "success/failure" in the + security audit logs. + +.. req:: + :id: R-89474 + :target: VNF + :keyword: MUST + + The VNF **MUST** log the field "Login ID" in the security audit logs. + +.. req:: + :id: R-04982 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** include an authentication credential, + e.g., password, in the security audit logs, even if encrypted. + +.. req:: + :id: R-63330 + :target: VNF + :keyword: MUST + + The VNF **MUST** detect when the security audit log storage + medium is approaching capacity (configurable) and issue an alarm via + SMS or equivalent as to allow time for proper actions to be taken to + pre-empt loss of audit data. + +.. req:: + :id: R-41252 + :target: VNF + :keyword: MUST + + The VNF **MUST** support the capability of online storage of + security audit logs. + +.. req:: + :id: R-41825 + :target: VNF + :keyword: MUST + + The VNF **MUST** activate security alarms automatically when + the following event is detected: configurable number of consecutive + unsuccessful login attempts. + +.. 
req:: + :id: R-43332 + :target: VNF + :keyword: MUST + + The VNF **MUST** activate security alarms automatically when + the following event is detected: successful modification of critical + system or application files. + +.. req:: + :id: R-74958 + :target: VNF + :keyword: MUST + + The VNF **MUST** activate security alarms automatically when + the following event is detected: unsuccessful attempts to gain permissions + or assume the identity of another user. + +.. req:: + :id: R-15884 + :target: VNF + :keyword: MUST + + The VNF **MUST** include the field "date" in the Security alarms + (where applicable and technically feasible). + +.. req:: + :id: R-23957 + :target: VNF + :keyword: MUST + + The VNF **MUST** include the field "time" in the Security alarms + (where applicable and technically feasible). + +.. req:: + :id: R-71842 + :target: VNF + :keyword: MUST + + The VNF **MUST** include the field "service or program used for + access" in the Security alarms (where applicable and technically feasible). + +.. req:: + :id: R-57617 + :target: VNF + :keyword: MUST + + The VNF **MUST** include the field "success/failure" in the + Security alarms (where applicable and technically feasible). + +.. req:: + :id: R-99730 + :target: VNF + :keyword: MUST + + The VNF **MUST** include the field "Login ID" in the Security + alarms (where applicable and technically feasible). + +.. req:: + :id: R-29705 + :target: VNF + :keyword: MUST + + The VNF **MUST** restrict changing the criticality level of a + system security alarm to administrator(s). + +.. req:: + :id: R-13627 + :target: VNF + :keyword: MUST + + The VNF **MUST** monitor API invocation patterns to detect + anomalous access patterns that may represent fraudulent access or other + types of attacks, or integrate with tools that implement anomaly and + abuse detection. + +.. req:: + :id: R-21819 + :target: VNF + :keyword: MUST + + The VNF **MUST** support requests for information from law + enforcement and government agencies. 
+ +.. req:: + :id: R-56786 + :target: VNF + :keyword: MUST + + The VNF **MUST** implement "Closed Loop" automatic implementation + (without human intervention) for Known Threats with detection rate in low + false positives. + +.. req:: + :id: R-25094 + :target: VNF + :keyword: MUST + + The VNF **MUST** perform data capture for security functions. + +.. req:: + :id: R-04492 + :target: VNF + :keyword: MUST + + The VNF **MUST** generate security audit logs that must be sent + to Security Analytics Tools for analysis. + +.. req:: + :id: R-19219 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide audit logs that include user ID, dates, + times for log-on and log-off, and terminal location at minimum. + +.. req:: + :id: R-30932 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide security audit logs including records + of successful and rejected system access data and other resource access + attempts. + +.. req:: + :id: R-54816 + :target: VNF + :keyword: MUST + + The VNF **MUST** support the storage of security audit logs + for agreed period of time for forensic analysis. + +.. req:: + :id: R-57271 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of generating security + audit logs by interacting with the operating system (OS) as appropriate. + +.. req:: + :id: R-84160 + :target: VNF + :keyword: MUST + + The VNF **MUST** have security logging for VNFs and their + OSs be active from initialization. Audit logging includes automatic + routines to maintain activity records and cleanup programs to ensure + the integrity of the audit/logging systems. VNF Data Protection Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -506,58 +1247,191 @@ applicable to security monitoring. Data Protection Requirements -* R-58964 The VNF **MUST** provide the capability to restrict read - and write access to data. -* R-99112 The VNF **MUST** provide the capability to restrict access - to data to specific users. -* R-83227 The VNF **MUST** Provide the capability to encrypt data in - transit on a physical or virtual network. -* R-32641 The VNF **MUST** provide the capability to encrypt data on - non-volatile memory. -* R-13151 The VNF **SHOULD** disable the paging of the data requiring - encryption, if possible, where the encryption of non-transient data is - required on a device for which the operating system performs paging to - virtual memory. If not possible to disable the paging of the data - requiring encryption, the virtual memory should be encrypted. -* R-93860 The VNF **MUST** provide the capability to integrate with an - external encryption service. -* R-73067 The VNF **MUST** use industry standard cryptographic algorithms - and standard modes of operations when implementing cryptography. -* R-22645 The VNF **SHOULD** use commercial algorithms only when there - are no applicable governmental standards for specific cryptographic - functions, e.g., public key cryptography, message digests. -* R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and - Skipjack algorithms or other compromised encryption. -* R-02170 The VNF **MUST** use, whenever possible, standard implementations - of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, - IPSec, X.509 digital certificates for cryptographic implementations. - These implementations must be purchased from reputable vendors and must - not be developed in-house. -* R-70933 The VNF **MUST** provide the ability to migrate to newer - versions of cryptographic algorithms and protocols with no impact. -* R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length. 
-* R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length. -* R-95864 The VNF **MUST** use commercial tools that comply with X.509 - standards and produce x.509 compliant keys for public/private key generation. -* R-12110 The VNF **MUST NOT** use keys generated or derived from - predictable functions or values, e.g., values considered predictable - include user identity information, time of day, stored/transmitted data. -* R-52060 The VNF **MUST** provide the capability to configure encryption - algorithms or devices so that they comply with the laws of the jurisdiction - in which there are plans to use data encryption. -* R-69610 The VNF **MUST** provide the capability of using certificates - issued from a Certificate Authority not provided by the VNF provider. -* R-83500 The VNF **MUST** provide the capability of allowing certificate - renewal and revocation. -* R-29977 The VNF **MUST** provide the capability of testing the validity - of a digital certificate by validating the CA signature on the certificate. -* R-24359 The VNF **MUST** provide the capability of testing the validity - of a digital certificate by validating the date the certificate is being - used is within the validity period for the certificate. -* R-39604 The VNF **MUST** provide the capability of testing the - validity of a digital certificate by checking the Certificate Revocation - List (CRL) for the certificates of that type to ensure that the - certificate has not been revoked. -* R-75343 The VNF **MUST** provide the capability of testing the - validity of a digital certificate by recognizing the identity represented - by the certificate — the "distinguished name". + +.. req:: + :id: R-58964 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability to restrict read + and write access to data. + +.. req:: + :id: R-99112 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability to restrict access + to data to specific users. + +.. 
req:: + :id: R-83227 + :target: VNF + :keyword: MUST + + The VNF **MUST** Provide the capability to encrypt data in + transit on a physical or virtual network. + +.. req:: + :id: R-32641 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability to encrypt data on + non-volatile memory. + +.. req:: + :id: R-13151 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** disable the paging of the data requiring + encryption, if possible, where the encryption of non-transient data is + required on a device for which the operating system performs paging to + virtual memory. If not possible to disable the paging of the data + requiring encryption, the virtual memory should be encrypted. + +.. req:: + :id: R-93860 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability to integrate with an + external encryption service. + +.. req:: + :id: R-73067 + :target: VNF + :keyword: MUST + + The VNF **MUST** use industry standard cryptographic algorithms + and standard modes of operations when implementing cryptography. + +.. req:: + :id: R-22645 + :target: VNF + :keyword: SHOULD + + The VNF **SHOULD** use commercial algorithms only when there + are no applicable governmental standards for specific cryptographic + functions, e.g., public key cryptography, message digests. + +.. req:: + :id: R-12467 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and + Skipjack algorithms or other compromised encryption. + +.. req:: + :id: R-02170 + :target: VNF + :keyword: MUST + + The VNF **MUST** use, whenever possible, standard implementations + of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, + IPSec, X.509 digital certificates for cryptographic implementations. + These implementations must be purchased from reputable vendors and must + not be developed in-house. + +.. 
req:: + :id: R-70933 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the ability to migrate to newer + versions of cryptographic algorithms and protocols with no impact. + +.. req:: + :id: R-44723 + :target: VNF + :keyword: MUST + + The VNF **MUST** use symmetric keys of at least 112 bits in length. + +.. req:: + :id: R-25401 + :target: VNF + :keyword: MUST + + The VNF **MUST** use asymmetric keys of at least 2048 bits in length. + +.. req:: + :id: R-95864 + :target: VNF + :keyword: MUST + + The VNF **MUST** use commercial tools that comply with X.509 + standards and produce x.509 compliant keys for public/private key generation. + +.. req:: + :id: R-12110 + :target: VNF + :keyword: MUST NOT + + The VNF **MUST NOT** use keys generated or derived from + predictable functions or values, e.g., values considered predictable + include user identity information, time of day, stored/transmitted data. + +.. req:: + :id: R-52060 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability to configure encryption + algorithms or devices so that they comply with the laws of the jurisdiction + in which there are plans to use data encryption. + +.. req:: + :id: R-69610 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of using certificates + issued from a Certificate Authority not provided by the VNF provider. + +.. req:: + :id: R-83500 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of allowing certificate + renewal and revocation. + +.. req:: + :id: R-29977 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of testing the validity + of a digital certificate by validating the CA signature on the certificate. + +.. req:: + :id: R-24359 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of testing the validity + of a digital certificate by validating the date the certificate is being + used is within the validity period for the certificate. + +.. 
req:: + :id: R-39604 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of testing the + validity of a digital certificate by checking the Certificate Revocation + List (CRL) for the certificates of that type to ensure that the + certificate has not been revoked. + +.. req:: + :id: R-75343 + :target: VNF + :keyword: MUST + + The VNF **MUST** provide the capability of testing the + validity of a digital certificate by recognizing the identity represented + by the certificate - the "distinguished name". + |
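Review bot: in the tail of the first hunk (@@ -64,119 +64,301 @@), each converted node states its requirement level twice, once in the option and once in bold in the body, for example R-85419 with `:keyword: SHOULD` and "The VNF **SHOULD** use REST APIs". Nothing in this patch keeps the two in agreement, so a later edit that changes one and not the other will publish a requirement whose metadata and text disagree. Suggest either having the directive render the bold keyword from `:keyword:` or adding a docs build check that fails when the body does not contain the keyword given in the option.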
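Review bot: in the API Requirements hunk (@@ -299,49 +687,139 @@), R-15659, R-19367 and R-78066 are converted with bodies that are word for word the same as R-29705, R-13627 and R-21819 in the Security Analytics hunk. As bullets this was only repetition; as `.. req::` nodes with their own `:id:` it becomes six separately tracked items for three obligations, and the pairs can drift apart. Suggest keeping one id per statement and cross-referencing it from the other section, or recording in the commit message that the duplicates are kept on purpose for a follow-up.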
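Review bot: the Security Analytics hunk (@@ -391,111 +869,374 @@) changes requirement text as well as structure, which the commit message does not mention: R-22286, R-61648, R-41825, R-43332 and R-74958 gain a trailing period, and the curly quotes around the field names in R-31614 through R-89474, R-15884 through R-99730 and R-56786 become straight quotes. The changes look harmless, but anything that compares requirement text by id across releases will report these as modified, so please list them in the commit message or split them into their own commit. R-56786 also still reads "with detection rate in low false positives", which does not parse and would be worth fixing while the node is being rewritten.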
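Review bot: in the Data Protection hunk (@@ -506,58 +1247,191 @@), R-12467 is carried into the new directive still listing "SHA" next to "SHA-1" among the prohibited algorithms; a bare "SHA" can be read as the whole family, which would also rule out the SHA-2 functions. Suggest naming the exact algorithms meant, or opening a follow-up issue if text changes are out of scope for this commit. Smaller carry-overs in the same hunk: R-83227 still reads "**MUST** Provide" with a capital P, R-95864 mixes "X.509" and "x.509", and R-75343 replaces the original dash before "distinguished name" with a hyphen.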