diff options
| author |   PATTEN <hp1256@att.com> | 2017-09-06 10:57:14 -0700 |
|---|---|---|
| committer | PATTEN <hp1256@att.com> | 2017-09-06 10:57:14 -0700 |
| commit | db73cc463ca44cca98fa591a6925c7ac8fa3b0a8 (patch) | |
| tree | 0830fef717629ca10ed9ea013da045e8da3a2f17 /docs | |
| parent | aae98f40234970b701d750f8975960c2a5d150c6 (diff) | |
VNFRQTS -Requirements Ch4 Std Reqs
VNFRQTS -Requirements Update chanpter 4b and 4c requirements to std
format
Change-Id: Ia9b5a4eaa9e3cecd80cd5ef7e43d61efb3645b5d
Issue-ID:VNFRQTS-82
Signed-off-by: PATTEN <hp1256@att.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/Chapter4.rst | 705 |
1 files changed, 234 insertions, 471 deletions
diff --git a/docs/Chapter4.rst b/docs/Chapter4.rst index 7487f1f..9dcc40c 100644 --- a/docs/Chapter4.rst +++ b/docs/Chapter4.rst @@ -72,23 +72,16 @@ would include techniques such as multiple vLANs, multiple local and geographic instances, multiple local and geographic data replication, and virtualized services such as Load Balancers. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| All Layer Redundancy Requirements | Type | ID # | -+=======================================================================================================================================================================================================================================================================================================+========+=========+ -| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud. | Must | 30010 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. | Must | 30020 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). | Must | 30030 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). | Must | 30040 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained. | Must | 30050 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. | Must | 30060 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. | Must | 30070 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +All Layer Redundancy Requirements + +* R-xxxxx The VNF **MUST** meet their own resiliency goals and not rely on the Network Cloud. +* R-xxxxx The VNF **MUST** design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. +* R-xxxxx The VNF **MUST** survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). +* R-xxxxx The VNF **MUST** survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). +* R-xxxxx The VNF **MUST** be designed, built and packaged to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained. +* R-xxxxx The VNF **MUST** support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. +* R-xxxxx The VNF **MUST** support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. Minimize Cross Data-Center Traffic ---------------------------------- @@ -100,11 +93,9 @@ concept of stickiness (i.e., once a client is routed to data center "A", the client will stay with Data center “A” until the entire session is completed). -+------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Minimize Cross Data-Center Traffic Requirements | Type | ID # | -+==================================================================================================================+==========+=========+ -| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic. | Should | 31010 | -+------------------------------------------------------------------------------------------------------------------+----------+---------+ +Minimize Cross Data-Center Traffic Requirements + +* R-xxxxx The VNF **SHOULD** minimize the propagation of state information across multiple data centers to avoid cross data center traffic. Application Resilient Error Handling ------------------------------------ @@ -115,25 +106,17 @@ exceptions seamlessly - implement smart retry logic and implement multi-point entry (multiple data centers) for back-end system applications. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Application Resilient Error Handling Requirements | Type | ID # | -+==============================================================================================================================================================================================================================================================================================================================+========+=========+ -| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. | Must | 32010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. | Must | 32020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. | Must | 32030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity. | Must | 32040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior. | Must | 32050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. | Must | 32060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity. | Must | 32070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. | Must | 32080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +Application Resilient Error Handling Requirements + +* R-xxxxx The VNF **MUST** detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. +* R-xxxxx The VNF **MUST** handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. +* R-xxxxx The VNF **MUST** handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. +* R-xxxxx The VNF **MUST** handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity. +* R-xxxxx The VNF **MUST** provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior. +* R-xxxxx The VNF **MUST** fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. +* R-xxxxx The VNF **MUST** handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity. +* R-xxxxx The VNF **MUST** automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. + System Resource Optimization ---------------------------- @@ -145,29 +128,20 @@ processes or eating memory if they are unable to complete. Critical sections should only contain memory operation, and should not contain any network or IO operation. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| System Resource Optimization Requirements | Type | ID # | -+=================================================================================================================================================================================================================================================+==========+=========+ -| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. | Must | 33010 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Automatically advertise newly scaled components so there is no manual intervention required. | Must | 33020 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize FQDNs (and not IP address) for both Service Chaining and scaling. | Must | 33030 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it. | Must | 33040 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required. | Should | 33050 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. | Should | 33060 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support load balancing and discovery mechanisms in resource pools containing VNFC instances. | Should | 33070 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead. | Should | 33080 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. | Should | 33090 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. | Should | 33100 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +System Resource Optimization Requirements + +* R-xxxxx The VNF **MUST NOT** execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. +* R-xxxxx The VNF **MUST** automatically advertise newly scaled components so there is no manual intervention required. +* R-xxxxx The VNF **MUST** utilize FQDNs (and not IP address) for both Service Chaining and scaling. +* R-xxxxx The VNF **MUST** deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it. +* R-xxxxx The VNF **SHOULD** automatically enable/disable added/removed sub-components or component so there is no manual intervention required. +* R-xxxxx The VNF **SHOULD** support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. +* R-xxxxx The VNF **SHOULD** support load balancing and discovery mechanisms in resource pools containing VNFC instances. +* R-xxxxx The VNF **SHOULD** utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead. +* R-xxxxx The VNF **SHOULD** use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. +* R-xxxxx The VNF **SHOULD** release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. + Application Configuration Management ------------------------------------ @@ -175,15 +149,12 @@ Application Configuration Management Leverage configuration management audit capability to drive conformity to develop gold configurations for technologies like Java, Python, etc. -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Application Configuration Management Requirements | Type | ID # | -+===================================================================================================================================================================================+========+=========+ -| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. | Must | 34010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. | Must | 34020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected. | Must | 34030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +Application Configuration Management Requirements + +* R-xxxxx The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. +* R-xxxxx The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. +* R-xxxxx The VNF **MUST** allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected. + Intelligent Transaction Distribution & Management ------------------------------------------------- @@ -198,15 +169,11 @@ in all layers (software and hardware) at local and remote data centers; minimizing interdependencies of components (i.e. data replication, deploying non-related elements in the same container). -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Intelligent Transaction Distribution & Management Requirements | Type | ID # | -+==================================================================================================================================================================================================================================+==========+=========+ -| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints. | Should | 35010 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. | Should | 35020 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. | Should | 35030 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +Intelligent Transaction Distribution & Management Requirements + +* R-xxxxx The VNF **SHOULD** use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints. +* R-xxxxx The VNF **SHOULD** use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. +* R-xxxxx The VNF **SHOULD** include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. Deployment Optimization ----------------------- @@ -216,25 +183,16 @@ deployment practices and automation. This can include rolling code deployments, additional testing strategies, and smarter deployment automation (remove the human from the mix). -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Deployment Optimization Requirements | Type | ID # | -+=====================================================================================================================================================================================================================================================+==========+=========+ -| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. | Must | 36010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. | Must | 36020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads. | Must | 36030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. | Must | 36040 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. | Must | 36050 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met. | Must | 36060 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. | Should | 36070 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. | Should | 36080 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +Deployment Optimization Requirements + +* R-xxxxx The VNF **MUST** support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. +* R-xxxxx The VNF **MUST** support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. +* R-xxxxx The VNF **MUST** support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads. +* R-xxxxx The VNF **MUST** support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. +* R-xxxxx The VNF **MUST** test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. +* R-xxxxx The VNF **MUST** test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met. +* R-xxxxx The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. +* R-xxxxx The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. Monitoring & Dashboard ---------------------- @@ -247,25 +205,16 @@ indicate failure or the potential for failure. This would contribute to improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and post-incident diagnostics. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Monitoring & Dashboard Requirements | Type | ID # | -+================================================================================================================================================================================================================================================+==========+=========+ -| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. | Must | 37010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. | Must | 37020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries. | Must | 37030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. | Must | 37040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. | Must | 37050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. | Should | 37060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed. | Should | 37070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. | Must | 37080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +Monitoring & Dashboard Requirements + +* R-xxxxx The VNF **MUST** provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. +* R-xxxxx The VNF **MUST** provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. +* R-xxxxx The VNF **MUST** provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries. +* R-xxxxx The VNF **MUST** provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. +* R-xxxxx The VNF **MUST** monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. +* R-xxxxx The VNF **SHOULD** use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. +* R-xxxxx The VNF **SHOULD** utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed. +* R-xxxxx The VNF **MUST** conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. c. VNF Security =============== @@ -312,83 +261,40 @@ logging/accounting, authentication, encryption, role-based access control, least privilege access/authorization. The following security requirements need to be met by the solution in a virtual environment: -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| General Security Requirements | Type | ID # | -+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+ -| Integration and operation within a robust security environment is necessary and expected. The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. | Informational | 40010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. | Must | 40020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement access control list for OA&M services (e.g., restricting access to certain ports or applications). | Must | 40030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. | Must | 40040 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. | Should | 40050 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. | Should | 40060 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Perform source code to scanning tools (e.g., Fortify) and provide reports. | Should | 40070 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. | Must | 40080 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. | Must | 40090 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). | Should | 40100 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). | Should | 40110 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. | Should | 40120 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. | Must | 40130 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. | Should | 40140 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. | Must | 40150 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. | Must | 40160 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API. | Must | 40170 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected. | Must | 40180 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. | Must | 40190 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. | Must | 40200 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support Role-Based Access Control to permit/limit the user/application to performing specific activities. | Must | 40210 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support logging via ONAP for a historical view of “who did what and when”. | Must | 40220 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Encrypt OA&M access (e.g., SSH, SFTP). | Must | 40230 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. | Must | 40240 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with the NCSP’s credential management policy. | Must | 40250 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Password expiration must be required at regular configurable intervals. | Must | 40260 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: | Must | 40270 | -| | | | | -| | - Be a minimum configurable number of characters in length. | | | -| | | | | -| | - Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special. | | | -| | | | | -| | - Not be the same as the UserID with which they are associated or other common strings as specified by the environment. | | | -| | | | | -| | - Not contain repeating or sequential characters or numbers. | | | -| | | | | -| | - Not to use special characters that may have command functions. | | | -| | | | | -| | - New passwords must not contain sequences of three (3) or more characters from the previous password. | | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. | Must | 40280 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS. | Must | 40290 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. | Must | 40300 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. | Must | 40310 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +General Security Requirements + +Integration and operation within a robust security environment is necessary and expected. The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. + +* R-xxxxx The VNF **MUST** accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. +* R-xxxxx The VNF **MUST** implement access control list for OA&M services (e.g., restricting access to certain ports or applications). +* R-xxxxx The VNF **MUST** implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. +* R-xxxxx The VNF **SHOULD** implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. +* R-xxxxx The VNF **SHOULD** be scanned using both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. +* R-xxxxx The VNF **SHOULD** have source code scanned using scanning tools (e.g., Fortify) and provide reports. +* R-xxxxx The VNF **MUST** distribute all production code from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. +* R-xxxxx The VNF **MUST** provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. +* R-xxxxx The VNF **SHOULD** support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). +* R-xxxxx The VNF **SHOULD** interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). +* R-xxxxx The VNF **SHOULD** support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. +* R-xxxxx The VNF **MUST** interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. +* R-xxxxx The VNF **SHOULD** support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. +* R-xxxxx The VNF **MUST** pass all access to applications (Bearer, signaling and OA&M) through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. +* R-xxxxx The VNF **MUST** have all vulnerabilities patched as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. +* R-xxxxx The VNF **MUST** use the NCSP’s IDAM API for Identification, authentication and access control of customer or VNF application users. +* R-xxxxx The VNF **MUST** use the NCSP’s IDAM API or comply with the requirements if not using the NCSP’s IDAM API, for identification, authentication and access control of OA&M and other system level functions. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support Role-Based Access Control to permit/limit the user/application to performing specific activities. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support logging via ONAP for a historical view of “who did what and when”. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt OA&M access (e.g., SSH, SFTP). +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with the NCSP’s credential management policy. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, expire passwords at regular configurable intervals. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support use of common third party authentication and authorization tools such as TACACS+, RADIUS. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. +* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability. VNF Identity and Access Management Requirements ----------------------------------------------- @@ -396,91 +302,47 @@ VNF Identity and Access Management Requirements The following security requirements for logging, identity, and access management need to be met by the solution in a virtual environment: -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Identity and Access Management Requirements | Type | ID # | -+================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ -| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Application | Must | 41010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. OS (Operating System) | Must | 41020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Database | Must | 41030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Manage access to VNF, its OS, or Database by an enterprise access request process. | Must | 41040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Comply with the following when persons or non-person entities access VNFs: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Individual Accountability (each person must be assigned a unique ID) | Must | 41050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Least Privilege (no more privilege than required to perform job functions) | Must | 41060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Segregation of Duties (access to a single layer and no developer may access production without special oversight) | Must | 41070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendors will not be allowed to access VNFs remotely, e.g., VPN | Must | 41080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. | Must | 41090 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. | Must | 41100 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide or Support the Identity and Access Management (IDAM) based threat detection data for: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. OWASP Top 10 | Must | 41110 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Password Attacks | Must | 41120 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Phishing / SMishing | Must | 41130 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Malware (Key Logger) | Must | 41140 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Session Hijacking | Must | 41150 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. XSS / CSRF | Must | 41160 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Replay | Must | 41170 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Man in the Middle (MITM) | Must | 41180 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Eavesdropping | Must | 41190 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. | Must | 41200 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. | Must | 41210 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. | Must | 41220 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. | Must | 41230 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. | Must | 41240 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Initial and default settings for new user accounts must provide minimum privileges only. | Must | 41250 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Default settings for user access to sensitive commands and data must be denied authorization. | Must | 41260 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements. | Must | 41270 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization. | Must | 41280 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. | Must | 41290 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Unnecessary or vulnerable cgi-bin programs must be disabled. | Must | 41300 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed. | Must | 41310 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| When in production, vendors or developers must not do the following without authorization of the VNF system owner including: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them; | Must | 41320 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools. | Must | 41330 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Authentication credentials must not be included in security audit logs, even if encrypted. | Must | 41340 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant. | Should | 41350 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support hosting connectors for OS Level and Application Access. | Should | 41360 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support SCEP (Simple Certificate Enrollment Protocol). | Should | 41370 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Identity and Access Management Requirements + +* R-xxxxx The VNF **MUST** host connectors for access to the application layer. +* R-xxxxx The VNF **MUST** host connectors for access to the OS (Operating System) layer. +* R-xxxxx The VNF **MUST** host connectors for access to the database layer. +* R-xxxxx The VNF **MUST** +* R-xxxxx The VNF **MUST** comply with Individual Accountability (each person must be assigned a unique ID) when persons or non-person entities access VNFs. +* R-xxxxx The VNF **MUST** comply with Least Privilege (no more privilege than required to perform job functions) when persons or non-person entities access VNFs. +* R-xxxxx The VNF **MUST** comply with Segregation of Duties (access to a single layer and no developer may access production without special oversight) when persons or non-person entities access VNFs. +* R-xxxxx The VNF **MUST NOT** allow vendor access to VNFs remotely. +* R-xxxxx The VNF **MUST** authorize vendor access through a client application API by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. +* R-xxxxx The VNF **MUST** subject vendor VNF access to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for OWASP Top 10. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Password Attacks. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Phishing / SMishing. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Malware (Key Logger). +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Session Hijacking. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for XSS / CSRF. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Replay. +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Man in the Middle (MITM). +* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Eavesdropping. +* R-xxxxx The VNF **MUST** provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. +* R-xxxxx The VNF vendor **MUST**, where a VNF vendor requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. +* R-xxxxx The VNF **MUST** authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. +* R-xxxxx The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. +* R-xxxxx The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. +* R-xxxxx The VNF **MUST** provide minimum privileges for initial and default settings for new user accounts. +* R-xxxxx The VNF **MUST** set the default settings for user access to sensitive commands and data to deny authorization. +* R-xxxxx The VNF **MUST** conform to approved request, workflow authorization, and authorization provisioning requirements when creating privileged users. +* R-xxxxx The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must. +* R-xxxxx The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. +* R-xxxxx The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. +* R-xxxxx The VNF **MUST NOT** provide public or unrestricted access to any data without the permission of the data owner. All data classification and access controls must be followed. +* R-xxxxx The VNF **MUST NOT** install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them in production, without authorization of the VNF system owner. +* R-xxxxx The VNF **MUST NOT** run security testing tools and programs, e.g., password cracker, port scanners, hacking tools in production, without authorization of the VNF system owner. +* R-xxxxx The VNF **MUST NOT** include authentication credentials in security audit logs, even if encrypted. +* R-xxxxx The VNF **SHOULD** use REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant, as the standard interface for a VNF. +* R-xxxxx The VNF **SHOULD** support hosting connectors for OS Level and Application Access. +* R-xxxxx The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol). + VNF API Security Requirements ----------------------------- @@ -495,41 +357,25 @@ Identification, Confidentiality and Integrity, and Denial of Service. The solution in a virtual environment needs to meet the following API security requirements: -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| API Requirements | Type | ID # | -+==========================================================================================================================================================================================================================================================================================================================+========+=========+ -| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. | Must | 42010 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Integrate with external authentication and authorization services (e.g., IDAM). | Must | 42020 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used | Must | 42030 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. | Must | 42040 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. | Must | 42050 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools | Must | 42060 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement at minimum the following input validation controls: | | | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | Must | 42070 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. | Must | 42080 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | Must | 42090 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Validate input at all layers implementing VNF APIs. | Must | 42100 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Comply with NIST standards and industry best practices for all implementations of cryptography | Must | 42110 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement all monitoring and logging as described in the Security Analytics section. | Must | 42120 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 42130 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. | Must | 42140 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support requests for information from law enforcement and government agencies. | Must | 42150 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +API Requirements + +* R-xxxxx The VNF **MUST** provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. +* R-xxxxx The VNF **MUST** integrate with external authentication and authorization services (e.g., IDAM). +* R-xxxxx The VNF **MUST** use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used. +* R-xxxxx The VNF **MUST** validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. +* R-xxxxx The VNF **MUST** protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. +* R-xxxxx The VNF **MUST** protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools. +* R-xxxxx The VNF **MUST** implement the following input validation control: Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. +* R-xxxxx The VNF **MUST** implement the following input validation control: Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. +* R-xxxxx The VNF **MUST** implement the following input validation control: Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. +* R-xxxxx The VNF **MUST** validate input at all layers implementing VNF APIs. +* R-xxxxx The VNF **MUST** comply with NIST standards and industry best practices for all implementations of cryptography. +* R-xxxxx The VNF **MUST** implement all monitoring and logging as described in the Security Analytics section. +* R-xxxxx The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s). +* R-xxxxx The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. +* R-xxxxx The VNF **MUST** support requests for information from law enforcement and government agencies. + VNF Security Analytics Requirements ----------------------------------- @@ -576,107 +422,52 @@ monitoring: The following requirements of security monitoring need to be met by the solution in a virtual environment. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security Analytics Requirements | Type | ID # | -+==========================================================================================================================================================================================================================================================================================+========+=========+ -| Support the following monitoring features by the VNF: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Real-time detection and notification of security events. | Must | 43010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users | Must | 43020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature | Must | 43030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Event logging, formats, and delivery tools to provide the required degree of event data to ONAP | Must | 43040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Detection of malformed packets due to software misconfiguration or software vulnerability | Must | 43050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME) | Must | 43060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication | Must | 43070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | Must | 43080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. | Must | 43090 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. | Must | 43100 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Log the following events: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful and unsuccessful login attempts | Must | 43110 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Logoffs | Must | 43120 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful and unsuccessful changes to a privilege level | Must | 43130 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Starting and stopping of security logging | Must | 43140 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Creating, removing, or changing the inherent privilege level of users | Must | 43150 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Connections to a network listener of the resource | Must | 43160 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Event type | Must | 43170 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Date/time | Must | 43180 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Protocol | Must | 43190 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Service or program used for access | Must | 43200 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Success/failure | Must | 43210 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Login ID | Must | 43220 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted. | Must | 43230 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. | Must | 43240 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the capability of online storage of security audit logs. | Must | 43250 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Activate security alarms automatically when the following events, at a minimum, are detected: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Configurable number of consecutive unsuccessful login attempts | Must | 43260 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful modification of critical system or application files | Must | 43270 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Unsuccessful attempts to gain permissions or assume the identity of another user | Must | 43280 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible): | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Date | Must | 43290 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Time | Must | 43300 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Service or program used for access | Must | 43310 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Success/failure | Must | 43320 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Login ID | Must | 43330 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 43340 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. | Must | 43350 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support requests for information from law enforcement and government agencies. | Must | 43360 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. | Must | 43370 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Perform data capture for security functions. | Must | 43380 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Generate security audit logs that must be sent to Security Analytics Tools for analysis. | Must | 43390 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. | Must | 43400 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide security audit logs including records of successful and rejected system access data and other resource access attempts. | Must | 43410 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the storage of security audit logs for agreed period of time for forensic analysis. | Must | 43420 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. | Must | 43430 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | Must | 43440 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +Security Analytics Requirements + +* R-xxxxx The VNF **MUST** support Real-time detection and notification of security events. +* R-xxxxx The VNF **MUST** support Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users +* R-xxxxx The VNF **MUST** support API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature. +* R-xxxxx The VNF **MUST** support event logging, formats, and delivery tools to provide the required degree of event data to ONAP +* R-xxxxx The VNF **MUST** support detection of malformed packets due to software misconfiguration or software vulnerability. +* R-xxxxx The VNF **MUST** support integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME). +* R-xxxxx The VNF **MUST** support alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication. +* R-xxxxx The VNF **MUST** support proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. +* R-xxxxx The VNF **MUST** coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. +* R-xxxxx The VNF **MUST** protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. +* R-xxxxx The VNF **MUST** log successful and unsuccessful login attempts. +* R-xxxxx The VNF **MUST** log logoffs. +* R-xxxxx The VNF **MUST** log successful and unsuccessful changes to a privilege level. +* R-xxxxx The VNF **MUST** log starting and stopping of security logging +* R-xxxxx The VNF **MUST** log creating, removing, or changing the inherent privilege level of users. +* R-xxxxx The VNF **MUST** log connections to a network listener of the resource. +* R-xxxxx The VNF **MUST** log the field “event type” in the security audit logs. +* R-xxxxx The VNF **MUST** log the field “date/time” in the security audit logs. +* R-xxxxx The VNF **MUST** log the field “protocol” in the security audit logs. +* R-xxxxx The VNF **MUST** log the field “service or program used for access” in the security audit logs. +* R-xxxxx The VNF **MUST** log the field “success/failure” in the security audit logs. +* R-xxxxx The VNF **MUST** log the field “Login ID” in the security audit logs. +* R-xxxxx The VNF **MUST NOT** include an authentication credential, e.g., password, in the security audit logs, even if encrypted. +* R-xxxxx The VNF **MUST** detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. +* R-xxxxx The VNF **MUST** support the capability of online storage of security audit logs. +* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: configurable number of consecutive unsuccessful login attempts +* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: successful modification of critical system or application files +* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: unsuccessful attempts to gain permissions or assume the identity of another user +* R-xxxxx The VNF **MUST** include the field “date” in the Security alarms (where applicable and technically feasible). +* R-xxxxx The VNF **MUST** include the field “time” in the Security alarms (where applicable and technically feasible). +* R-xxxxx The VNF **MUST** include the field “service or program used for access” in the Security alarms (where applicable and technically feasible). +* R-xxxxx The VNF **MUST** include the field “success/failure” in the Security alarms (where applicable and technically feasible). +* R-xxxxx The VNF **MUST** include the field “Login ID” in the Security alarms (where applicable and technically feasible). +* R-xxxxx The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s). +* R-xxxxx The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. +* R-xxxxx The VNF **MUST** support requests for information from law enforcement and government agencies. +* R-xxxxx The VNF **MUST** implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. +* R-xxxxx The VNF **MUST** perform data capture for security functions. +* R-xxxxx The VNF **MUST** generate security audit logs that must be sent to Security Analytics Tools for analysis. +* R-xxxxx The VNF **MUST** provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. +* R-xxxxx The VNF **MUST** provide security audit logs including records of successful and rejected system access data and other resource access attempts. +* R-xxxxx The VNF **MUST** support the storage of security audit logs for agreed period of time for forensic analysis. +* R-xxxxx The VNF **MUST** provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. +* R-xxxxx The VNF **MUST** have security logging for VNFs and their OSs be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. VNF Data Protection Requirements -------------------------------- @@ -684,59 +475,31 @@ VNF Data Protection Requirements This section covers VNF data protection requirements that are mostly applicable to security monitoring. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Data Protection Requirements | Type | ID # | -+======================================================================================================================================================================================================================================================================================================================+==========+=========+ -| Provide the capability to restrict read and write access to data. | Must | 44010 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to restrict access to data to specific users. | Must | 44020 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to encrypt data in transit on a physical or virtual network. | Must | 44030 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to encrypt data on non-volatile memory. | Must | 44040 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted. | Should | 44050 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to integrate with an external encryption service. | Must | 44060 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | Must | 44070 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests. | Should | 44080 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used. | Must | 44090 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. | Must | 44100 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. | Must | 44110 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use symmetric keys of at least 112 bits in length. | Must | 44120 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use asymmetric keys of at least 2048 bits in length. | Must | 44130 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. | Must | 44140 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. | Must | 44150 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. | Must | 44160 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of allowing certificate renewal and revocation. | Must | 44170 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of testing the validity of a digital certificate by performing the following: | | | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The CA signature on the certificate must be validated | Must | 44180 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The date the certificate is being used must be within the validity period for the certificate | Must | 44190 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked | Must | 44200 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The identity represented by the certificate — the "distinguished name" — must be recognized | Must | 44210 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of encrypting selected data fields stored or bound for security logs. | Must | 44220 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of deleting data stored in the VNF. | Must | 44230 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment. | Must | 44240 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Data Protection Requirements + +* R-xxxxx The VNF **MUST** provide the capability to restrict read and write access to data. +* R-xxxxx The VNF **MUST** provide the capability to restrict access to data to specific users. +* R-xxxxx The VNF **MUST** Provide the capability to encrypt data in transit on a physical or virtual network. +* R-xxxxx The VNF **MUST** provide the capability to encrypt data on non-volatile memory. +* R-xxxxx The VNF **SHOULD** disable the paging of the data requiring encryption, if possible, where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory. If not possible to disable the paging of the data requiring encryption, the virtual memory should be encrypted. +* R-xxxxx The VNF **MUST** provide the capability to integrate with an external encryption service. +* R-xxxxx The VNF **MUST** use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. +* R-xxxxx The VNF **SHOULD** use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests. +* R-xxxxx The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption. +* R-xxxxx The VNF **MUST** use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. +* R-xxxxx The VNF **MUST** provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. +* R-xxxxx The VNF **MUST** use symmetric keys of at least 112 bits in length. +* R-xxxxx The VNF **MUST** use asymmetric keys of at least 2048 bits in length. +* R-xxxxx The VNF **MUST** use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. +* R-xxxxx The VNF **MUST NOT** use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. +* R-xxxxx The VNF **MUST** provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. +* R-xxxxx The VNF **MUST** provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. +* R-xxxxx The VNF **MUST** provide the capability of allowing certificate renewal and revocation. +* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate. +* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate. +* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked. +* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate — the "distinguished name". d. VNF Modularity ================= |