...
| VNF Security Ref | Description | Notes | CNTT Relevant | Exists | CNTT Ref# | Current Description, if exists | Recommended Description (may be a modification of existing) | ||
|---|---|---|---|---|---|---|---|---|---|
| 1 | R-21210 | The VNF MUST implement the following input validation control on APIs: Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | |||||||
| 2 | R-21652 | The VNF MUST implement the following input validation control: Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | |||||||
| 3 | R-43884 | The VNF SHOULD integrate with the Operator’s authentication and authorization services (e.g., IDAM). | see also R-78010 above | ||||||
| 4 | R-54930 | The VNF MUST implement the following input validation controls: Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL expressions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network (injection attacks). |
...
| VNF Security Ref | Description | Notes | CNTT Relevant | Exists | CNTT Ref# | Current Description, if exists | Recommended Description (may be a modification of existing) | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | R-04492 | The VNF MUST generate security audit logs that can be sent to Security Analytics Tools for analysis. | Y | Y | 7.11.7. Monitoring and Security Audit sec.mon.011 sec.mon.016 | ||||||
| 2 | R-04982 | The VNF MUST NOT include an authentication credential, e.g., password, in the security audit logs, even if encrypted. | N | ||||||||
| 3 | R-06413 | The VNF MUST log the field “service or program used for access” in the security audit logs. | |||||||||
| 4 | R-07617 | The VNF MUST log success and unsuccessful creation, removal, or change to the inherent privilege level of users. | |||||||||
| 5 | R-13344 | The VNF MUST log starting and stopping of security logging. | |||||||||
| 6 | R-13627 | The VNF MUST monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. | Y | Y | 7.11.7. Monitoring and Security Audit sec.mon.008 | ||||||
| 7 | R-15325 | The VNF MUST log the field “success/failure” in the security audit logs. | |||||||||
| 8 | R-15884 | The VNF MUST include the field “date” in the Security alarms (where applicable and technically feasible). | |||||||||
| 9 | R-22367 | The VNF MUST support detection of malformed packets due to software misconfiguration or software vulnerability, and generate an error to the syslog console facility. | 10Y | Y | 7.11.7. Monitoring and Security Audit sec.mon.009 | ||||||
| 10 | R-23957 | The VNF MUST | R-23957 | The VNF MUST include the field “time” in the Security alarms (where applicable and technically feasible). | |||||||
| 11 | R-25547 | The VNF MUST log the field “protocol” in the security audit logs. | |||||||||
| 12 | R-29705 | The VNF MUST restrict changing the criticality level of a system security alarm to users with administrative privileges. | |||||||||
| 13 | R-303569 | The VNF MUST log the Source IP address in the security audit logs. | |||||||||
| 14 | R-30932 | The VNF MUST log successful and unsuccessful access to VNF resources, including data. | |||||||||
| 15 | R-31614 | The VNF MUST log the field “event type” in the security audit logs. | |||||||||
| 16 | R-32636 | The VNF MUST support API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature. | |||||||||
| 17 | R-33488 | The VNF MUST protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools. | |||||||||
| 18 | R-34552 | The VNF MUST be implemented so that it is not vulnerable to OWASP Top 10 web application security risks. | Y | Y | 7.11.8. Compliance with Standards sec.std.004 | ||||||
| 19 | R-41252 | The VNF MUST support the capability of online storage of security audit logs. | |||||||||
| 20 | R-41825 | The VNF MUST activate security alarms automatically when a configurable number of consecutive unsuccessful login attempts is reached. | |||||||||
| 21 | R-43332 | The VNF MUST activate security alarms automatically when it detects the successful modification of a critical system or application file. | Y | Y | General for all monitoring requirements | ||||||
| 22 | R-465236 | The VNF SHOULD provide the capability of maintaining the integrity of its static files using a cryptographic method. | |||||||||
| 23 | R-48470 | The VNF MUST support Real-time detection and notification of security events. | |||||||||
| 24 | R-54520 | The VNF MUST log successful and unsuccessful authentication attempts, e.g., authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege. | |||||||||
| 25 | R-54816 | The VNF MUST support the storage of security audit logs for a configurable period of time. | |||||||||
| 26 | R-55478 | The VNF MUST log logoffs. | |||||||||
| 27 | R-56920 | The VNF MUST protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. | |||||||||
| 28 | R-57617 | The VNF MUST include the field “success/failure” in the Security alarms (where applicable and technically feasible). | |||||||||
| 29 | R-58370 | The VNF SHOULD operate with anti-virus software which produces alarms every time a virus is detected. | |||||||||
| 30 | R-629534 | The VNF MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible, so as to eliminate ambiguity owing to daylight savings time. | |||||||||
| 31 | R-63330 | The VNF MUST detect when its security audit log storage medium is approaching capacity (configurable) and issue an alarm. | |||||||||
| 32 | R-703767 | The VNF MUST have the capability to securely transmit the security logs and security events to a remote system before they are purged from the system. | |||||||||
| 33 | R-71842 | The VNF MUST include the field “service or program used for access” in the Security alarms (where applicable and technically feasible). | |||||||||
| 34 | R-73223 | The VNF MUST support proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | |||||||||
| 35 | R-74958 | The VNF MUST activate security alarms automatically when it detects an unsuccessful attempt to gain permissions or assume the identity of another user. | |||||||||
| 36 | R-84160 | The VNF MUST have security logging for VNFs and their OSs be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | |||||||||
| 37 | R-859208 | The VNF MUST log automated remote activities performed with elevated privileges | |||||||||
| 38 | R-89474 | The VNF MUST log the field “Login ID” in the security audit logs. | |||||||||
| 39 | R-94525 | The VNF MUST log connections to the network listeners of the resource. | |||||||||
| 40 | R-97445 | The VNF MUST log the field “date/time” in the security audit logs. | |||||||||
| 41 | R-99730 | The VNF MUST include the field “Login ID” in the Security alarms (where applicable and technically feasible). |
...
| VNF Security Ref | Description | Notes | CNTT Relevant | Exists | CNTT Ref# | Current Description, if exists | Recommended Description (may be a modification of existing) | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | R-02170 | The VNF MUST use, whenever possible, standard implementations of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors or obtained from reputable open source communities and must not be developed in-house. | |||||||||
| 2 | R-12110 | R-69610 | |||||||||
| 3 | R-12467 | The VNF MUST NOT use compromised encryption algorithms. For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms. Acceptable algorithms can be found in the NIST FIPS publications (https://csrc.nist.gov/publications/fips) and in the NIST Special Publications (https://csrc.nist.gov/publications/sp). | |||||||||
| 4 | R-13151 | R-73067 | |||||||||
| 5 | R-32641 | The VNF MUST provide the capability to encrypt data on non-volatile memory.Non-volative memory is storage that is capable of retaining data without electrical power, e.g. Complementary metal-oxide-semiconductor (CMOS) or hard drives. | |||||||||
| 6 | R-47204 | The VNF MUST be capable of protecting the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. | 7Y | Y | 7.11.3. Confidentiality and Integrity sec.ci.001 | ||||||
| 7 | R-58964 | The VNF MUST | R-58964 | The VNF MUST provide the capability to restrict read and write access to data handled by the VNF. | |||||||
| 8 | R-69610 | The VNF MUST provide the capability of using X.509 certificates issued by an external Certificate Authority. | |||||||||
| 9 | R-70933 | The VNF MUST provide the ability to migrate to newer versions of cryptographic algorithms and protocols with minimal impact. | |||||||||
| 10 | R-73067 | The VNF MUST use NIST and industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | |||||||||
| 11 | R-83227 | R-32641 | |||||||||
| 12 | R-95864 | The VNF MUST support digital certificates that comply with X.509 standards. |
...
| VNF Security Ref | Description | Notes | CNTT Relevant | Exists | CNTT Ref# | Current Description, if exists | Recommended Description (may be a modification of existing) | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 |
| The VNF SHOULD support an automated certificate management protocol such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or Automated Certificate Management Environment (ACME). | Y | N | The Platform should support an automated certificate management protocol such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or Automated Certificate Management Environment (ACME). | |||||||
| 2 | R-93860 | The VNF SHOULD provide the capability to integrate with an external encryption service. | 3Y | Y | sec.sys.012 | |||||||
| 3 | R-44723 | The VNF MUST use symmetric | R-44723 | The VNF MUST use symmetric keys of at least 112 bits in length. | Y | N | The Platform must use symmetric keys of at least 112 bits in length. | |||||
| 4 | R-25401 | The VNF MUST use asymmetric keys of at least 2048 bits in length. | Y | N | The Platform must use asymmetric keys of at least 2048 bits in length. | |||||||
| 5 | R-52060 | The VNF MUST provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. | 6Y | R-83500 N | The VNF MUST Platform must provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. | |||||||
| 6 | R-83500 | The VNF MUST provide the capability of allowing certificate renewal and revocation. | Y | N | The Platform must allow certificate renewal and revocation. | |||||||
| 7 | R-29977 | The VNF MUST provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate. | 8Y | R-24359 N | The VNF MUST Platform must provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate.CA signature on the certificate. | |||||||
| 8 | R-24359 | The VNF MUST provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate. | Y | N | The Platform must provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate. | |||||||
| 9 | R-39604 | The VNF MUST provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked. | Y | N | The Platform must | 9 | R-39604 | The VNF MUST provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked. | ||||
| 10 | R-75343 | The VNF MUST provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate - the “distinguished name”. | Y | N | The Platform must provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate - the “distinguished name”. | |||||||
| 11 | R-49109 | The VNF or PNF MUST support HTTPS using TLS v1.2 or higher with strong cryptographic ciphers. | see R-118669 | |||||||||
| 12 | R-41994 | The VNF MUST support the use of X.509 certificates issued from any Certificate Authority (CA) that is compliant with RFC5280, e.g., a public CA such as DigiCert or Let’s Encrypt, or an RFC5280 compliant Operator CA. Note: The VNF provider cannot require the use of self-signed certificates in an Operator’s run time environment. |
...