Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x
Top   in Index   Prev   Next

TS 33.526
Security Assurance Specification (SCAS) for the
Management Function (MnF)

3GPP‑Page   ETSI‑search  
V18.1.0 (PDF)  2023/09  17 p.
Rapporteur:
Dr. Ben Henda, Noamen
Huawei Technologies Sweden AB

full Table of Contents for  TS 33.526  Word version:  18.1.0

Here   Top
1 Scope2 References3 Definitions of terms, symbols and abbreviations4 MnF-specific security requirements and related test cases$ Change history

 

1  Scopep. 7

The present document contains objectives, requirements and test cases that are specific to the MnF network product class. It refers to the Catalogue of General Security Assurance Requirements and formulates specific adaptions of the requirements and test cases given there, as well as specifying requirements and test cases unique to the MnF network product class. In the present document, the MnF network product class represents independently deployed management product supporting 3GPP defined management services.
Up

2  Referencesp. 7

3  Definitions of terms, symbols and abbreviationsp. 7

3.1  Termsp. 7

3.2  Symbolsp. 7

3.3  Abbreviationsp. 7

4  MnF-specific security requirements and related test casesp. 8

4.1  Introductionp. 8

4.2  MnF-specific security functional adaptations of requirements and related test casesp. 8

4.2.1  Introductionp. 8

4.2.2  Security functional requirements on the MnF deriving from 3GPP specifications and related test casesp. 8

4.2.3  Technical Baselinep. 8

4.2.3.1  Introductionp. 8

4.2.3.2  Protecting data and informationp. 8

4.2.3.2.1  Protecting data and information - generalp. 8
4.2.3.2.2  Protecting data and information - unauthorized viewingp. 8
4.2.3.2.3  Protecting data and information in storagep. 8
4.2.3.2.4  Protecting data and information in transferp. 8
4.2.3.2.5  Logging access to personal datap. 8

4.2.3.3  Protecting availability and integrityp. 9

4.2.3.3.1  System handling during overload situationsp. 9
4.2.3.3.2  Boot from intended memory devices onlyp. 9
4.2.3.3.3  System handling during excessive overload situationsp. 9
4.2.3.3.4  System robustness against unexpected input.p. 9
4.2.3.3.5  Network Product software package integrityp. 9

4.2.3.4  Authentication and authorizationp. 9

4.2.3.4.1  Authentication policyp. 9
4.2.3.4.2  Authentication attributesp. 9
4.2.3.4.2.1  Account protection by at least one authentication attribute.p. 9
4.2.3.4.2.2  Predefined accounts shall be deleted or disabled.p. 9
4.2.3.4.2.3  Predefined or default authentication attributes shall be deleted or disabled.p. 9
4.2.3.4.3  Password policyp. 9
4.2.3.4.3.1  Password Structurep. 9
4.2.3.4.3.2  Password changesp. 10
4.2.3.4.3.3  Protection against brute force and dictionary attacksp. 10
4.2.3.4.3.4  Hiding password displayp. 10
4.2.3.4.4  Specific Authentication use casesp. 10
4.2.3.4.4.1  Network Product Management and Maintenance interfacesp. 10
4.2.3.4.5  Policy regarding consecutive failed login attemptsp. 10
4.2.3.4.6  Authorization and access controlp. 10
4.2.3.4.6.1  Authorization policyp. 10
4.2.3.4.6.2  Role-based access controlp. 10

4.2.3.5  Protecting sessionsp. 10

4.2.3.5.1  Protecting sessions - logout functionp. 10
4.2.3.5.2  Protecting sessions - Inactivity timeoutp. 10

4.2.3.6  Loggingp. 10

4.2.3.6.1  Security event loggingp. 10
4.2.3.6.2  Log transfer to centralized storagep. 10
4.2.3.6.3  Protection of security event log filesp. 11

4.2.4  Operating systemsp. 11

4.2.5  Web serversp. 11

4.2.5.1  HTTPSp. 11

4.2.5.2  Loggingp. 11

4.2.5.3  HTTP User sessionsp. 11

4.2.5.4  HTTP input validationp. 11

4.2.6  Network devicesp. 11

4.2.6.1  Protection of data and informationp. 11

4.2.6.2  Protecting availability and integrityp. 11

4.2.6.2.1  Packet filteringp. 11
4.2.6.2.2  Interface robustness requirementsp. 11
4.2.6.2.3  GTP-C Filteringp. 11
4.2.6.2.4  GTP-U Filteringp. 11

4.3  MnF-specific adaptations of hardening requirements and related test cases.p. 12

4.3.1  Introductionp. 12

4.3.2  Technical Baselinep. 12

4.3.3  Operating Systemsp. 12

4.3.3.1  General operating system requirements and test casesp. 12

4.3.3.1.1  IP-Source address spoofing mitigationp. 12
4.3.3.1.2  Minimized kernel network functionsp. 12
4.3.3.1.3  No automatic launch of removable mediap. 12
4.3.3.1.4  SYN Flood Preventionp. 12
4.3.3.1.5  Protection from buffer overflowsp. 12
4.3.3.1.6  External file system mount restrictionsp. 12

4.3.4  Web Serversp. 12

4.3.4.1  Generalp. 12

4.3.4.2  No system privileges for web serverp. 12

4.3.4.3  No unused HTTP methodsp. 12

4.3.4.4  No unused add-onsp. 13

4.3.4.5  No compiler, interpreter, or shell via CGI or other server-side scriptingp. 13

4.3.4.6  No CGI or other scripting for uploadsp. 13

4.3.4.7  No execution of system commands with SSIp. 13

4.3.4.8  Access rights for web server configurationp. 13

4.3.4.9  No default contentp. 13

4.3.4.10  No directory listingsp. 13

4.3.4.11  Web server information in HTTP headersp. 13

4.3.4.12  Web server information in error pagesp. 13

4.3.4.13  Minimized file type mappingsp. 13

4.3.4.14  Restricted file accessp. 13

4.3.4.15  Execute rights exclusive for CGI/Scripting directoryp. 13

4.3.5  Network Devicesp. 13

4.3.5.1  Traffic Separationp. 13

4.3.6  Network Functions in service-based architecturep. 13

4.3.6.1  Introductionp. 14

4.3.6.2  No code execution or inclusion of external resources by JSON parsersp. 14

4.3.6.3  Unique key values in IEsp. 14

4.3.6.4  The valid format and range of values for IEsp. 14

4.4  MnF-specific adaptations of basic vulnerability testing requirements and related test casesp. 14

$  Change historyp. 15

Up   Top