
TS 33.526
Security Assurance Specification (SCAS) for the
Management Function (MnF)

V19.0.0 (PDF)  2025/09  17 p.
V18.1.0  2023/09  17 p.
Rapporteur:
Dr. Ben Henda, Noamen
Huawei Technologies Sweden AB

full Table of Contents for  TS 33.526  Word version:  19.0.0

1 Scope  p. 7
2 References  p. 7
3 Definitions of terms, symbols and abbreviations  p. 7
3.1 Terms  p. 7
3.2 Symbols  p. 7
3.3 Abbreviations  p. 7
4 MnF-specific security requirements and related test cases  p. 8
4.1 Introduction  p. 8
4.2 MnF-specific security functional adaptations of requirements and related test cases  p. 8
4.2.1 Introduction  p. 8
4.2.2 Security functional requirements on the MnF deriving from 3GPP specifications and related test cases  p. 8
4.2.3 Technical Baseline  p. 8
4.2.3.1 Introduction  p. 8
4.2.3.2 Protecting data and information  p. 8
4.2.3.2.1 Protecting data and information - general  p. 8
4.2.3.2.2 Protecting data and information - unauthorized viewing  p. 8
4.2.3.2.3 Protecting data and information in storage  p. 8
4.2.3.2.4 Protecting data and information in transfer  p. 8
4.2.3.2.5 Logging access to personal data  p. 8
4.2.3.3 Protecting availability and integrity  p. 9
4.2.3.3.1 System handling during overload situations  p. 9
4.2.3.3.2 Boot from intended memory devices only  p. 9
4.2.3.3.3 System handling during excessive overload situations  p. 9
4.2.3.3.4 System robustness against unexpected input.  p. 9
4.2.3.3.5 Network Product software package integrity  p. 9
4.2.3.4 Authentication and authorization  p. 9
4.2.3.4.1 Authentication policy  p. 9
4.2.3.4.2 Authentication attributes  p. 9
4.2.3.4.2.1 Account protection by at least one authentication attribute.  p. 9
4.2.3.4.2.2 Predefined accounts shall be deleted or disabled.  p. 9
4.2.3.4.2.3 Predefined or default authentication attributes shall be deleted or disabled.  p. 9
4.2.3.4.3 Password policy  p. 9
4.2.3.4.3.1 Password Structure  p. 9
4.2.3.4.3.2 Password changes  p. 10
4.2.3.4.3.3 Protection against brute force and dictionary attacks  p. 10
4.2.3.4.3.4 Hiding password display  p. 10
4.2.3.4.4 Specific Authentication use cases  p. 10
4.2.3.4.4.1 Network Product Management and Maintenance interfaces  p. 10
4.2.3.4.5 Policy regarding consecutive failed login attempts  p. 10
4.2.3.4.6 Authorization and access control  p. 10
4.2.3.4.6.1 Authorization policy  p. 10
4.2.3.4.6.2 Role-based access control  p. 10
4.2.3.5 Protecting sessions  p. 10
4.2.3.5.1 Protecting sessions - logout function  p. 10
4.2.3.5.2 Protecting sessions - Inactivity timeout  p. 10
4.2.3.6 Logging  p. 10
4.2.3.6.1 Security event logging  p. 10
4.2.3.6.2 Log transfer to centralized storage  p. 10
4.2.3.6.3 Protection of security event log files  p. 11
4.2.4 Operating systems  p. 11
4.2.5 Web servers  p. 11
4.2.5.1 HTTPS  p. 11
4.2.5.2 Logging  p. 11
4.2.5.3 HTTP User sessions  p. 11
4.2.5.4 HTTP input validation  p. 11
4.2.6 Network devices  p. 11
4.2.6.1 Protection of data and information  p. 11
4.2.6.2 Protecting availability and integrity  p. 11
4.2.6.2.1 Packet filtering  p. 11
4.2.6.2.2 Interface robustness requirements  p. 11
4.2.6.2.3 GTP-C Filtering  p. 11
4.2.6.2.4 GTP-U Filtering  p. 11
4.3 MnF-specific adaptations of hardening requirements and related test cases.  p. 12
4.3.1 Introduction  p. 12
4.3.2 Technical Baseline  p. 12
4.3.3 Operating Systems  p. 12
4.3.3.1 General operating system requirements and test cases  p. 12
4.3.3.1.1 IP-Source address spoofing mitigation  p. 12
4.3.3.1.2 Minimized kernel network functions  p. 12
4.3.3.1.3 No automatic launch of removable media  p. 12
4.3.3.1.4 SYN Flood Prevention  p. 12
4.3.3.1.5 Protection from buffer overflows  p. 12
4.3.3.1.6 External file system mount restrictions  p. 12
4.3.4 Web Servers  p. 12
4.3.4.1 General  p. 12
4.3.4.2 No system privileges for web server  p. 12
4.3.4.3 No unused HTTP methods  p. 12
4.3.4.4 No unused add-ons  p. 13
4.3.4.5 No compiler, interpreter, or shell via CGI or other server-side scripting  p. 13
4.3.4.6 No CGI or other scripting for uploads  p. 13
4.3.4.7 No execution of system commands with SSI  p. 13
4.3.4.8 Access rights for web server configuration  p. 13
4.3.4.9 No default content  p. 13
4.3.4.10 No directory listings  p. 13
4.3.4.11 Web server information in HTTP headers  p. 13
4.3.4.12 Web server information in error pages  p. 13
4.3.4.13 Minimized file type mappings  p. 13
4.3.4.14 Restricted file access  p. 13
4.3.4.15 Execute rights exclusive for CGI/Scripting directory  p. 13
4.3.5 Network Devices  p. 13
4.3.5.1 Traffic Separation  p. 13
4.3.6 Network Functions in service-based architecture  p. 13
4.3.6.1 Introduction  p. 14
4.3.6.2 No code execution or inclusion of external resources by JSON parsers  p. 14
4.3.6.3 Unique key values in IEs  p. 14
4.3.6.4 The valid format and range of values for IEs  p. 14
4.4 MnF-specific adaptations of basic vulnerability testing requirements and related test cases  p. 14
Change history  p. 15
