1 Introduction

This document describes the security functions implemented by the vMRF. The document also describes the security-related procedures that can be performed.

2 Functions and Concepts

This document covers the following security functions provided by vMRF:

Traffic separation
O&M Traffic Protection
O&M Administrator Access Control

For a complete list of vMRF functions, including other security functions, see vMRF Overview.

2.1 Traffic Separation

The traffic for O&M, signaling, trusted payload, and untrusted payload uses separate vNICs. Virtual switch traffic separation is also a requirement in the cloud environment for vMRF. For more information on security requirements in the cloud environment, see vMRF Infrastructure Requirements.

2.2 O&M Traffic Protection

The Northbound Interface (NBI) is assumed to be accessed from a trusted O&M network. O&M traffic is secured using various security protocols, see Services, Ports, and Protocols for the details. Other protocols, for example, Telnet or FTP, are not permitted on the O&M interface.

It is recommended to configure a rate limit in an external firewall for protection of the NBI. For a description of the O&M traffic architecture, see Security Management for ECLI, NETCONF, and SFTP Users.

2.3 O&M Administrator Access Control

vMRF uses Role-Based Access Control (RBAC) with different rules that can be granted to various role groups. vMRF uses an external Lightweight Directory Access Protocol (LDAP) server to provide user authentication. It is recommended to follow the security policy of the operator when defining O&M users and assigning specific roles to them. It is recommended that access to sensitive information is restricted to those roles and operations personnel who need the access.

Table 1 shows the default roles defined in vMRF:

Table 1 vMRF Roles
Role	Permission	MOM Fragment	Command and File Access
SystemAdministrator	R	ManagedElement,SystemFunctions,SecM (only the MO, but not the attributes) ManagedElement,SystemFunctions,SecM,CertM,*	Access to all vMRF CLI commands except for MSR
	RW	ManagedElement,SystemFunctions,SwInventory,*
	RWX	ManagedElement ManagedElement,SystemFunctions ManagedElement,SystemFunctions,Fm,* ManagedElement,SystemFunctions,Pm,* ManagedElement,SystemFunctions,SwM,* ManagedElement,SystemFunctions,SysM,* ManagedElement,Transport
SystemSecurityAdministrator	R	ManagedElement ManagedElement,SystemFunctions ManagedElement,SystemFunctions,Fm,* ManagedElement,SystemFunctions,SwInventory,*	Access to system logs and logs produced by the vMRF for troubleshooting purposes Access to all vMRF CLI commands for information printing
SystemSecurityAdministrator	RWX	ManagedElement,SystemFunctions,SecM*
SystemTroubleshooter	-	-	Access to commands of the underlying Ericsson Component Based Architecture (CBA) application Access to imm OpenSAF commands Access to system logs and logs produced by the vMRF for troubleshooting purposes Access to all vMRF CLI commands except for MSR
MrfApplicationOperator	R	ManagedElement,*	Access to all vMRF CLI commands for information printing Read access to PM files and alarm and event logs through SSH/SFTP
MrfApplicationOperator	RX	ManagedElement,SystemFunctions,SysM,*
MrfApplicationAdministrator	RWX	ManagedElement,*	Access to all vMRF CLI commands for information printing Read and write access to PM files and alarm and event logs through SSH/SFTP
MrfApplicationAdministrator	R	ManagedElement,SystemFunctions,SecM,*
MrfApplicationSecurityAdministrator	R	ManagedElement,*	Access to all vMRF CLI commands for information printing Read access to PM files and alarm and event logs through SSH/SFTP
MrfApplicationSecurityAdministrator	RWX	ManagedElement,SystemFunctions,SecM,*
MrfApplicationTroubleshooter	-	-	Access to all vMRF CLI commands except for MSR
MrfApplicationTroubleshooter	-	-	Access to MSR commands
MrfApplicationSftpUser	R	ManagedElement,SystemFunctions,FileM,*	Read access to PM files and alarm and event logs through SFTP port (115) only Restricts all other access
MrfApplicationMomAccess	-	-	Only provides access to CLISS and NETCONF ⁽¹⁾

(1) This role does not provide access to MOs.
It can be used as a base for custom roles to provide access to a specific set of MOs. For more information, see Create Custom Role.

Users are given access to CLI commands based on their roles as shown in Table 1. A user can be assigned multiple roles simultaneously. MrfApplicationSftpUser is a special role that restricts all other access and allows only SFTP access even when combined with other roles. Media Stream Recording (MSR) access must only be granted to Ericsson troubleshooters.

2.3.1 Reserved POSIX Groups

Table 2 lists POSIX groups, their corresponding Group Identifiers (GIDs), and their function in vMRF. Users are automatically given command access based on their role, as described in Table 1. The following GID ranges are reserved and should not be assigned for LDAP users to avoid unintentional command access assignment: 0–1001, 2000–2008, and 7000–7999.

Table 2 Reserved vMRF POSIX Groups
Name	GID	Description
system-ts	2000	Troubleshooter; Access to commands of the underlying Ericsson Component Based Architecture (CBA) application; Has root privileges
mrf-op	2005	Normal operator; Access to all vMRF CLI commands for information printing
mrf-ts	2006	Troubleshooter; Access to all vMRF CLI commands except for MSR
mrf-msr	2008	Ericsson troubleshooter; Access to MSR commands
cmw-imm-users	2004	IMM troubleshooter; Access to imm OpenSAF commands
sftpusers⁽¹⁾	2007	Restricted operator; Access to PM files and alarm and event logs through SFTP port (115) only
mrsv-admin	1001	Emergency user; Has root privileges
systemd-journal	994	Access to logs produced by the vMRF for troubleshooting

(1) The sftpusers POSIX group restricts all other group rights. A member of the sftpusers POSIX group only has SFTP access rights and cannot be a member of any other POSIX group.

The system-ts group is intended to perform privileged troubleshooting activities in the VNF application and in the Linux Guest OS of the VMs. The users of this group must be highly trusted because the system-ts group has equivalent privileges to a root user. Member of this group needs to issue sudo command to execute a Linux® shell privileged command.

The emergency user (default value is mrsv-admin) is a user that can log on to the system controller using SSH through the NBI, even when the LDAP server is unavailable. The emergency user is defined during deployment by editing the deployment template and cannot be changed during operation. For more information, see the relevant deployment guide. The emergency user has access to all MOs and can therefore log on to the system to restore LDAP connectivity and return the system to normal operation.

Note:

The emergency user must only be used for emergency recovery purposes and not as a shared account for normal O&M operations.

SSH login for the root user is not permitted for normal users. The root user is locked, so that normal users cannot change to root with the su root command. The emergency and the troubleshooter (system-ts) users can change to root with the sudo -i command.

Logging in through the serial port is not permitted.

SSH host keys (RSA, DSA, ECDSA) for the VMs of the VNF cluster are generated automatically by the first VM during the deployment process, and copied to all other VMs. The fingerprints of the SSH host keys are visible in the console tool after deployment.

2.4 Idle Session Time-out

An SSH session is an interval that starts when a user is authenticated and can start operations. It ends when the user exits, or when the connection to the VNF is closed because of user inactivity. If the session ends because of inactivity, the situation is called idle session time-out.

Idle session time-out is a fixed time of 30 minutes and is enforced for all CLI command, NETCONF, and file access sessions. Traffic is monitored only in the client-to-server direction.

2.5 Brute-Force Attack Protection

The vMRF SSH interface uses a mechanism to protect against password cracking with brute-force attacks. The mechanism temporarily bans login attempts from IP addresses that reach the maximum allowed number of failed login attempts. The ban period and the maximum allowed number of failed login attempts are preconfigured in vMRF.

The ban period is set to 10 minutes, and the maximum allowed number of failed login attempts is five. This means that after five unsuccessful login attempts, no more login attempts are allowed from the given IP address for 10 minutes.

3 Services, Ports, and Protocols

The services, ports, and protocols that are used by vMRF are listed in Table 3.

Table 3 Services, Ports, and Protocols on the O&M Interface
Service or Interface Name	Protocol	Source	Destination	Direction	IP Address Type	Port	Transport Protocol	IP Version
CLI access	SSH	User client	vMRF MIP	Incoming	O&M IP	22	TCP	IPv4
PM report file access Alarm and alert log file access	SFTP	ENM	vMRF MIP	Incoming	O&M IP	115	TCP	IPv4
LDAP	TLS	vMRF MIP	LDAP server	Outgoing	O&M IP	389 (configurable)	TCP	IPv4
LDAP	LDAPS	vMRF MIP	LDAP server	Outgoing	O&M IP	636 (configurable)	TCP	IPv4
NeLS	TLS	vMRF VM	Network license server	Incoming	LM	9095	TCP	IPv4 or IPv6
NETCONF	SSH	ENM	vMRF MIP	Incoming	O&M IP	830	TCP	IPv4
NETCONF	TLS	ENM	vMRF MIP	Incoming	O&M IP	6513	TCP	IPv4
SNMP	SNMP	SNMP server	vMRF MIP	Incoming	O&M IP	161 (SNMP) configurable⁽¹⁾	UDP	IPv4
SNMP	SNMP	vMRF MIP	SNMP target	Outgoing	O&M IP	162 (SNMP trap) configurable⁽²⁾	UDP	IPv4
Synchronization	NTP	vMRF VM (MIP or fixed management IP)	NTP server	Bidirectional⁽³⁾	O&M IP	123	UDP	IPv4

(1) Local port for SNMP messages.

(2) Remote port for SNMP trap target.

(3) Association is initiated by vMRF VM.

Table 4 Services, Ports, and Protocols on the Control Plane Interface
Service or Interface Name	Protocol	Source	Destination	Direction	IP Address Type	Port	Transport Protocol	IP Version
Ia, Ix, or Iq	H.248	vMRF VM	MTAS	Bidirectional	Signaling IP	2944⁽⁴⁾	SCTP	IPv4

(4) This SCTP port can be configured with the attribute localPortNumber of the MrfH248Control MO.

Table 5 Services, Ports, and Protocols on the User Plane Interfaces
Service or Interface Name	Protocol	Source	Destination	Direction	IP Address Type	Port	Transport Protocol	IP Version
Trusted network (IMS Core)	RTP, RTCP, UDPTL	Remote media server	vMRF	Bidirectional	Traffic IP	1024–65535	UDP	IPv4 or IPv6

4 Security Configuration

This section describes how to configure the security functions in vMRF.

4.1 O&M Administrator Access Control

This section provides the instructions for operating the security functionality of the product.

4.1.1 Configure LDAP Authentication and Authorization in vMRF

This procedure describes how to configure vMRF to use an LDAP server for authentication and authorization.

Prerequisites

vMRF has been deployed.
LDAP authentication and authorization has not yet been configured in the vMRF VNF, or the configuration needs to be changed. For instructions on how to import the LDAP configuration below into the VNF during deployment, see the relevant deployment guide.
An LDAP server is available for vMRF and its IP address and port are known.
The LDAP server has TLS enabled and one issuer certificate of its node credentials has been installed as trusted certificate.
You have logged in to vMRF either as the emergency user, or as the security administrator.
An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.

Steps

Install vMRF node credentials using offline enrollment, as described in Install or Renew Node Credential by PKCS 12.
Install trusted certificates for the CA and the LDAP server, as described in Install Trusted Certificate.
Create a trust category for the LDAP server certificate, as described in Create Trust Category.

In the MOM, navigate to the Ldap MO and configure it:

>ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1

(Ldap=1)>configure

(config-Ldap=1)>baseDn="dc=example,dc=org"

(config-Ldap=1)>bindDn="cn=admin,dc=example,dc=org"

Note:

Replace the values with the actual DNs.

(config-Ldap=1)>ldapIpAddress="<IP_address_of_the_LDAP_server>"

(config-Ldap=1)>serverPort=<Port_of_the_LDAP_server>

Note:

Available LDAP server ports are the following:

389, if attribute useTls is false.
389, if attribute useTls is true and tlsMode is STARTTLS.
636, if attribute useTls is true and tlsMode is LDAPS.

(config-Ldap=1)>nodeCredential="ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"

(config-Ldap=1)>trustCategory="ManagedElement=1,SystemFunctions=1,SecM=1,CertM=1,TrustCategory="<Trust_category_created_for_the_LDAP_server_certificate>"

(config-Ldap=1)>useTls=true

(config-Ldap=1)>profileFilter=ERICSSON_FILTER

Note:

The profileFilter attribute configuration is needed for RBAC.

(config-Ldap=1)>EricssonFilter=1

(config-EricssonFilter=1)>roleAliasesBaseDn="dc=example,dc=com"

(config-EricssonFilter=1)>up

(config-Ldap=1)>up

(config-LdapAuthenticationMethod=1)>administrativeState=UNLOCKED

(config-LdapAuthenticationMethod=1)>commit

Activate the local authorization method in the VNF to prevent all LDAP users from having full access to configuration data:
(config-LdapAuthenticationMethod=1)>LocalAuthorizationMethod=1

(config-LocalAuthorizationMethod=1)>administrativeState=UNLOCKED

(config-LocalAuthorizationMethod=1)>commit

For more information, see Unlock Local Authorization Method.
Add the Ericsson schema to the LDAP server, and extend the LDAP server user accounts to use role based access control (RBAC).
- Define the directory entry representing the users Posix account for each user.
- Define the role of the user by setting the ericssonUserAuthorizationScope attribute of the Posix account. The value of the authorization scope must have the format <target_type>:<role>, for example, ericssonUserAuthorizationScope:MrfApplicationOperator.
- To access logs produced by vMRF, give the SystemSecurityAdministrator or SystemTroubleshooter role to the user.
- To have users with access rights only to PM files, alarm and event logs via SFTP, define users with MrfApplicationSftpUser role.
For more information on LDAP server user accounts, see LDAP-Based Authentication and Authorization Interface.

4.2 Recommended Periodic Operations

Even though vMRF has been installed and hardened securely, administrator and user activity over time can introduce security exposures. Also, new vulnerabilities which need to be mitigated are frequently found in the existing products. Therefore it is necessary to maintain the security posture of the product in service on a regular, ongoing basis.

This section describes recommended periodic operations.

Take system backups regularly according to the vMRF Backup and Restore Guideline.
Restrict access to backup files so that unauthorized persons cannot view or modify the included sensitive data. This recommendation also refers to backups stored in an external server.
Apply password policies on the LDAP server to enforce password complexity, aging, and recovery.
Ensure that no unnecessary accounts exist.
Ensure that no unnecessary listening ports are open.
Ensure that no shared user accounts are used.
Ensure that the emergency user password is not known by more people than necessary.
Ensure that user rights are assigned only to real needs.
Monitor the log of access and authorization events in the system by using the following commands:
- journalctl _COMM=sshd – sshd access logs
- journalctl SYSLOG_FACILITY=10 – authentication logs
- journalctl _COMM=com – NBI audit logs

4.3 Handling of Patches

Patches are delivered as new vMRF software packages. A new software package is deployed as a new vMRF VNF, and if needed, the old VNF can be deleted.

5 Privacy

vMRF includes features for troubleshooting and media plane problem solving that have privacy impacts. These features can be used by both Ericsson and operator trusted personnel.

To be able to provide services in the network, vMRF handles sensitive personal data. To restrict access to personal data, vMRF uses RBAC for roles and operations personnel who need access to such information. It is the responsibility of operators to use these security controls appropriately to protect personal data and mitigate any possible privacy impact. For more information on RBAC roles, see O&M Administrator Access Control.

5.1 Notice and Consent

To ensure that personal information is collected and processed in a fair and lawful manner, operators have the following responsibilities regarding personal information privacy:

Locally applicable privacy statements must be made available to users whose data is being collected.
Locally applicable user consent must be in place for processing personal information.

Furthermore, it is assumed that all personal privacy related information is handled by the operator according to all applicable local and international laws and regulations in the countries in which they operate.

5.2 Personal Data Classification

The following table lists the collected data item types by Personal Data Category:

Table 6 Collected Data Item Types
Personal Data Category	Data Item
Basic data	IP address. IP addresses of media plane packets are considered as Personally Identifiable Information (PII) and may be included in log files. To provide services, vMRF processes the IP addresses in RTP and IP packets sent from or received by the UE. These IP addresses are not stored by vMRF, except possibly in troubleshooting logs. In most deployments, the IP addresses visible for vMRF are not UE IP addresses, but internal IP addresses of the operator's border gateway (vBGF), or media gateway (IM-MGW) instances used for connecting the UE to the IMS core network.
Sensitive data (identifiable user activity)	Content of media plane traffic when Media Stream Recording (MSR) is active: voice, text, sound, pictures, or other content of the communication. MSR is used for troubleshooting only by Ericsson personnel only, and only after the operator has explicitly requested Ericsson to analyze the problem and has agreed with Ericsson on the use of MSR. The produced recording files are sent to Ericsson vMRF support for analysis.

Appendix A: List of Certificates in vMRF

Table 7 Certificates in vMRF
Certificate Purpose	Time of Certification	Certificate Expiry Period	Description
Internal communication	Auto-generated at deployment time	50 years after deployment	Certificate for internal communication within VNF
CA LDAP TLS	Managed by operator	Managed by operator	Trusted certificate signer of CAAS server certificate
VNF LDAP TLS	Managed by operator	Managed by operator	Node Credential-type VNF certificate towards the LDAP server. The certificate used for OAM can also be used for this purpose.
CA OAM TLS	Managed by operator	Managed by operator	Trusted CA certificate to validate TLS-based OAM connections
VNF OAM TLS	Managed by operator	Managed by operator	Node Credential-type VNF certificate or certificates for OAM. This certificate can be used for NETCONF, CLI, SNMP, and FTP. Different certificates can be specified as well.
Root CA NeLS TLS	–	2036-07-16 23:59:59 GMT	Root CA to validate NeLS ⁽¹⁾
CA NeLS TLS	–	2023-10-30 23:59:59 GMT	Intermediate CA certificate to validate NeLS ⁽¹⁾
License signing	2016-11-03 00:00:00 GMT	2038-01-18 00:00:00 GMT	Certificate to validate licenses in the license server⁽¹⁾
Customer CA NeLS TLS	Managed by operator	Managed by operator	CA certificate to validate network server certificate
VNF License TLS	Managed by operator	Managed by operator	Certificate to authenticate VNF towards the licensing server

(1) Not manageable.

For more information on certificate management, see Certificate Management.

Copyright	© Ericsson AB 2016–2019. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer	The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademarks	All trademarks mentioned herein are the property of their respective owners. These are shown in the document Trademark Information.