Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 33.117  Word version:  18.3.0

Top   Top   None   None   Next
1…   4.2…   4.2.3…   4.2.3.4…   4.2.3.5…   4.2.4…   4.3…   4.3.4…   4.4…
1 Scope2 References3 Definitions and abbreviations3.1 Definitions3.2 Abbreviations4 Catalogue of security requirements and related test cases4.1 Introduction4.1.1 Pre-requisites for testing4.1.2 Use of tools in testing4.1.3 Documentation Requirements
...

 

1  Scopep. 8

The present document contains objectives, requirements and test cases that are deemed applicable, possibly after adaptation, to several network product classes.
Several network product classes share very similar if not identical security requirements for some aspects. Therefore, these are collected in this "catalogue" document applicable to many network product classes. In addition to this catalogue, requirements specific to different network product classes will be captured in separate documents.
Up

2  Referencesp. 8

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  Void
[3]
RFC 3871:  "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure".
[4]
TR 33.926: "Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes".
[5]  Void
[6]  Void
[7]  Void
[8]  Void
[9]
TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[10]
TS 33.501: v15 "Security architecture and procedures for 5G system".
[11]
RFC 7540:  "Hypertext Transfer Protocol Version 2 (HTTP/2)".
[12]
RFC 6749:  "OAuth2.0 Authorization Framework".
[13]
TS 29.501: "Principles and Guidelines for Services Definition".
[14]  Void
[15]
TS 33.210: "Network Domain Security (NDS); IP network layer security".
[16]
RFC 7515:  "JSON Web Signature (JWS)".
[17]
RFC 7519:  "JSON Web Token (JWT)".
[18]
TS 23.501: "System Architecture for the 5G System".
[19]
TR 33.916: "Security Assurance Methodology (SECAM) for 3GPP network products".
[20]
RFC 7126:  "Recommendations on Filtering of IPv4 Packets Containing IPv4 Options".
[21]
TS 29.500: "Technical Realization of Service Based Architecture".
Up

3  Definitions and abbreviationsp. 9

3.1  Definitionsp. 9

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Automatic assessment tool:
A software that operates with a minimal human intervention and aids the user in evaluation of the security of computer programs, systems and/or networks.
Developer:
A creator of systems, components, or services for use on or with a 3GPP network.
Expert knowledge:
Possesing skills, training and experience in analysing and understanding security threats in a wide variety of situations.
Identifiable person:
one who can be identified, directly or indirectly, in particular by reference to an identification number, name or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
Local access:
Communication through a direct network access interface.
Machine Accounts:
accounts used for authentication and authorization from system to system or between applications on a system and cannot be assigned to a single person or a group of persons.
Network Element:
As defined in TS 23.501.
Network Function:
As defined in TS 23.501.
Network product:
As defined in TR 33.916.
Network product class:
As defined in TR 33.916.
Owner:
The person or enity responsible for creating and maintaining content. The person or enity determines who has access to the content and the content permissions.
Personal data:
any information relating to an identified or identifiable natural person ('data subject').
Remote access:
Communication through an external network access interface.
Screenshot:
A digital image that shows the contents of a display.
Sensitive data:
data used for authentication or may help to identify the user, such as user names, passwords, PINs, cryptographic keys, IMSIs, IMEIs, MSISDNs, or IP addresses of the UE, as well as files of a system that are needed for the functionality such as firmware images, patches, drivers or kernel modules.
System group account:
a predefined system account in the network product, usually with special privileges, which has a predefined user id and hence cannot be tied to a single user (individual) in a normal operating environment.
EXAMPLE: the 'root' account.
Vendor:
A commercial supplier of 3GPP network software or hardware.
Vulnerability:
As defined in TR 33.916.
Up

3.2  Abbreviationsp. 10

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AAA
Authentication Authorization and Accounting
BOOTP
Bootstrap Protocol
BVT
Basic Vulnerability Testing
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart
CD
Compact Disk
CDP
Customer Data Platform
CIS
Center for Internet Security
COTS
Commercial Off The Shelf
CVE
Common Vulnerabilities and Exposures
DTLS
Datagram Transport Layer Security
DVD
Digital Video Disk
FOSS
Free Open-Source Software
FTP
File Transfer Protocol
GTP-C
GPRS Tunnelling Protocol for Control Plane
GUI
Graphical User Interface
GUID
Globally Unique Identifer
IKE
Internet Key Exchange
IPsec
Internet Protocol Security
JSON
Java Script Object Notation
JWS
JSON Web Signature
LLDP
Local Loop Demarcation Protocol
MOP
Maintenance Operations Protocol
NRF
Network Repository Function
NSI
Network Slice Instance
NSI ID
Network Slice Instance Identifier
NSSAI
Network Slice Selection Assistance Information
PHP
Hypertext Preprocessor
PM
Performance Management
QMS
Quality Management System
RAM
Random Access Memory
RBAC
Role Based Access Control
RCP
Remote Copy Program
RDP
Remote Delete Program
RPH
Reverse Path Filter
RSH
Remote shell
SBA
Service Based Architecture
SBI
Service Based Interfaces
SCAS
Security Assurance Specification
SCP
Service Communication Proxy
SECAM
Security Assurance Methodology
SEPP
Security Edge Protection Proxy
SFTP
Secure File Transfer Protocol
SGID
Special Group Identification
S-NSSAI
Single Network Slice Selection Assistance Information
SSH
Secure Shell
SSI
Server Side Includes
SSO
Single Sign-On
SUID
Set owner User Idenification
SYN
Synchrounous Transmission
TFTP
Trivial File Transfer Protocol
WAS
Web Application Security
WebDAV
Web Distributed Authoring and Versioning
Up

4  Catalogue of security requirements and related test casesp. 11

4.1  Introductionp. 11

4.1.1  Pre-requisites for testingp. 11

The SCAS tests, as described in the present specification, are to be applied to a network product whose software and hardware has been brought into use so that the network product can provide the intended functionality, either in a real network environment or in a simulated environment. This implies that, before any testing is performed, the hardware and software has been installed correctly, the network product is powered on, and communication has been established over all standardized interfaces and O&M interfaces related with the network product's functionality, as described in the vendor's documentation.
Communication over external non standardized Interfaces that may exist and are marked as optional, according to the vendor's documentation, shall also be established during testing unless they are explicitly marked as "not recommended" in the vendor's documentation.
For each of the enabled external communication interfaces there may be various optional capabilities. During testing, all such capabilities shall be enabled unless they are explicitly marked as "not recommended" in the vendor's documentation.
In some cases a testcase might require configuration changes as part of the execution steps or pre-conditions. After such test is executed and prior to any further test execution it needs to be ensured that the state of the Product under Evaluation is restored back in the original state.
SCAS testing is not about security in operations and deployments. So, in particular, SCAS testing is independent of any network operator guidelines or considerations on specific deployment scenarios.
Up

4.1.2  Use of tools in testingp. 12

The following text shall apply to all test cases described in the present document:
The present document takes into account that the landscape of testing tools evolves more rapidly than SCAS specifications. It is therefore allowed that, for each requirement, the actual test carried out may deviate from the stepwise description of the test case in the present document if the following conditions are fulfilled:
  1. The test is carried out by preferably using Commercial-of-the-Shelf (COTS) and Free-Open-Source-Software (FOSS) tools that are available for other testers that may want to repeat the test. In case a tool not in any of these two categories is used then evidence of the quality assurance of the tool needs to be provided. This applies only to tools used to perform the actual test and not supportive tools needed for setting up the testing environment like for example traffic generators/ simulators.
    In cases where a tester is not able to obtain the necessary tools to perform the test, vendor proprietary test tools may be used by the tester as long the test tool is controlled under a suitable quality management system (QMS). The tester ensures that this QMS is in place in order to avail of a vendor's test tool.
    Additionally in cases where the test lab does not have the necessary test environment to perform a test, it shall be possible for the test lab personnel to perform the test in a vendor's test lab. In such cases the tester shall record details of test environment, test set-up used and how the test was performed.
  2. The tester provides evidence, e.g. by referring to the documentation of the tool, that the tool is suitable to verify the requirement, and the scope of testing is equal or larger to the one of the test case described in the present document. The evidence needs to be sufficiently detailed for experts in the field of testing, not for the general public.
  3. The tester provides evidence that the tool has been actually used for testing the network product (e.g. by providing a trace).
Up

4.1.3  Documentation Requirementsp. 12

When a test case makes an assumption on the availability of certain items in the product documentation then this assumption is to be considered part of the requirement even if the requirements text does not mention the documentation.

Up   Top   ToC