C Frequently Asked Questions (FAQ)
The Cloud Native Core products provide a set of 4G and 5G cloud native applications (called Network Functions, or NFs) that run on a Cloud Native Environment (CNE). The CNE may be virtualized or may run on bare metal, and it may be built with the OCCNE installers (creating an OCCNE reference environment) or provided by the customer. These FAQs assume that a reference OCCNE environment is being used; when a customer-provided CNE is used, CNE security is managed by the customer.
The FAQ questions are general; the answers may differ depending on the CNE environment and the NF application. For example, CNE authentication and authorization in the OCCNE reference environment is handled by Oracle Linux PAM and can be customized through PAM configuration changes. Authentication and authorization for the 5G NFs is specified by the 3GPP 5G specifications and is typically performed using X.509 mutual authentication (mutual TLS), OAuth 2.0, and JSON Web Tokens (JWT).
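As an added illustration (not code from the CNC product or any Oracle component), the following Python sketches the check a 5G NF service producer performs on an OAuth 2.0 access token presented as a JWT: pin the algorithm, verify the signature, and only then check expiry, audience and scope. It uses HS256 with a constructed shared secret so that it runs stand-alone with the standard library; the claim names `iss`, `sub`, `aud`, `exp` and `scope` are the standard OAuth 2.0/JWT ones, and the NF identifiers and service name in the sample claims are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this illustration only. It stands in for the key the
# authorization server (the NRF, in a 5G core) signs access tokens with.
NRF_SIGNING_SECRET = b"constructed-demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Issue a compact JWS (HS256) carrying the claims: the authorization server's side."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, secret: bytes, expected_aud: str, required_scope: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this producer; raise ValueError otherwise.

    The signature is checked before any claim is trusted, and the algorithm is
    pinned by the verifier rather than read from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")  # issued for a different producer
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("scope not granted")
    return claims


def token_status(token: str, secret: bytes, expected_aud: str, required_scope: str, now: float) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_token(token, secret, expected_aud, required_scope, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Sample claims (constructed): a consumer AMF calling a producer UDM's Nudm_SDM service.
SAMPLE_CLAIMS = {
    "iss": "nrf-demo",
    "sub": "amf-demo-1",
    "aud": "udm-demo-1",
    "scope": "nudm-sdm",
    "exp": 1_800_000_000,
}

if __name__ == "__main__":
    tok = mint_token(NRF_SIGNING_SECRET, SAMPLE_CLAIMS)
    print(token_status(tok, NRF_SIGNING_SECRET, "udm-demo-1", "nudm-sdm", now=1_700_000_000))
    print(token_status(tok, NRF_SIGNING_SECRET, "udm-demo-1", "nudm-uecm", now=1_700_000_000))
```

The order of checks is the point: a token whose audience is another producer, or whose scope does not cover the requested service, is rejected even though its signature is valid, and a token signed with a different key never reaches the claim checks at all.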
Security Zones
Zone | Purpose | Notes |
---|---|---|
Network | Network Access | In bare metal environments, network access is provided by network switches, which control ingress and egress flows for a site. In the OpenStack and OCI environments, different network rules provide similar access controls. |
Infrastructure | Infrastructure Hosting | All compute and data elements are hosted either directly on bare metal servers or on virtual machines. These infrastructure hosts run Oracle Linux 7 and use the standard Linux security mechanisms. |
DB | Cluster State Persistence | The DB-Tier is typically hosted on a cluster of virtual machines and provides a fault tolerant MySQL environment. MySQL has its own authentication and authorization mechanisms. |
K8s | Stateless Computing Instances | The Kubernetes (K8s) cluster is hosted either directly on bare metal servers or on a set of virtual machines. K8s has its own security mechanisms. |
OAM | 5G NF OAM | The 5G Network Functions have a variety of OAM interfaces for different OAM functions (for example: logging, tracing, monitoring, configuration). All authentication and authorization for the 5G NF OAM zone is mediated by the CNC Console. |
Signaling | 5G NF Signaling | The 5G core network defines a set of standards-driven authentication and authorization mechanisms for NF signaling. |
Security Principles
Attack Surface Reduction: What are the concrete ways to minimize attack surfaces?
- Minimize the number of running system processes.
- Uninstall, or do not install, software that is not required.
What are the concrete ways to limit the need for privilege escalation?
- Apply restricted Pod Security Policies.
- Do not run containers as root.
What are the concrete ways to implement defense in depth?
- Redundant controls
- Redundant monitoring
What are the concrete ways to monitor for security?
- Authentication events
- Performance anomalies
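The restricted-policy and non-root items above can be turned into an admission-style check. The Python below is an added example, not CNC or Kubernetes project code; it inspects a Pod manifest (as a dict, the shape `kubectl get pod -o json` returns) for the settings a restricted PodSecurityPolicy enforced: no privileged containers, no privilege escalation, run as non-root, no host namespaces, and a dropped capability set. The two sample manifests are constructed. PodSecurityPolicy was removed in Kubernetes 1.25; the same constraints are now applied by Pod Security Admission (the `restricted` profile), and the checks here correspond to it.

```python
"""Flag Pod settings that a restricted pod security policy would reject."""


def _containers(pod: dict) -> list:
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def restricted_policy_findings(pod: dict) -> list:
    """Return (location, problem) tuples; an empty list means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces let a container see or signal host processes and sockets.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("spec", f"{field} is true"))

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        # allowPrivilegeEscalation defaults to true, so an absent field is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        # Pod-level settings apply unless the container overrides them.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append((name, "runAsUser is 0 (root)"))
        elif run_as_non_root is not True:
            findings.append((name, "runAsNonRoot not set to true"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities.drop does not include ALL"))
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            findings.append((name, f"adds capabilities {sorted(extra)}"))
    return findings


# Constructed manifests: a weak one and its hardened counterpart.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example/app:1",
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_policy_findings(pod) or "passes")
```

Defaults are where these checks earn their keep: a manifest that says nothing about `allowPrivilegeEscalation` gets it enabled, and a container image that runs as UID 0 is only caught if `runAsNonRoot` is set somewhere in the Pod.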
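For the authentication-event item, the Python below is an added example (not CNC code) of the detection logic that would run over the Oracle Linux PAM/sshd entries in `/var/log/secure` on a CNE host: it parses failed and accepted logins, keeps a sliding window of failures per source address, and flags both a burst of failures and a success that follows such a burst. The log excerpt is constructed; hostnames, PIDs and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/secure excerpt (sshd and pam_unix lines as Oracle Linux 7 writes them).
SAMPLE_SECURE_LOG = """\
Mar  3 12:00:01 occne-host sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar  3 12:00:02 occne-host sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=root
Mar  3 12:00:03 occne-host sshd[2002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar  3 12:00:05 occne-host sshd[2003]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar  3 12:00:08 occne-host sshd[2004]: Failed password for oracle from 10.0.0.5 port 40004 ssh2
Mar  3 12:00:09 occne-host sshd[2005]: Failed password for oracle from 10.0.0.5 port 40005 ssh2
Mar  3 12:00:40 occne-host sshd[2006]: Accepted password for oracle from 10.0.0.5 port 40006 ssh2
Mar  3 12:01:00 occne-host sshd[2007]: Failed password for oracle from 10.0.0.7 port 50001 ssh2
Mar  3 12:02:00 occne-host sshd[2008]: Accepted publickey for oracle from 10.0.0.9 port 50002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PAM_FAIL_RE = re.compile(r"authentication failure;.* rhost=(?P<ip>\S+) user=(?P<user>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_event(line: str):
    """Turn one syslog line into {ts, kind, user, ip}, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; strptime fills in 1900, which is
    # fine for ordering within a file but must be corrected for real reporting.
    ts = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S")
    for kind, rx in (("failure", FAILED_RE), ("failure", PAM_FAIL_RE), ("success", ACCEPT_RE)):
        hit = rx.search(m["msg"])
        if hit:
            return {"ts": ts, "kind": kind, "user": hit["user"], "ip": hit["ip"]}
    return None


def scan_auth_events(lines, window_seconds: int = 300, threshold: int = 5) -> dict:
    """Return sources with >= threshold failures in the window and logins that followed such a burst.

    sshd in password mode emits both a pam_unix failure line and a 'Failed password'
    line for one attempt, so both are counted; set the threshold with that in mind.
    """
    recent = defaultdict(deque)          # ip -> timestamps of failures still inside the window
    brute_force = {}
    success_after_failures = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["kind"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold:
                brute_force[ev["ip"]] = len(q)
        elif len(q) >= threshold:
            # A successful login right after a burst of failures is the case to page on.
            success_after_failures.append((ev["ip"], ev["user"]))
    return {"brute_force": brute_force, "success_after_failures": success_after_failures}


if __name__ == "__main__":
    print(scan_auth_events(SAMPLE_SECURE_LOG.splitlines()))
```

Run against the sample, 10.0.0.5 is reported for six failures inside the window and again for the accepted password that follows them; the single failure from 10.0.0.7 and the key-based login from 10.0.0.9 stay quiet.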