Securing the NSP
Overview
Nokia recommends performing the following steps to achieve station security for the NSP:
-
Install the latest recommended patch cluster for RHEL. For customers using the Nokia provided RHEL OS image, these must be obtained directly from Nokia only. For customer sourced and manually deployed RHEL OS instances, the patches must be obtained from Red Hat.
-
NSP has no ingress or egress requirements to access the public internet and should be isolated with properly configured firewalls.
-
Implement traffic management policies to control access to ports on NSP systems, as detailed in this section
-
Enforce minimum password requirements and password renewal policies on user accounts that access the NSP applications.
-
Configure a warning message in the Launchpad Security Statement.
-
CAS and OAUTH2 authentication modules provide login protection mechanisms to prevent denial of service attacks, lockout users for consecutive failed logins and configure maximum sessions for administrators and users. See NSP Installation and Upgrade Guide for details.
-
When using custom TLS certificates for NSP deployment, ensure that the server private key file is protected when not in use by nsp configurator.
-
Optional: Revoke world permission on compiler executables (see NSP Installation and Upgrade Guide).
See the NSP System Architecture Guide for NSP RHEL OS compliance with CIS Benchmarks. The supported CIS Benchmark best practices are already implemented on NSP RHEL OS images.
TLS communications
Communications of the NSP is secured using TLS. The NSP supports TLS version TLSv1.2.
The NSP supports the use of custom TLS certificates for client communications with NSP applications. Internal communications between NSP components can be secured with the use of a PKI server which can create, sign and distribute certificates. The NSP cluster software package provides a PKI server that can be used to simplify the TLS certificate distribution to NSP components.
A NSP cluster will check the expiry date of TLS certificates every 24h and raise an alarm in the Fault Management application if the certificate is expired or nearing expiry. See the NSP System Administrator Guide for further information.
See the NSP Installation and Upgrade Guide for instructions on the configuration of custom TLS certificates and the provided PKI server application.