Securing the NFM-P

Overview

Nokia recognizes the importance of deploying important software such as the NFM-P in secure environments and, as such, supports the use of security techniques to enhance the security of the NFM-P.

NFM-P communications is secured using TLS 1.2 by default, SNMPv3 and HTTPS.  See the NSP Installation and Upgrade Guide for configuration information.

NFM-P implements a number of safeguards to ensure protection of private data. Additional information can be found in the Security section of the NSP Installation and Upgrade Guide.

Nokia recommends performing the following steps to achieving NFM-P station security:

Operating system installation for NFM-P stations

For customer sourced and manually deployed RHEL OS instances, Nokia supports customers applying RHEL patches provided by Red Hat which include security fixes as well as functional fixes. Nokia also supports customers applying Windows patches provided by Micorsoft. If a patch is found to be incompatible with the NSP, the patch may need to be removed until a solution to the incompatibility is provided by Red Hat or Nokia. See the NSP Release Notice for up-to-date information about the recommended RHEL maintenance update and patch levels.

For customers using the Nokia provided RHEL OS images, only the RHEL OS patch bundles provided by Nokia can be applied.

NFM-P is supported on RHEL installed with the list of required RHEL Packages documented in the NSP Installation and Upgrade Guide. SELinux is supported in both permissive and enforcing mode for most NSP components. Auxiliary databases support SELinux in permissive mode only.

Additional efforts to secure the system could impact NFM-P's operation or future upgrades of the product. Customers should perform some level of basic testing to validate additional platform hardening does not impact NFM-P's operation. The NFM-P Product Group makes no commitment to make NFM-P compatible with a customer's hardening requirements.

Installing the NFM-P components

Nokia recommends performing the following steps when installing the NFM-P components:

Nokia also recommends the configuration (as documented in the NSP NFM-P User Guide) of the following options to secure communication with the NFM-P client UI and the NFM-P client XML API interfaces:

NFM-P network element communication

The following configurations are documented in the NSP NFM-P User Guide, and help secure communication between the network elements and NFM-P server installations:

Deploying NFM-P with firewalls

A firewall can be deployed to protect the NFM-P server from the managed network and to protect the server from the network hosting the NFM-P clients. The diagrams below illustrate this and show the communications services that are required through the firewalls. Installations of NFM-P can make use of the RHEL built in firewall using firewalld. Standalone Firewall products must not be collocated on servers hosting NFM-P components. Only the built-in RHEL firewall used to enable filter rules lists can be collocated with NFM-P components. See NFM-P firewall and NAT rules for more details.

Some NFM-P operations require idle TCP ports to remain open for longer periods of time. Therefore, customers using a firewall that closes idle TCP connections should adjust Operating System TCP keepalives to a value that ensures that the firewall will not close sockets in use by NFM-P.

For some of the network elements described in Network element specific requirements there is a requirement for the NFM-P GUI client to communicate directly with the network element using specialized configuration tools.

Figure 6-2: Firewalls and NFM-P standalone deployments
Firewalls and NFM-P standalone deployments
Figure 6-3: Firewalls and NFM-P redundant deployments
Firewalls and NFM-P redundant deployments