Securing the NSP
Overview
Nokia recommends performing the following steps to achieve station security for the NSP:
- Install the latest recommended patch cluster for RHEL. For customers using the Nokia-provided NSP RHEL OS image, only the NSP RHEL OS update can be used for applying OS patches. For customer-sourced and manually deployed RHEL OS instances, the patches must be obtained from Red Hat.
- NSP has no ingress or egress requirements to access the public internet and should be isolated with properly configured firewalls.
- Implement traffic management policies to control access to ports on NSP systems, as detailed in this section.
- Enforce minimum password requirements and password renewal policies on user accounts that access the NSP applications.
- Configure a warning message in the Launchpad Security Statement.
- The OAUTH2 authentication module provides login protection mechanisms to prevent denial of service attacks, lock out users after consecutive failed logins, and configure maximum sessions for GUI and OSS users. See the NSP Installation and Upgrade Guide for details.
- When using custom TLS certificates for NSP deployment, ensure that the server private key file is protected when not in use by nsp configurator.
- Optional: Revoke world permission on compiler executables (see NSP Installation and Upgrade Guide).
See the NSP System Architecture Guide for NSP RHEL OS compliance with CIS Benchmarks. The supported CIS Benchmark best practices are already implemented on NSP RHEL OS images.
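The two file-permission items in the checklist above (protecting the server private key and revoking world permission on compiler executables) can be verified with a mode audit. The script below is an added example, not Nokia or NSP code. It assumes GNU stat as found on RHEL, treats "protected" as owner-only access, and takes operator-supplied paths because this page names none.

```shell
#!/bin/sh
# Added example (not NSP code). Usage: sh audit.sh key:/path/server.key compiler:/path/cc
# All paths are supplied by the operator; none are NSP defaults.

# perm_bits_clear PATH MASK
# Returns 0 if PATH is a regular file (not a symlink) and none of the octal
# MASK bits are set in its mode, 1 if any are set, 2 if it cannot be checked.
perm_bits_clear() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 2
    pbc_mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$pbc_mode & 0$2 )) -eq 0 ]
}

# Assumption: a protected private key has no group or other permission bits.
key_is_protected() { perm_bits_clear "$1" 077; }

# World permission revoked: no read, write or execute bit for "other".
compiler_is_restricted() { perm_bits_clear "$1" 007; }

# audit KIND:PATH ...
# Prints one line per item and returns the number of findings.
audit() {
    findings=0
    for item in "$@"; do
        kind=${item%%:*}
        path=${item#*:}
        rc=0
        case $kind in
            key)      key_is_protected "$path" || rc=$? ;;
            compiler) compiler_is_restricted "$path" || rc=$? ;;
            *)        rc=2 ;;
        esac
        case $rc in
            0) echo "OK      $item" ;;
            1) echo "FINDING $item mode=$(stat -c '%a' "$path")"
               findings=$((findings + 1)) ;;
            *) echo "ERROR   $item (missing, symlink, or unknown kind)"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Symlinks are reported as errors rather than followed, so the audit always describes the file that was named on the command line.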
TLS communications
NSP communications are secured using TLS. The NSP supports TLS version TLSv1.2.
The NSP supports the use of custom TLS certificates for client communications with NSP applications. Internal communications between NSP components are secured with internal TLS certificates signed by a local PKI server. The NSP cluster software package provides a PKI server that can be used to simplify the TLS certificate distribution to NSP components.
An NSP cluster checks the expiry date of TLS certificates every 24 hours and raises an alarm in the Network Map and Health dashboard if a certificate is expired or nearing expiry. See the NSP System Administrator Guide for further information.
See the NSP Installation and Upgrade Guide for instructions on the configuration of custom TLS certificates and the provided PKI server application.