Network and mediation

Network separation

Nokia recommends configuring multiple NSP network interfaces to segregate different types of NSP traffic. You can segregate NSP client, mediation, and internal traffic by configuring the NSP to use interfaces in separate networks for each traffic type.

The multi-interface implementation isolates different traffic types to one or more of the following networks:

Using separate networks allows for additional security policies. For example, the NSP PostgreSQL service is an internal service with NSP components as the only legitimate clients; northbound browser or API clients are not applicable to this service. To help secure the PostgreSQL service from unintended access, you could apply a firewall rule to block the PostgreSQL port on the northbound client interface.
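The PostgreSQL firewall rule described above, written as an nftables ruleset (an added example, not configuration from the NSP guide). It assumes PostgreSQL on its default TCP port 5432, an internal interface named ens192 and a northbound client interface named ens160; adjust all three for the actual host.

```shell
#!/bin/sh
# Added example (not from the NSP guide): an nftables ruleset that keeps the
# NSP PostgreSQL service reachable only over the internal network interface.
# Assumed values: PostgreSQL on TCP 5432 (the PostgreSQL default), internal
# interface "ens192", northbound client interface "ens160".
PG_PORT=${PG_PORT:-5432}
INTERNAL_IF=${INTERNAL_IF:-ens192}
CLIENT_IF=${CLIENT_IF:-ens160}

# Emit the ruleset text. Connections to the PostgreSQL port are accepted only
# when they arrive on the internal interface; the same port on the client
# interface is logged and dropped. Everything else is left to the host policy.
pg_ruleset() {
  cat <<EOF
table inet nsp_pg {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$INTERNAL_IF" tcp dport $PG_PORT accept
    iifname "$CLIENT_IF" tcp dport $PG_PORT log prefix "nsp-pg-blocked " drop
  }
}
EOF
}

# Return the verdict ("accept" or "drop") the ruleset gives to a connection
# to PG_PORT arriving on the named interface, by reading the rule written for
# that interface; the chain policy ("accept") applies when no rule matches.
pg_verdict() {
  iface=$1
  line=$(pg_ruleset | grep "iifname \"$iface\" tcp dport $PG_PORT" || true)
  case "$line" in
    *" drop")   echo drop ;;
    *" accept") echo accept ;;
    *)          echo accept ;;   # no interface-specific rule: chain policy
  esac
}

# Load the ruleset with nft when run on the NSP host (requires root).
apply_pg_ruleset() {
  pg_ruleset | nft -f -
}
```

Review the generated ruleset with `pg_ruleset` before calling `apply_pg_ruleset`; blocked attempts show up in the kernel log with the "nsp-pg-blocked" prefix, which is a useful detection signal for misdirected clients.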

To accommodate a deployment environment that hosts only one network, the use of multiple NSP network interfaces is optional. When the NSP uses only one network for all communication, the NSP client traffic shares the same network as the NE management traffic and the communication between NSP components. This type of configuration can pose a considerable security risk.

Firewall configuration

An NSP deployment has no ingress or egress requirement for access to the public Internet; each NSP host must be isolated using a properly configured firewall.

The NSP supports firewall deployment on all NSP host interfaces; however, firewall support among system components may vary. Components such as the NFM-P or WS-NOC that have multiple system elements may have additional firewall requirements. See the NSP Planning Guide and any specific component planning documentation, as required, for firewall port requirements and restrictions.

Note: Firewall deployment between the members of an NSP cluster is not supported.

Mediation

The following is a summary of recommendations for mediation security:

SSH

The NSP supports strong SSH cryptographic algorithms by default. The default algorithms are updated as required to account for changes in the security level of specific algorithms.

SNMP

When SNMP mediation is required, SNMPv3, which supports authentication and encryption, is strongly recommended over SNMPv1/v2.

The SNMP recommendations are:

Lawful Intercept and data privacy

An NSP system that includes classic management can act as an optional remote controller for Lawful Intercept (LI) functions on SNMP devices that have native LI support. LI is a highly secure function that is built into the device hardware; the NSP LI capabilities are limited to LI target specification, and enabling or disabling LI on a target.

As a remote controller, the NSP has no visibility of intercepted traffic; see “Lawful Intercept concepts” in the NSP NFM-P Classic Management User Guide for more information.

gRPC

When gRPC mediation is required, the NSP gRPC client can be configured to use two-way TLS to protect communication between NSP and the NEs; see the NSP System Administrator Guide for configuration information.

The gRPC recommendations are:

NETCONF or CLI

When NETCONF or CLI mediation is required, Telnet or SSH may be used as the transport protocol.

The NETCONF and CLI recommendations are:

VSR-NRC communication to the network

See the following documentation references for information about VSR-NRC communication to the network.

IP Routing Protocols

See “Unicast routing and MPLS” in the VSR-NRC Security Best Practices and Hardening Guide.

PCEP

See “PCEP over TLS” in the Segment Routing and PCE User Guide.