Versions Compared

Old Version 124

changes.mady.by.user Robert Heinemann

Saved on

compared with

New Version 125

changes.mady.by.user Robert Heinemann

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Phase 2 will focus on logs of events from services orchestrated by ONAP

Image Removed

Best Practices and Risk Analysis for an Operator

<TODO>

Best Practices for operators to collect and correlate logs

<TODO>

Tagging








...

References

  1. https://www.enisa.europa.eu/publications/security-in-5g-specifications
  2. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
  3. VNF Requirements List: 9. Requirement List — onap master documentation
  4. ONAP application1 logging guidelines – Revision 1.0 (4/11/2017
  5. VNFCloud Readiness Requirements for OpenECOMP
  6. What to Log - Developer Wiki - Confluence (onap.org)
  7. Types of EELF Logs - Developer Wiki - Confluence (onap.org)
  8. Logging Enhancements Project — onap master documentation

Attachments

View file
nameONAP Logs Security Managment1.pptx
height250

ONAP Logs Security Management
rouzaut , FEB-20201

View file
nameLogging_ source reference diagrams.pptx
height250

Logging Source Reference Diagrams
Muddasar Ahmed , JUL-2021

View file
name2021-02-22_LoggingRequirementEvents_v9.pptx
height250

Proposed Container Logging Requirements
Amy Zwaricorouzaut, FEB-2021

View file
nameLogging - ATTACK to SECCOM_v3.pptx
height250

Container Logging Requirements GAP Analysis against ATT&CK
Robert Heinemann , Muddasar Ahmed MAY-2021


Misc. Notes

Terms

This is place where we can standardize our language.

  • Security Data: This is raw data that by itself may not be enough to indicate a security event.
  • Security Event: 
  • Analytic

Data Stewardship

  • What is the data life cycle within ONAP?
  • What happens to the data as it goes to log stash?
  • Will it go to AAI?
  • TODO: Draw out a few scenarios
  • If there is no consumer it may be written to archive.
  • Archival data vs live data

...

Terms

This is place where we can standardize our language.

  • Security Data: This is raw data that by itself may not be enough to indicate a security event.
  • Security Event: 
  • Analytic

QUESTIONS (Or Advanced Use Cases)

  1. In terms of security logging, should we handle ONAP components differently than Service Components hosted in ONAP?
    Muddasar: Any transections carried out for a service(5G, virtualization and SDN) should generate Application Logs  by ONAP Containers.  I would think life cycle management of a service (instantiation and changes) may have some information buried in the ONAP logs.  Transections events for service design, service deployment within and outside the ONAP components  thru ONAP APIs should be part of the ONAP logging.  
  2. How do we handle the use case where ONAP is being used to deploy and manage a security infrastructure?
    Muddasar: I think it may be similar to above.  I think ONAP will not be used to do OAM of security infrastructure, with exception that ONAP may play a role in the instantiation of some of security network elements.  Example:  A service design may require deployment of FW/IDS/IPS.  ONAP transection may be limited to requesting VIMs/EMs  to deploy/change network elements and perhaps deploy base configuration.  Logs generated by network elements may flow thru a different path(different virtualized enclaves) to a different collector similar to XNFs.  
  3. What about security events in regards to the closed loop model?  Adversarial AI will be an issue that will need security monitoring in the near future.  Does this mean that orchestration / life cycle data from the DCAE needs to ingested by a SIEM?
    Muddasar:  I believe Data Exposure Service (DES) can provide this facility.  I think question here should be that once logs are created, are there any internal ONAP consumers for that information?  

References

  1. https://www.enisa.europa.eu/publications/security-in-5g-specifications
  2. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
  3. VNF Requirements List: 9. Requirement List — onap master documentation
  4. ONAP application1 logging guidelines – Revision 1.0 (4/11/2017
  5. VNFCloud Readiness Requirements for OpenECOMP
  6. What to Log - Developer Wiki - Confluence (onap.org)
  7. Types of EELF Logs - Developer Wiki - Confluence (onap.org)
  8. Logging Enhancements Project — onap master documentation

Attachments

...

View file
nameONAP Logs Security Managment1.pptx
height250

ONAP Logs Security Management
rouzaut , FEB-20201

...

View file
nameLogging_ source reference diagrams.pptx
height250

Logging Source Reference Diagrams
Muddasar Ahmed , JUL-2021

...

View file
name2021-02-22_LoggingRequirementEvents_v9.pptx
height250

Proposed Container Logging Requirements
Amy Zwaricorouzaut, FEB-2021

View file
nameLogging - ATTACK to SECCOM_v3.pptx
height250

...

Best Practices and Risk Analysis for an Operator

<TODO>

Best Practices for operators to collect and correlate logs

<TODO>

Tagging

Muddasar put your thoughts here :Adding metadata or label tags close to log source or by the log source is a good practice.  Tags can be added by a local driver for Service and Container ID/name (fqdn) as logs received by logging driver.  As ONAP XNF containers will log to stdout/stderr I/O streams, a host or sidecar based collector should be able to add tags for sending source prior to moving the logs to centralized collection location. 

As part of log generation other information elements can be added by the application.  we should consider what needs to be a requirement:  Event_Type (Access, Operation, Error).  Logging enahncement project in the past listed format and options, see Logging Enhancements Project Proposal.



Image Added