@@ -274,9 +274,9 @@ This list of use cases is an informative resource for manufacturers to simplify
Manufacturer's technical documentation may benefit fromn including or refering to these use cases and to security profiles.
An NMS is a product controlling at least partially connected devices with network access. Despite its central positioning, an NMS can be aggregated out of several components, including but not to limited end-to-end management systems, dedicated configuration management systems, or controllers for software-defined networking as described in chapter 1.2.
An NMS is a product controlling at least partially connected devices with network access. Despite its central positioning, an NMS can be an aggregate of several components, including but not limited to: end-to-end management systems, dedicated configuration management systems, or controllers for software-defined networking as described in chapter 1.2.
An aggregated NMS implements further components for operation that are out of scope of the present standards. One example of this type of aggregate product design would an implementation where the operating system acts as abstraction layer for the system(s) that host the NMS, or special networking interfaces.
An aggregated NMS can implement additional components for functions that are outside the scope of the present standards. One example of this type of aggregate product design would an implementation where the operating system acts as abstraction layer for the system(s) that host the NMS, or special networking interfaces.
### 4.4.1 Distributed deployment
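Review bot: The rewritten sentence in the second pair of this hunk still carries the grammatical defect of the line it replaces: "One example of this type of aggregate product design would an implementation where the operating system acts as abstraction layer" is missing the verb ("would be an implementation") and an article ("acts as an abstraction layer"); since the line is being touched anyway, correct it here. The opening line also has two typos that the hunk leaves in place, "benefit fromn including or refering to", which should read "benefit from including or referring to". The rewrite of the NMS definition is otherwise an improvement ("can be an aggregate of several components, including but not limited to:" reads correctly where the old line had the word order scrambled).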
@@ -301,53 +301,66 @@ The affected Service Requesting Users base is small like in:

**Figure 4.4.1.1-1: IoT network with monitoring data collection**
An IoT network is a network of devices, each of which almost always has limited computational capabilities and consumes a low amount of power. The exact purpose of these device varies, but they are all connected to an NMS, and often to each other and to an IoT buisness logic, which may be a RDPS. The main focus of an IoT network is almost always data collection, and the NMS in this use case usually visualises the collected data metrics and provides them to the end-user. The NMS-analysis of the data metrics can be automated, including triggering warnings, alarms, or even taking actions based on discovered abnormal events.
The main focus of an IoT network is often data collection, whereas the NMS usually visualises the collected data metrics to the end-user. The NMS-analysis of the data metrics can be automated including the triggering of warnings, alarms, or even actions based on discovered abnormal events. The IoT device has often limited computational capabilities and consumes a low amount of power.
The NMS controls the configuration of the connected devices, and has a two minimum functions:
The NMS controls the configuration of the connected devices. As a minimum, the NMS maintains
1. Establishes and maintains a trust-based relation between itself and the devices.
1. an inventory of devices that are part of the managed network,
1. establishes and maintains a trust-based relation between itself and the device.
To initialize a trust-based relationship between this type of network managment system and connected devices, both store credentials, usually in the form of pre-installed keys, identity confirming certificates, or unique serial numbers. These credentials are used during initialisation to create the trusted relationship between the NMS, the devices and, if present, with the IoT device business logic. Credential or key initialisation, and key enrollement or establishment limit the NMS's ability to establish a trusted relationship to the intended devices, an ability further limnited as these methods require physical access or close proximity to the IoT device. For example, an IoT devicve user can pair the IoT device and establish a trust-based relationship with the NMS through Bluetooth (tm) mechanisms or with a physical cable connection.
The latter can be used for secured identification, authentication and communication with other applications on the device.
The NMS collects the meta traffic data and management related data from the devices, or forwards those to other systems for data collection and storage.
All transmitted data from the devices to the NMS and vice versa is cryptographically protected with authentication of the endpoints, and with integrity and confidentiality protection.
In dependency of the host system capabilities, the NMS can also be remote accessible.
Once the trust-based relationship has been established, the NMS can provide cryptographically protected configuration and update services to the devices at runtime. Depending on the initial NMS and managed element configurations, the device can either request its configuration from the NMS, or the NMS can push the configuration to the device. The trust-based relation can also provide for secured identification, authentication, and communication with other applications on a device.
The NMS’s and the devices can store pre-installed keys, identity confirming certificates, or unique serial numbers. These credentials serve for the initialisation of the trusted relationship between the NMS, the devices and, if applicable, with the IoT device business logic.
The establishment of a trusted relationship requires key initialisation respectively key enrolment or establishment. That requires physical access or proximity to the IoT device. The user can pair the IoT device with the NMS with Bluetooth mechanisms or with a physical cable connection.
The IoT network NMS collects the meta traffic data and management related data from networked devices, or forwards it to other systems for data collection and storage. All data transmitted from the devices to the NMS and all data transmitted from the NMS to the devices is cryptographically protected with authentication of the endpoints, and with integrity and confidentiality protection. Independent of any of the host system's capabilities, the NMS can also be remotely accessible.
Once the trusted relationship has been established, the NMS can provide cryptographically protected configuration and update services to the devices at runtime. Depending on the initial NMS and managed element configurations, the device can either request its configuration from the NMS, or the NMS can push the configuration to the device.
2. Generates and maintains an inventory of devices that are part of the managed network,
One of the NMS minimum functions is generating, keeping and maintaining a network inventory. New devices extent the inventory and the NMS holds information about the connectivity capabilities for each connected device.
The second primary function of an IoT network NMS is to generate, keep, and maintain a network inventory. This inventory holds information about the connectivity capabilities for each connected device. When new devices are added and a trust-based relationship is established with them, they extend the network and the inventory is amended.
Users of the IoT device business logic or of the managed element interacting with each other, or with the NMS are protected from unauthorised access. Malicious impact on these communication channels, such as interception, interruption, or inducing data packets are detected and form an event that is recorded, and if applicable reported.
Users of the IoT device business logic or of managed elements are protected from unauthorised access when interacting with each other or with the NMS. Malicious impact on these communication channels, such as interception, interruption, or inducing data packets is detected and the system creates an event that is recorded, and if applicable, reported.
The above given example architecture of figure 3 can serve as explanation help during the conformity assessment to meet CRA [\[i.1\]](#_ref_i.1) Annex I part 1.
>NOTE: This use case seems to focus on two security functions of IoT products, but make sno distinctions btween large and small IoT networks (with corresponding botnet risks) or products designed for higher risk environments (e.g. home "convienance" devices such as a set of speakers < home essential devices such as lighting < enterprise and industrial deployments such as warehouse or factory lighting and < hiogh risk infrastructural device/environments such as freezer units at a large scale meat storage facitility.) To me these levels of risk reprsent sub use cases and maybe lesser requirements/mitigations for low risk/impace devices? Additionally the degree of remote sertvice involved in the NMS may also create sub clasess (or potentially it could be modelled as a risk factor?)
#### 4.4.1.2 Home network deployment

**Figure 4.4.1.2-1: Home network deployment**
An access point discovers another device with management functions from the network.
The secrets seeding is done as part of the initialisation of the device. Device factory reset clears the state and re-initilises the discovery function.
In this use case, the network manangement system controls the user's home network of devices and an access point providing connectivity for the user's home to outside networks, usually public. Access points are devices such as a router, switch, modem, or other wireless or wired device controlled and governed by the NMS and physically deployed to the user who requests service's home. An access point also make the upstream connection technology transparent to the user through the NMS.
The NMS in this use case is most often locaslly installed on the access point device but may be running on a different device within the same network, or as a remote service, an RDPS.
The access point devices actrively send metrics to the NMS and can serve multiple devices in the same network. Acces point devices also provide supporting services like DHCP and DNS caching, but beyond such a minimum they can offer more extensive services such as remote connectivity options like VPN server depending on the product.
There can be multiple devices in the same network, and the NMS provides supporting services like DHCP and DNS caching.
Meterics from the access point and other deives within the home network are forwarded to the NMS, where the user can percieve these meterics and control the configuration of each networked device. In many deployments actual configuration control and review of metrics collected by ther NMS is achieved with an additional service or alternate piece of software, most often a browser, but sometimes is other ways, such as through a command-line interface.
### 4.4.2 Multi-user deployment
- The network connects to other single user devices and also a number of distant or local other networks with even more spread user devices.
- The network connects to a broad variety and large number of devices, including single user devices and a number of distant or local other networks themseles connected to other user devices.
- Users and connected networks are usually distant and outside controlled operational environments.
- High number of elements
- Significant size of affected Service Requesting Users base
- Deployment has a high number of elements.
- User base is of significant size, and the number of users and network functions affected by compromise of failure of the NMS is potentially high.
Infrastructure may include multiple sites connected through a vareity of technologies, including but not limited to: public networks, dedicated routing infrastructure like IP-MPLS-tunnel, massive-scale computing and storage systems via data center (cloud systems), or third party service providers, or 5G slicing. An also office network also typically operates for long periods, developing layered history of past versions and functions.
**Figure 4.4.2.1-1: Office network**
With modern remote working expectations, enterprise networks almost always include remote connectivity options, such as VPNs, that enable remote users to connect to the office network and work with the subset of curated services through a shared intranet environment.
User identity verification, authorization, and the maintenance of a user is needed for each such intranet service or environment. This identity pool can be local for the service, shared within the same intranet, or provided as a service outside of the network context. In office environments, larger indentity pools provide redundancy, but also complicate the administration of credentials, and reduce response time when credentials are rotated, such as when they are leaked and missused.
Whyile it is possible to maintain the identities of all of available intranet services by hand, this is often impractical even with a moderate pool of users. A contemporary enterprise NMS deployment will instead rely on an Identity Provider (IdP) for most or all of its services. IdP's may be part of an NMS or seperate, decoupled from the NMS. Likewise IdP's can be implemented locally or as a remote service, including as an RDPS. In all varieties the nature of the IdP deplyed to the netowrk is relevant to this document as it is a major risk factor, especially if the NMS product does not support a relevant integration methods or IdP technique.
>NOTE: Again this use case seems to focus on one function (IdP) rather then on the operational environment and users. It is also not strcutured like the above use cases and finally, migh tbenefit from being broken down into higher and lower risk (smaller/larger or low security data/high security data) use cases.
#### 4.4.2.2 Telecom network
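Review bot: The rewritten remote-access sentence reverses the meaning of the text it replaces, and that is a security-relevant change that needs to be intentional. The old line reads "In dependency of the host system capabilities, the NMS can also be remote accessible." while the new paragraph ends "Independent of any of the host system's capabilities, the NMS can also be remotely accessible."; the first makes remote reachability conditional on what the host supports, the second makes it unconditional. Please confirm which is meant and, if the original intent stands, use "Depending on the host system's capabilities". Two further points in the same hunk: the new trust-establishment paragraph ("Credential or key initialisation, and key enrollement or establishment limit the NMS's ability to establish a trusted relationship to the intended devices, an ability further limnited as these methods require physical access") turns the old, clear statement that enrolment requires physical access or proximity into a sentence that reads as if enrolment restricts the NMS, so the constraint should be restated plainly; and the two-item list of minimum NMS functions is now numbered "1." twice ("an inventory of devices" and "establishes and maintains a trust-based relation") while the old "2. Generates and maintains an inventory" line still appears further down, so the numbering and the order in which the two functions are then discussed (the trust relation is explained first, the inventory is called "The second primary function") should be made consistent. The NOTE block at the end of the hunk also contains several typos ("make sno distinctions btween", "convienance", "hiogh", "facitility") that should be cleaned up if it is meant to stay in the document.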
@@ -355,7 +368,13 @@ There can be multiple devices in the same network, and the NMS provides supporti
**Figure 4.4.2.2-1: Telecom network**
- Large enterprise network
A telecom network resembles an enterprise network, with the obvious added complexity throughout.
The telecom NMS will handle a greater load, including more users, devices, and identities. Identity providers (IdPs) are often used to create segmentation and redundancy, and network uses its routers and switches as base sations serving thousands of users simultaneously.
Telecom networks are modlled by division into northbound and southbound abstraction levels or descriptors, where southbound describes traffic from the NMS and hardware controlled by the network. Northbound traffice comes from lower layers of the network such as routers and switches and from the applications and users. Services supporting and the telecom network, both internal and third party, are described has being eastbound or westbound, depending on the objectives of the modelled architecture. In the above figure, SIEM is an example service that is adjacent to the NMS, and is often used in modern deployments.
In telecom deployments of NMS it is common to provide an in-house Public Key Infrastructure (PKI), that declares it's own certificate authority (CA) or authorities deployed to the managed machines within the network. The number of these managed machines, number of CA's and how the CA's are used is dependent on design of the network Alternatively, even at telecom scale, and NMS can even provide its own certifactes and form an independent and segregated trust ring.
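Review bot: The northbound/southbound description is internally inconsistent and should be corrected before this lands. The sentence "southbound describes traffic from the NMS and hardware controlled by the network" is immediately followed by "Northbound traffice comes from lower layers of the network such as routers and switches and from the applications and users", which assigns the same routers and switches to both directions; the standard convention the figure presumably follows puts network elements on the southbound side and applications, users and higher-level orchestration on the northbound side, so the northbound sentence should drop the "lower layers of the network such as routers and switches" clause. The PKI paragraph has a run-on where a sentence boundary is missing ("dependent on design of the network Alternatively, even at telecom scale, and NMS can even provide its own certifactes"), and should read "dependent on the design of the network. Alternatively, even at telecom scale, an NMS can provide its own certificates"; "it's own certificate authority" should be "its own". Minor typos elsewhere in the hunk: "base sations", "modlled", "traffice", "has being eastbound" (should be "as being").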