
Enhancing security in open source telecom infrastructure projects
ONAP, Nephio and O-RAN SC, operating under the LFN umbrella, are actively advancing their security frameworks to enable robust end-to-end protection across the lifecycle of network operations, spanning the build, deployment, and run-time phases. A comprehensive approach to security is critical to addressing the evolving threats in network environments. I'd like to highlight and expand a little on some of the initiatives and investigation points currently ongoing, and on the wider industry initiatives which have been helpful in my view.
Open-Source Resolutions and Research Points
OpenSSF (Open Source Security Foundation) [1], hosted by the Linux Foundation, is a cross-industry collaborative initiative dedicated to enhancing the security of open-source software ecosystems. OpenSSF achieves this by establishing open standards, publishing security best practices, and developing tools and frameworks that help projects detect and mitigate vulnerabilities.
One of the foundation's primary objectives is to secure the software supply chain, a critical component in ensuring the integrity and trustworthiness of software applications.
Another key focus of OpenSSF is the Best Practices Badge program, which recognizes and promotes open-source projects that adhere to established security best practices. A project assesses itself against the published criteria at the Passing, Silver and Gold levels and, on meeting them, earns the corresponding badge. For organizations and projects starting to adopt robust security measures this is an excellent entry point: the criteria establish a concrete baseline of security practices, and the badge gives a public signal of the project's commitment to them.
ONAP has embraced this badging process to strengthen its security posture. Notably, several ONAP components, including CPS and the Policy Framework, achieved the OpenSSF Gold badge in 2024. This accomplishment highlights ONAP's dedication to following industry-leading security standards and reinforces its position as a trusted platform for automation in complex network environments.
IaC (Infrastructure as Code) Scanning
ONAP, Nephio, and the broader LFN community are exploring IaC scanning to enhance the security of their CI/CD pipelines. One of the key tools in this effort is Checkov [2], an open-source scanner that identifies misconfigurations and security weaknesses across IaC frameworks including Terraform, Kubernetes manifests, Helm charts, Dockerfiles, and others.
Checkov performs static scans of IaC files, flagging security risks, compliance violations, and deviations from best practices (for example, containers that run privileged or as root, writable root filesystems, or images referenced by a mutable tag rather than a digest). Because it analyzes configurations before anything is deployed, the CI/CD pipeline can reject a misconfiguration at pull-request time, when it is cheapest to fix, instead of discovering it in a running cluster. Checkov exits non-zero when a check fails, so a pipeline stage that runs it naturally becomes a gate.
This proactive approach helps ONAP, Nephio, and LFN systems meet their security and compliance requirements and align with best practices for secure, scalable, and reliable network infrastructure deployment.
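To make the "scan before deploy" idea concrete, here is an added example (written for this article; it is not Checkov's code and not ONAP or Nephio project code) of a minimal pre-deployment policy scan over two constructed Kubernetes Deployment manifests: one written the way such manifests often start out, and the same workload with the findings addressed. The check IDs, image names and the placeholder digest are assumptions made up for the example; Checkov ships its own catalogue of equivalent rules.

```python
"""Pre-deployment policy scan of Kubernetes Deployment manifests (added example).

Stdlib-only; the manifests are constructed inline as Python dicts, which is the
structure a YAML loader would produce for the equivalent deployment.yaml.
"""
from typing import Dict, List

# Constructed sample: a Deployment as it is often first written.
WEAK_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-api", "namespace": "onap"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "example/api:latest",          # mutable tag, not reproducible
        "securityContext": {"privileged": True},  # full host access
    }]}}},
}

# Constructed sample: the same workload with every finding below addressed.
HARDENED_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-api", "namespace": "onap"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        # Digest-pinned reference; the all-zero digest is a placeholder.
        "image": "example/api@sha256:" + "0" * 64,
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }]}}},
}


def _containers(manifest: Dict) -> List[Dict]:
    """Containers of the pod template in a Deployment-style manifest."""
    return (manifest.get("spec", {}).get("template", {})
            .get("spec", {}).get("containers", []))


def scan_manifest(manifest: Dict) -> List[str]:
    """Return one finding per violated rule as 'EX_ID <container>: message'.

    The EX_* IDs are illustrative names for this example only.
    """
    findings: List[str] = []
    for c in _containers(manifest):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged") is True:
            findings.append(f"EX_PRIVILEGED {name}: container runs privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"EX_PRIV_ESC {name}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"EX_ROOT {name}: runAsNonRoot is not enforced")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"EX_RW_ROOTFS {name}: root filesystem is writable")
        dropped = {str(x).upper() for x in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"EX_CAPS {name}: capabilities are not dropped (drop: [ALL])")
        if "@sha256:" not in image:
            findings.append(f"EX_IMAGE_PIN {name}: image '{image}' is not pinned by digest")
    return findings


def gate(manifest: Dict) -> bool:
    """CI gate: True when the manifest may be deployed, False when any finding blocks it."""
    return not scan_manifest(manifest)


if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{label}: {'PASS' if gate(m) else 'FAIL'}")
        for finding in scan_manifest(m):
            print("  ", finding)
```

In a real pipeline the equivalent step is `checkov -f deployment.yaml --framework kubernetes`; its non-zero exit on a failed check fails the job, and an accepted finding is suppressed explicitly with `--skip-check` so the exception is recorded in the repository rather than applied silently.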
Keycloak Adoption for ONAP Security
Keycloak [3] is a robust, open-source Identity and Access Management (IAM) solution that provides authentication, authorization, identity federation, and support for modern protocols such as OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0. It also enables single sign-on (SSO) across applications and services. ONAP uses Keycloak to manage user identity and access.
Despite its strengths, ONAP has identified the following areas where Keycloak could improve:
- Performance and Scalability: Optimizing Keycloak for high workloads and large-scale deployments is critical for enterprise environments.
- Microservices Integration: Improving support for microservices architectures, with smoother integration into service meshes such as Istio and Linkerd, would make it more versatile for modern cloud-native applications.
- Usability Enhancements: Streamlining the user interface and user experience to simplify configuration and management for administrators.
- Fine-Grained Authorization: Providing more detailed and flexible authorization capabilities, especially in complex multi-tenant environments, to meet diverse use cases.
By addressing these challenges, Keycloak has the potential to further solidify its position as a leading open-source IAM solution for diverse applications and ecosystems.
SPIFFE/SPIRE
SPIFFE [4] (Secure Production Identity Framework for Everyone) is an open-source set of specifications for delivering secure, dynamic identities to workloads in distributed systems such as microservices, cloud environments, and Kubernetes clusters. A workload's identity is a SPIFFE ID of the form spiffe://<trust-domain>/<path>, carried in a short-lived identity document (an X.509-SVID or a JWT-SVID). By authenticating and authorizing workloads on that identity, SPIFFE enables secure inter-service communication without relying on traditional mechanisms like hardcoded credentials or IP addresses, improving both security and flexibility in dynamic infrastructures.
Nephio is actively prototyping workload security by leveraging SPIFFE specifications and the SPIRE server to secure communications across its management cluster and multiple workload clusters. This approach aligns seamlessly with Nephio’s vision of building a secure, scalable, and resilient infrastructure for cloud-native applications. By incorporating SPIFFE into its architecture, Nephio ensures robust workload identity and secure inter-service communication across dynamic and distributed environments.
Similarly, ONAP is exploring the integration of SPIFFE into its existing Service Mesh-based inter-component communication framework. This enhancement aims to provide stronger identity management and secure communication in multi-clustered environments, a critical requirement for modern, distributed network automation platforms. By adopting SPIFFE, ONAP can further bolster the security and scalability of its platform, ensuring it meets the evolving demands of next-generation network deployments.
SPIRE [5] is the production-ready reference implementation of the SPIFFE APIs. A SPIRE server acts as the signing authority for a trust domain and holds the registration entries that map workload selectors (for example a Kubernetes namespace and service account) to SPIFFE IDs; a SPIRE agent on each node attests local workloads against those entries and hands them their SVIDs and trust bundle over the Workload API. This is how the issuance and lifecycle of SPIFFE IDs is managed. Nephio leverages SPIRE servers and agents to provide SPIFFE-based workload identities, strengthening identity verification across its infrastructure, and ONAP is exploring the same integration to manage these identities. Note that SPIFFE only answers "who is the peer"; which peers may talk to which services is still an authorization decision each service (or the mesh) has to make on the SPIFFE ID.
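The two pieces a service needs in order to act on a SPIFFE identity are a strict parser for the ID and a policy that decides which IDs may call it. The block below is an added example written for this article, not SPIFFE/SPIRE code and not Nephio or ONAP project code. The parser follows the SPIFFE ID syntax rules (spiffe:// scheme, lowercase trust domain, no port, query, fragment or userinfo, path segments of letters, digits, dots, dashes and underscores, no empty, "." or ".." segments). The trust domain nephio.example and the management-cluster and workload-cluster paths in the policy are assumptions invented to mirror the management-cluster/workload-cluster scenario above.

```python
"""SPIFFE ID parsing and SPIFFE-ID-based authorization (added example).

Stdlib-only.  In production the raw ID comes from the URI SAN of the peer's
X.509-SVID after mTLS, or from the 'sub' claim of a JWT-SVID.
"""
import re
from dataclasses import dataclass
from typing import Sequence

_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")
MAX_ID_LEN = 2048  # maximum SPIFFE ID length per the SPIFFE ID standard


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for the trust domain itself, otherwise "/seg1/seg2"

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse and validate a SPIFFE ID; raise ValueError on any rule violation."""
    if len(raw) > MAX_ID_LEN:
        raise ValueError("SPIFFE ID exceeds maximum length")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    rest = raw[len("spiffe://"):]
    if any(ch in rest for ch in "?#@%"):
        raise ValueError("query, fragment, userinfo and percent-encoding are not allowed")
    td, sep, path = rest.partition("/")
    # The trust-domain regex has no ':' so a port is rejected here too.
    if not td or not _TRUST_DOMAIN_RE.fullmatch(td):
        raise ValueError(f"invalid trust domain {td!r}")
    if not sep:
        return SpiffeId(td, "")
    for seg in path.split("/"):
        # Empty segment covers '//' and a trailing '/'; dot segments are forbidden.
        if seg == "" or seg in (".", "..") or not _SEGMENT_RE.fullmatch(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return SpiffeId(td, "/" + path)


@dataclass(frozen=True)
class Rule:
    """Allow callers in trust_domain whose path is path_prefix or lies under it."""
    trust_domain: str
    path_prefix: str  # "" allows the whole trust domain


def authorize(peer: SpiffeId, rules: Sequence[Rule]) -> bool:
    """Match on whole path segments so '/a/b' does not also admit '/a/bx'."""
    for r in rules:
        if peer.trust_domain != r.trust_domain:
            continue
        if r.path_prefix == "" or peer.path == r.path_prefix \
                or peer.path.startswith(r.path_prefix + "/"):
            return True
    return False


# Assumed policy for a hypothetical service in the Nephio management cluster:
# only controllers in the management cluster's nephio-system namespace and the
# agent namespace of workload cluster edge01 may call it.
POLICY = (
    Rule("nephio.example", "/mgmt/ns/nephio-system"),
    Rule("nephio.example", "/cluster/edge01/ns/nephio-agent"),
)


def check_peer(raw_id: str, rules: Sequence[Rule] = POLICY) -> bool:
    """Full decision for one incoming connection: unparsable IDs are denied."""
    try:
        return authorize(parse_spiffe_id(raw_id), rules)
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "spiffe://nephio.example/mgmt/ns/nephio-system/sa/porch-controller",
        "spiffe://nephio.example/cluster/edge02/ns/nephio-agent/sa/agent",
        "spiffe://nephio.example/mgmt/../cluster/edge01/ns/nephio-agent",
    ):
        print(f"{'ALLOW' if check_peer(candidate) else 'DENY '} {candidate}")
```

The IDs this policy matches are the ones SPIRE would mint from registration entries such as `spire-server entry create -spiffeID spiffe://nephio.example/mgmt/ns/nephio-system/sa/porch-controller -parentID <SPIFFE ID of the node's agent> -selector k8s:ns:nephio-system -selector k8s:sa:porch-controller` (IDs illustrative); the selectors, not the requesting process, decide which identity a workload receives, so the registration entries deserve the same review as the allow-list.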
Secure CI/CD
ONAP, as part of the Linux Foundation Networking (LFN) ecosystem, follows LFN's secure CI/CD practices, applying security controls throughout every phase of the software lifecycle, from initial build to final deployment. This adherence to secure CI/CD processes is a cornerstone of ONAP's commitment to delivering reliable, scalable, and secure network automation solutions.
Key Aspects of ONAP’s Secure CI/CD Framework:
- Secure Build Processes: ONAP builds all components in a controlled environment, with validation of dependencies and libraries so that known-vulnerable versions are caught before release. Automated dependency scanning helps keep the codebase clean and secure.
- Automated Testing: Testing integrated into the pipeline detects defects, including security-relevant ones, early in the development lifecycle. ONAP employs unit, integration, and end-to-end testing to verify that components operate securely and as intended.
- Continuous Security Monitoring: ONAP's CI/CD pipelines include monitoring that identifies configuration issues, potential threats, and deviations from best practices as changes are made. This proactive approach reduces the risk of security incidents after deployment.
- Safe Deployment Mechanisms: Containerized deployment on Kubernetes keeps components isolated and consistently orchestrated. Enhanced Helm charts provide additional configuration security, compliance, and flexibility.
- Compliance with Industry Standards: ONAP aligns with leading security and compliance frameworks, such as NIST guidance and ISO 27001, to meet the stringent requirements of telecom operators and enterprises.
- Supply Chain Security: ONAP follows the OpenSSF Best Practices criteria to secure its software supply chain, addressing the risks of third-party dependencies and protecting the integrity of delivered components.
This comprehensive approach enables ONAP to maintain an infrastructure that meets industry security and compliance requirements (two ONAP components hold the OpenSSF Gold badge). By following these secure CI/CD practices, ONAP reinforces its position as a trusted source of platform components for end-to-end network automation, supporting the dynamic needs of modern telecommunications and enterprise environments.
References
- [1] OpenSSF (Open Source Security Foundation): https://openssf.org/
- [2] Checkov: https://www.checkov.io/
- [3] Keycloak: https://www.keycloak.org/
- [4] SPIFFE: https://spiffe.io/
- [5] SPIRE concepts: https://spire.io/docs/latest/spire-about/spire-concepts/
About the author:
Byung-Woo Jun, serving as Ericsson Principal Engineer, ONAP TSC Chair, ONAP Architecture Committee Chair, and ONAP Release Manager, leads the ONAP community, which provides end-to-end network automation use cases and functionalities for the telecom industry.