SlideShare a Scribd company logo

Making NFV-Based Business Services Secure

Download as PPTX, PDF
ADVA
ADVA

Ulrich Kohn analyzes security risks associated with the vCPE use case with a special focus on the virtualization layer and the virtual infrastructure manager. He describes attack vectors and explains technical controls provided with OpenStack to counter the emerging risk.

Technology
1 of 15
Ulrich Kohn, CISSP Technical Marketing Director Making NFV-Based Business Services Secure
© 2016 ADVA Optical Networking. All rights reserved. Confidential.2 Protection Is Becoming a Challenge Multiple reasons why security is a key concern • Attackers: from script kiddies to organized crime and intelligence services • Disruptive technologies: control/data plane separation; virtualization; open versus proprietary • Increased sophistication: advanced persistent threats (APT), bootkit-based threats
© 2016 ADVA Optical Networking. All rights reserved. Confidential.3 Heavy Reading Network Security Survey Source: Heavy Reading’s May 2015 Survey on Network Security
© 2016 ADVA Optical Networking. All rights reserved. Confidential.4 NFV: Opportunity or Threat to Network Security? Managed security services is a $20 to $30bn market – KEEP THE BALANCE • Immediate activation of security safeguards • Patch management • Security analytics • PaaS and security offload, pooling of security expertise • Application isolation, micro- segmentation, central control Opportunities • Larger attack surface, high- value targets • Higher system complexity • Shared resources, common hypervisor • From proprietary to open protocols • Out-of-country processing (compliance) Challenges
© 2016 ADVA Optical Networking. All rights reserved. Confidential.5 Some Attack Vectors Virtualised Network Functions (VNFs) Management and orchestration VNF VNF VNF VNF VNF NFV Infrastructure (NFVI) Virtual Compute Virtual Storage Virtual Network Virtualisation Layer Hardware Resources Compute Storage Network Disgruntled employee Hypervisor and controller attacks Customer portal, public APIs e.g. DDoS Backdoor to hypervisor, control software Rogue VNF, noisy neighbor, malicious code Social engineering Spoofing, sniffing, MITM Compromise remote debugging/test interfaces Increased complexity, human error Rootkit
© 2016 ADVA Optical Networking. All rights reserved. Confidential.6 OpenStack Security Controls • Keystone authentication and token-based authorization • TLS for accessing APIs • SSH for VM management / system-level communication; SSH key injection with VM creation • Multi-tenant capability • Traffic isolation by VLANs, Linux name spaces, security groups (Neutron, Nova); port/tenant based: address filter, firewall, NAT • Availability zones • Sanitization of released storage space Network Horizon Dashboard ImagesObject Storage Volume Service Compute Service Keystone Identity Service Virtual Infrastructure Manager (VIM) NeutronGlanceSwiftCinderNova API, Authentication, Network, Images, Volums, Objects
© 2016 ADVA Optical Networking. All rights reserved. Confidential.7 vCPE Use Case – Edge NFV Enterprise Metro Network Carrier Ethernet Communication Service Provider vRouter FSP 150 ProVM with integrated server Core IP-MPLS Servers e.g. video vFirewall vIDS Challenges with OpenStack in a distributed compute environment • Internal OpenStack interfaces connect over public networks e.g. messaging bus, control-agent interfaces • Present implementations frequently do not provide comprehensive security controls* • OpenStack provides security controls but it was not designed for massive distribution *Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com; Dec. 2015
© 2016 ADVA Optical Networking. All rights reserved. Confidential.8 A BT Perspective: Securing Openstack Over the Internet Source: “How NFV is different from Cloud: Using Openstack for Distributed NFV”, Peter Willis, BT; SDN and OF World Congress, Düsseldorf, Oct 2015.
© 2016 ADVA Optical Networking. All rights reserved. Confidential.9 Risk Mitigation in Edge NFV Virtual Compute Network VNF VNF VNF VNF virtualphysical Risk mitigation with OpenStack security controls Security appliances such as IDS/IPS, firewalls but also service assurance functions Security additions to DPDK e.g. experimental Crypto API (Release 2.2), keep alive signaling, new performance management functions Encryption per virtual connections and/or bulk encryption, Trusted platform module supporting secure boot, authentication (802.1x), system integrity (attestation)… There is no silver bullet to prevent any attack
© 2016 ADVA Optical Networking. All rights reserved. Confidential.10 Additional Security Controls with Hybrid Edge NFV devices • Hybrid demarcation device with integrated server and HW acceleration • HW: Assurance at network interface but also at intermediate chaining • HW: L2 encrypted network interfaces • HW: ACL, secure synchronization, mirroring • Tamper-resistant design • HW-based server monitoring and VNF performance assurance SRV NID VM1 OVS eth0 eth1 eth2 eth1 eth2 A3 N1 NS AS dhcp client SR-IOV creates the need for HW-based security assurance
© 2016 ADVA Optical Networking. All rights reserved. Confidential.11 protected by ICV protected by ICV protected by ICV encrypted protected by ICV L2 Encryption Perfect Fit for Edge NFV MACsec with VLAN bypass Standard MACSec Format Unencrypted Frame Double VLAN bypass MACSec Format DA SA S-TAG C-TAG Etype Payload FCS DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS DA SA S-TAG C-TAG SecTAG Etype Payload ICV FCS Single VLAN bypass MACsec Format DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS encrypted encrypted +32 Bytes protected by ICV
© 2016 ADVA Optical Networking. All rights reserved. Confidential.12 Additional Security Controls With Pure-Play Edge NFV devices • Server-based demarcation device • Security-hardened virtual switch featuring high isolation between tenants at L2/L3 • CE 2.0 compliant performance assurance with virtual switch • OpenStack in a box minimizes number of internal interfaces over public network • Environmentally hardened, dual power- supply SRV VM1 Connector eth0 eth1 eth2 A3 N1 dhcp client Traffic segregation and performance assurance is key with pure-play server solutions
© 2016 ADVA Optical Networking. All rights reserved. Confidential.13 Security Work of Selected Standard Bodies and Industry Alliances • ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV- SEC 001, October 2014 + SEC 00x releases in 2015 • OpenStack Foundation: “OpenStack Security Guide“; best practices and implementation guide for securing an OpenStack implementation • ONF: “Principles and Practices for Securing Software-Defined Networks”, January 2015, ONF TR-511 • ONOS: Security response process, security emergency team • OPNFV security-related projects such as Moon, Barbican Standard bodies and industry alliances focus on security
© 2016 ADVA Optical Networking. All rights reserved. Confidential.14 Securing Edge NFV Devices • OpenStack in distributed compute environments calls for additional security controls • Defense in depth for mitigating attack surface in NFV-centric networks • Pure-player software and hybrid edge NFV devices for different levels of security assurance ADVA Optical Networking - your expert in edge NFV
Thank You IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.

Recommended

Mitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsMitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE Solutions
ADVA
 
ADVA ConnectGuard™
ADVA ConnectGuard™ADVA ConnectGuard™
ADVA ConnectGuard™
ADVA
 
Secure Connectivity on Every Network Layer
Secure Connectivity on Every Network LayerSecure Connectivity on Every Network Layer
Secure Connectivity on Every Network Layer
ADVA
 
Introducing the ADVA FSP 150-GE110 Pro Series
Introducing the ADVA FSP 150-GE110 Pro SeriesIntroducing the ADVA FSP 150-GE110 Pro Series
Introducing the ADVA FSP 150-GE110 Pro Series
ADVA
 
5G: Why Wait? - 5G Observatory 2016
5G: Why Wait? - 5G Observatory 20165G: Why Wait? - 5G Observatory 2016
5G: Why Wait? - 5G Observatory 2016
Daniel Sproats
 
Introducing the ADVA MicroMux™
Introducing the ADVA MicroMux™Introducing the ADVA MicroMux™
Introducing the ADVA MicroMux™
ADVA
 
Network Functions Virtualization – Our Strategy
Network Functions Virtualization – Our StrategyNetwork Functions Virtualization – Our Strategy
Network Functions Virtualization – Our Strategy
ADVA
 
Assuring Superior VNF Performance at the Network Edge
Assuring Superior VNF Performance at the Network EdgeAssuring Superior VNF Performance at the Network Edge
Assuring Superior VNF Performance at the Network Edge
ADVA
 

Recommended

Mitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsMitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE Solutions
ADVA
 
ADVA ConnectGuard™
ADVA ConnectGuard™ADVA ConnectGuard™
ADVA ConnectGuard™
ADVA
 
Secure Connectivity on Every Network Layer
Secure Connectivity on Every Network LayerSecure Connectivity on Every Network Layer
Secure Connectivity on Every Network Layer
ADVA
 
Introducing the ADVA FSP 150-GE110 Pro Series
Introducing the ADVA FSP 150-GE110 Pro SeriesIntroducing the ADVA FSP 150-GE110 Pro Series
Introducing the ADVA FSP 150-GE110 Pro Series
ADVA
 
5G: Why Wait? - 5G Observatory 2016
5G: Why Wait? - 5G Observatory 20165G: Why Wait? - 5G Observatory 2016
5G: Why Wait? - 5G Observatory 2016
Daniel Sproats
 
Introducing the ADVA MicroMux™
Introducing the ADVA MicroMux™Introducing the ADVA MicroMux™
Introducing the ADVA MicroMux™
ADVA
 
Network Functions Virtualization – Our Strategy
Network Functions Virtualization – Our StrategyNetwork Functions Virtualization – Our Strategy
Network Functions Virtualization – Our Strategy
ADVA
 
Assuring Superior VNF Performance at the Network Edge
Assuring Superior VNF Performance at the Network EdgeAssuring Superior VNF Performance at the Network Edge
Assuring Superior VNF Performance at the Network Edge
ADVA
 
Verizon Selects Ensemble Connector to Deliver VNS uCPE
Verizon Selects Ensemble Connector to Deliver VNS uCPEVerizon Selects Ensemble Connector to Deliver VNS uCPE
Verizon Selects Ensemble Connector to Deliver VNS uCPE
ADVA
 
How to Quantum-Secure Optical Networks
How to Quantum-Secure Optical Networks How to Quantum-Secure Optical Networks
How to Quantum-Secure Optical Networks
ADVA
 
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFVFSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
ADVA
 
Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport Systems
ADVA
 
Making NFV Easy
Making NFV EasyMaking NFV Easy
Making NFV Easy
ADVA
 
Drawing Customers North - September, 2016
Drawing Customers North - September, 2016Drawing Customers North - September, 2016
Drawing Customers North - September, 2016
ADVA
 
Cloud Services: Is the Transport Network a Utility or Differentiator
Cloud Services: Is the Transport Network a Utility or DifferentiatorCloud Services: Is the Transport Network a Utility or Differentiator
Cloud Services: Is the Transport Network a Utility or Differentiator
ADVA
 
FSP Network Hypervisor: Optical Network Virtualization for SDN
FSP Network Hypervisor: Optical Network Virtualization for SDNFSP Network Hypervisor: Optical Network Virtualization for SDN
FSP Network Hypervisor: Optical Network Virtualization for SDN
ADVA
 
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
ADVA
 
Scalable and Secure Connectivity for Seamless Cloud Evolution
Scalable and Secure Connectivity for Seamless Cloud EvolutionScalable and Secure Connectivity for Seamless Cloud Evolution
Scalable and Secure Connectivity for Seamless Cloud Evolution
ADVA
 
Drawing Customers North - Highlighting the Benefits of Nordic Data Centers
Drawing Customers North - Highlighting the Benefits of Nordic Data CentersDrawing Customers North - Highlighting the Benefits of Nordic Data Centers
Drawing Customers North - Highlighting the Benefits of Nordic Data Centers
ADVA
 
Transforming Packet Networks With Open Optical Transport
Transforming Packet Networks With Open Optical TransportTransforming Packet Networks With Open Optical Transport
Transforming Packet Networks With Open Optical Transport
ADVA
 
Leveraging NFV Infrastructure to Drive Revenue
Leveraging NFV Infrastructure to Drive RevenueLeveraging NFV Infrastructure to Drive Revenue
Leveraging NFV Infrastructure to Drive Revenue
ADVA
 
ADVA launches world’s first commercial optical transport solution with post-q...
ADVA launches world’s first commercial optical transport solution with post-q...ADVA launches world’s first commercial optical transport solution with post-q...
ADVA launches world’s first commercial optical transport solution with post-q...
ADVA
 
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
ADVA
 
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
ADVA
 
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber AssuranceADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
ADVA
 
Creating New Business Services for the IoT With Network Functions Virtualization
Creating New Business Services for the IoT With Network Functions VirtualizationCreating New Business Services for the IoT With Network Functions Virtualization
Creating New Business Services for the IoT With Network Functions Virtualization
ADVA
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
ADVA
 
Performance Assurance for Cloud Applications
Performance Assurance for Cloud ApplicationsPerformance Assurance for Cloud Applications
Performance Assurance for Cloud Applications
Daniel Sproats
 
Making NFV Easy
Making NFV EasyMaking NFV Easy
Making NFV Easy
ADVA
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
Amazon Web Services
 

More Related Content

What's hot

NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
ADVA
 

What's hot (20)

Verizon Selects Ensemble Connector to Deliver VNS uCPE
Verizon Selects Ensemble Connector to Deliver VNS uCPEVerizon Selects Ensemble Connector to Deliver VNS uCPE
Verizon Selects Ensemble Connector to Deliver VNS uCPE
 
How to Quantum-Secure Optical Networks
How to Quantum-Secure Optical Networks How to Quantum-Secure Optical Networks
How to Quantum-Secure Optical Networks
 
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFVFSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
FSP 150 ProVMe (P2.4): The Easy Route to Edge NFV
 
Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport Systems
 
Making NFV Easy
Making NFV EasyMaking NFV Easy
Making NFV Easy
 
Drawing Customers North - September, 2016
Drawing Customers North - September, 2016Drawing Customers North - September, 2016
Drawing Customers North - September, 2016
 
Cloud Services: Is the Transport Network a Utility or Differentiator
Cloud Services: Is the Transport Network a Utility or DifferentiatorCloud Services: Is the Transport Network a Utility or Differentiator
Cloud Services: Is the Transport Network a Utility or Differentiator
 
FSP Network Hypervisor: Optical Network Virtualization for SDN
FSP Network Hypervisor: Optical Network Virtualization for SDNFSP Network Hypervisor: Optical Network Virtualization for SDN
FSP Network Hypervisor: Optical Network Virtualization for SDN
 
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
 
Scalable and Secure Connectivity for Seamless Cloud Evolution
Scalable and Secure Connectivity for Seamless Cloud EvolutionScalable and Secure Connectivity for Seamless Cloud Evolution
Scalable and Secure Connectivity for Seamless Cloud Evolution
 
Drawing Customers North - Highlighting the Benefits of Nordic Data Centers
Drawing Customers North - Highlighting the Benefits of Nordic Data CentersDrawing Customers North - Highlighting the Benefits of Nordic Data Centers
Drawing Customers North - Highlighting the Benefits of Nordic Data Centers
 
Transforming Packet Networks With Open Optical Transport
Transforming Packet Networks With Open Optical TransportTransforming Packet Networks With Open Optical Transport
Transforming Packet Networks With Open Optical Transport
 
Leveraging NFV Infrastructure to Drive Revenue
Leveraging NFV Infrastructure to Drive RevenueLeveraging NFV Infrastructure to Drive Revenue
Leveraging NFV Infrastructure to Drive Revenue
 
ADVA launches world’s first commercial optical transport solution with post-q...
ADVA launches world’s first commercial optical transport solution with post-q...ADVA launches world’s first commercial optical transport solution with post-q...
ADVA launches world’s first commercial optical transport solution with post-q...
 
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
Deliver the ultimate network edge protection with the ADVA FSP 150-XG118Pro (...
 
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
A new benchmark for timing success - OSA 5412 and 5422 access grandmasters
 
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber AssuranceADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
ADVA ALM: Advanced Link Monitoring Technology for Ultimate Fiber Assurance
 
Creating New Business Services for the IoT With Network Functions Virtualization
Creating New Business Services for the IoT With Network Functions VirtualizationCreating New Business Services for the IoT With Network Functions Virtualization
Creating New Business Services for the IoT With Network Functions Virtualization
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
 
Performance Assurance for Cloud Applications
Performance Assurance for Cloud ApplicationsPerformance Assurance for Cloud Applications
Performance Assurance for Cloud Applications
 

Similar to Making NFV-Based Business Services Secure

Achieving Network Deployment Flexibility with Mirantis OpenStack
Achieving Network Deployment Flexibility with Mirantis OpenStackAchieving Network Deployment Flexibility with Mirantis OpenStack
Achieving Network Deployment Flexibility with Mirantis OpenStack
Eric Zhaohui Ji
 
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and SolutionsSecuring NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
Trinath Somanchi
 
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
OPNFV
 

Similar to Making NFV-Based Business Services Secure (20)

Making NFV Easy
Making NFV EasyMaking NFV Easy
Making NFV Easy
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
ADVA Optical Networking Acquires Overture
ADVA Optical Networking Acquires Overture ADVA Optical Networking Acquires Overture
ADVA Optical Networking Acquires Overture
 
Achieving Network Deployment Flexibility with Mirantis OpenStack
Achieving Network Deployment Flexibility with Mirantis OpenStackAchieving Network Deployment Flexibility with Mirantis OpenStack
Achieving Network Deployment Flexibility with Mirantis OpenStack
 
Putting the M in MANO: Major new Ensemble release delivers NFV management and...
Putting the M in MANO: Major new Ensemble release delivers NFV management and...Putting the M in MANO: Major new Ensemble release delivers NFV management and...
Putting the M in MANO: Major new Ensemble release delivers NFV management and...
 
DNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus DayDNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus Day
 
Summit 16: ARM Mini-Summit - Efficient NFV solutions for Cloud and Edge - Cavium
Summit 16: ARM Mini-Summit - Efficient NFV solutions for Cloud and Edge - CaviumSummit 16: ARM Mini-Summit - Efficient NFV solutions for Cloud and Edge - Cavium
Summit 16: ARM Mini-Summit - Efficient NFV solutions for Cloud and Edge - Cavium
 
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and SolutionsSecuring NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
Securing NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions
 
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...
 
Presentación Laboratorio NFV de Telefónica de Antonio Elizondo
Presentación Laboratorio NFV de Telefónica de Antonio ElizondoPresentación Laboratorio NFV de Telefónica de Antonio Elizondo
Presentación Laboratorio NFV de Telefónica de Antonio Elizondo
 
Scalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the FutureScalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the Future
 
Security & Virtualization in the Data Center
Security & Virtualization in the Data CenterSecurity & Virtualization in the Data Center
Security & Virtualization in the Data Center
 
Deploying Virtualized Services Over Legacy Networks
Deploying Virtualized Services Over Legacy NetworksDeploying Virtualized Services Over Legacy Networks
Deploying Virtualized Services Over Legacy Networks
 
Deploying Virtualized Services Over Legacy Networks
Deploying Virtualized Services Over Legacy NetworksDeploying Virtualized Services Over Legacy Networks
Deploying Virtualized Services Over Legacy Networks
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
NTT i3 at OpenStack Summit - May 20th, 2015
NTT i3 at OpenStack Summit - May 20th, 2015NTT i3 at OpenStack Summit - May 20th, 2015
NTT i3 at OpenStack Summit - May 20th, 2015
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture Design
 
Network Function Virtualization (NFV) BoF
Network Function Virtualization (NFV) BoFNetwork Function Virtualization (NFV) BoF
Network Function Virtualization (NFV) BoF
 
VPN
VPNVPN
VPN
 

More from ADVA

ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
ADVA
 
Open optical edge connecting mobile access networks
Open optical edge connecting mobile access networksOpen optical edge connecting mobile access networks
Open optical edge connecting mobile access networks
ADVA
 

More from ADVA (20)

Industrial optically pumped cesium beam clock
Industrial optically pumped cesium beam clockIndustrial optically pumped cesium beam clock
Industrial optically pumped cesium beam clock
 
The need for GBaaS as GPS/GNSS is no longer a reliable source for critical PN...
The need for GBaaS as GPS/GNSS is no longer a reliable source for critical PN...The need for GBaaS as GPS/GNSS is no longer a reliable source for critical PN...
The need for GBaaS as GPS/GNSS is no longer a reliable source for critical PN...
 
Industry's longest holdover with the OSA 3350 SePRC™ optical cesium clock
Industry's longest holdover with the OSA 3350 SePRC™ optical cesium clockIndustry's longest holdover with the OSA 3350 SePRC™ optical cesium clock
Industry's longest holdover with the OSA 3350 SePRC™ optical cesium clock
 
Addressing PNT threats in critical defense infrastructure
Addressing PNT threats in critical defense infrastructureAddressing PNT threats in critical defense infrastructure
Addressing PNT threats in critical defense infrastructure
 
Precise and assured timing for enterprise networks
Precise and assured timing for enterprise networksPrecise and assured timing for enterprise networks
Precise and assured timing for enterprise networks
 
Introducing Ensemble Cloudlet for on-premises cloud demand
Introducing Ensemble Cloudlet for on-premises cloud demandIntroducing Ensemble Cloudlet for on-premises cloud demand
Introducing Ensemble Cloudlet for on-premises cloud demand
 
ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
ePRTC in data centers - GNSS-backup-as-a-service (GBaaS)
 
Sync on TAP - Syncing infrastructure with software
Sync on TAP - Syncing infrastructure with softwareSync on TAP - Syncing infrastructure with software
Sync on TAP - Syncing infrastructure with software
 
Meet stringent latency demands with time-sensitive networking
Meet stringent latency demands with time-sensitive networkingMeet stringent latency demands with time-sensitive networking
Meet stringent latency demands with time-sensitive networking
 
Making networks secure with multi-layer encryption
Making networks secure with multi-layer encryptionMaking networks secure with multi-layer encryption
Making networks secure with multi-layer encryption
 
Quantum threat: How to protect your optical network
Quantum threat: How to protect your optical networkQuantum threat: How to protect your optical network
Quantum threat: How to protect your optical network
 
Optical networks and the ecodesign tradeoff between climate change mitigation...
Optical networks and the ecodesign tradeoff between climate change mitigation...Optical networks and the ecodesign tradeoff between climate change mitigation...
Optical networks and the ecodesign tradeoff between climate change mitigation...
 
Trends in next-generation data center interconnects (DCI)
Trends in next-generation data center interconnects (DCI)Trends in next-generation data center interconnects (DCI)
Trends in next-generation data center interconnects (DCI)
 
Open optical edge connecting mobile access networks
Open optical edge connecting mobile access networksOpen optical edge connecting mobile access networks
Open optical edge connecting mobile access networks
 
Introducing Adva Network Security – a trusted German anchor
Introducing Adva Network Security – a trusted German anchorIntroducing Adva Network Security – a trusted German anchor
Introducing Adva Network Security – a trusted German anchor
 
Meet the industry's first pluggable 10G demarcation device
Meet the industry's first pluggable 10G demarcation deviceMeet the industry's first pluggable 10G demarcation device
Meet the industry's first pluggable 10G demarcation device
 
Introducing ADVA AccessWave25™
Introducing ADVA AccessWave25™Introducing ADVA AccessWave25™
Introducing ADVA AccessWave25™
 
10G edge technology for outdoor environments
10G edge technology for outdoor environments10G edge technology for outdoor environments
10G edge technology for outdoor environments
 
The quantum age - secure transport networks
The quantum age - secure transport networksThe quantum age - secure transport networks
The quantum age - secure transport networks
 
From leased lines to optical spectrum services
From leased lines to optical spectrum servicesFrom leased lines to optical spectrum services
From leased lines to optical spectrum services
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Making NFV-Based Business Services Secure

  • 1. Ulrich Kohn, CISSP Technical Marketing Director Making NFV-Based Business Services Secure
  • 2. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2 Protection Is Becoming a Challenge Multiple reasons why security is a key concern • Attackers: from script kiddies to organized crime and intelligence services • Disruptive technologies: control/data plane separation; virtualization; open versus proprietary • Increased sophistication: advanced persistent threats (APT), bootkit-based threats
  • 3. © 2016 ADVA Optical Networking. All rights reserved. Confidential.3 Heavy Reading Network Security Survey Source: Heavy Reading’s May 2015 Survey on Network Security
  • 4. © 2016 ADVA Optical Networking. All rights reserved. Confidential.4 NFV: Opportunity or Threat to Network Security? Managed security services is a $20 to $30bn market – KEEP THE BALANCE • Immediate activation of security safeguards • Patch management • Security analytics • PaaS and security offload, pooling of security expertise • Application isolation, micro- segmentation, central control Opportunities • Larger attack surface, high- value targets • Higher system complexity • Shared resources, common hypervisor • From proprietary to open protocols • Out-of-country processing (compliance) Challenges
  • 5. © 2016 ADVA Optical Networking. All rights reserved. Confidential.5 Some Attack Vectors Virtualised Network Functions (VNFs) Management and orchestration VNF VNF VNF VNF VNF NFV Infrastructure (NFVI) Virtual Compute Virtual Storage Virtual Network Virtualisation Layer Hardware Resources Compute Storage Network Disgruntled employee Hypervisor and controller attacks Customer portal, public APIs e.g. DDoS Backdoor to hypervisor, control software Rogue VNF, noisy neighbor, malicious code Social engineering Spoofing, sniffing, MITM Compromise remote debugging/test interfaces Increased complexity, human error Rootkit
  • 6. © 2016 ADVA Optical Networking. All rights reserved. Confidential.6 OpenStack Security Controls • Keystone authentication and token-based authorization • TLS for accessing APIs • SSH for VM management / system-level communication; SSH key injection with VM creation • Multi-tenant capability • Traffic isolation by VLANs, Linux name spaces, security groups (Neutron, Nova); port/tenant based: address filter, firewall, NAT • Availability zones • Sanitization of released storage space Network Horizon Dashboard ImagesObject Storage Volume Service Compute Service Keystone Identity Service Virtual Infrastructure Manager (VIM) NeutronGlanceSwiftCinderNova API, Authentication, Network, Images, Volums, Objects
  • 7. © 2016 ADVA Optical Networking. All rights reserved. Confidential.7 vCPE Use Case – Edge NFV Enterprise Metro Network Carrier Ethernet Communication Service Provider vRouter FSP 150 ProVM with integrated server Core IP-MPLS Servers e.g. video vFirewall vIDS Challenges with OpenStack in a distributed compute environment • Internal OpenStack interfaces connect over public networks e.g. messaging bus, control-agent interfaces • Present implementations frequently do not provide comprehensive security controls* • OpenStack provides security controls but it was not designed for massive distribution *Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com; Dec. 2015
  • 8. © 2016 ADVA Optical Networking. All rights reserved. Confidential.8 A BT Perspective: Securing Openstack Over the Internet Source: “How NFV is different from Cloud: Using Openstack for Distributed NFV”, Peter Willis, BT; SDN and OF World Congress, Düsseldorf, Oct 2015.
  • 9. © 2016 ADVA Optical Networking. All rights reserved. Confidential.9 Risk Mitigation in Edge NFV Virtual Compute Network VNF VNF VNF VNF virtualphysical Risk mitigation with OpenStack security controls Security appliances such as IDS/IPS, firewalls but also service assurance functions Security additions to DPDK e.g. experimental Crypto API (Release 2.2), keep alive signaling, new performance management functions Encryption per virtual connections and/or bulk encryption, Trusted platform module supporting secure boot, authentication (802.1x), system integrity (attestation)… There is no silver bullet to prevent any attack
  • 10. © 2016 ADVA Optical Networking. All rights reserved. Confidential.10 Additional Security Controls with Hybrid Edge NFV devices • Hybrid demarcation device with integrated server and HW acceleration • HW: Assurance at network interface but also at intermediate chaining • HW: L2 encrypted network interfaces • HW: ACL, secure synchronization, mirroring • Tamper-resistant design • HW-based server monitoring and VNF performance assurance SRV NID VM1 OVS eth0 eth1 eth2 eth1 eth2 A3 N1 NS AS dhcp client SR-IOV creates the need for HW-based security assurance
  • 11. © 2016 ADVA Optical Networking. All rights reserved. Confidential.11 protected by ICV protected by ICV protected by ICV encrypted protected by ICV L2 Encryption Perfect Fit for Edge NFV MACsec with VLAN bypass Standard MACSec Format Unencrypted Frame Double VLAN bypass MACSec Format DA SA S-TAG C-TAG Etype Payload FCS DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS DA SA S-TAG C-TAG SecTAG Etype Payload ICV FCS Single VLAN bypass MACsec Format DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS encrypted encrypted +32 Bytes protected by ICV
  • 12. © 2016 ADVA Optical Networking. All rights reserved. Confidential.12 Additional Security Controls With Pure-Play Edge NFV devices • Server-based demarcation device • Security-hardened virtual switch featuring high isolation between tenants at L2/L3 • CE 2.0 compliant performance assurance with virtual switch • OpenStack in a box minimizes number of internal interfaces over public network • Environmentally hardened, dual power- supply SRV VM1 Connector eth0 eth1 eth2 A3 N1 dhcp client Traffic segregation and performance assurance is key with pure-play server solutions
  • 13. © 2016 ADVA Optical Networking. All rights reserved. Confidential.13 Security Work of Selected Standard Bodies and Industry Alliances • ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV- SEC 001, October 2014 + SEC 00x releases in 2015 • OpenStack Foundation: “OpenStack Security Guide“; best practices and implementation guide for securing an OpenStack implementation • ONF: “Principles and Practices for Securing Software-Defined Networks”, January 2015, ONF TR-511 • ONOS: Security response process, security emergency team • OPNFV security-related projects such as Moon, Barbican Standard bodies and industry alliances focus on security
  • 14. © 2016 ADVA Optical Networking. All rights reserved. Confidential.14 Securing Edge NFV Devices • OpenStack in distributed compute environments calls for additional security controls • Defense in depth for mitigating attack surface in NFV-centric networks • Pure-player software and hybrid edge NFV devices for different levels of security assurance ADVA Optical Networking - your expert in edge NFV
  • 15. Thank You IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.