More Related Content Similar to Making NFV-Based Business Services Secure (20) Making NFV-Based Business Services Secure2. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2
Protection Is Becoming a Challenge
Multiple reasons why security is a key concern
• Attackers: from script kiddies
to organized crime and
intelligence services
• Disruptive technologies:
control/data plane separation;
virtualization; open versus
proprietary
• Increased sophistication:
advanced persistent threats
(APT), bootkit-based threats
3. © 2016 ADVA Optical Networking. All rights reserved. Confidential.3
Heavy Reading Network Security Survey
Source: Heavy Reading’s May 2015 Survey on Network Security
4. © 2016 ADVA Optical Networking. All rights reserved. Confidential.4
NFV: Opportunity or Threat to Network Security?
Managed security services is a $20 to $30bn market – KEEP THE BALANCE
• Immediate activation of
security safeguards
• Patch management
• Security analytics
• PaaS and security offload,
pooling of security expertise
• Application isolation, micro-
segmentation, central
control
Opportunities
• Larger attack surface, high-
value targets
• Higher system complexity
• Shared resources, common
hypervisor
• From proprietary to open
protocols
• Out-of-country processing
(compliance)
Challenges
5. © 2016 ADVA Optical Networking. All rights reserved. Confidential.5
Some Attack Vectors
Virtualised Network Functions
(VNFs)
Management
and
orchestration
VNF VNF VNF VNF VNF
NFV Infrastructure (NFVI)
Virtual
Compute
Virtual
Storage
Virtual
Network
Virtualisation Layer
Hardware Resources
Compute Storage Network
Disgruntled
employee
Hypervisor and
controller
attacks
Customer portal,
public APIs
e.g. DDoS
Backdoor to hypervisor,
control software
Rogue VNF,
noisy neighbor,
malicious code
Social
engineering
Spoofing,
sniffing, MITM
Compromise remote
debugging/test
interfaces
Increased complexity,
human error
Rootkit
6. © 2016 ADVA Optical Networking. All rights reserved. Confidential.6
OpenStack Security Controls
• Keystone authentication and token-based authorization
• TLS for accessing APIs
• SSH for VM management / system-level communication; SSH key injection with VM creation
• Multi-tenant capability
• Traffic isolation by VLANs, Linux name spaces, security groups (Neutron, Nova); port/tenant
based: address filter, firewall, NAT
• Availability zones
• Sanitization of released storage space
Network
Horizon
Dashboard
ImagesObject
Storage
Volume
Service
Compute
Service
Keystone
Identity
Service
Virtual Infrastructure
Manager (VIM)
NeutronGlanceSwiftCinderNova
API, Authentication, Network, Images, Volums, Objects
7. © 2016 ADVA Optical Networking. All rights reserved. Confidential.7
vCPE Use Case – Edge NFV
Enterprise
Metro Network
Carrier Ethernet
Communication Service Provider
vRouter
FSP 150 ProVM with integrated server
Core
IP-MPLS
Servers
e.g. video
vFirewall
vIDS
Challenges with OpenStack in a distributed compute environment
• Internal OpenStack interfaces connect over public networks e.g. messaging bus,
control-agent interfaces
• Present implementations frequently do not provide comprehensive security controls*
• OpenStack provides security controls but it was not designed for massive distribution
*Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com; Dec. 2015
8. © 2016 ADVA Optical Networking. All rights reserved. Confidential.8
A BT Perspective:
Securing Openstack Over the Internet
Source: “How NFV is different
from Cloud: Using Openstack for
Distributed NFV”, Peter Willis,
BT; SDN and OF World Congress,
Düsseldorf, Oct 2015.
9. © 2016 ADVA Optical Networking. All rights reserved. Confidential.9
Risk Mitigation in Edge NFV
Virtual
Compute
Network
VNF VNF
VNF VNF
virtualphysical
Risk mitigation with OpenStack security controls
Security appliances such as IDS/IPS, firewalls but
also service assurance functions
Security additions to DPDK e.g. experimental Crypto
API (Release 2.2), keep alive signaling, new
performance management functions
Encryption per virtual connections and/or bulk encryption,
Trusted platform module supporting secure boot,
authentication (802.1x), system integrity (attestation)…
There is no silver bullet to prevent any attack
10. © 2016 ADVA Optical Networking. All rights reserved. Confidential.10
Additional Security Controls with Hybrid Edge
NFV devices
• Hybrid demarcation device with
integrated server and HW acceleration
• HW: Assurance at network interface but
also at intermediate chaining
• HW: L2 encrypted network interfaces
• HW: ACL, secure synchronization, mirroring
• Tamper-resistant design
• HW-based server monitoring and VNF
performance assurance
SRV
NID
VM1
OVS
eth0 eth1 eth2
eth1 eth2
A3 N1
NS AS
dhcp
client
SR-IOV creates the need for HW-based
security assurance
11. © 2016 ADVA Optical Networking. All rights reserved. Confidential.11
protected by ICV
protected by ICV
protected by ICV
encrypted
protected by ICV
L2 Encryption Perfect Fit for Edge NFV
MACsec with VLAN bypass
Standard MACSec
Format
Unencrypted Frame
Double VLAN bypass
MACSec Format
DA SA S-TAG C-TAG Etype Payload FCS
DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS
DA SA S-TAG C-TAG SecTAG Etype Payload ICV FCS
Single VLAN bypass
MACsec Format DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS
encrypted
encrypted
+32 Bytes
protected by ICV
12. © 2016 ADVA Optical Networking. All rights reserved. Confidential.12
Additional Security Controls With Pure-Play Edge
NFV devices
• Server-based demarcation device
• Security-hardened virtual switch featuring
high isolation between tenants at L2/L3
• CE 2.0 compliant performance assurance
with virtual switch
• OpenStack in a box minimizes number of
internal interfaces over public network
• Environmentally hardened, dual power-
supply
SRV
VM1
Connector
eth0 eth1 eth2
A3 N1
dhcp
client
Traffic segregation and performance
assurance is key with pure-play server
solutions
13. © 2016 ADVA Optical Networking. All rights reserved. Confidential.13
Security Work of Selected Standard Bodies and
Industry Alliances
• ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV-
SEC 001, October 2014 + SEC 00x releases in 2015
• OpenStack Foundation: “OpenStack Security Guide“; best practices
and implementation guide for securing an OpenStack
implementation
• ONF: “Principles and Practices for Securing Software-Defined
Networks”, January 2015, ONF TR-511
• ONOS: Security response process, security emergency team
• OPNFV security-related projects such as Moon, Barbican
Standard bodies and industry alliances focus on security
14. © 2016 ADVA Optical Networking. All rights reserved. Confidential.14
Securing Edge NFV Devices
• OpenStack in distributed compute
environments calls for additional security
controls
• Defense in depth for mitigating attack
surface in NFV-centric networks
• Pure-player software and hybrid edge
NFV devices for different levels of security
assurance
ADVA Optical Networking - your expert in edge NFV
15. Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this
presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or
implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental,
consequential and special damages,
alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.