Making NFV-Based Business Services Secure

Ulrich Kohn, CISSPTechnical Marketing Director

Making NFV-Based Business Services Secure

© 2016 ADVA Optical Networking. All rights reserved. Confidential.2

Protection Is Becoming a Challenge

Multiple reasons why security is a key concern

• Attackers: from script kiddies to organized crime and intelligence services• Disruptive technologies:

control/data plane separation; virtualization; open versus proprietary• Increased sophistication:

advanced persistent threats (APT), bootkit-based threats


Heavy Reading Network Security Survey

Source: Heavy Reading’s May 2015 Survey on Network Security


NFV: Opportunity or Threat to Network Security?

Managed security services is a $20 to $30bn market – KEEP THE BALANCE

• Immediate activation of security safeguards

• Patch management• Security analytics• PaaS and security offload,

pooling of security expertise• Application isolation, micro-

segmentation, central control

Opportunities• Larger attack surface, high-

value targets• Higher system complexity• Shared resources, common

hypervisor• From proprietary to open

protocols• Out-of-country processing

(compliance)

Challenges


Some Attack Vectors

Virtualised Network Functions (VNFs)

Management and

orchestration

VNF VNF VNF VNF VNF

NFV Infrastructure (NFVI)

Virtual Compute

Virtual Storage

Virtual Network

Virtualisation Layer

Hardware Resources

Compute Storage NetworkDisgruntled employee

Hypervisor and controllerattacks

Customer portal, public APIse.g. DDoS

Backdoor to hypervisor, control software

Rogue VNF, noisy neighbor, malicious code

Social engineering

Spoofing, sniffing, MITM

Compromise remote debugging/test

interfaces

Increased complexity, human error

Rootkit


OpenStack Security Controls

• Keystone authentication and token-based authorization• TLS for accessing APIs• SSH for VM management / system-level communication; SSH key injection with VM creation• Multi-tenant capability• Traffic isolation by VLANs, Linux name spaces, security groups (Neutron, Nova); port/tenant

based: address filter, firewall, NAT• Availability zones• Sanitization of released storage space

Network

Horizon

Dashboard

ImagesObjectStorage

VolumeService

ComputeService

Keystone

IdentityService

Virtual Infrastructure Manager (VIM)

NeutronGlanceSwiftCinderNovaAPI, Authentication, Network, Images, Volums, Objects


vCPE Use Case – Edge NFV

Enterprise

Metro NetworkCarrier Ethernet

Communication Service Provider

vRouter

FSP 150 ProVM with integrated server

Core IP-MPLS

Servers e.g. video

vFirewallvIDS

Challenges with OpenStack in a distributed compute environment

• Internal OpenStack interfaces connect over public networks e.g. messaging bus, control-agent interfaces

• Present implementations frequently do not provide comprehensive security controls* • OpenStack provides security controls but it was not designed for massive distribution

*Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com; Dec. 2015


A BT Perspective:Securing Openstack Over the Internet

Source: “How NFV is different from Cloud: Using Openstack for Distributed NFV”, Peter Willis, BT; SDN and OF World Congress, Düsseldorf, Oct 2015.


Risk Mitigation in Edge NFV

Virtual Compute

Network

VNF VNF

VNF VNF

virtu

alph

ysica

l

Risk mitigation with OpenStack security controls

Security appliances such as IDS/IPS, firewalls but also service assurance functions

Security additions to DPDK e.g. experimental Crypto API (Release 2.2), keep alive signaling, new performance management functionsEncryption per virtual connections and/or bulk encryption,

Trusted platform module supporting secure boot, authentication (802.1x), system integrity (attestation)…

There is no silver bullet to prevent any attack


Additional Security Controls with Hybrid Edge NFV devices

• Hybrid demarcation device with integrated server and HW acceleration• HW: Assurance at network interface but

also at intermediate chaining• HW: L2 encrypted network interfaces• HW: ACL, secure synchronization, mirroring• Tamper-resistant design• HW-based server monitoring and VNF

performance assurance

SRV

NID

VM1

OVS

eth0 eth1 eth2

eth1 eth2

A3 N1

NS AS

dhcpclient

EVC EVC

EVC

SR-IOV creates the need for HW-based security assurance


protected by ICV

protected by ICV

protected by ICV

encrypted

protected by ICV

L2 Encryption Perfect Fit for Edge NFV MACsec with VLAN bypass

Standard MACSec Format

Unencrypted Frame

Double VLAN bypass MACSec Format

DA SA S-TAG C-TAG Etype Payload FCS

DA SA SecTAG S-TAG C-TAG Etype Payload ICV FCS

DA SA S-TAG C-TAG SecTAG Etype Payload ICV FCS

Single VLAN bypass MACsec Format DA SA S-TAG SecTAG C-TAG Etype Payload ICV FCS

encrypted

encrypted

+32 Bytes

protected by ICV


Additional Security Controls With Pure-Play Edge NFV devices

• Server-based demarcation device • Security-hardened virtual switch featuring

high isolation between tenants at L2/L3• CE 2.0 compliant performance assurance

with virtual switch• OpenStack in a box minimizes number of

internal interfaces over public network• Environmentally hardened, dual power-

supply

SRV

VM1

Connector

eth0 eth1 eth2

A3 N1

dhcpclient

Traffic segregation and performance assurance is key with pure-play server

solutions


Security Work of Selected Standard Bodies and Industry Alliances• ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV-

SEC 001, October 2014 + SEC 00x releases in 2015• OpenStack Foundation: “OpenStack Security Guide“; best practices

and implementation guide for securing an OpenStack implementation

• ONF: “Principles and Practices for Securing Software-Defined Networks”, January 2015, ONF TR-511

• ONOS: Security response process, security emergency team• OPNFV security-related projects such as Moon, Barbican

Standard bodies and industry alliances focus on security

https://www.opennetworking.org/images/stories/downloads/sdn-resources/technical-reports/Principles_and_Practices_for_Securing_Software-Defined_Networks_applied_to_OFv1.3.4_V1.0.pdf


Securing Edge NFV Devices

• OpenStack in distributed compute environments calls for additional security controls

• Defense in depth for mitigating attack surface in NFV-centric networks

• Pure-player software and hybrid edge NFV devices for different levels of security assurance

ADVA Optical Networking - your expert in edge NFV

Thank You

IMPORTANT NOTICEThe content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.

http://www.linkedin.com/company/adva-optical-networking

http://twitter.com/ADVAOpticalNews

http://www.facebook.com/pages/ADVA-Optical-Networking/37630238931?ref=ts#!/pages/ADVA-Optical-Networking/37630238931?v=wall

http://www.youtube.com/user/ADVAOptical

http://advaopticalnews.tumblr.com/

http://www.slideshare.net/ADVAOpticalNetworking

Technology

Making NFV-Based Business Services Secure