HUAWEI TECHNOLOGIES CO., LTD.
Security Challenges and Guidance for Protecting NFV on Cloud IaaS
Prof. Dr. Theo Dimitrakos
Head of (Network) Virtualization & Cloud Security Research
Cyber Security & Privacy Protection Laboratory
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 2
Head of (Network) Virtualization and Cloud Security, Cyber Security & Privacy Protection Laboratory
• Huawei ESCC/ERC: technical lead for NfV, Virtualization and Cloud Security at ESCC, based in Munich
• BT Cloud Computing: Chief Researcher at BT HQ, globally responsible for Cloud Security Innovation. Produced cloud security capabilities for hypervisor and host protection, intrusion prevention, big-data protection, etc., on the BT Cloud Compute product line. Key contributor to BT's Cloud of Clouds Strategy.
• BT Security: Chief Security Research Professional. Co-authored BT Security Standards and Security Innovation Strategy. Managed innovation collaboration with major security vendors. Produced over 40 patents for BT. Contributed to security innovation in areas like the Public Service Network and Global Banking and Financial Services.
• Cybersecurity Research Centre – University of Kent: Professor of Computer Science and member of the Interdisciplinary Research Centre in Cyber Security at the University of Kent, recognized as an Academic Centre of Excellence in Cyber Security Research by UK EPSRC and GCHQ. Research in Cloud, Cybersecurity Incident Management and Blockchain technology.
• EBTIC: Chief Research Fellow at the Research Centre of Etisalat, BT, Khalifa at UAE (Abu Dhabi), leading innovation in Big Data Security and Cloud Security Automation
• Published over 25 EU/World patents (awarded or published & pending award), 6 books, 3 journal editions, 80 international publications in ACM, IEEE, IFIP conferences.
Lead Security Technology Expert
• ENISA: Expert member (2009-16) of WGs on Cloud Security and Resilience and on Virtualization Security. Co-authored ENISA advisory reports to the European Commission, UK and EU member state governments
• CSA: Contributor to Cloud/Virtualization security guidance and standards and invited speaker at CSA congress since 2010
• IFIP: Member of the Security Technical Committee and previous Chair of WG on Trust Management; silver core medal award
• EU Innovation Project collaborations: Technical lead of the largest and EU research collaborations involving over 400 research
Collaborative Security Innovation Leader
NFV Introduction
By virtualizing hardware resources into data centers, the cloud platform builds a centralized resource pool and flexibly allocates resources from the resource pool.
More details please visit: http://portal.etsi.org/NFV/NFV_White_Paper.pdf
NFV could potentially offer benefits:
• Cost economization
• Increased speed of Time to Market, fast service deployment
• Geography- or customer-set-based service is possible. Services can be scaled up/down rapidly as required
• Enable a wide variety of eco-systems and encourage openness
Overview: activities, outputs, stakeholders
[Diagram; recovered labels:]
• NFV Security Architecture; Security Services architecture; Platform Security architecture; Design Presentation Approach & Cookbook
• HW Product Lines (CloudCore, IT, SPO); HW Security CC Design team
• Operators (Orange, BT, Telefonica, DT, Telecom Italia)
• Standards: ETSI, CSA, IETF; Security Vendor Ecosystem
• Government & Regulators: ENISA, NCSC (CESG), ANSI, BSI
• Layers: VNFs, VNFi, MANO, DC; VNSF & NFV platform Security Requirements; Security control implementation (technology)
Approach: SCORE Architecture (Security Controls Orientated REference Architecture)
Security Challenges
• Customer Requirements
• Compliance Requirements
• NFV Technology Security Challenges
Security Controls
• Specialize to NFV/NFVI security controls from: ISO 2017 (2001/2), CSA CCM, CC, NFV Sec (ETSI)
Architectural Patterns
• Map Security Controls to: Security subsystems; NFV / NFVI Architecture layers
• Decompose Security Controls to: Security functions per layer; Cross-layer dependencies
Design Patterns
• Refine Security Control Architecture to: Security solution design; Security procedures; Cross-layer dependencies
Product Improvement
• Innovation Roadmap
• Features Identification, Specification, Design, Validation
Definitions:
• Threat: a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm
• Vulnerability: a weakness that allows reducing a system's information assurance
• Security control: a management, operational, and technical safeguard or countermeasure prescribed to avoid, detect, counteract, or mitigate security risks that stem from threats or vulnerabilities or other security challenges
• Security challenge: a technological, operational, policy or business shortcoming, unresolved technical issue, or design, implementation or operational complexity that may possibly give rise to a vulnerability
Approach pipeline: Threats & Security Challenges -> Security Controls -> Architectural Patterns -> Design Patterns -> Product Improvement
Generic Cloud/NfV Security Threats
Categories: Human Factor; Contractual Threats; Legal and Jurisdictional threats; Physical Infrastructure; Software Infrastructure; Shared infrastructure; Audit, Incident Mgmt, Forensic restrictions; Data Threats; VM & VNF Issues; Management Interface / API; Loss of Governance
Contractual Threats
• Cost-overrun attack
• Deceptive billing
• Contract Captivity
• Bankruptcy (data loss)
Legal and Jurisdictional threats
• Indirect legal coercion
• Secret search
• Direct jurisdictional exposure (e.g. data location and data breach)
• Indirect jurisdictional exposure (e.g. legal inconsistencies across governments)
Physical Infrastructure
• DoS
• Unauthorized data interception or modification by HW/NW
• Hardware Failure
• Connectivity Failure
Software Infrastructure
• Security vulnerabilities in open-source software
• Security vulnerabilities in third-party software
• Software tampering
Shared Infrastructure
• Direct breach
• Side channel attack
• Denial of resources (inc. partial degradation)
• Availability / cost of shared resources (e.g. under-provisioning; collateral denial)
• Resource abuse due to invalid tenant isolation of telecom tenants
• Availability of 3rd party (sec.) services
• Collateral damage to reputation
• Jurisdictional collateral damage
Diminished audit, detection, and incident response
• Complex accountability attribution among multiple suppliers during security incident tracking
• Insufficient sharing of incident information
• Confidentiality / privacy violation due to uncontrolled incident sharing
Data threats
• Data segregation
• Data Loss or Leakage
• Data provenance
• Data remanence
• Data sharding
• Data tampering
• Privacy breach
VM & VNF Issues
• Network Address dependency
• Network Topology Inconsistency
• Incorrect Security VNF placement
• VM Sprawl
• Intra-host Traffic Monitoring
• Intra-host Traffic Manipulation
• Silo Approach to security policy
Management Interface / API
• Web/API vulnerabilities
• Account compromise
• Privileged User Access
• Unauthorized access
• Unauthorized data/packet inspection / modification
• SDN controller compromise
Loss of Governance
• Compliance Risk
• Supply Chain Failures
• Hypervisor based attacks
NFV Security Challenges
Categories: Hypervisor; Elastic NW; Dynamic NW; Multi-Domain Policy; Integrity; Service insertion; Inspection (State); Scalability; Multi-cloud Security; Security Reporting
Hypervisor Dependencies
• A few hypervisor vendors dominate the marketplace
• Security vulnerabilities in hypervisor code
• Diligent patching
• Underlying architecture: resource contesting, packet flows within the network fabric; various types of encryption; DPI functionality, etc.
Elastic network boundaries
• Same network fabric for multiple functions
• Placement of physical controls less applicable
• Unclear boundaries
• VLANs are not necessarily secure
• Physical segregation may still be required
Dynamic workloads
• NFV enables agile and dynamic capabilities & dynamic NW topology
• Traditional security models are static & unable to adapt & evolve dynamically
• Security services in NFV rely on overlay models that cross vendor boundaries
Multi-Domain Security Policy Management
• Multiple administrators with vertically & horizontally overlapping administrative domains (operator, VSO, customer, ...)
• Policy / authority conflict management
• Responsibility and liability distributed among many overlapping trust and administrative realms
Integrity of VNF & policy
• End-to-end integrity and accountability of policies and VNF configurations in hybrid multi-cloud and multi-operator environments
• More challenging with virtualized inter-cloud network functions
Security service insertion & on-boarding
• Elastic, transparent networks (fabric intelligently routes packets)
• Logically and physically inline deployment of security controls is insufficient for NfV
• Security services in NfV may be layered into the hypervisor
• Complex insertion procedures for security services that are not already layered into the hypervisor
(Stateful) Inspection enablement
• Stateful inspection is preferred today
• Security controls cannot deal with the asymmetries created by multiple, redundant NW paths in NfV
• Asymmetric flows challenge stateful devices that need to see every packet to provide access controls
Scalability of available resources
• Dedicating cores to workloads and network resources enables resource consolidation.
• Pervasive security controls (DPI, NGFW, Crypto, etc.) need significant compute resources.
Multi-Cloud (3rd party) security
• Consistent enforcement of security functions in hybrid multi-clouds
• On-board and orchestrate both Huawei & 3rd party services
• Co-existing security enforcement mechanisms (hypervisor plug-in, VMOS, network proxy, gateway)
Security Incident Reporting & Secure Information Sharing
• How to assure end-to-end integrity of incident information & traceability of security incidents
• How to preserve security function isolation & confidential sharing that still allows security analytics
• EU cybersecurity directive: security incident reporting structure & specification
(Stateful) Inspection enablement
• Stateful inspection is preferred today
• Security controls cannot deal with the asymmetries created by multiple, redundant NW paths in NfV
• Asymmetric flows challenge stateful devices that need to see every packet to provide access controls
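To make the asymmetric-flow problem concrete, here is an added simulation (not code from the deck): two stateful firewall instances on redundant paths, each with its own connection table, compared with the same two instances sharing one table (state synchronisation). Firewall names, addresses and the single allow rule are constructed assumptions.

```python
"""Stateful inspection under asymmetric routing: added simulation, not from the deck.

Two firewall instances sit on redundant paths. Each keeps a per-instance
connection table (the common case); the SYN crosses fw-a but the SYN-ACK
returns via fw-b, which has never seen the connection and drops it. Passing one
shared table to both instances models state synchronisation between them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK


class StatefulFirewall:
    """Minimal connection-tracking firewall with a single allow-new rule."""

    def __init__(self, name, table=None):
        self.name = name
        # A table handed in from outside is shared with other instances.
        self.table = {} if table is None else table

    @staticmethod
    def conn_key(p):
        # Direction-agnostic 4-tuple so both halves of a flow hit one entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def inspect(self, p):
        key = self.conn_key(p)
        state = self.table.get(key)
        if state is None:
            # New connection: only a bare SYN from the inside network to TCP/443
            # may create state; anything mid-stream without state is dropped.
            if p.flags == "S" and p.src.startswith("10.0.0.") and p.dport == 443:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if state == "SYN_SENT" and p.flags == "SA":
            self.table[key] = "ESTABLISHED"
        return "ALLOW"


def run_handshake(share_state):
    """Verdicts for SYN (via fw-a), SYN-ACK (via fw-b), ACK (via fw-a)."""
    shared = {} if share_state else None
    fw_a = StatefulFirewall("fw-a", shared)
    fw_b = StatefulFirewall("fw-b", shared)
    syn = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "S")
    syn_ack = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "SA")
    ack = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "A")
    return [fw_a.inspect(syn), fw_b.inspect(syn_ack), fw_a.inspect(ack)]


def unsolicited_probe(share_state):
    """A SYN-ACK for a connection nobody opened must be dropped either way."""
    fw_b = StatefulFirewall("fw-b", {} if share_state else None)
    probe = Packet("198.51.100.9", "10.0.0.5", 443, 40001, "SA")
    return fw_b.inspect(probe)


if __name__ == "__main__":
    print("per-instance tables:", run_handshake(False))  # SYN-ACK dropped at fw-b
    print("synchronised table: ", run_handshake(True))   # handshake completes
```

In the per-instance case fw-a keeps the entry in SYN_SENT while fw-b has silently dropped the reply, so the two devices disagree about a connection neither of them saw in full; sharing the table removes the disagreement without loosening the rule.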
Integrity of VNF & policy
• End-to-end integrity and accountability of: VMs & System; VNFs; VNF configurations; Policies in hybrid multi-cloud and multi-operator environments
• More challenging with virtualized inter-cloud network functions
Sensitive processes must be fully isolated from the rest of the system.
Our solution: Hardware isolated execution (IsolEx)
• Leverage cutting-edge technologies (Intel SGX, AMD SEV)
• Get early understanding of future ones (ARM Bowmore)
Dynamic workloads
• NFV enables agile and dynamic capabilities & dynamic NW topology
• Traditional security models are static & unable to adapt & evolve dynamically
• Security services in NFV rely on overlay models that cross vendor boundaries
Multi-Domain Security Policy Management
• Multiple administrators with vertically & horizontally overlapping administrative domains
• Policy / authority conflict management
• Responsibility and liability distributed among many overlapping trust and administrative realms
Solution: policy-driven security orchestration architecture: whole-network security policy planning, with security requirements changing dynamically with services.
Case: firewall policy automatically updated when services are updated.
State: completed the demo of security policies being automatically dispatched and updated.
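The "firewall policy follows the service" case, as an added example that is not the deck's demo code: intents are written against service roles, concrete rules are compiled from the live inventory, and a scale-out or retirement event produces only the delta to dispatch. Roles, addresses and intents are constructed sample data.

```python
"""Policy-driven security orchestration: added example, not the deck's demo code.

Security intents are written against service roles, never against addresses.
Concrete firewall rules are compiled from the live inventory, so a scale-out or a
retired instance triggers a recompile, and only the delta is dispatched to the
firewall. All roles, addresses and intents below are constructed sample data.
"""

# Intent: "role A may reach role B on proto/port". Everything else is denied by
# the firewall's default policy, which this example leaves implicit.
INTENTS = [
    {"from": "lb", "to": "web", "proto": "tcp", "port": 8080},
    {"from": "web", "to": "db", "proto": "tcp", "port": 3306},
]


def compile_rules(intents, inventory):
    """Expand role-level intents into concrete (src, dst, proto, port, action) rules."""
    rules = set()
    for it in intents:
        for src in inventory.get(it["from"], ()):
            for dst in inventory.get(it["to"], ()):
                rules.add((src, dst, it["proto"], it["port"], "accept"))
    return rules


def reconcile(current, desired):
    """Delta to push: rules to add and stale rules to remove, in deterministic order."""
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


def on_service_change(intents, deployed_rules, new_inventory):
    """Orchestrator hook: recompile on an inventory event, return (delta, new rule set)."""
    desired = compile_rules(intents, new_inventory)
    return reconcile(deployed_rules, desired), desired


# Constructed scenario: web instance 10.0.2.12 is retired, .13 and .14 are added.
INVENTORY_V1 = {"lb": {"10.0.1.10"}, "web": {"10.0.2.11", "10.0.2.12"},
                "db": {"10.0.3.20"}}
INVENTORY_V2 = {"lb": {"10.0.1.10"}, "web": {"10.0.2.11", "10.0.2.13", "10.0.2.14"},
                "db": {"10.0.3.20"}}


def demo():
    """Deploy for V1, then apply the V2 inventory event and return the delta."""
    deployed = compile_rules(INTENTS, INVENTORY_V1)
    delta, _deployed = on_service_change(INTENTS, deployed, INVENTORY_V2)
    return delta


if __name__ == "__main__":
    d = demo()
    print("add:", *d["add"], sep="\n  ")
    print("remove:", *d["remove"], sep="\n  ")
```

The removal half of the delta is the security-relevant part: a rule that still allows traffic to or from a retired address is exactly the stale policy that static models leave behind.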
Security Challenges for NFV/SDN Cloud Deployments
Categories: hypervisor compatibility; System availability; Data vs. Control; SDN architecture; Vulnerable SDN code; Policy consistency; NFV/IaaS awareness
Hypervisor Compatibility for VNSFs & Appliances
• Virtual appliances such as firewalls and intrusion prevention systems use optimized custom drivers and kernels: inefficient or vulnerable on general IaaS
• Some IaaS systems provide custom hypervisor APIs for traffic steering: modifications to vNSFs/appliances expand their attack vectors
Elastic network boundaries
• Performance of security virtual appliances does not match physical appliances even if optimized
• Elasticity and dynamic scalability compensate for the lack of unit performance, but complicate security management and introduce conflicts & threats
Data/Management Network Separation
Some cloud architectures allow sharing the data network with a management or control network. This shared architecture may lead to:
• a compromise of the SDN or the Infrastructure-as-a-Service (IaaS) control nodes
• intruders bypassing NFV security devices (e.g. jumping to or exploiting the SDN controller)
Centralization in SDN Architecture
• Centralized SDN architectures need to accommodate elastic, distributed, multi-tenant cloud-of-clouds environments
• Increased reliance on agility and resilience of NFV and security orchestration -> complex security policy management & network topology changes
Security service insertion & on-boarding
• SDN includes applications, controllers, switches and management systems that can be exploited to intercept, manipulate or access traffic
• Introducing VNFs may increase the attack surface
• Security breach of SDN-enabled applications may allow bypassing isolation mechanisms: cross-boundary attacks that compromise the overall network or perform unauthorized actions on other tenants' networks
Policy consistency & policy attacks
• Some SDN controllers lack mechanisms to check for consistent policies
• A malicious user may construct multiple policies that transform malicious flows (otherwise blocked by NFV devices) into "normal" traffic
NfV/IaaS awareness for SDN
• Tenant resources such as network traffic are isolated by IaaS NV & NFVs
• Independent SDN controllers that manage traffic on virtual switches but lack IaaS awareness or integration with IaaS NV & NFV orchestration may break isolation by failing to map tenant traffic accordingly
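The policy-consistency point above, as an added example of the check a controller can run before installing rules (not code from the deck or from any real SDN controller): it assumes an OpenFlow-like two-table pipeline in which table 0 holds tenant rules that may rewrite header fields and table 1 holds the security policy, and flags any rewrite whose output escapes a drop decision made on its input. All rules are constructed.

```python
"""Rewrite-evasion check for multi-table SDN policies: added example, not from the
deck or any real SDN controller. Assumes an OpenFlow-like pipeline where table 0
holds tenant/application rules that may rewrite header fields (set-field) and
table 1 holds the security policy. A rewrite in table 0 can turn a flow the
policy would drop into one it accepts; this checker flags such rule pairs before
they are installed. All rules below are constructed sample data.
"""
FIELDS = ("src", "dst", "proto", "dport")


def intersect(a, b):
    """Overlap of two wildcard matches (missing field = any); None if disjoint."""
    out = {}
    for f in FIELDS:
        x, y = a.get(f), b.get(f)
        if x is not None and y is not None and x != y:
            return None
        out[f] = x if x is not None else y
    return out


def decide(table, match):
    """Highest-priority rule whose match can overlap `match` (conservative)."""
    for rule in sorted(table, key=lambda r: -r["prio"]):
        if intersect(rule["match"], match) is not None:
            return rule
    return None


def find_rewrite_evasions(rewrite_table, security_table):
    """Rewrite rules whose rewritten header escapes a drop verdict on the original."""
    findings = []
    for rw in rewrite_table:
        if not rw.get("set"):
            continue  # pure forwarding rule, cannot change the policy outcome
        before = decide(security_table, rw["match"])
        after = decide(security_table, {**rw["match"], **rw["set"]})
        if before and before["action"] == "drop" and after and after["action"] != "drop":
            findings.append({"rewrite": rw["name"], "bypasses": before["name"],
                             "lands_on": after["name"]})
    return findings


# Constructed security policy (table 1): block telnet into the tenant, allow web.
SECURITY_TABLE = [
    {"name": "deny-telnet", "prio": 200, "match": {"proto": "tcp", "dport": 23}, "action": "drop"},
    {"name": "allow-web", "prio": 100, "match": {"proto": "tcp", "dport": 80}, "action": "output"},
    {"name": "default-drop", "prio": 0, "match": {}, "action": "drop"},
]

# Constructed tenant rules (table 0): a benign source NAT and a port rewrite that
# relabels telnet as HTTP so the policy no longer recognises it.
REWRITE_TABLE = [
    {"name": "snat-egress", "prio": 50, "match": {"src": "10.1.0.7"}, "set": {"src": "192.0.2.7"}},
    {"name": "relabel-23-as-80", "prio": 60, "match": {"proto": "tcp", "dport": 23}, "set": {"dport": 80}},
]


if __name__ == "__main__":
    for f in find_rewrite_evasions(REWRITE_TABLE, SECURITY_TABLE):
        print(f"{f['rewrite']} bypasses {f['bypasses']} and lands on {f['lands_on']}")
```

Because `decide` treats any overlapping wildcard rule as reachable, the check errs toward reporting a possible bypass rather than missing one; a controller would reject or quarantine the flagged rule pair for review.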
Security Benefits and opportunities
Categories: Cost-efficiency; Flexibility; Responsiveness; Software-defined / Agile
• Virtualization of high-end security functions
• Intelligent management of traffic destined to specific VNFs (leveraging SDN)
• On-demand deployment and scalability
• Dynamic, real-time response to threats (in conjunction with SDN to rearrange service chains and optimize performance and efficacy of VNFs)
• Real-time, global network view (topology, routes, and traffic statistics)
• Better response to DDoS attacks
• Better detection of network anomalies
• NFV: quickly provision, place and configure different types of virtual security appliances
• SDN (controller): intercept, steer, mirror desired traffic for security inspection
• A security service provider can quickly provision a large number of security function instances to cope with usage peaks, attacks, etc.
• End-to-end visibility and control
• Programmatic management of security resources
Security Controls
• Specialize to NFV/NFVI security controls from: ISO 2017 (2001/2), CSA CCM, CC, NFV Sec (ETSI)
• Create a specialized security control taxonomy
• Maintain traceability to threats, challenges and customer, standards and compliance requirements
Architectural Patterns
• Map Security Controls to: Security subsystems; NFV / NFVI Architecture layers
• Decompose Security Controls to: Security functions per layer; Cross-layer dependencies
[Diagram labels: VNF layer; VNSF & Sec. Lifecycle; VNF security functions]
Design Patterns
• Refine Security Control Architecture to: Security solution design; Security procedures; Cross-layer dependencies
Product Improvement
• Innovation Roadmap: feature improvement classification (Impact, Timeliness)
• Features: Enhancement / Development, Specification, Design, Validation
• Conformance assessment: Metrics, Procedure
[Diagram labels: VNFs, NFVi, MANO, DC; VNSF & NFV platform Security Requirements; Security control implementation (technology)]
Use-cases: Example
Operator's example: BT GS Cloud of Clouds Vision
[Diagram labels: 3rd party cloud NW/Sec services; ISVs / Apps; C-SOC; Public Cloud; Operator's DC; Internet; Customer Users; Customer DC; (Hyper)Cloud Management; Cloud/NFV Management; Security Service Management]
Standards: Example
• SEC007 – Remote Attestation technologies: Telefonica & Huawei – informative – H1 2017
• SEC005 – Certificate Management: VNF certificates provisioning and lifecycle; Huawei – informative – H1 2017
• SEC012 – System architecture for execution of sensitive NFV components (spec): architecture/requirements for providing a secure execution environment, hardware requirements & hypervisor hardening; Intel – normative – Sept 2016 – completed!
• SEC013 – Security Management and Monitoring specification: security orchestration specification, including detailed (network) monitoring architecture; AT&T, Intel, Nokia – normative – Feb 2017 – completed!
• SEC014 – Security Specification for MANO Components and Interfaces: threat & requirements list definition for defined MANO interfaces; NEC – normative – 2017
• SEC011 – Security Report on NFV LI Architecture: architecture for LI in NFV; BT (& US gov) – normative – mid 2017
Opportunity
• There is still an opportunity to get involved in the architecture definition: the SEC WG has acknowledged that SEC013 requires revisiting
• A coordinated strategy is required across teams in the SEC WG
Standards: Example
Opportunity
• SEC013 – Security Management and Monitoring: originally a network monitoring document (AT&T + Intel)
• Intel working on a PoC for the monitoring part; early results shown during F2F meetings; high interest in this from operators and LI delegates
• Nokia proposed a Security Orchestration architecture; SEC013 becomes high impact – normative!
• Opportunity to get involved in revising this architecture!
THANK YOU
www.huawei.com
Copyright © 2014 Huawei Technologies Co., Ltd. All Rights Reserved.