Security Challenges and Guidance for Protecting NFV on Cloud IaaS (slide transcript, 21 pages, posted 13-Jul-2018)

Page 1

HUAWEI TECHNOLOGIES CO., LTD.

Security Challenges and Guidance for Protecting NFV on Cloud IaaS

Prof. Dr. Theo Dimitrakos
Head of (Network) Virtualization & Cloud Security Research

Cyber Security & Privacy Protection Laboratory


Page 2

Head of (Network) Virtualization and Cloud Security, Cyber Security & Privacy Protection Laboratory

• Huawei ESCC/ERC: technical lead for NFV, Virtualization and Cloud Security at ESCC, based in Munich
• BT Cloud Computing: Chief Researcher at BT HQ, globally responsible for Cloud Security Innovation. Produced cloud security capabilities for hypervisor and host protection, intrusion prevention, big-data protection, etc., on the BT Cloud Compute product line. Key contributor to BT’s Cloud of Clouds Strategy.
• BT Security: Chief Security Research Professional. Co-authored BT Security Standards and Security Innovation Strategy. Managed innovation collaboration with major security vendors. Produced over 40 patents for BT. Contributed to security innovation in areas such as the Public Service Network and Global Banking and Financial Services.
• Cybersecurity Research Centre, University of Kent: Professor of Computer Science and member of the Interdisciplinary Research Centre in Cyber Security at the University of Kent, recognized as an Academic Centre of Excellence in Cyber Security Research by UK EPSRC and GCHQ. Research in Cloud, Cybersecurity Incident Management and Blockchain technology.
• EBTIC: Chief Research Fellow at the Research Centre of Etisalat, BT and Khalifa in the UAE (Abu Dhabi), leading innovation in Big Data Security and Cloud Security Automation
• Published over 25 EU/World patents (awarded, or published and pending award), 6 books, 3 journal editions and 80 international publications in ACM, IEEE and IFIP conferences.

Lead Security Technology Expert

• ENISA: Expert member (2009-16) of WGs on Cloud Security and Resilience and on Virtualization Security. Co-authored ENISA advisory reports to the European Commission, the UK and EU member state governments
• CSA: Contributor to Cloud/Virtualization security guidance and standards and invited speaker at CSA congress since 2010
• IFIP: Member of the Security Technical Committee and previous Chair of the WG on Trust Management; silver core medal award
• EU Innovation Project collaborations: Technical lead of the largest EU research collaborations, involving over 400 research

Collaborative Security Innovation Leader

Page 3

NFV Introduction

By virtualizing hardware resources into data centers, the cloud platform builds a centralized resource pool and flexibly allocates resources from that pool.

For more details please visit: http://portal.etsi.org/NFV/NFV_White_Paper.pdf

NFV could potentially offer benefits:

• Cost economization
• Increased speed of time to market, fast service deployment
• Geography- or customer-set-based service is possible. Services can be scaled up/down rapidly as required
• Enable a wide variety of eco-systems and encourage openness

Page 4

Overview: activities, outputs, stakeholders

[Diagram residue; recovered labels only]
• NFV Security Architecture: Security Services architecture; Platform Security architecture; Design Presentation Approach & Cookbook
• Stakeholders: HW Product Lines (CloudCore, IT, SPO); HW Security CC Design team; Operators (Orange, BT, Telefonica, DT, Telecom Italia); Standards (ETSI, CSA, IETF); Security Vendor Ecosystem; Government & Regulators (ENISA, NCSC (CESG), ANSI, BSI)
• Layers: VNFs, VNFi, MANO, DC
• Axes: VNSF & NFV platform Security Requirements; Security control implementation (technology)

Page 5

Approach: SCORE Architecture (Security Controls Orientated REference Architecture)

Security Challenges
• Customer Requirements
• Compliance Requirements
• NFV Technology Security Challenges

Security Controls
• Specialize to NFV/NFVI security controls from: ISO 2017 (2001/2); CSA CCM; CC; NFV Sec (ETSI)

Architectural Patterns
• Map Security Controls to: Security subsystems; NFV / NFVI Architecture layers
• Decompose Security Controls to: Security functions per layer; Cross-layer dependences

Design Patterns
• Refine Security Control Architecture to: Security solution design; Security procedures; Cross-layer dependences

Product Improvement
• Innovation Roadmap
• Features Identification, Specification, Design, Validation

Definitions
• Threat: a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm
• Vulnerability: a weakness that allows a system's information assurance to be reduced
• Security control: a management, operational, and technical safeguard or countermeasure prescribed to avoid, detect, counteract, or mitigate security risks that stem from threats or vulnerabilities or other security challenges
• Security challenge: a technological, operational, policy or business shortcoming, unresolved technical issue, or design, implementation or operational complexity that may possibly give rise to a vulnerability

Page 6

Threats & Security Challenges | Security Controls | Architectural Patterns | Design Patterns | Product Improvement

Page 7

Generic Cloud/NFV Security Threats

Human Factor

Contractual Threats
• Cost-overrun attack
• Deceptive billing
• Contract captivity
• Bankruptcy (data loss)

Legal and Jurisdictional Threats
• Indirect legal coercion
• Secret search
• Direct jurisdictional exposure (e.g. data location and data breach)
• Indirect jurisdictional exposure (e.g. legal inconsistencies between governments)

Physical Infrastructure
• DoS
• Unauthorized data interception or modification by HW/NW
• Hardware failure
• Connectivity failure

Software Infrastructure
• Security vulnerabilities in open-source software
• Security vulnerabilities in third-party software
• Software tampering

Shared Infrastructure
• Direct breach
• Side channel attack
• Denial of resources (inc. partial degradation)
• Availability / cost of shared resources (e.g. under-provisioning; collateral denial)
• Resource abuse due to invalid isolation of telecom tenants
• Availability of 3rd party (sec.) services
• Collateral damage to reputation
• Jurisdictional collateral damage

Diminished audit, detection, and incident response (audit, incident mgmt, forensic restrictions)
• Complex accountability attribution among multiple suppliers during security incident tracking
• Insufficient sharing of incident information
• Confidentiality / privacy violation due to uncontrolled incident sharing

Data Threats
• Data segregation
• Data loss or leakage
• Data provenance
• Data remanence
• Data sharding
• Data tampering
• Privacy breach

VM & VNF Issues
• Network address dependency
• Network topology inconsistency
• Incorrect security VNF placement
• VM sprawl
• Intra-host traffic monitoring
• Intra-host traffic manipulation
• Silo approach to security policy

Management Interface / API
• Web/API vulnerabilities
• Account compromise
• Privileged user access
• Unauthorized access
• Unauthorized data/packet inspection / modification
• SDN controller compromise

Loss of Governance
• Compliance risk
• Supply chain failures
• Hypervisor-based attacks

Page 8

NFV Security Challenges

Hypervisor Dependencies
• A few hypervisor vendors dominate the marketplace
• Security vulnerabilities in hypervisor code
• Diligent patching
• Underlying architecture: resource contention, packet flows within the network fabric, various types of encryption, DPI functionality, etc.

Elastic network boundaries
• Same network fabric for multiple functions
• Placement of physical controls less applicable
• Unclear boundaries
• VLANs are not necessarily secure
• Physical segregation may still be required

Dynamic workloads
• NFV enables agile and dynamic capabilities & dynamic NW topology
• Traditional security models are static & unable to adapt & evolve dynamically
• Security services inserted into NFV rely on overlay models that cross vendor boundaries

Multi-Domain Security Policy Management
• Multiple administrators with vertically & horizontally overlapping administrative domains (operator, VSO, customer, ...)
• Policy / authority conflict management
• Responsibility and liability distributed among many overlapping trust and administrative realms

Integrity of VNF & policy
• End-to-end integrity and accountability of policies and VNF configurations in hybrid multi-cloud and multi-operator environments
• More challenging with virtualized inter-cloud network functions

Security service insertion & on-boarding
• Elastic, transparent networks (the fabric intelligently routes packets)
• Logically and physically inline deployment of security controls is insufficient for NFV
• Security services in NFV may be layered into the hypervisor
• Complex insertion procedures for security services that are not already layered into the hypervisor

(Stateful) Inspection enablement
• Stateful inspection is preferred today
• Security controls cannot deal with the asymmetries created by multiple, redundant NW paths in NFV
• Asymmetric flows challenge stateful devices that need to see every packet to provide access controls

Scalability of available resources
• Dedicating cores to workloads and network resources enables resource consolidation
• Pervasive security controls (DPI, NGFW, crypto, etc.) need significant compute resources

Multi-Cloud (3rd party) security
• Consistent enforcement of security functions in hybrid multi-clouds
• On-board and orchestrate both Huawei & 3rd party services
• Co-existing security enforcement mechanisms (hypervisor plug-in, VMOS, network proxy, gateway)

Security Incident Reporting & Secure Information Sharing
• How to assure end-to-end integrity of incident information & traceability of security incidents
• How to preserve security function isolation & confidential sharing that still allows security analytics
• EU cybersecurity directive: security incident reporting structure & specification

Page 9

(Stateful) Inspection enablement
• Stateful inspection is preferred today
• Security controls cannot deal with the asymmetries created by multiple, redundant NW paths in NFV
• Asymmetric flows challenge stateful devices that need to see every packet to provide access controls
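The asymmetric-flow problem stated in these bullets (and in the same challenge on the previous page), worked through as an added example that is not part of the slides: a toy stateful inspector admits return traffic only for connections whose SYN it has seen, so when redundant paths send the two halves of one connection through two different instances, the instance that never saw the SYN must fail closed on legitimate packets. The mitigation shown is steering by a direction-independent flow hash, so both halves always reach the same instance. All addresses, ports and inspector names are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: 4-tuple plus the control flag the tracker cares about."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK" (constructed, simplified)


def flow_key(pkt: Packet):
    """Direction-independent connection key: both halves of a connection map to the same key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (ends[0], ends[1])


class StatefulInspector:
    """Toy stateful firewall: admits only traffic of a connection whose SYN it has seen."""

    def __init__(self, name: str):
        self.name = name
        self.connections = set()        # flow keys with tracked state
        self.dropped: List[Packet] = []

    def inspect(self, pkt: Packet) -> bool:
        key = flow_key(pkt)
        if pkt.flags == "SYN":
            # Toy policy: connections initiated from the tenant side are allowed.
            self.connections.add(key)
            return True
        if key in self.connections:
            return True
        # No state for this flow: a stateful device fails closed, even when the packet is
        # the legitimate return half of a connection that another instance admitted.
        self.dropped.append(pkt)
        return False


Steering = Callable[[Packet], StatefulInspector]


def asymmetric_steering(a: StatefulInspector, b: StatefulInspector) -> Steering:
    """Constructed failure mode: outbound packets traverse path A, return packets path B."""
    return lambda pkt: a if pkt.src.startswith("10.") else b


def symmetric_steering(a: StatefulInspector, b: StatefulInspector) -> Steering:
    """Mitigation: hash the direction-independent key so both directions of a connection
    always reach the same inspector instance, whatever path the fabric chooses."""
    def choose(pkt: Packet) -> StatefulInspector:
        digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
        return (a, b)[digest[0] % 2]
    return choose


# Constructed three-way handshake between a tenant VM and an Internet host.
HANDSHAKE = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, "SYN"),
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, "SYN-ACK"),
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, "ACK"),
]


def verdicts(make_steering) -> List[bool]:
    """Run the handshake through two inspector instances under the given steering policy."""
    fw_a, fw_b = StatefulInspector("fw-a"), StatefulInspector("fw-b")
    steer = make_steering(fw_a, fw_b)
    return [steer(pkt).inspect(pkt) for pkt in HANDSHAKE]


if __name__ == "__main__":
    print("asymmetric paths:  ", verdicts(asymmetric_steering))  # SYN-ACK dropped by fw-b
    print("flow-hash steering:", verdicts(symmetric_steering))
```

The same property is what state synchronisation between inspector instances buys in production; the hash approach avoids the synchronisation traffic but requires the steering layer (SDN controller or load balancer) to hash on the sorted tuple rather than on source fields alone.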

Page 10

Integrity of VNF & policy
• End-to-end integrity and accountability of: VMs & system; VNFs; VNF configurations; policies in hybrid multi-cloud and multi-operator environments
• More challenging with virtualized inter-cloud network functions

Sensitive processes must be fully isolated from the rest of the system. Our solution: Hardware isolated execution (IsolEx)
• Leverage cutting-edge technologies (Intel SGX, AMD SEV)
• Get early understanding of future ones (ARM Bowmore)
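The end-to-end integrity requirement above, as an added example that is not part of the slides or of IsolEx: the operator measures the VNF image, its configuration and the policy document at release time, records the digests in a manifest and authenticates the manifest; a verifier in any cloud can then detect drift in any one artifact, and cannot be fooled by an attacker who rewrites the manifest to match tampered artifacts. The artifact bytes and the key are constructed; the HMAC stands in for the asymmetric signature or hardware-rooted quote a real attestation flow would use.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed stand-ins for the artifacts whose integrity must be accounted for end to end.
VNF_IMAGE = b"\x7fELF constructed vnf image bytes"
VNF_CONFIG = b"interfaces:\n  mgmt: 10.0.0.10/24\n  data: 10.1.0.10/24\n"
POLICY = b"allow tcp 10.1.0.0/24 -> any:443\ndeny any\n"

# Assumption: a key held only by the attestation/verification service. It stands in for
# the signing key (or TPM/SGX-rooted quote) a real deployment would use.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"


def measure(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Golden measurements: one SHA-256 per artifact, keyed by artifact name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def canonical(manifest: Dict[str, str]) -> bytes:
    """Stable serialization so the same manifest always signs and verifies identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify(artifacts: Dict[str, bytes], manifest: Dict[str, str],
           signature: str, key: bytes) -> Tuple[bool, List[str]]:
    """Authenticate the manifest first, then compare every live measurement against it.

    Returns (ok, problems). A forged or edited manifest is rejected before any digest is
    compared, so tampering with artifacts and manifest together is still detected."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid"]
    live = measure(artifacts)
    problems: List[str] = []
    for name in sorted(set(manifest) | set(live)):
        if name not in live:
            problems.append(f"{name}: missing from deployment")
        elif name not in manifest:
            problems.append(f"{name}: not in manifest")
        elif live[name] != manifest[name]:
            problems.append(f"{name}: digest mismatch")
    return not problems, problems


def golden_release():
    """What the operator records at release time: artifacts, their manifest, its signature."""
    artifacts = {"vnf-image": VNF_IMAGE, "vnf-config": VNF_CONFIG, "policy": POLICY}
    manifest = measure(artifacts)
    return artifacts, manifest, sign_manifest(manifest, VERIFIER_KEY)


def check_intact() -> Tuple[bool, List[str]]:
    artifacts, manifest, sig = golden_release()
    return verify(artifacts, manifest, sig, VERIFIER_KEY)


def check_tampered_policy() -> Tuple[bool, List[str]]:
    """Policy edited in a second cloud after release: the manifest exposes the drift."""
    artifacts, manifest, sig = golden_release()
    artifacts["policy"] = POLICY.replace(b"deny any\n", b"allow any\n")
    return verify(artifacts, manifest, sig, VERIFIER_KEY)


def check_forged_manifest() -> Tuple[bool, List[str]]:
    """Policy and manifest both rewritten, but without the key no valid signature exists."""
    artifacts, manifest, sig = golden_release()
    artifacts["policy"] = b"allow any\n"
    manifest = measure(artifacts)
    return verify(artifacts, manifest, sig, VERIFIER_KEY)
```

In a multi-operator setting the manifest, not the artifacts, is what crosses trust boundaries: each party re-measures locally and only needs the verifier's public key (here, the shared demo key) to check accountability for a policy or configuration it did not author.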

Page 11

Dynamic workloads
• NFV enables agile and dynamic capabilities & dynamic NW topology
• Traditional security models are static & unable to adapt & evolve dynamically
• Security services inserted into NFV rely on overlay models that cross vendor boundaries

Multi-Domain Security Policy Management
• Multiple administrators with vertically & horizontally overlapping administrative domains
• Policy / authority conflict management
• Responsibility and liability distributed among many overlapping trust and administrative realms

Solution: policy-driven security orchestration architecture. Security policy is planned for the whole network, and security needs change dynamically with the services.

Case: FW policy automatically updated when services are updated.

State: completed the demo of security policies automatically dispatched and updated
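The firewall case above, as an added example that is not the demo from the slides: security intents are written against service names, the orchestrator's inventory says which instances each service has right now, and the concrete rule set is re-derived from the two on every service change; the diff against the currently installed rules is what gets dispatched to the enforcement point. Service names, addresses and ports are constructed; the intent format is an assumption for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One concrete firewall rule as an enforcement point would consume it."""
    action: str
    proto: str
    src: str
    dst: str
    dport: int


# Constructed security intents, expressed against service names rather than addresses.
# Only the orchestrator's inventory knows which instances a service has at any moment.
INTENTS: List[Tuple[str, str, str, str, int]] = [
    ("allow", "tcp", "web", "app", 8080),
    ("allow", "tcp", "app", "db", 5432),
]


def derive_rules(inventory: Dict[str, Set[str]], intents: Iterable) -> Set[Rule]:
    """Expand service-level intents into address-level rules for the current inventory."""
    rules: Set[Rule] = set()
    for action, proto, src_svc, dst_svc, dport in intents:
        for src in inventory.get(src_svc, set()):
            for dst in inventory.get(dst_svc, set()):
                rules.add(Rule(action, proto, src, dst, dport))
    return rules


def diff_rules(current: Set[Rule], desired: Set[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules the enforcement point must add and remove to converge on the desired set."""
    def key(r: Rule):
        return (r.src, r.dst, r.dport, r.action)
    return sorted(desired - current, key=key), sorted(current - desired, key=key)


def scale_out_app_tier() -> Tuple[List[Rule], List[Rule]]:
    """Service update: the orchestrator adds an app instance. Policy follows automatically."""
    inventory = {"web": {"10.1.0.11"}, "app": {"10.2.0.21"}, "db": {"10.3.0.31"}}
    before = derive_rules(inventory, INTENTS)
    inventory["app"].add("10.2.0.22")          # scale-out event
    after = derive_rules(inventory, INTENTS)
    return diff_rules(before, after)


def scale_in_web_tier() -> Tuple[List[Rule], List[Rule]]:
    """Service update: a web instance is retired. Its rules are withdrawn, not left behind."""
    inventory = {"web": {"10.1.0.11", "10.1.0.12"}, "app": {"10.2.0.21"}, "db": {"10.3.0.31"}}
    before = derive_rules(inventory, INTENTS)
    inventory["web"].discard("10.1.0.12")      # scale-in event
    after = derive_rules(inventory, INTENTS)
    return diff_rules(before, after)


if __name__ == "__main__":
    added, removed = scale_out_app_tier()
    print("scale-out: add", [(r.src, r.dst, r.dport) for r in added], "remove", removed)
    added, removed = scale_in_web_tier()
    print("scale-in:  add", added, "remove", [(r.src, r.dst, r.dport) for r in removed])
```

The scale-in case is the one static rule management gets wrong most often: an address that leaves a service keeps its old permissions until someone notices, whereas deriving from inventory withdraws them in the same pass that grants the new instance its rules.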

Page 12

Security Challenges for NFV/SDN Cloud Deployments

Hypervisor Compatibility for VNSFs & Appliances
• Virtual appliances such as firewalls and intrusion prevention systems use optimized custom drivers and kernels: inefficient or vulnerable on general IaaS
• Some IaaS systems provide custom hypervisor APIs for traffic steering: modifications to vNSF/As expand their attack vectors

Elastic network boundaries
• Performance of security virtual appliances does not match physical appliances even if optimized
• Elasticity and dynamic scalability compensate for the lack of unit performance, but complicate security management and introduce conflicts & threats

Data/Management Network Separation
Some cloud architectures allow sharing the data network with a management or control network. This shared architecture may lead to:
• a compromise of the SDN or the Infrastructure-as-a-Service (IaaS) control nodes
• intruders bypassing NFV security devices (e.g. jumping to or exploiting the SDN controller)

Centralization in SDN Architecture
• Centralized SDN architectures need to accommodate elastic, distributed, multi-tenant cloud-of-clouds environments
• Increased reliance on agility and resilience of NFV and security orchestration -> complex security policy management & network topology changes

Security service insertion & on-boarding
• SDN includes applications, controllers, switches and management systems that can be exploited to intercept, manipulate or access traffic
• Introducing VNFs may increase the attack surface
• Security breach of SDN-enabled applications may allow bypassing isolation mechanisms: cross-boundary attacks that compromise the overall network or perform unauthorized actions on other tenants’ networks

Policy consistency & policy attacks
• Some SDN controllers lack mechanisms to check for consistent policies
• A malicious user may construct multiple policies that transform malicious flows (otherwise blocked by NFV devices) into “normal” traffic

NFV/IaaS awareness for SDN
• Tenant resources such as network traffic are isolated by IaaS NV & NFVs
• Independent SDN controllers that manage traffic on virtual switches but lack IaaS awareness or integration with IaaS NV & NFV orchestration may break isolation by failing to map tenant traffic accordingly
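The policy consistency check the slide says some SDN controllers lack, as an added example that is not part of the slides: a small analyser over a priority-ordered flow table that reports every lower-priority rule whose effect is changed by a higher-priority rule with the opposite action, either fully ("shadowed", the rule can never match) or partially ("conflict"). Run before rules are installed, this is the point at which a set of tenant-submitted "allow" rules that would carve a path through an operator "deny" becomes visible to the operator. The rule format and all addresses, ports and priorities are constructed; the semantics assumed are OpenFlow-style (highest priority wins, CIDR match on source and destination, optional destination port).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    priority: int          # higher wins, as in OpenFlow-style tables
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"
    owner: str             # who submitted it (constructed: "operator" / "tenant")


def _covers(outer: FlowRule, inner: FlowRule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dport is None or outer.dport == inner.dport
    return src_ok and dst_ok and port_ok


def _overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if at least one packet is matched by both rules."""
    src_ok = ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
    dst_ok = ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
    port_ok = a.dport is None or b.dport is None or a.dport == b.dport
    return src_ok and dst_ok and port_ok


def analyse(rules: List[FlowRule]) -> List[Tuple[str, FlowRule, FlowRule]]:
    """Report each lower-priority rule whose effect is changed by a higher-priority rule
    with the opposite action: "shadowed" (it can never match) or "conflict" (partially
    overridden). Either finding means the effective policy differs from the stated one."""
    findings = []
    ordered = sorted(rules, key=lambda r: -r.priority)
    for i, high in enumerate(ordered):
        for low in ordered[i + 1:]:
            if high.action == low.action:
                continue
            if _covers(high, low):
                findings.append(("shadowed", low, high))
            elif _overlaps(high, low):
                findings.append(("conflict", low, high))
    return findings


# Constructed rule set: the operator denies a tenant range access to the database segment;
# tenant-submitted rules with higher priority partially, then fully, override that deny.
SAMPLE_RULES = [
    FlowRule(50, "10.5.0.0/16", "10.9.0.0/24", 5432, "deny", "operator"),
    FlowRule(10, "0.0.0.0/0", "0.0.0.0/0", 443, "allow", "operator"),
    FlowRule(100, "10.5.1.0/24", "10.9.0.0/24", 5432, "allow", "tenant"),
    FlowRule(200, "10.5.0.0/16", "10.9.0.0/24", None, "allow", "tenant"),
]


def sample_findings() -> List[Tuple[str, int, int]]:
    """Compact view: (kind, overridden rule priority, overriding rule priority)."""
    return [(kind, low.priority, high.priority) for kind, low, high in analyse(SAMPLE_RULES)]


if __name__ == "__main__":
    for kind, low, high in analyse(SAMPLE_RULES):
        print(f"{kind}: {low.owner} rule p{low.priority} {low.action} "
              f"overridden by {high.owner} rule p{high.priority} {high.action}")
```

The owner field is what turns a finding into a decision: a conflict between two operator rules is a housekeeping issue, while an operator deny overridden by a tenant allow is a policy attack surface and should block installation until reviewed.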

Page 13

Security Benefits and Opportunities: cost-efficiency, flexibility, responsiveness, software-defined / agile

• Virtualization of high-end security functions
• Intelligent management of traffic destined to specific VNFs (leveraging SDN)
• On-demand deployment and scalability
• Dynamic, real-time response to threats (in conjunction with SDN, to rearrange service chains and optimize performance and efficacy of VNFs)
• Real-time, global network view (topology, routes, and traffic statistics)
• Better response to DDoS attacks
• Better detection of network anomalies
• NFV: quickly provision, place and configure different types of virtual security appliances
• SDN (controller): intercept, steer, mirror desired traffic for security inspection
• A security service provider can quickly provision a large number of security function instances to cope with usage peaks, attacks, etc.
• End-to-end visibility and control
• Programmatic management of security resources

Page 14

Specialize to NFV/NFVI security controls from: ISO 2017 (2001/2); CSA CCM; CC; NFV Sec (ETSI)
• Create a specialized security control taxonomy
• Maintain traceability to threats, challenges and customer, standards and compliance requirements

Page 15

VNF layer: VNSF & Sec. Lifecycle; VNF security functions

Map Security Controls to:
• Security subsystems
• NFV / NFVI Architecture layers

Decompose Security Controls to:
• Security functions per layer
• Cross-layer dependences

Page 16

Refine Security Control Architecture to:
• Security solution design
• Security procedures
• Cross-layer dependences

Page 17

Innovation Roadmap: feature improvement classification (impact, timeliness)

Features: enhancement / development; specification; design; validation

Conformance assessment: metrics; procedure

[Diagram residue; recovered labels only: layers VNFs, NFVi, MANO, DC; axes "VNSF & NFV platform Security Requirements" and "Security control implementation (technology)"]

Overview | NFV Orch. Security | NFV Sec-Arch | Trusted Computing

Page 18

Use-cases: Example

Operator’s example: BT GS Cloud of Clouds Vision

[Diagram residue; recovered labels only: 3rd party cloud NW/Sec services; ISVs / Apps; C-SOC; Public Cloud; Operator’s DC; Internet; Customer Users; Customer DC; (Hyper)Cloud Management; Cloud/NFV Management; Security Service Management]

Page 19

Standards: Example

• SEC007 – Remote Attestation technologies: Telefonica & Huawei – informative – H1 2017
• SEC005 – Certificate Management: VNF certificates provisioning and lifecycle. Huawei – informative – H1 2017
• SEC012 – System architecture for execution of sensitive NFV components (spec): architecture/requirements for providing a secure execution environment – hardware reqs & hypervisor hardening. Intel – normative – Sept 2016 – completed!
• SEC013 – Security Management and Monitoring specification: security orchestration specification, including detailed (network) monitoring architecture. AT&T, Intel, Nokia – normative – Feb 2017 – completed!
• SEC014 – Security Specification for MANO Components and Interfaces: threat & requirements list definition for defined MANO interfaces. NEC – normative – 2017
• SEC011 – Security Report on NFV LI Architecture: architecture for LI in NFV. BT (& US gov) – normative – mid 2017

Opportunity
• There is still an opportunity to get involved in the architecture definition
• The SEC WG has acknowledged that SEC013 requires revisiting
• A coordinated strategy is required across teams in the SEC WG

Page 20

Standards: Example


Opportunity
• SEC013 – Security Management and Monitoring: originally a network monitoring doc (AT&T + Intel)
• Intel working on a PoC for the monitoring part; early results shown during F2F meetings; high interest in this from operators and LI delegates
• Nokia proposed a Security Orchestration architecture; SEC013 becomes high impact – normative!
• Opportunity to get involved in revising this architecture!

Page 21

THANK YOU
www.huawei.com

Copyright © 2014 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.