Developments in the ETSI NFV Security Expert Group
Igor Faynberg, ETSI NFV SEC Expert Group Convener
July 23, 2014
All Rights Reserved © Alcatel-Lucent 2014

Outline
- ETSI NFV SEC EG history, objectives, and charter
- Current state of deliverables
- New factors
- Lawful intercept
- Proof-of-concept (VNF router and DDoS)
- Items in the works
ETSI NFV Security Expert Group
- Was created with the objective of advising all working groups rather than having its own work items (but that has changed!)
- Started with three experts at the onset of NFV; no communication beyond e-mail exchange
- Has now grown to a steady 14 active participants from 8 companies (200 on the mailing list, 25 at F2F meetings); holds regular bi-weekly meetings; receives a steady stream of contributions
Deliverables
- Security consideration sections for documents in INF, SWA, and MANO
- Three work items are in progress:
  - Problem statement (Rapporteur: Bob Briscoe, BT): chartered in April 2013 (now approved by the EG); aims to identify new areas of concern specific to NFV and to prepare a standardization plan
  - OpenStack security (Rapporteur: Hui-Lan Lu, ALU): chartered in February 2014; aims to identify security features, best practices, and gaps in OpenStack software
  - Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel, and Kurt Roemer, Citrix): chartered in February 2014 (now approved by the EG); aims to provide guidance in NFV-specific areas
- Two unofficial work items under development (Certificate Management and Access Monitoring)
Charter summaries
DGS/NFV-SEC001: Network Functions Virtualisation (NFV); NFV Security; Problem Statement
- Define NFV sufficiently to understand its security impact
- Provide a reference list of deployment scenarios
- Identify new security vulnerabilities resulting from NFV
- Identify candidate NFV working groups responsible for addressing each vulnerability
DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing security features in management software relevant to NFV
- Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies, down to the modules that implement cryptographic protocols and algorithms
- Recommend options that are appropriate for NFV deployment
DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance
- Define areas of consideration where security and trust technologies, practices, and processes have different requirements than non-NFV systems and operations
- Supply guidance for the environment that supports and interfaces with NFV systems and operations
Problems identified in the Security Problem Statement
- Topology Validation and Enforcement
- Availability of Management Support Infrastructure
- Secured Boot
- Secure Crash
- Performance Isolation
- User/Tenant Authentication, Authorization, and Accounting
- Authenticated Time Service
- Private Keys within Cloned Images
- Back-doors via Virtualized Test and Monitoring Functions
- Multi-Administrator Isolation
- Security monitoring across multiple administrative domains (i.e., lawful interception)
Stable draft is publicly available at http://docbox.etsi.org/ISG/NFV/Open/
OpenStack Security
Motivation:
- Safe application of OpenStack in NFV
- Gap identification
- Export control of cryptographic software
- Compliance with procurement processes
- Follow-up on alerts from US-CERT and other similar organizations
- Determination of the relevant elements for security analytics
Functional aspects:
- Identity and access management
- Communication security
- Stored data security
- Firewalling, zoning, and topology hiding
- Availability
- Logging and monitoring
Lawful Intercept (new!)
- The primary source: COM 96/C329/01 on Lawful Interception, adopted on 17 January 1995 by the EU Council of Ministers
- Further requirements: EU Privacy Directive (EC 2002/58/EC)
- NFV-specific problems:
  - Hypervisor introspection makes undetectability of "virtual" taps impossible
  - Ditto for data retention
- One solution: physical zoning
Key Lawful Intercept Requirements
Undetectability
- Target and correspondents cannot detect interception
- Unauthorized personnel cannot detect interception
Accountability
- Only communication pertaining to the target is intercepted
- Intercepted communication is available only to authorized personnel
- LI measures are accessible only to authorized personnel
- Consistency of interception can be checked
- Activation, change, and de-activation are fully logged
- Logs are tamper-proof and accessible only to authorized personnel
Confidentiality
- It is possible to encrypt all sensitive information (at rest and in motion)
Decipherability
- Intercepted communication, if encrypted, is delivered in decrypted form or with the encryption keys made available
Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)
- Overall PoC project completion status: in progress, to be completed by end of June 2014
- Key milestone: report with detailed performance characterization of the following aspects
  - Additional latency due to the DDoS detection block as a function of throughput
  - DDoS attack detection time as a function of throughput and number of legitimate flows in the system
  - Additional latency due to the DDoS mitigation action block (QoS action such as re-marking) as a function of throughput
In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent)
- Correlated analytics for information in the form of subscriber's IP address, IMSI, end-user device, application, location, and bandwidth consumed by the application
- Help operators keep track of network use and subscriber dynamics
- Detect anomalies: malware or DDoS attacks
Certificate Management in the NFV Environment Proposal (Huawei)
- Provide guidance for NFV certificate deployment
- Describe specific use cases, the threats, and the requirements for the NFV scenario
- Specify the trust validation mechanism applied to Virtual Machines (VMs) and Virtualized Network Functions (VNFs)