Published by Keshawn Sidbury
Developments in the ETSI NFV Security Expert Group
Igor Faynberg, ETSI NFV SEC Expert Group Convener
July 23, 2014
All Rights Reserved © Alcatel-Lucent

Outline
- ETSI NFV SEC EG history, objectives, and charter
- Current state of deliverables
- New factors
  - Lawful intercept
  - Proof-of-concept (VNF router and DDoS)
- Items in the works
ETSI NFV Security Expert Group
- Created with the objective of advising all working groups rather than having its own work items (but that has changed!)
- Started with three experts at the onset of NFV; no communication beyond exchanges among them
- Has since grown to a steady 14 active participants from 8 companies (200 on the mailing list, 25 at face-to-face meetings), holding regular bi-weekly meetings and receiving a steady stream of contributions
Deliverables
- Security consideration sections for documents in INF, SWA, and MANO
- Three work items in progress:
  - Problem statement (Rapporteur: Bob Briscoe, BT); chartered in April 2013 (now approved by the EG); aims to identify new areas of concern specific to NFV and to prepare a standardization plan
  - OpenStack security (Rapporteur: Hui-Lan Lu, ALU); chartered in February 2014; aims to identify security features, best practices, and gaps in OpenStack software
  - Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel, and Kurt Roemer, Citrix); chartered in February 2014 (now approved by the EG); aims to provide guidance in NFV-specific areas
- Two unofficial work items under development (Certificate management and Access monitoring)
Charter summaries
- DGS/NFV-SEC001: Network Functions Virtualisation (NFV); NFV Security; Problem Statement
  - Define NFV sufficiently to understand its security impact
  - Provide a reference list of deployment scenarios
  - Identify new security vulnerabilities resulting from NFV
  - Identify candidate NFV working groups responsible for addressing each vulnerability
- DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV Security; Cataloguing security features in management software relevant to NFV
  - Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing), with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms
  - Recommend options that are appropriate for NFV deployment
- DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance
  - Define areas of consideration where security and trust technologies, practices and processes have different requirements than non-NFV systems and operations
  - Supply guidance for the environment that supports and interfaces with NFV systems and operations
Problems identified in the Security Problem Statement
- Topology validation and enforcement
- Availability of management support infrastructure
- Secured boot
- Secure crash
- Performance isolation
- User/tenant authentication, authorization, and accounting
- Authenticated time service
- Private keys within cloned images
- Back-doors via virtualized test and monitoring functions
- Multi-administrator isolation
- Security monitoring across multiple administrative domains (i.e., lawful interception)
Stable draft is publicly available at
OpenStack Security
- Motivation
  - Safe application of OpenStack in NFV
  - Gap identification
  - Export control of cryptographic software
  - Compliance with procurement processes
  - Follow-up on alerts from US-CERT and similar organizations
  - Determination of the relevant elements for security analytics
- Functional aspects
  - Identity and access management
  - Communication security
  - Stored data security
  - Firewalling, zoning, and topology hiding
  - Availability
  - Logging and monitoring
Lawful Intercept (new!)
- The primary source: COM 96/C329/01 on Lawful Interception, adopted on 17 January 1995 by the EU Council of Ministers
- Further requirements: the EU Privacy Directive (2002/58/EC)
- NFV-specific problems:
  - Hypervisor introspection makes undetectability of "virtual" taps impossible: whoever administers the hypervisor can observe a tap implemented as a VM or virtual interface
  - Ditto for data retention
- One solution: physical zoning (LI functions on separately administered hardware)
Key Lawful Intercept Requirements
- Undetectability
  - Target and correspondents cannot detect interception
  - Unauthorized personnel cannot detect interception
- Accountability
  - Only communication pertaining to the target is intercepted
  - Intercepted communication is available only to authorized personnel
  - LI measures are accessible only to authorized personnel
  - Consistency of interception can be checked
  - Activation, change, and de-activation are fully logged
  - Logs are tamper-proof and accessible only to authorized personnel
- Confidentiality
  - It is possible to encrypt all sensitive information (at rest and in motion)
- Decipherability
  - Intercepted communication, if encrypted, is delivered in decrypted form or with the encryption keys made available
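The accountability requirements above ("activation, change, and de-activation are fully logged" and "logs are tamper-proof") are usually met with an append-only audit log whose records are hash-chained and keyed. The block below is an added example written for this page, not code from the ETSI NFV SEC group or Alcatel-Lucent; the audit key, the target identifier, the warrant number and the event fields are all constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: in a real LI system this would live in an HSM or a
# key store reachable only by the LI administration function.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain head before the first record


def _canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, event: dict) -> str:
    """HMAC over (previous tag || canonical event): links the record to its
    predecessor and binds it to the key, so an edit needs both chain and key."""
    digest = hashlib.sha256(prev_tag.encode() + _canonical(event)).hexdigest()
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, event: dict) -> dict:
    """Append one LI administration event (activate / change / deactivate)."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    record = {"seq": len(log), "event": event, "prev": prev_tag,
              "tag": _tag(key, prev_tag, event)}
    log.append(record)
    return record


def verify_log(log: list, key: bytes, anchor: Optional[str] = None):
    """Return (ok, detail). Walks the chain, recomputes every tag, and
    optionally checks the head against an externally stored anchor tag."""
    prev_tag = GENESIS
    for rec in log:
        if rec["prev"] != prev_tag:
            return False, f"chain break at seq {rec['seq']}"
        if not hmac.compare_digest(_tag(key, prev_tag, rec["event"]), rec["tag"]):
            return False, f"bad tag at seq {rec['seq']}"
        prev_tag = rec["tag"]
    if anchor is not None and not hmac.compare_digest(prev_tag, anchor):
        return False, "head tag does not match external anchor (truncation?)"
    return True, None


def build_sample_log(key: bytes = AUDIT_KEY) -> list:
    """Constructed activate / change / deactivate sequence for a fictional target."""
    log = []
    for event in (
        {"ts": "2014-07-23T10:00:00Z", "action": "activate", "target": "LIID-0001",
         "operator": "li-admin-1", "warrant": "W-2014-0042"},
        {"ts": "2014-07-23T11:30:00Z", "action": "change", "target": "LIID-0001",
         "operator": "li-admin-1", "detail": "add correspondent filter"},
        {"ts": "2014-07-30T09:00:00Z", "action": "deactivate", "target": "LIID-0001",
         "operator": "li-admin-2"},
    ):
        append_event(log, key, event)
    return log


def tamper_check(key: bytes = AUDIT_KEY) -> dict:
    """Exercise the cases an auditor cares about: intact log, an edited
    record, and a log silently truncated from the end."""
    log = build_sample_log(key)
    anchor = log[-1]["tag"]  # would be written to a separate, protected store

    edited = copy.deepcopy(log)
    edited[1]["event"]["operator"] = "someone-else"  # rewrite who made the change

    truncated = copy.deepcopy(log[:-1])  # drop the deactivation record

    return {
        "intact": verify_log(log, key, anchor),
        "edited": verify_log(edited, key, anchor),
        "truncated_no_anchor": verify_log(truncated, key),
        "truncated_with_anchor": verify_log(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_check().items():
        print(f"{name}: {result}")
```

The truncated case is the one worth noticing: a hash chain alone accepts a log whose tail has been deleted, so "tamper-proof" needs the current head tag (or a periodic checkpoint) stored somewhere the log writer cannot reach. Equally, the "accessible only to authorized personnel" clause is not provided by the chain at all; it comes from who can read the key and the anchor.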
Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)
- Overall PoC project completion status: in progress, to be completed by end of June 2014
- Key milestone: report with detailed performance characterization of the following aspects
  - Additional latency due to the DDoS detection block as a function of throughput
  - DDoS attack detection time as a function of throughput and number of legitimate flows in the system
  - Additional latency due to the DDoS mitigation action block (QoS action such as re-marking) as a function of throughput
In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent)
- Correlated analytics over information such as subscriber IP address, IMSI, end-user device, application, location, and bandwidth consumed by the application
- Helps operators keep track of network use and subscriber dynamics
- Detects anomalies such as malware or DDoS attacks
Certificate Management in the NFV Environment: Proposal (Huawei)
- Provide guidance for NFV certificate deployment
- Describe specific use cases, threats, and requirements for the NFV scenario
- Specify the trust validation mechanism applied to VMs (Virtual Machines) and VNFs (Virtualized Network Functions)