Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developments in the ETSI NFV Security Expert Group Igor Faynberg, ETSI NFV SEC Expert Group Convener July 23, 2014.

Similar presentations

Presentation on theme: "Developments in the ETSI NFV Security Expert Group Igor Faynberg, ETSI NFV SEC Expert Group Convener July 23, 2014."— Presentation transcript:

1 Developments in the ETSI NFV Security Expert Group Igor Faynberg, ETSI NFV SEC Expert Group Convener July 23, 2014

2 All Rights Reserved © Alcatel-Lucent Outline  ETSI NFV SEC EG history, objectives, and a charter  Current state of deliverables  New factors Lawful intercept Proof-of-concept (VNF router and DDOS)  Items in the work

3 All Rights Reserved © Alcatel-Lucent ETSI NFV Security Expert Group  Was created with the objective to advise all working groups rather than have its individual work item (but that has changed!)  Started with three experts at the onset of the NFV; no communications beyond exchange  Presently grown to the steady 14 active participants from 8 companies (200 on the list, 25 at F2F meetings); holding regular bi-weekly meetings; receiving a steady stream of contributions

4 All Rights Reserved © Alcatel-Lucent Deliverables  Security consideration sections for documents in INF, SWA, and MANO  Three work items are in progress Problem statement (Rapporteur: Bob Briscoe, BT)  chartered in April 2013 (now approved by EG)  aims to identify new areas of concern specific to NFV Prepare standardization plan OpenStack security (Rapporteur: Hui-Lan Lu, ALU)  chartered in February 2014  aims to identify security features, best practices, and gaps in OpenStack software Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel and Kurt Roemer, Citrix)  Chartered in February 2014 (now approved by EG)  aims to provide guidance in NFV-specific areas  Two unofficial work items under development ( Certificate management and Access Monitoring)

5 All Rights Reserved © Alcatel-Lucent Charter summaries  DGS/NFV-SEC001; Network Functions Virtualisation (NFV); NFV Security; Problem Statement Define NFV sufficiently to understand its security impact Provide a reference list of deployment scenarios Identify new security vulnerabilities resulting from NFV Identify candidate NFV working groups responsible for addressing each vulnerability  DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing security features in management software relevant to NFV Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms. Recommend options that are appropriate for NFV deployment  DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security, Security and Trust Guidance Define areas of consideration where security and trust technologies, practices and processes have different requirements than non-NFV systems and operations. Supply guidance for the environment that supports and interfaces with NFV systems and operations.

6 All Rights Reserved © Alcatel-Lucent Problems identified in the Security Problem Statement  Topology Validation and Enforcement  Availability of Management Support Infrastructure  Secured Boot  Secure Crash  Performance Isolation  User/Tenant Authentication, Authorization, and Accounting  Authenticated Time Service  Private Keys within Cloned Images  Back-doors via Virtualized Test and Monitoring Functions  Multi-Administrator Isolation  Security monitoring across multiple administrative domains (i.e., lawful interception) Stable draft is publicly available at

7 All Rights Reserved © Alcatel-Lucent OpenStack Security  Motivation Safe application of OpenStack in NFV Gaps identification Export control of cryptographic software Compliance with procurement processes Follow-up on alerts from US-CERT and other similar organizations Determination of the relevant elements for security analytics  Functional aspects Identity and access management Communication security Stored data security Firewalling, zoning, and topology hiding Availability Logging and monitoring

8 All Rights Reserved © Alcatel-Lucent Lawful Intercept (new!)  The primary source: COM 96/C329/01 on Lawful Interception adopted on the 17th January 1995 by the EU Council of Ministers.  Further requirements: EU Privacy Directive (EC 2002/58/EC).EC 2002/58/EC  NFV-specific problems: Hypervisor introspection makes undetectability of “virtual” taps impossible Ditto for data retention  One solution: Physical zoning

9 All Rights Reserved © Alcatel-Lucent Key Lawful Intercept Requirements Undetectability  Target and correspondents cannot detect interception  Unauthorized personnel cannot detect interception Accountability  Only communication pertaining to the target is intercepted  Intercepted communication is available only to authorized personnel  LI measures are accessible only to authorized personnel  Consistency of interception can be checked  Activation, change, and de-activation are fully logged  Logs are tamper-proof and accessible only to authorized personnel Confidentiality  It is possible to encrypt all sensitive information (at rest and in motion) Decipherability  Intercepted communication, if encrypted, is delivered in decrypted form or with available encryption keys

10 All Rights Reserved © Alcatel-Lucent Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)  Overall PoC Project Completion Status: In progress, to be completed by end of June 2014  Key Milestone: Report with detailed performance characterization of the following aspects Additional latency due to DDoS detection block as a function of throughput DDoS attack detection time as a function of throughput and number of legitimate flows in the system Additional latency due to DDoS mitigation action block (QoS action such as re-mark) as a function of throughput

11 All Rights Reserved © Alcatel-Lucent In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent) Correlated analytics for the information in the form of subscriber’s IP address, IMSI, end user device, application, location, and bandwidth consumed by the application. Help operators keep track of the network use, subscriber dynamics. Detect anomalies: malware or DDOS attacks

12 All Rights Reserved © Alcatel-Lucent Certificate Management in the NFV Environment Proposal (Huawei)  Provide guidance for NFV certificate deployment.  Describe specific use cases, the threats and the requirements for NFV scenario  Specify the trust validation mechanism applied for VM (Virtual Machine) and Virtualized Network Function (VNF).

Download ppt "Developments in the ETSI NFV Security Expert Group Igor Faynberg, ETSI NFV SEC Expert Group Convener July 23, 2014."

Similar presentations

Ads by Google