Presentation transcript: "Developments in the ETSI NFV Security Expert Group"
Slide 1: Developments in the ETSI NFV Security Expert Group
Igor Faynberg, ETSI NFV SEC Expert Group Convener
July 23, 2014
Slide 2: Outline
- ETSI NFV SEC EG history, objectives, and charter
- Current state of deliverables
- New factors
- Lawful intercept
- Proof-of-concept (VNF router and DDoS)
- Items in the works
Slide 3: ETSI NFV Security Expert Group
- Was created with the objective of advising all working groups rather than having its own work items (but that has changed!)
- Started with three experts at the onset of NFV; no communications beyond exchange
- Presently grown to a steady 14 active participants from 8 companies (200 on the list, 25 at F2F meetings); holding regular bi-weekly meetings; receiving a steady stream of contributions
Slide 4: Deliverables
- Security consideration sections for documents in INF, SWA, and MANO
- Three work items are in progress:
  - Problem statement (Rapporteur: Bob Briscoe, BT): chartered in April (now approved by EG); aims to identify new areas of concern specific to NFV and to prepare a standardization plan
  - OpenStack security (Rapporteur: Hui-Lan Lu, ALU): chartered in February 2014; aims to identify security features, best practices, and gaps in OpenStack software
  - Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel, and Kurt Roemer, Citrix): chartered in February 2014 (now approved by EG); aims to provide guidance in NFV-specific areas
- Two unofficial work items under development (Certificate management and Access monitoring)
Slide 5: Charter summaries
- DGS/NFV-SEC001: Network Functions Virtualisation (NFV); NFV Security; Problem Statement
  - Define NFV sufficiently to understand its security impact
  - Provide a reference list of deployment scenarios
  - Identify new security vulnerabilities resulting from NFV
  - Identify candidate NFV working groups responsible for addressing each vulnerability
- DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing security features in management software relevant to NFV
  - Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms
  - Recommend options that are appropriate for NFV deployment
- DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance
  - Define areas of consideration where security and trust technologies, practices and processes have different requirements than non-NFV systems and operations
  - Supply guidance for the environment that supports and interfaces with NFV systems and operations
Slide 6: Problems identified in the Security Problem Statement
- Topology Validation and Enforcement
- Availability of Management Support Infrastructure
- Secured Boot
- Secure Crash
- Performance Isolation
- User/Tenant Authentication, Authorization, and Accounting
- Authenticated Time Service
- Private Keys within Cloned Images
- Back-doors via Virtualized Test and Monitoring Functions
- Multi-Administrator Isolation
- Security monitoring across multiple administrative domains (i.e., lawful interception)
Stable draft is publicly available at
Slide 7: OpenStack Security
- Motivation
  - Safe application of OpenStack in NFV
  - Gaps identification
  - Export control of cryptographic software
  - Compliance with procurement processes
  - Follow-up on alerts from US-CERT and other similar organizations
  - Determination of the relevant elements for security analytics
- Functional aspects
  - Identity and access management
  - Communication security
  - Stored data security
  - Firewalling, zoning, and topology hiding
  - Availability
  - Logging and monitoring
Slide 8: Lawful Intercept (new!)
- The primary source: COM 96/C329/01 on Lawful Interception, adopted on 17 January 1995 by the EU Council of Ministers
- Further requirements: EU Privacy Directive (EC 2002/58/EC)
- NFV-specific problems:
  - Hypervisor introspection makes undetectability of "virtual" taps impossible
  - Ditto for data retention
- One solution: physical zoning
Slide 9: Key Lawful Intercept Requirements
- Undetectability
  - Target and correspondents cannot detect interception
  - Unauthorized personnel cannot detect interception
- Accountability
  - Only communication pertaining to the target is intercepted
  - Intercepted communication is available only to authorized personnel
  - LI measures are accessible only to authorized personnel
  - Consistency of interception can be checked
  - Activation, change, and de-activation are fully logged
  - Logs are tamper-proof and accessible only to authorized personnel
- Confidentiality
  - It is possible to encrypt all sensitive information (at rest and in motion)
- Decipherability
  - Intercepted communication, if encrypted, is delivered in decrypted form or with the encryption keys made available
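As an added illustration (not part of the ETSI NFV SEC deck), the following sketch models the accountability bullets above: every activation, change and de-activation of an intercept is logged, the log can be consistency-checked, and both the control actions and the log are restricted to authorised LI personnel. A keyed hash chain as used here gives tamper evidence rather than tamper-proofing, which is the practical reading of "tamper-proof"; the role name `li_admin`, the action names and the field layout are assumptions for the example.

```python
import hashlib
import hmac
import json

LI_ROLE = "li_admin"  # assumed role name for authorised LI personnel


class LiAuditLog:
    """Hash-chained log of LI control events (activate / change / deactivate)."""

    def __init__(self, key: bytes):
        self._key = key  # held by the LI function only, never by tenants or operators
        self._entries = []

    def _mac(self, prev: str, body: dict) -> str:
        # Each entry authenticates its own fields plus the previous entry's MAC,
        # so altering or deleting any earlier entry invalidates every later one.
        payload = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, actor: str, role: str, action: str, target: str, ts: int) -> None:
        """Requirement: activation, change and de-activation are fully logged,
        and LI measures are accessible only to authorised personnel."""
        if action not in ("activate", "change", "deactivate"):
            raise ValueError(f"unknown LI action: {action}")
        if role != LI_ROLE:
            raise PermissionError(f"{actor} ({role}) may not {action} an intercept")
        prev = self._entries[-1]["mac"] if self._entries else "0" * 64
        body = {"seq": len(self._entries), "ts": ts, "actor": actor,
                "action": action, "target": target}
        self._entries.append({**body, "mac": self._mac(prev, body)})

    def verify(self) -> bool:
        """Requirement: consistency can be checked. Recomputes the chain; any
        edit, reordering or deletion inside the chain breaks it. Truncating the
        tail is only caught if the latest MAC is also anchored externally."""
        prev = "0" * 64
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["seq"] != i or not hmac.compare_digest(entry["mac"], self._mac(prev, body)):
                return False
            prev = entry["mac"]
        return True

    def read(self, role: str) -> list:
        """Requirement: logs are accessible only to authorised personnel."""
        if role != LI_ROLE:
            raise PermissionError("LI log is readable only by authorised LI personnel")
        return [dict(e) for e in self._entries]
```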
Slide 10: Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)
- Overall PoC project completion status: in progress, to be completed by end of June 2014
- Key milestone: report with detailed performance characterization of the following aspects:
  - Additional latency due to the DDoS detection block as a function of throughput
  - DDoS attack detection time as a function of throughput and number of legitimate flows in the system
  - Additional latency due to the DDoS mitigation action block (QoS action such as re-mark) as a function of throughput
Slide 11: In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent)
- Help operators keep track of network use and subscriber dynamics
- Detect anomalies: malware or DDoS attacks
- Correlated analytics for information in the form of the subscriber's IP address, IMSI, end-user device, application, location, and bandwidth consumed by the application
Slide 12: Certificate Management in the NFV Environment Proposal (Huawei)
- Provide guidance for NFV certificate deployment
- Describe specific use cases, the threats and the requirements for the NFV scenario
- Specify the trust validation mechanism applied for VMs (Virtual Machines) and Virtualized Network Functions (VNFs)