NFV Update Vienna, February 2018

NFV Update, Vienna, February 2018
GMCQ, Vodafone National Security Obligations and Chair ETSI TC LI
© ETSI 2017. All rights reserved

NFV
ETSI ISG NFV established in 2012
White Papers: http://www.etsi.org/technologies-clusters/technologies/nfv
Goals:
• Reduced operator CAPEX and OPEX through reduced equipment costs and reduced power consumption
• Ensure interworking with existing architectures and physical implementations
• Reduced time-to-market to deploy new network services
• Improved return on investment from new services
• Greater flexibility to scale up, scale down or evolve services
• Openness to the virtual appliance market and pure software entrants
• Opportunities to trial and deploy new innovative services at lower risk

LI Cross-Standards Body Landscape
(diagram: the same NFV stack seen from three views)
• Holistic (standards) view: the 3GPP/TC LI realm alongside the NFV ISG realm
• NFV stack view: HW, NFVI, (virtual) infrastructure, VNFs, MANO, Sec Ctrl, LI RoT
• IMS view: X-CSCF, MGCF, MGW, etc.
Across all views, a complete and correct LI solution needs full vertical coupling of the LI-relevant components (the red boxes in the diagram), from the hardware up to the network function.

Key Reading
• NFV SEC 011 Report on NFV LI Architecture: details the LI changes and potential solutions.
• NFV SEC 012 Security Management and Monitoring for NFV: details the requirements needed to support LI and other critical components. Many of these cannot fully be met by current technology.
• NFV SEC 013 Security monitoring service, architecture and functionality: shares many common requirements with LI. It is difficult to make LI invisible to security monitoring.
• NFV SEC 016 Secure time sources in a virtual environment.

The Basic Issue: Why Aren't Compute Devices Trustworthy?
• Protected mode (rings) protects the OS from apps, and apps from each other ... UNTIL a malicious app OR an admin exploits a flaw to gain full privileges and then tampers with the OS or other apps.
• These flaws may be operational, not technical!
• Apps are not protected from privileged-code attacks: once code runs with privilege, it can read or alter any app's data.
• Rings worked well before the internet: the platform owner and the app developers were aligned, and code was not downloaded from unknown sources.
• Additional protection is needed from unknown sources which are not aligned with the platform owner on program behaviour.

Protection from what?
The stack under discussion:
• Telco Service Layer, e.g. vCPE, vEPC, SIP
• NFV Management and Orchestration (MANO), sometimes called the Cloud Management System (CMS)
• VIM, e.g. OpenStack, CloudStack
• NFVI: Network Function Virtualisation Infrastructure

VM attacks (from other VMs sharing the infrastructure). VMs may be:
• Malicious (less likely)
• Ill-behaved (fairly likely, and probably unintentional)
• Compromised (very likely)

Host attacks (from the host/hypervisor layer): the most concerning, and the most difficult to manage.

Back to Basics Summary
• Entire core network implemented in a common cloud data centre blade architecture.
• May be operator-owned hardware; could use Amazon or Google cloud resources.
• Virtualised network elements share common resources which can be reallocated dynamically depending on network load.
• Multi-vendor, with or without SDN.
• Virtualised network elements can move between data centre blade computing resources dynamically.
• Additional virtualised network elements can be created, paused or terminated depending on network load conditions.

What does this mean for LI?
• More difficult to locate or identify target traffic.
• On-switch / on-function: the "easiest approach".
• Off-platform DPI: extremely difficult. You can't attach physical crocodile clips to virtual connections, and inter-VM encryption is becoming standard.
• On-platform DPI: security problems and limited compute resources; may require a proprietary implementation.
• Hybrid DPI (a mix of on- and off-platform).
• The traditional LI security wrap doesn't work in a virtualised network: the hypervisor has access to all.
• New LI attack and detectability threats: all of the network is in one virtual location.
• Dark-fibre VPN egress is not viable.

NFV Security Considerations
Input: the transition of traditional hardware-based services to software-based "virtualised functions". Increased flexibility, less expensive.
Is security baked in? Not yet. No vendor is currently mature in their NFV offer, and ETSI standards are still being finalised.
NFV impact:
• Potentially, NFV greatly increases the impact of any event.
• Older equipment may not be more secure, but it is harder to exploit.
• IT and telco security are not the same thing.
Specifics:
• Location. Where is the NFV instance? Can we maintain LI capability at that location (legally)? Are we sure it is in the UK and not in China?
• Confidentiality / Integrity. The hypervisor manager can compromise the system. Can you stand over the record generated in an NFV instance one year ago (that existed for 15 seconds)?
• Availability. Increased susceptibility to a common-mode failure.
What can be done?
• Ask the right questions of your vendors (see guidance notes).
• Delay the use of NFV where sensitive functions are required (e.g. LI).
• Regulators should ensure they really understand the issues, now.

NFV (diagram)

Telling the time...
• Virtual functions can't tell the time: a VNF has no trustworthy clock of its own.
• LI relies on accurate time for correlation and evidential integrity.
• Time of what? And where? Large VNFs may be spread over multiple hosts and locations.
• New solutions required: NFV SEC 016 Report on location, timestamping of VNFs.
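The slide above and the confidentiality/integrity question on the NFV Security Considerations slide (can you stand over a record from an instance that existed for 15 seconds, a year later?) are two sides of one problem: a VNF's own clock is not evidence, and the instance that produced the record is gone long before anyone checks it. The Python below is an added illustration of one way to address that; it is not ETSI text and not Vodafone code. Each LI event record carries both the VNF's local clock reading and a reference time stamped by a trusted source outside the VNF (assumed here to be a host PTP clock), records are hash-chained and MACed with a key that is assumed to live with the LI function rather than inside the VNF, and the verifier checks the chain, the MACs and the VNF-versus-reference skew. The field names, the one-second tolerance, the key and the sample events are all constructed for this example.

```python
"""Tamper-evident, time-anchored LI records for short-lived VNF instances.

Added example for illustration only: not ETSI text and not Vodafone code.
Field names, MAX_SKEW, KEY and the sample events are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=1)            # assumed tolerance, VNF clock vs reference
KEY = b"example-key-held-by-LI-function"   # assumed: key held outside the VNF
GENESIS = "0" * 64                         # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, prev_digest: str, key: bytes) -> dict:
    """Chain the record to its predecessor and MAC it.

    `record` must carry `vnf_time` (the VNF's own clock) and `ref_time`
    (stamped by the trusted source) so skew can be checked after the
    instance has been torn down.
    """
    body = dict(record, prev=prev_digest)
    digest = hashlib.sha256(canonical(body)).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return dict(body, digest=digest, mac=mac)


def verify_chain(records: list, key: bytes) -> list:
    """Return [(index, problem), ...]; an empty list means the chain stands."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("digest", "mac")}
        if body.get("prev") != prev:
            problems.append((i, "chain broken"))
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != rec.get("digest"):
            problems.append((i, "digest mismatch"))
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            problems.append((i, "bad MAC"))
        skew = abs(datetime.fromisoformat(body["vnf_time"])
                   - datetime.fromisoformat(body["ref_time"]))
        if skew > MAX_SKEW:
            problems.append((i, "clock skew"))
        prev = rec.get("digest", digest)   # next record must point at the stored digest
    return problems


def build_chain(events: list, key: bytes = KEY) -> list:
    """Seal a list of (vnf_id, host, event, ref_time, vnf_drift_seconds) tuples."""
    chain, prev = [], GENESIS
    for vnf_id, host, event, ref, drift in events:
        rec = {
            "vnf_id": vnf_id,
            "host": host,                  # where the instance actually ran
            "event": event,
            "ref_source": "host-PTP",      # assumed trusted time source
            "ref_time": ref.isoformat(),
            "vnf_time": (ref + timedelta(seconds=drift)).isoformat(),
        }
        sealed = seal_record(rec, prev, key)
        chain.append(sealed)
        prev = sealed["digest"]
    return chain


# Constructed sample: a VNF instance that lived for 15 seconds.
T0 = datetime(2018, 2, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("vEPC-7f3a", "DC-LON-1/host42", "intercept-start", T0, 0.2),
    ("vEPC-7f3a", "DC-LON-1/host42", "packet-summary", T0 + timedelta(seconds=5), 0.3),
    ("vEPC-7f3a", "DC-LON-1/host42", "intercept-stop", T0 + timedelta(seconds=15), 0.4),
]


def demo_tamper() -> list:
    """Relocate one record after the fact: its digest and MAC no longer match."""
    chain = [dict(r) for r in build_chain(SAMPLE_EVENTS)]
    chain[1]["host"] = "DC-XX-9/host1"
    return verify_chain(chain, KEY)


def demo_skew() -> list:
    """A VNF clock 40 s adrift from the reference is flagged rather than trusted."""
    chain = build_chain([("vCPE-01", "DC-LON-1/host7", "intercept-start", T0, 40.0)])
    return verify_chain(chain, KEY)


if __name__ == "__main__":
    print("good chain:", verify_chain(build_chain(SAMPLE_EVENTS), KEY))
    print("tampered:  ", demo_tamper())
    print("skewed:    ", demo_skew())
```

The design choice worth noting is that the reference time and the host identity are written into the record at creation and sealed with the chain, so the "where" and "when" of a 15-second instance survive its teardown; a record whose VNF clock disagrees with the reference by more than the tolerance is kept but flagged, because silently correcting it would destroy exactly the evidence an LI reviewer needs.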

Regulation, or lack of...
• Can your national law handle a service provided by multiple vertical and horizontal operators? E.g. hardware, hosting, platform, infrastructure, access service, communications service?
• Can national law force a "service" to be nationally localised? Cross-border LI/CD?
• Who is responsible for correlation?
• Who is responsible for data retention? Retention of what?
• Do LI / CD security rules cover virtualisation of services and combination with untrusted service functions?

Do ask questions!
Contact Details: gerald.mcquaid@Vodafone.com
Thank you