NFV Update Vienna, February 2018

Presentation on theme: "NFV Update Vienna, February 2018"— Presentation transcript:

1 NFV Update Vienna, February 2018
GMCQ – Vodafone National Security Obligations and Chair ETSI TC LI
© ETSI 2017 All rights reserved

2 NFV
ETSI ISG NFV established in 2012
White Papers Goals:
• Reduced operator CAPEX and OPEX through reduced equipment costs and reduced power consumption
• Ensure interworking with existing architectures and physical implementations
• Reduced time-to-market to deploy new network services
• Improved return on investment from new services
• Greater flexibility to scale up, scale down or evolve services
• Openness to the virtual appliance market and pure software entrants
• Opportunities to trial and deploy new innovative services at lower risk

3 LI Cross-Standards Body Landscape
Diagram (image not recoverable): a Holistic (Standards) View beside an NFV Stack view, with the 3GPP/TC LI realm (IMS: X-CSCF, MGCF, MGW, etc.) and the NFV ISG realm (VNFs, MANO, (Virtual) Infrastructure, NFVI, HW, Sec Ctrl, LI RoT).
Across all views, a complete and correct LI solution contains a full vertical coupling across the red boxes.

4 Key Reading
• NFV SEC 011 Report on NFV LI Architecture: details the LI changes and potential solutions.
• NFV SEC 012 Security Management and Monitoring for NFV: details requirements needed for support of LI and other critical components. Many of these cannot fully be met by current technology.
• NFV SEC 013 Security monitoring service, architecture and functionality: shares many common requirements with LI. Difficult to make LI invisible to security monitoring.
• NFV SEC 016 Secure time sources in a virtual environment

5 The Basic Issue: Why Aren’t Compute Devices Trustworthy?
Diagram (image not recoverable; labels: App, Malicious App, Info Attack, Bad Code, Privileged Code, Privileged Code attack, X, OK).
• Protected Mode (rings) protects the OS from apps … and apps from each other …
• … UNTIL a malicious app OR admin exploits a flaw to gain full privileges and then tampers with the OS or other apps
• These flaws may be operational, not technical!
• Rings worked well before the internet: platform owner and app developers were aligned; code was not downloaded from unknown sources
• Need additional protection from unknown sources which are not aligned with the platform owner on program behavior
• Apps not protected from privileged code attacks

6 Protection from what? VM attacks
Diagram (image not recoverable) of the NFV stack: NFVI (Network Function Virtualisation Infrastructure); VIM (e.g. OpenStack, CloudStack); NFV Management and Orchestration (MANO), sometimes called the Cloud Management System (CMS); Telco Service Layer (e.g. vCPE, vEPC, SIP).
VMs may be:
• Malicious (less likely)
• Ill-behaved (fairly likely, and probably unintentional)
• Compromised (very likely)

7 Protection from what? Host attacks
Diagram (image not recoverable) of the same NFV stack as slide 6: NFVI (Network Function Virtualisation Infrastructure); VIM (e.g. OpenStack, CloudStack); NFV Management and Orchestration (MANO), sometimes called the Cloud Management System (CMS); Telco Service Layer (e.g. vCPE, vEPC, SIP).
From the host: most concerning, most difficult to manage.

8 Back to Basics Summary
• Entire core network implemented in a common cloud data centre blade architecture. May be operator owned hardware; could use Amazon or Google Cloud resources.
• Virtualised Network Elements share common resources which can be reallocated dynamically depending on network load.
• Multi Vendor
• With or Without SDN
• Virtualised Network Elements can move between data centre blade computing resources dynamically.
• Additional virtualised network elements can be created, paused or terminated depending on network load conditions.

9 What does this mean for LI?
• More difficult to locate or identify target traffic
• On-Switch / Function: “easiest approach”
• Off-platform DPI extremely difficult: can’t attach physical crocodile clips to virtual connections; inter-VM encryption as standard.
• On-platform DPI: security problems and limited compute resources; may require proprietary implementation.
• Hybrid DPI (On & Off mix)
• Traditional LI security wrap doesn’t work in a virtualised network: the hypervisor has access to all
• New LI attack and detectability threats
• All of the network is in one virtual location: dark fibre VPN egress not viable

10 NFV Security Considerations
Input: The transition of traditional hardware based services to software based “virtualised functions”. Increased flexibility, less expensive.
Security is baked in? Not yet. No vendor is currently mature in their NFV offer, and ETSI standards are still being finalised.
NFV Impact: Potentially, NFV greatly increases the impact of any event. Older equipment may not be more secure – but harder to exploit. IT and Telco security are not the same thing.
Specifics:
• Location. Where is the NFV instance? Can we maintain LI capability at that location (legally)? Are we sure it is in the UK and not in China?
• Confidentiality / Integrity. The hypervisor manager can compromise the system. Can you stand over the record generated in an NFV instance one year ago (that existed for 15 seconds)?
• Availability. Increased susceptibility to a common mode failure.
What can be done?
• Ask the right questions of your vendors (see guidance notes)
• Delay the use of NFV where sensitive functions are required (e.g. LI)
• Regulators should ensure they really understand the issues, now.

11 NFV

12 Telling the time…
• Virtual Functions can’t tell the time.
• LI relies on accurate time for correlation and evidential integrity.
• Time of What? and Where? Large VNFs may be spread over multiple hosts and locations.
• New solutions required: NFV 016 Report on location, timestamping of VNFs
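Added example, not from the slides or from ETSI: a Python sketch of the correlation problem this slide raises, assuming each host's clock offset against a trusted time source has been measured with a known error bound (the host names, offsets and event records are constructed).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: each host's measured clock offset (seconds) against a
# trusted reference and the error bound on that measurement. A secure time
# source of the kind NFV SEC 016 discusses is what would supply these.
HOST_CLOCKS = {
    "host-a": {"offset": 0.004, "uncertainty": 0.001},   # well disciplined
    "host-b": {"offset": -1.250, "uncertainty": 0.500},  # drifting host
}

@dataclass
class LIEvent:
    event_id: str
    host: str        # where the VNF component ran (the "Where?")
    local_ts: float  # timestamp as that host saw it (the "Time of what?")
    detail: str

def normalise(ev: LIEvent) -> tuple[float, float]:
    """Map a host-local timestamp to an interval of trusted reference time."""
    clk = HOST_CLOCKS[ev.host]
    t = ev.local_ts - clk["offset"]
    return (t - clk["uncertainty"], t + clk["uncertainty"])

def order(a: LIEvent, b: LIEvent) -> Optional[str]:
    """Return the event_id that provably happened first, or None when the
    clock uncertainty makes the order unprovable. A None is a correlation
    gap that must be recorded as such, not resolved by guessing."""
    lo_a, hi_a = normalise(a)
    lo_b, hi_b = normalise(b)
    if hi_a < lo_b:
        return a.event_id
    if hi_b < lo_a:
        return b.event_id
    return None

def correlate(events: list[LIEvent]) -> list[tuple[str, str, Optional[str]]]:
    """Pairwise ordering verdicts for all events of one intercept."""
    return [(a.event_id, b.event_id, order(a, b))
            for i, a in enumerate(events) for b in events[i + 1:]]

if __name__ == "__main__":
    # Constructed sample: a signalling VNF on host-a, a media VNF on host-b
    evs = [LIEvent("e1", "host-a", 1000.000, "SIP INVITE"),
           LIEvent("e2", "host-b", 998.900, "RTP start"),
           LIEvent("e3", "host-b", 1003.000, "SIP BYE")]
    for first_id, second_id, verdict in correlate(evs):
        print(first_id, second_id, "provably first:", verdict)
```

With the sample values the INVITE on the well-disciplined host and the RTP start on the drifting host cannot be ordered at all, while both can be placed before the BYE; that is the evidential gap a VNF without a trustworthy clock produces.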

13 Regulation, or lack of…
• Can your national law handle a service provided by multiple vertical and horizontal operators? E.g. Hardware, Hosting, Platform, Infrastructure, Access Service, Communications Service?
• Can national law force a “service” to be nationally localised?
• Cross border LI/CD?
• Who is responsible for correlation?
• Who is responsible for data retention? Retention of what?
• Do LI / CD security rules cover virtualisation of services and combination with untrusted service functions?

14 Contact Details
Do ask questions!
Contact: gerald.mcquaid@Vodafone.com
Thank you
