Developments in the ETSI NFV Security Expert Group
Igor Faynberg, ETSI NFV SEC Expert Group Convener
July 23, 2014
Outline
 ETSI NFV SEC EG history, objectives, and a charter
 Current state of deliverables
 New factors
• Lawful intercept
• Proof-of-concept (VNF router and DDOS)
 Items in the work
2
All Rights Reserved © Alcatel-Lucent 2014
ETSI NFV Security Expert Group
 Was created with the objective of advising all working groups rather than having work items of its own (but that has changed!)
 Started
• with three experts at the onset of the NFV;
• no communications beyond e-mail exchange
 Presently
• grown to a steady 14 active participants from 8 companies (200 on the list, 25 at F2F meetings);
• holding regular bi-weekly meetings;
• receiving a steady stream of contributions
Deliverables
 Security consideration sections for documents in INF, SWA, and MANO
 Three work items are in progress
• Problem statement (Rapporteur: Bob Briscoe, BT)
 chartered in April 2013 (now approved by EG)
 aims to
 identify new areas of concern specific to NFV
 Prepare standardization plan
• OpenStack security (Rapporteur: Hui-Lan Lu, ALU)
 chartered in February 2014
 aims to identify security features, best practices, and gaps in OpenStack software
• Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel and Kurt Roemer,
Citrix)
 Chartered in February 2014 (now approved by EG)
 aims to provide guidance in NFV-specific areas
 Two unofficial work items under development (Certificate Management and Access Monitoring)
Charter summaries
 DGS/NFV-SEC001: Network Functions Virtualisation (NFV); NFV Security; Problem Statement
• Define NFV sufficiently to understand its security impact
• Provide a reference list of deployment scenarios
• Identify new security vulnerabilities resulting from NFV
• Identify candidate NFV working groups responsible for addressing each vulnerability
 DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing
security features in management software relevant to NFV
• Catalogue security features in management software relevant to NFV: modules that provide
security services (such as authentication, authorization, confidentiality, integrity protection,
logging, and auditing) with the full graphs of their respective dependencies down to the modules
that implement cryptographic protocols and algorithms.
• Recommend options that are appropriate for NFV deployment
 DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security, Security and
Trust Guidance
• Define areas of consideration where security and trust technologies, practices and processes have
different requirements than non-NFV systems and operations.
• Supply guidance for the environment that supports and interfaces with NFV systems and
operations.
Problems identified in the Security Problem Statement
 Topology Validation and Enforcement
 Availability of Management Support Infrastructure
 Secured Boot
 Secure Crash
 Performance Isolation
 User/Tenant Authentication, Authorization, and Accounting
 Authenticated Time Service
 Private Keys within Cloned Images
 Back-doors via Virtualized Test and Monitoring Functions
 Multi-Administrator Isolation
 Security monitoring across multiple administrative domains (i.e., lawful interception)
Stable draft is publicly available at http://docbox.etsi.org/ISG/NFV/Open/
OpenStack Security
 Motivation
• Safe application of OpenStack in NFV
• Gaps identification
• Export control of cryptographic software
• Compliance with procurement processes
• Follow-up on alerts from US-CERT and other similar organizations
• Determination of the relevant elements for security analytics
 Functional aspects
• Identity and access management
• Communication security
• Stored data security
• Firewalling, zoning, and topology hiding
• Availability
• Logging and monitoring
Lawful Intercept (new!)
 The primary source: COM 96/C329/01 on Lawful Interception adopted
on the 17th January 1995 by the EU Council of Ministers.
 Further requirements: EU Privacy Directive (EC 2002/58/EC).
 NFV-specific problems:
• Hypervisor introspection makes undetectability of “virtual” taps impossible
• Ditto for data retention
 One solution: Physical zoning
Key Lawful Intercept Requirements
Undetectability
 Target and correspondents cannot detect interception
 Unauthorized personnel cannot detect interception
Accountability
 Only communication pertaining to the target is intercepted
 Intercepted communication is available only to authorized personnel
 LI measures are accessible only to authorized personnel
 Consistency of interception can be checked
 Activation, change, and de-activation are fully logged
 Logs are tamper-proof and accessible only to authorized personnel
Confidentiality
 It is possible to encrypt all sensitive information (at rest and in motion)
Decipherability
 Intercepted communication, if encrypted, is delivered in decrypted form or with
available encryption keys
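The accountability requirements above (activation, change and de-activation fully logged; logs tamper-proof and readable only by authorized personnel; consistency of interception checkable) can be enforced mechanically by the platform. The following is an added Python example, not code from the ETSI NFV SEC group or from this presentation: an append-only, HMAC-chained audit log in which every entry commits to its predecessor, reads and writes require an authorized principal, and `consistent_with()` compares the intercepts the log says were ordered with the taps the virtualised platform reports as running. The key `LOG_KEY`, the `LIEvent` fields, the warrant identifiers and the principal names are all constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Set

# Assumption (constructed, not from the ETSI text): the logging function holds an
# HMAC key that tap operators never see, so they cannot forge or re-chain entries.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64
ACTIONS = ("activate", "change", "deactivate")


@dataclass(frozen=True)
class LIEvent:
    seq: int
    action: str        # one of ACTIONS
    warrant_id: str    # the legal authorization this entry refers to
    target_ref: str    # opaque handle for the target, never the identity itself
    operator: str      # authenticated principal who performed the action
    prev_tag: str      # tag of the previous entry (hash chain)
    tag: str           # HMAC over all fields above


def _tag(seq, action, warrant_id, target_ref, operator, prev_tag) -> str:
    payload = json.dumps([seq, action, warrant_id, target_ref, operator, prev_tag],
                         separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


class LIAuditLog:
    """Append-only, HMAC-chained record of LI activation / change / de-activation."""

    def __init__(self, authorized: Set[str]):
        self.authorized = set(authorized)
        self.events: List[LIEvent] = []

    def record(self, action: str, warrant_id: str, target_ref: str, operator: str) -> LIEvent:
        # LI measures are accessible only to authorized personnel.
        if operator not in self.authorized:
            raise PermissionError(f"{operator} may not manage LI measures")
        if action not in ACTIONS:
            raise ValueError(f"unknown LI action {action!r}")
        seq = len(self.events)
        prev_tag = self.events[-1].tag if self.events else GENESIS
        ev = LIEvent(seq, action, warrant_id, target_ref, operator, prev_tag,
                     _tag(seq, action, warrant_id, target_ref, operator, prev_tag))
        self.events.append(ev)
        return ev

    def read(self, reader: str) -> List[LIEvent]:
        # Logs are accessible only to authorized personnel.
        if reader not in self.authorized:
            raise PermissionError(f"{reader} may not read LI logs")
        return list(self.events)

    def verify(self) -> bool:
        """True only if every entry is intact and chained to its predecessor."""
        prev_tag = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_tag != prev_tag:
                return False
            expected = _tag(ev.seq, ev.action, ev.warrant_id, ev.target_ref,
                            ev.operator, ev.prev_tag)
            if not hmac.compare_digest(ev.tag, expected):
                return False
            prev_tag = ev.tag
        return True

    def active_warrants(self) -> Set[str]:
        """Replay the log to learn which intercepts should be active right now."""
        active: Set[str] = set()
        for ev in self.events:
            if ev.action == "activate":
                active.add(ev.warrant_id)
            elif ev.action == "deactivate":
                active.discard(ev.warrant_id)
        return active

    def consistent_with(self, taps_reported_by_platform: Set[str]) -> bool:
        """Consistency check: the taps the platform says are running must match
        exactly what the intact log says was ordered."""
        return self.verify() and self.active_warrants() == set(taps_reported_by_platform)


def demo():
    """Build a small log, then simulate in-place tampering with a stored entry."""
    log = LIAuditLog(authorized={"li-admin-1"})
    log.record("activate", "W-2014-001", "tgt-7f3a", "li-admin-1")
    log.record("change", "W-2014-001", "tgt-7f3a", "li-admin-1")
    log.record("activate", "W-2014-002", "tgt-91c0", "li-admin-1")
    log.record("deactivate", "W-2014-001", "tgt-7f3a", "li-admin-1")
    ok_before = log.verify()
    log.events[2] = replace(log.events[2], warrant_id="W-2014-999")  # tamper
    return ok_before, log.verify(), log.active_warrants()


if __name__ == "__main__":
    print(demo())  # (True, False, {'W-2014-999'})
```

The chain by itself only detects modification; the HMAC key is what stops a tamperer from simply re-computing the tags, so in a real deployment that key (or a signing key) would live with the audit function, not with the operators whose actions it records.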
Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)
 Overall PoC Project Completion Status: In progress, to be completed by end of June 2014
 Key Milestone: Report with detailed performance characterization of
the following aspects
• Additional latency due to DDoS detection block as a function of throughput
• DDoS attack detection time as a function of throughput and number of
legitimate flows in the system
• Additional latency due to DDoS mitigation action block (QoS action such as
re-mark) as a function of throughput
In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent)
• Help operators keep track of network use and subscriber dynamics.
• Detect anomalies: malware or DDOS attacks
Correlated analytics for the information in the form of subscriber’s IP address, IMSI, end user device, application, location, and bandwidth consumed by the application.
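One concrete form the correlation step can take, as an added Python example (not code from the Access Monitoring proposal or its authors): per-flow rows carrying the fields the proposal names are joined on (IMSI, application), each subscriber's own early slots form a baseline, and a later slot is flagged only when it is both several times that baseline and above an absolute floor, so a subscriber with a tiny normal footprint cannot be flagged by noise. The sample records, thresholds and field names are constructed assumptions; a subscriber with too little history is skipped rather than guessed at.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample records (not from the page): one row per subscriber,
# application and one-minute slot, carrying the fields the proposal lists.
RECORDS = [
    # IMSI ...001 streams video at a steady ~40 MB/min: normal behaviour.
    {"imsi": "001010000000001", "ip": "10.0.0.11", "device": "handset-A",
     "app": "video", "loc": "cell-17", "slot": s, "bytes": b}
    for s, b in enumerate([40_000_000, 45_000_000, 42_000_000,
                           44_000_000, 41_000_000, 43_000_000])
] + [
    # IMSI ...002 does a few KB/min of DNS, then 5 MB in a single minute.
    {"imsi": "001010000000002", "ip": "10.0.0.12", "device": "handset-B",
     "app": "dns", "loc": "cell-03", "slot": s, "bytes": b}
    for s, b in enumerate([20_000, 25_000, 22_000, 30_000, 5_000_000, 24_000])
] + [
    # IMSI ...003 has only two slots of history: not enough for a baseline.
    {"imsi": "001010000000003", "ip": "10.0.0.13", "device": "handset-C",
     "app": "web", "loc": "cell-17", "slot": s, "bytes": b}
    for s, b in enumerate([300_000, 9_000_000])
]

Key = Tuple[str, str]


def correlate(records: List[dict]) -> Dict[Key, List[dict]]:
    """Join the per-flow rows on (IMSI, application) and order each series in time."""
    by_key: Dict[Key, List[dict]] = defaultdict(list)
    for r in records:
        by_key[(r["imsi"], r["app"])].append(r)
    for rows in by_key.values():
        rows.sort(key=lambda r: r["slot"])
    return by_key


def detect_anomalies(records: List[dict], warmup_slots: int = 3,
                     factor: float = 5.0, min_bytes: int = 1_000_000) -> List[dict]:
    """Flag slots whose volume is both `factor` times the subscriber's own baseline
    (median of the first `warmup_slots` slots) and at least `min_bytes`."""
    findings: List[dict] = []
    for (imsi, app), rows in correlate(records).items():
        warmup = [r["bytes"] for r in rows[:warmup_slots]]
        if len(warmup) < warmup_slots:
            continue  # too little history to say anything about this subscriber
        baseline = median(warmup)
        for r in rows[warmup_slots:]:
            if r["bytes"] >= min_bytes and r["bytes"] > factor * baseline:
                findings.append({
                    "imsi": imsi, "app": app, "slot": r["slot"],
                    "ip": r["ip"], "device": r["device"], "loc": r["loc"],
                    "bytes": r["bytes"], "baseline": baseline,
                })
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(RECORDS):
        print(f)  # one finding: IMSI ...002, app dns, slot 4, 5 MB vs 22 KB baseline
```

Carrying IP address, device and location through into each finding is what lets an operator pivot from the flagged flow to the subscriber's other traffic, which is the point of correlating the sources rather than alerting on each in isolation.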
Certificate Management in the NFV Environment Proposal (Huawei)
 Provide guidance for NFV certificate deployment.
 Describe specific use cases, the threats and the requirements for the NFV scenario
 Specify the trust validation mechanism applied for VM (Virtual Machine) and Virtualized Network Function (VNF).