SlideShare a Scribd company logo

IEEE NFV-SDN 2017 - On the establishment of trust in the cloud-based ETSI NFV framework

Marco De Benedictis
Marco De Benedictis

Presentation at the IEEE Security Workshop in NFV/SDN, held in conjunction with the IEEE NFV-SDN 2017 conference in Berlin (Germany), 6-8 November 2017

Engineering
1 of 18
Download to read offline
On the establishment of trust in the cloud-based ETSI NFV framework IEEE NFV-SDN 2017 – SN workshop November 6th 2017, Berlin
Authors  Marco De Benedictis PhD Student  Antonio Lioy Full Professor  Politecnico di Torino university in Italy TORSEC “Computer and Network Security Group” 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 2
Outline 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 3 ETSI standardisation on NFV security and trust An architectural proposal for assessing trust in a NFV cloud environment SHIELD project: leveraging big-data analytics for flexible security and trust in NFV Open issues and next steps Questions & Answers
 Modern ICT infrastructures are evolving because of cloud computing flexible networking heterogenous end-users  High degree of virtualisation increases the attack surface Introduction 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 4 Software Defined NetworkingHW Host OS hypervisor VM VM Network Function Virtualisation
NFV Trust of Virtual Network Functions (VNFs) Privacy of multi-tenant cloud ISP infrastructure Security as a Service The focus on NFV security and trust 06/11/2017 5
 ETSI Industry Specification Group founded in November 2012  Defining the requirements and architecture for the NFV  Over 60 publications up to this point  2-year phases NFV Release 3 under way (2017-2018)  NFV SEC Working Group focuses on security in NFV analyse threats to security in virtualized environments identify and specify best practices in security in NFV investigate security enhancements for NFV NFV standardisation activities 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 6
 Trust in a Virtual Network Function (VNF) derives from VNF package integrity and provenance data Hypervisor software integrity state VNF Components software integrity state  Image integrity check via digital signatures  Platform integrity verification? Trusted Computing as enabling technology ETSI standardisation on trust in NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 7 Cloud, NFV Are you ok? Can I trust you?
 Definition of Trustworthy Boot encompasses technologies and methods for validation and assurance of boot integrity Measured Boot Secure Boot Intel TBOOT  Trust Manager to extend the NFV MANO administrative domain centralised implementation of trust determination logic interface between different administrative domains and operators repository of trust around VNF packages and vendors ETSI standardisation on trust in NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 8
Trust assessment of the NFV infrastructure  Definition of an architecture to assess the trustworthiness of a NFV Infrastructure (NFVI) node, based on Trusted Computing  Remote Attestation workflow to attest the platform integrity against a whitelist of known- good values  Trusted Platform Module (TPM) device to authenticate an hardware platform and collect its measurements (e.g. BIOS, OS, hypervisor, applications) via Measured Boot 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework NFVI node Remote Attestation Server Platform measures TPM Whitelist database RA request 9
 NFV environments leverage cloud management systems physical resources shared among different tenants multi-tenancy raises privacy issues  Privacy may be addressed by VNF image encryption to ensure that VNF images cannot be accessed by non authorized users secure (and trusted) onboarding of a VNF via digital signature/encryption of VNF packages or images + Trusted Computing to ensure that the underlying NFV Infrastructure has not been manipulated Security of VNFs in the multi-tenant cloud NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 10
 Frameworks for attestation of cloud environments exist Intel OpenAttestation (now deprecated) Intel Open Cloud Integrity Technology  Based on Trusted Computing Intel Trusted Execution Technology (TXT)  Focus on integrity verification of compute nodes recent developments aim to extend trust to virtual instances  Available solutions are not (yet) tailored for NFV lifecycle management Cloud attestation solutions for NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 11
 Cloud attestation framework (Open CIT) as reference trust architecture  Integrity verification of NFVI  Trust Agent: collects measurements from the NFV infrastructure nodes  Attestation Server: initiates the RA workflow  Attestation Reporting Hub: exposes attestation results to third-parties  Secure and trusted onboarding of VNFs  Key Management Service: generates cryptographic keys  Trust Director: workflow manager 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework Extension of the NFV reference architecture 12
The SHIELD project 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 13
The SHIELD concept 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 14 Big Data Analytics Trusted Computing Network Function Virtualisation
The SHIELD architecture 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 15
 Prototype based on OpenAttestation framework  Attestation of a NFVI host based on CentOS 7 Whitelist of packages from distro repositories  Attestation of Docker-based vNSFs  Integrity Measurement Architecture (IMA) run-time attestation based on a security policy  measure all executed binaries and scripts  measure all open files (read-only) can detect misbehaviour in running NFVI nodes/vNSFs NFVI, vNSF attestation prototype 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 16
 Extension of Chain of Trust to VNFs based on different virtualisation techniques  Application of novel data protection techniques to secure communication between nodes of a NFV environment e.g. 802.1AE (MACsec) protocol for data link confidentiality and integrity  Integration of a cloud attestation technology with a reference NFV framework Open issues and next steps 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 17
Thank you marco.debenedictis@polito.it marcoxdebenedictis mrcdb

Recommended

Towards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationTowards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationAchim Friedland
 
When Cloud-Native Java meets Containers, Kubernetes and Istio
When Cloud-Native Java meets Containers, Kubernetes and IstioWhen Cloud-Native Java meets Containers, Kubernetes and Istio
When Cloud-Native Java meets Containers, Kubernetes and IstioYK Chang
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)PROIDEA
 
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...IJNSA Journal
 
Istio
IstioIstio
IstioDiego Pacheco
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internetRony Melo
 
Building Trustworthy Containers
Building Trustworthy ContainersBuilding Trustworthy Containers
Building Trustworthy ContainersSysdig
 
Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Peace Asukwo
 

Recommended

Towards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationTowards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationAchim Friedland
 
When Cloud-Native Java meets Containers, Kubernetes and Istio
When Cloud-Native Java meets Containers, Kubernetes and IstioWhen Cloud-Native Java meets Containers, Kubernetes and Istio
When Cloud-Native Java meets Containers, Kubernetes and IstioYK Chang
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)PROIDEA
 
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...IJNSA Journal
 
Istio
IstioIstio
IstioDiego Pacheco
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internetRony Melo
 
Building Trustworthy Containers
Building Trustworthy ContainersBuilding Trustworthy Containers
Building Trustworthy ContainersSysdig
 
Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Peace Asukwo
 
Cyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoCCyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoCJim Fritch
 
HPE Helion OpenStack Carrier Grade 2.0 Technical White Paper
HPE Helion OpenStack Carrier Grade 2.0 Technical White PaperHPE Helion OpenStack Carrier Grade 2.0 Technical White Paper
HPE Helion OpenStack Carrier Grade 2.0 Technical White PaperAmitabh Dey (OpenStack Evangelist+HP Helion MVP)
 
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...Indonesia Network Operators Group
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit kimw001
 
NFV and OpenStack
NFV and OpenStackNFV and OpenStack
NFV and OpenStackMarie-Paule Odini
 
Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1Leif Madsen
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignCisco Canada
 
VMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware
 
How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?Comarch
 
Demystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service AssuranceDemystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service AssuranceZenoss
 
Openstack meetup NFV
Openstack meetup NFV Openstack meetup NFV
Openstack meetup NFV Marie-Paule Odini
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAVirtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAAmmar Hasayen
 
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)SDNRG ITB
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overviewsidneel
 
Mitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsMitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsADVA
 
Unified VSS white paper
Unified VSS white paperUnified VSS white paper
Unified VSS white paperMonique DiCarlo
 
Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5PRAGMA PROGETTI
 
vCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE frameworkvCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE frameworkCloudify Community
 
XIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructuresXIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructuresFederico Michele Facca
 
NFV Open Source projects
NFV Open Source projectsNFV Open Source projects
NFV Open Source projectsMarie-Paule Odini
 
Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1T.D. Shashikala
 
Circuit Breakers for Engineering Students
Circuit Breakers for Engineering StudentsCircuit Breakers for Engineering Students
Circuit Breakers for Engineering Studentskannan348865
 

More Related Content

Similar to IEEE NFV-SDN 2017 - On the establishment of trust in the cloud-based ETSI NFV framework

Cyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoCCyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoCJim Fritch
 
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...Indonesia Network Operators Group
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit kimw001
 
Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1Leif Madsen
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignCisco Canada
 
VMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware
 
How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?Comarch
 
Demystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service AssuranceDemystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service AssuranceZenoss
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAVirtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAAmmar Hasayen
 
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)SDNRG ITB
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overviewsidneel
 
Mitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsMitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsADVA
 
Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5PRAGMA PROGETTI
 
vCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE frameworkvCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE frameworkCloudify Community
 
XIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructuresXIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructuresFederico Michele Facca
 

Similar to IEEE NFV-SDN 2017 - On the establishment of trust in the cloud-based ETSI NFV framework (20)

Cyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoCCyan CenturyLink D-NFV PoC
Cyan CenturyLink D-NFV PoC
 
HPE Helion OpenStack Carrier Grade 2.0 Technical White Paper
HPE Helion OpenStack Carrier Grade 2.0 Technical White PaperHPE Helion OpenStack Carrier Grade 2.0 Technical White Paper
HPE Helion OpenStack Carrier Grade 2.0 Technical White Paper
 
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
08 (IDNOG02) SP Transition to NG Infrastructure based on NFV Service Offering...
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
 
NFV and OpenStack
NFV and OpenStackNFV and OpenStack
NFV and OpenStack
 
Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1Asterisk as a Virtual Network Function Part 1
Asterisk as a Virtual Network Function Part 1
 
Hosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture DesignHosted Security as a Service - Solution Architecture Design
Hosted Security as a Service - Solution Architecture Design
 
VMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats New
 
How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?
 
Demystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service AssuranceDemystifying Network Function Virtualization (NFV) Service Assurance
Demystifying Network Function Virtualization (NFV) Service Assurance
 
Openstack meetup NFV
Openstack meetup NFV Openstack meetup NFV
Openstack meetup NFV
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRAVirtual Data Center VDC - Azure Cloud Reference Architecture CRA
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
 
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
Network Function Virtualization - Telkomsel Perspective (SDN NFV Day ITB 2016)
 
Network Function Virtualization : Overview
Network Function Virtualization : OverviewNetwork Function Virtualization : Overview
Network Function Virtualization : Overview
 
Mitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE SolutionsMitigating Security Risk in Practical vCPE Solutions
Mitigating Security Risk in Practical vCPE Solutions
 
Unified VSS white paper
Unified VSS white paperUnified VSS white paper
Unified VSS white paper
 
Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5
 
vCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE frameworkvCPE 2.0 – the business case for an open vCPE framework
vCPE 2.0 – the business case for an open vCPE framework
 
XIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructuresXIFI: how we did federate different FI infrastructures
XIFI: how we did federate different FI infrastructures
 
NFV Open Source projects
NFV Open Source projectsNFV Open Source projects
NFV Open Source projects
 

Recently uploaded

Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1T.D. Shashikala
 
Circuit Breakers for Engineering Students
Circuit Breakers for Engineering StudentsCircuit Breakers for Engineering Students
Circuit Breakers for Engineering Studentskannan348865
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..MaherOthman7
 
Artificial Intelligence in due diligence
Artificial Intelligence in due diligenceArtificial Intelligence in due diligence
Artificial Intelligence in due diligencemahaffeycheryld
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Ramkumar k
 
Artificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfArtificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfKira Dess
 
Software Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfSoftware Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfssuser5c9d4b1
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdfAlexander Litvinenko
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsMathias Magdowski
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfJNTUA
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxMustafa Ahmed
 
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and ToolsMaximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Toolssoginsider
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualBalamuruganV28
 
What is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsWhat is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsVIEW
 
Working Principle of Echo Sounder and Doppler Effect.pdf
Working Principle of Echo Sounder and Doppler Effect.pdfWorking Principle of Echo Sounder and Doppler Effect.pdf
Working Principle of Echo Sounder and Doppler Effect.pdfSkNahidulIslamShrabo
 
21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological universityMohd Saifudeen
 
The Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxThe Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxMANASINANDKISHORDEOR
 
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...Amil baba
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxCHAIRMAN M
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdfKamal Acharya
 

Recently uploaded (20)

Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1
 
Circuit Breakers for Engineering Students
Circuit Breakers for Engineering StudentsCircuit Breakers for Engineering Students
Circuit Breakers for Engineering Students
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..
 
Artificial Intelligence in due diligence
Artificial Intelligence in due diligenceArtificial Intelligence in due diligence
Artificial Intelligence in due diligence
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
Artificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdfArtificial intelligence presentation2-171219131633.pdf
Artificial intelligence presentation2-171219131633.pdf
 
Software Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdfSoftware Engineering Practical File Front Pages.pdf
Software Engineering Practical File Front Pages.pdf
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility Applications
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptx
 
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and ToolsMaximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
Maximizing Incident Investigation Efficacy in Oil & Gas: Techniques and Tools
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
 
What is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, FunctionsWhat is Coordinate Measuring Machine? CMM Types, Features, Functions
What is Coordinate Measuring Machine? CMM Types, Features, Functions
 
Working Principle of Echo Sounder and Doppler Effect.pdf
Working Principle of Echo Sounder and Doppler Effect.pdfWorking Principle of Echo Sounder and Doppler Effect.pdf
Working Principle of Echo Sounder and Doppler Effect.pdf
 
21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university21scheme vtu syllabus of visveraya technological university
21scheme vtu syllabus of visveraya technological university
 
The Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptxThe Entity-Relationship Model(ER Diagram).pptx
The Entity-Relationship Model(ER Diagram).pptx
 
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...
NO1 Best Powerful Vashikaran Specialist Baba Vashikaran Specialist For Love V...
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdf
 

IEEE NFV-SDN 2017 - On the establishment of trust in the cloud-based ETSI NFV framework

  • 1. On the establishment of trust in the cloud-based ETSI NFV framework IEEE NFV-SDN 2017 – SN workshop November 6th 2017, Berlin
  • 2. Authors  Marco De Benedictis PhD Student  Antonio Lioy Full Professor  Politecnico di Torino university in Italy TORSEC “Computer and Network Security Group” 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 2
  • 3. Outline 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 3 ETSI standardisation on NFV security and trust An architectural proposal for assessing trust in a NFV cloud environment SHIELD project: leveraging big-data analytics for flexible security and trust in NFV Open issues and next steps Questions & Answers
  • 4.  Modern ICT infrastructures are evolving because of cloud computing flexible networking heterogenous end-users  High degree of virtualisation increases the attack surface Introduction 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 4 Software Defined NetworkingHW Host OS hypervisor VM VM Network Function Virtualisation
  • 5. NFV Trust of Virtual Network Functions (VNFs) Privacy of multi-tenant cloud ISP infrastructure Security as a Service The focus on NFV security and trust 06/11/2017 5
  • 6.  ETSI Industry Specification Group founded in November 2012  Defining the requirements and architecture for the NFV  Over 60 publications up to this point  2-year phases NFV Release 3 under way (2017-2018)  NFV SEC Working Group focuses on security in NFV analyse threats to security in virtualized environments identify and specify best practices in security in NFV investigate security enhancements for NFV NFV standardisation activities 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 6
  • 7.  Trust in a Virtual Network Function (VNF) derives from VNF package integrity and provenance data Hypervisor software integrity state VNF Components software integrity state  Image integrity check via digital signatures  Platform integrity verification? Trusted Computing as enabling technology ETSI standardisation on trust in NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 7 Cloud, NFV Are you ok? Can I trust you?
  • 8.  Definition of Trustworthy Boot encompasses technologies and methods for validation and assurance of boot integrity Measured Boot Secure Boot Intel TBOOT  Trust Manager to extend the NFV MANO administrative domain centralised implementation of trust determination logic interface between different administrative domains and operators repository of trust around VNF packages and vendors ETSI standardisation on trust in NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 8
  • 9. Trust assessment of the NFV infrastructure  Definition of an architecture to assess the trustworthiness of a NFV Infrastructure (NFVI) node, based on Trusted Computing  Remote Attestation workflow to attest the platform integrity against a whitelist of known- good values  Trusted Platform Module (TPM) device to authenticate an hardware platform and collect its measurements (e.g. BIOS, OS, hypervisor, applications) via Measured Boot 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework NFVI node Remote Attestation Server Platform measures TPM Whitelist database RA request 9
  • 10.  NFV environments leverage cloud management systems physical resources shared among different tenants multi-tenancy raises privacy issues  Privacy may be addressed by VNF image encryption to ensure that VNF images cannot be accessed by non authorized users secure (and trusted) onboarding of a VNF via digital signature/encryption of VNF packages or images + Trusted Computing to ensure that the underlying NFV Infrastructure has not been manipulated Security of VNFs in the multi-tenant cloud NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 10
  • 11.  Frameworks for attestation of cloud environments exist Intel OpenAttestation (now deprecated) Intel Open Cloud Integrity Technology  Based on Trusted Computing Intel Trusted Execution Technology (TXT)  Focus on integrity verification of compute nodes recent developments aim to extend trust to virtual instances  Available solutions are not (yet) tailored for NFV lifecycle management Cloud attestation solutions for NFV 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 11
  • 12.  Cloud attestation framework (Open CIT) as reference trust architecture  Integrity verification of NFVI  Trust Agent: collects measurements from the NFV infrastructure nodes  Attestation Server: initiates the RA workflow  Attestation Reporting Hub: exposes attestation results to third-parties  Secure and trusted onboarding of VNFs  Key Management Service: generates cryptographic keys  Trust Director: workflow manager 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework Extension of the NFV reference architecture 12
  • 13. The SHIELD project 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 13
  • 14. The SHIELD concept 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 14 Big Data Analytics Trusted Computing Network Function Virtualisation
  • 15. The SHIELD architecture 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 15
  • 16.  Prototype based on OpenAttestation framework  Attestation of a NFVI host based on CentOS 7 Whitelist of packages from distro repositories  Attestation of Docker-based vNSFs  Integrity Measurement Architecture (IMA) run-time attestation based on a security policy  measure all executed binaries and scripts  measure all open files (read-only) can detect misbehaviour in running NFVI nodes/vNSFs NFVI, vNSF attestation prototype 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 16
  • 17.  Extension of Chain of Trust to VNFs based on different virtualisation techniques  Application of novel data protection techniques to secure communication between nodes of a NFV environment e.g. 802.1AE (MACsec) protocol for data link confidentiality and integrity  Integration of a cloud attestation technology with a reference NFV framework Open issues and next steps 06/11/2017On the establishment of trust in the cloud-based ETSI NFV framework 17