Securing NFV and SDN
Integrated OpenStack Cloud
Challenges and Solutions
Sridhar Pothuganti
Trinath Somanchi
INDIA
Session Outline
• SDN and NFV – Complementing the cloud.
• Threat Analysis.
• Solving Security challenges.
• Security Hardened NFV and SDN integrated OpenStack Cloud.
• OPNFV Security Initiatives.
• OpenStack Security Initiatives.
• NXP Security Platform.
• Security check list.
• Security Recommendations.
Complementing the Cloud
Reference: https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-sdn-nvf-solution.pdf
SDN Architecture:
• Logically centralized intelligence.
• Programmability.
• Abstraction.
NFV Architecture:
• Virtualized Network Functions.
• COTS NFVI.
• Logically distributed management.
Figure (from the ONF solution brief referenced above): the SDN stack of Application Layer (apps over an open northbound API), componentized Control Layer (open southbound API) and Infrastructure Layer, set beside the NFV view in which network functions and network services are delivered as VNFs through network function virtualization.
Threat Analysis
NFV – Threat Analysis
NFV Vulnerabilities and Weaknesses
NFVI
• Vulnerabilities: shared resources; insecure interfaces; improper control and monitoring; design flaws; improper security enforcement.
• Attacks: conventional attacks (DoS/DDoS); manipulation of the VM OS; data destruction; hypervisor-level attacks; hardware attacks.
VNF
• Vulnerabilities (inside): software crashes; software design flaws; software bugs.
• Vulnerabilities (outside): 3rd party networks; shared resources; multi-tenancy issues; noisy neighbor.
• Attacks: conventional attacks; control plane attacks.
MANO
• Vulnerabilities: inconsistent orchestration and management; insecure interfaces; data theft; compromised policies and isolation.
• Attacks: conventional attacks; orchestration and control plane attacks.
SDN – Threat Analysis
Planes and interfaces:
• Application Plane (AP) – business applications.
• North Bound Interfaces (NBI) – programmable open APIs.
• Control Plane (CP) – SDN Controller.
• South Bound Interfaces (SBI) – control and data plane programmable interface, e.g. OpenFlow.
• Data Plane (DP).
Threats:
• Unauthorized access to Controller and applications.
• Misconfiguration – SDN element failures.
• Malicious application threats via integrated 3rd party applications.
• Improper configuration of security policies.
• Insecure interfaces – API threats.
• Improper Controller configuration and bugs.
• Controller operating system vulnerabilities.
• OpenFlow vulnerabilities.
• Vulnerabilities in interconnected network elements.
• Conventional attacks (DoS/DDoS).
• Data leakage/theft.
• Account data leakage threat.
• TLS absence threat.
• Controller unavailability – DoS/DDoS.
Security Challenges
Figure: ETSI NFV reference architecture – OSS/BSS; EMS 1..n and VNF 1..n running on the NFVI (compute, storage and network virtualization over hardware, Vi-Ha); NFV MANO with Orchestrator, VNF Manager(s) and Virtualized Infrastructure Manager(s); service, VNF and infrastructure descriptions; reference points Vn-Nf, Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm and Nf-Vi.
NFV Infrastructure
> Attacks on the shared pool of resources,
> Hypervisor layer attacks,
> Vulnerabilities in virtualized entities.
VNF Layer
> DoS/DDoS attacks,
> Control plane attacks,
> Noisy neighbor,
> Attacks due to insecure interfaces, control and monitoring gaps,
> Different vendor NFV standards.
SDN Fabric
> Attacks on the forwarding plane,
> Flooding of the network,
> Weak ACL in control and management plane,
> Vulnerabilities in SDN resources.
NFV MANO
> Weak access control,
> Inefficient monitoring,
> Vulnerabilities in underlying layers.
OSS/BSS
> Vulnerabilities in underlying layers,
> Weak ACL and monitoring,
> DoS/DDoS attacks in the SDN fabric,
> Vulnerabilities due to deployed legacy systems.
Threat focus on NFV and SDN Cloud
Figure: telco cloud with Voice, BB and IPTV VNFs and their EMSs, VNF Manager, SDNC, OSS/BSS, NFV Orchestrator (network and service orchestration), VIM, IP Edge and DC Edge. Threat vectors marked on the figure:
• Attacks from VMs.
• Attacks on host, hypervisor and VM.
• DDoS/MiM/network traffic poisoning attacks.
• Attacks from remote/3rd party applications.
Building Comprehensive Security
• The TRUST domain.
• SDN Controller security.
• Security analytics.
• Virtual Security Functions (VSFs and ISFs).
• Role based access and identity management.
• MANO security.
• NFVI – hypervisor and physical layer security hardening.
• Secured interfaces – security automation.
Solving Security Challenges
Security Hardening - Approaches
• Architectural approaches
• ETSI NFV Security Management Framework
• Layered Approaches
• VNF Security
• MANO Security
• SDN Security
• VIM Security (OpenStack)
• NFVI Security
NFV Security Management Framework
• NFV Security Manager (NSM)
  • Overall security management.
  • Security policy planning, enforcement and validation.
• Security Element Manager (SEM)
  • EMS managing VSFs.
• Virtualized Security Function (VSF)
  • Logically coupled and de-coupled security for VNFs.
  • Network service centric deployment.
• NFVI based Security Functions (ISF)
  • Hypervisor based firewalls.
  • HSM and crypto accelerators.
• Physical Security Functions (PSF)
  • Out-of-scope PSFs, managed by SEMs.
Figure: the ETSI NFV reference architecture (OSS/BSS, EMS 1..n, VNF 1..n, NFVI with compute/storage/network virtualization, Orchestrator, VNF Manager(s), Virtualized Infrastructure Manager(s), and reference points Vi-Ha, Vn-Nf, Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi) extended with Physical Network Functions, the NFV Security Manager, Security EMs, VSFs and Infrastructure Security Functions.
VNF Security
VNF LCM Security Monitoring
• Vulnerability scanning at regular intervals.
• Patch management and version upgrades.
• Security wipe on termination of a VNF instance.
VNF Package Management – Onboarding
• Integrity checks: check whether the VNF package includes the expected components and whether they are free of tampering.
• Trust checks: check whether the VNF package consists of components from trusted vendors/suppliers.
In both cases, cryptographic signing and certificates can provide the assurance.
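As an added example (not code from the slides or from any NFV project), the following Go program implements the two on-boarding checks just described with an Ed25519-signed manifest: the trust check accepts only manifests signed by a vendor key in the operator's trust store, and the integrity check compares the SHA-256 digest of every listed component and rejects missing or extra files. The vendor name, file names and file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the expected components of a VNF package: file name -> hex SHA-256.
type Manifest struct {
	VNF        string            `json:"vnf"`
	Vendor     string            `json:"vendor"`
	Components map[string]string `json:"components"`
}

// SignedPackage is the on-boarding artefact: manifest, vendor signature, package files.
type SignedPackage struct {
	Manifest  Manifest
	Signature []byte
	Files     map[string][]byte
}

// TrustStore holds the signing public key of each vendor the operator trusts
// (in a real deployment these come from the vendors' certificates).
type TrustStore map[string]ed25519.PublicKey

// canonical encodes the manifest deterministically (encoding/json sorts map keys).
func canonical(m Manifest) ([]byte, error) { return json.Marshal(m) }

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewVendorKey generates a key pair standing in for a vendor's signing key.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildPackage is the vendor-side step (hypothetical helper): hash every
// component and sign the resulting manifest with the vendor's private key.
func BuildPackage(vnf, vendor string, files map[string][]byte, priv ed25519.PrivateKey) (SignedPackage, error) {
	m := Manifest{VNF: vnf, Vendor: vendor, Components: map[string]string{}}
	for name, data := range files {
		m.Components[name] = digest(data)
	}
	b, err := canonical(m)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Manifest: m, Signature: ed25519.Sign(priv, b), Files: files}, nil
}

// Verify runs the trust check (valid signature from a vendor in the trust store)
// and the integrity check (every expected component present with the recorded
// digest, and nothing in the package that the manifest does not list).
func Verify(p SignedPackage, trusted TrustStore) error {
	pub, ok := trusted[p.Manifest.Vendor]
	if !ok {
		return fmt.Errorf("trust: vendor %q is not in the trust store", p.Manifest.Vendor)
	}
	b, err := canonical(p.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, p.Signature) {
		return errors.New("trust: manifest signature does not verify")
	}
	for name, want := range p.Manifest.Components {
		data, ok := p.Files[name]
		if !ok {
			return fmt.Errorf("integrity: expected component %q is missing", name)
		}
		if digest(data) != want {
			return fmt.Errorf("integrity: component %q has been tampered with", name)
		}
	}
	for name := range p.Files {
		if _, ok := p.Manifest.Components[name]; !ok {
			return fmt.Errorf("integrity: unexpected component %q in package", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := NewVendorKey()
	// Constructed sample package: a VNFD plus one image (not a real disk image).
	files := map[string][]byte{
		"vnfd.yaml":      []byte("vnf: sample-vfw\nflavour: default\n"),
		"images/vfw.img": []byte("placeholder image bytes"),
	}
	pkg, _ := BuildPackage("sample-vfw", "acme-networks", files, priv)
	trusted := TrustStore{"acme-networks": pub}
	fmt.Println("clean package:", Verify(pkg, trusted))
	// Tamper with a component after signing: the integrity check must now fail.
	pkg.Files["images/vfw.img"] = []byte("modified image bytes")
	fmt.Println("tampered package:", Verify(pkg, trusted))
}
```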
VNF External Security
• Noisy neighbor – Attack: an instance of a VNF/VNFC tries to exhaust all of the shared resources. Mitigation: isolate each VM/container and limit its resources in the VNFD.
• VM escape attack – Attack: malware in a VM tries to access the resources of the hypervisor or host. Mitigation: a proper access control list that shares only the necessary resources with the VM.
MANO Security – Two Faces
NFVO and VNFM – Management and Orchestration entities
• Attacks:
  • An attacker who gains access to the Orchestrator can instantiate a modified VNF. This can break access privileges and VNF isolation.
  • VNF placement attacks.
• Security solutions:
  • Secured communication and access.
  • Security monitoring system – detect and separate defective VNFs.
  • Storage protection.
Security MANO
Management and Orchestration of VSF, ISF and PSF.
• Automation of security management.
• Similar to VNF orchestration and management.
• Security policy enforcement for network services.
• Not limited to security functions in the virtualized network; also covers security functions in the traditional physical network, to raise the overall protection level.
SDN Security
• Monitor and detect malicious flows in the data plane and restrict/isolate the traffic.
• Use separate VLANs for data and management traffic isolation.
• Use IPsec VPN for secured communication across overlay networks.
• Monitor the traffic and update firewall policies – perimeter defense.
• Trust attestation of applications.
• Secured communication channel between planes.
• Reactive flow deployment.
• Detect and isolate defective applications.
• Strict access control to the SDN Controller.
VIM Security (OpenStack)
• Keystone: A&A; enabled federated identity; access policies; non-persistent tokens; strong HA for PKI tokens.
• Nova: trusted compute pools; keypair based access to VMs; encrypting metadata traffic; SELinux and virtualization; FIPS 140-2 certified hypervisors; compiler hardening; secured communication.
• Neutron: networking resource policy engine; security groups; enable quotas; mitigate ARP spoofing; secured communications.
• Glance: ownership of images; strictly checked configuration; Keystone for authentication; encryption of images; vulnerability checks on images.
• Cinder: secured communication; limit maximum request body size; strict permissions and configuration; enable volume encryption; secured network attached storage.
• Swift: network security – rsync; file permissions; secured storage services; strict ACL; secured communication.
• Barbican: key management as a service; manage secrets, PKI keys, split keys; isolation of keys is a top priority.
OpenStack Security resources: OpenStack Security Advisories (OSSA), OpenStack Security Notes (OSSN), OpenStack Security Guide, OpenStack Security Project blog, OpenStack security management tools.
NFVI Security
• Firmware security: secure boot; Trusted Platform Module or TrustZone; secure monitor; tamper detection; hardware root of trust; run-time integrity check.
• Kernel security: adopting Security Enhanced (SE) Linux; Trusted Execution Environment (TEE); patch the kernel for vulnerabilities; I/O isolation.
• Hardware security: secure key storage; secure monitoring; hardware accelerators – firewall and IPsec; strong I/O virtualization.
NFVI Security - NXP
Figure: run-time security management and enforcement stack – Trust Architecture on ARMv8 cores with ARM TrustZone (secure boot with HW root of trust, secure monitor, compute/IO/memory partitioning, run-time integrity checker, secure key storage); Linux LTS kernel with the latest security patches; application isolation environment (SE-Linux; KVM, Docker, Java; I/O isolation and protection) hosting the applications; OP-TEE framework and drivers, secure installer/loader, secure credential management, secure storage, secure system partitioning and resource management; tools: LUKS, dm-crypt, TSS, PKCS-11, Extended Verification Module, Integrity Measurement Architecture, secure monitoring and statistics, QorIQ Trust tools, secure provisioning and update.
QorIQ Trust Architecture features: 1. Secure Boot; 2. Secure Storage; 3. Key Protection; 4. Key Revocation; 5. Secure Debug; 6. Tamper Detection; 7. Strong Partitioning; 8. Manufacturing Protection.
All QorIQ SoCs support Trust Architecture.
OPNFV Security Initiatives
Project - Moon (Security Management System)
Managing the isolation and protection of, and the interaction between, these VNFs becomes a big challenge. In order to avoid losing control over the VNFs in the cloud, Moon aims at designing and developing a security management system for OPNFV.
Project proposal: https://wiki.opnfv.org/display/moon/Moon+Project+Proposal
OPNFV Security Group
A group dedicated to improving OPNFV security through architecture, documentation, code review and vulnerability management. Security is part of the INFRA working group, together with Releng, Octopus and Pharos. See more information at https://wiki.opnfv.org/display/INF.
Project - SecurityScanning
Ensures security compliance and vulnerability checks, both as part of an automated CI/CD platform delivery process and as a standalone application. The project makes use of the existing SCAP format to perform deep scanning of NFVi nodes, to ensure they are hardened and free of known CVE-reported vulnerabilities. The SCAP content itself is then consumed and run using an upstream open source tool known as OpenSCAP.
OpenStack Security Initiatives
Project - Barbican
Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data. This includes keying material such as symmetric keys, asymmetric keys, certificates and raw binary data.
Project - Anchor
Anchor is a lightweight, open source Public Key Infrastructure (PKI) which uses automated provisioning of short-term certificates to enable cryptographic trust in OpenStack services. Certificates are typically valid for 12-24 hours and are issued based on the result from a policy-enforcing decision engine. Short-term certificates enable passive revocation, bypassing the issues with the traditional revocation mechanisms used in most PKI deployments.
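An added Go example, not Anchor's own code, of the mechanism described above: a CA that issues a certificate only when a policy decision approves the request and only for a short TTL, so that the certificate stops validating by expiry alone, with no CRL or OCSP check. The service name and the policy table are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy stands in for Anchor's policy decision engine: it returns true if
// the named service may receive a certificate (constructed for this example).
type Policy func(service string) bool

// CA is a minimal issuing authority for short-term service certificates.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewCA creates a self-signed root whose key signs the short-lived leaf certificates.
func NewCA() (*CA, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "short-term service CA (constructed)"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{cert: cert, key: key, pool: pool}, nil
}

// Issue mints a certificate for service that is valid only for ttl (Anchor
// uses 12-24 hours) and only if the policy engine approves the request.
func (ca *CA) Issue(service string, ttl time.Duration, policy Policy) (*x509.Certificate, error) {
	if !policy(service) {
		return nil, fmt.Errorf("policy denied certificate for %q", service)
	}
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo serial; use random serials in production
		Subject:      pkix.Name{CommonName: service},
		DNSNames:     []string{service},
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(ttl),          // expiry is the revocation mechanism
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidAt reports whether cert chains to this CA for its own name at instant at.
// No CRL or OCSP lookup is involved: once the short validity window has passed,
// the certificate simply stops validating (passive revocation).
func (ca *CA) ValidAt(cert *x509.Certificate, at time.Time) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: ca.pool, CurrentTime: at, DNSName: cert.Subject.CommonName})
	return err == nil
}

func main() {
	ca, _ := NewCA()
	allowed := map[string]bool{"nova-api.cloud.internal": true} // constructed policy table
	policy := Policy(func(s string) bool { return allowed[s] })
	cert, err := ca.Issue("nova-api.cloud.internal", 12*time.Hour, policy)
	fmt.Println("issued:", err == nil)
	fmt.Println("valid now:", ca.ValidAt(cert, time.Now()))
	fmt.Println("valid after 13h:", ca.ValidAt(cert, time.Now().Add(13*time.Hour)))
}
```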
Secured Code
• Bandit – security linter for Python source code, utilizing the ast module from the Python standard library. Several projects leverage it in their CI gate tests.
• Syntribos – an open source automated API security testing tool, maintained by members of the OpenStack Security Project.
OpenStack Security Advisory (OSSA) and Security Notes (OSSN)
Targeted at OpenStack users and vendors who either run or package OpenStack for use by downstream consumers.
OpenStack Security Guide: https://docs.openstack.org/security-guide/index.html
NXP Security Platform
• Secure Boot: QorIQ Trust Architecture provides the HW root of trust; anti-cloning features; anti-rollback to vulnerable firmware; persistent secret storage not visible to hackers.
• Secure Provisioning: secure signing of images and key provisioning; 3-way secrets isolation between NXP, ODM and customer; secured firmware upgrades.
• Trusted Linux: secure run-time system operations; secure credential management – e.g. DRM keys; detect tampering of software via integrity checks; decrypt system firmware on-the-fly.
• Application Isolation: isolate and host multiple services in containers and VMs; verify applications before install and launch; HW level resource isolation and management.
• Crypto Acceleration: NIST certified security engine with rich algorithm support; true random number generation with 100% entropy; integrated with Linux IPsec and OpenSSL.
Figure: secure vCPE platform (LS1012, LS1024, LS1043, LS1046) – 802.11ax/ac/ad, ARM CPUs up to 100K CoreMark, Trust Architecture, packet engine at 2-20 Gbps, Ethernet controllers from 2x 1GE to 2x 10GE, security engine; above it a virtualization framework with virtual networking and security drivers, the Linux network stack, KVM/Docker, layer 2-4 offload (IPsec, firewall, NAPT, QoS) and DPDK/ODP, hosting the VNFs.
Secure Platform: Secure Boot is just the beginning – security needs to cover the entire system.
Security Hardened NFV and SDN integrated OpenStack Cloud
Figure: the telco cloud from the threat-focus slide (Voice, BB and IPTV VNFs with their EMSs, VNF Manager, SDNC, OSS/BSS, NFV Orchestrator with network and service orchestration, VIM, IP Edge, DC Edge) with a Security Orchestration layer spanning virtualized security and physical security, and a VNF Security Engine providing firewall, IPS/IDS, authorized access, security policing and trust attestation.
Security Checklist
• Monitor virtual networks – daily practice.
• VNF FCAPS – analysis and analytics.
• OpenStack communication via secured tunnels.
• Encrypted password for DB access – monthly TODO.
• Verify VNF images for vulnerabilities.
• Infra design – network security defense patterns.
• Scan block storage.
• Strict policy and security groups.
• OpenStack Security ML.
• Hardware crypto accelerators.
• Role based access control.
• Scan the complete cloud.
• Secure the data plane layer – use TLS 1.2 for authentication.
• Security harden the SDN Controller operating system.
• Strict authentication and authorization to the SDN Controller.
• Implement HA of the SDN Controller to guard against DDoS attacks.
• Enable application level security.
• Use TLS or SSH – NBC and Controller management.
• All routers and switches security hardened.
• Isolate tenant traffic from management traffic.
• Periodically patch the software components for vulnerabilities.
• Security monitoring – a daily practice.
• Adopt Security Orchestrator frameworks – VSF orchestration.
• Isolated Key Manager – a chest for all keys.
• Encrypt and split the storage.
• RESTful communication – secured.
• No test ports/APIs in production.
• Upgrade the system – for security bug fixes.
• Distributed SDN Controllers and VNF Managers – large DC.
• Leverage hardware security capabilities.
• FIPS 140-2 certified hypervisors.
• Federated identity.
ABSOLUTE SECURITY IS A MYTH.
That’s all folks
Thank you all
Glossary of Terms
VNF – Virtual Network Function
VSF – Virtual Security Function
ISF – Infrastructure Security Function
TPM – Trusted Platform Module
HSM – Hardware Security Module
AAA – Authorization, Authentication and Account
DC – Data center
VIM – Virtual Infrastructure Manager
MANO – Management and Orchestration
VNFM – Virtual Network Function Manager
NFVO – Network Function Virtualization Orchestrator
sVIRT – Secured Virtualization
PME – Pattern Matching Engine
Questions/Discussion
Sridhar Pothuganti
Email: sridhar.pothuganti@nxp.com
IRC: SridharP
Trinath Somanchi
Email: trinath.somanchi@nxp.com
IRC: trinaths
