Developments in the ETSI NFV Security Expert Group Igor Faynberg, ETSI NFV SEC Expert Group Convener July 23, 2014
Outline ETSI NFV SEC EG history, objectives, and a charter Current state of deliverables New factors Lawful intercept Proof-of-concept (VNF router and DDOS) Items in the work
ETSI NFV Security Expert Group Was created with the objective to advise all working groups rather than have its individual work item (but that has changed!) Started with three experts at the onset of the NFV; no communications beyond e-mail exchange Presently grown to the steady 14 active participants from 8 companies (200 on the list, 25 at F2F meetings); holding regular bi-weekly meetings; receiving a steady stream of contributions
Deliverables Security consideration sections for documents in INF, SWA, and MANO Three work items are in progress Problem statement (Rapporteur: Bob Briscoe, BT) chartered in April 2013 (now approved by EG) aims to identify new areas of concern specific to NFV Prepare standardization plan OpenStack security (Rapporteur: Hui-Lan Lu, ALU) chartered in February 2014 aims to identify security features, best practices, and gaps in OpenStack software Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel and Kurt Roemer, Citrix) Chartered in February 2014 (now approved by EG) aims to provide guidance in NFV-specific areas Two unofficial work items under development (Certificate management and Access Monitoring)
Charter summaries DGS/NFV-SEC001; Network Functions Virtualisation (NFV); NFV Security; Problem Statement Define NFV sufficiently to understand its security impact Provide a reference list of deployment scenarios Identify new security vulnerabilities resulting from NFV Identify candidate NFV working groups responsible for addressing each vulnerability DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing security features in management software relevant to NFV Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms. Recommend options that are appropriate for NFV deployment DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security, Security and Trust Guidance Define areas of consideration where security and trust technologies, practices and processes have different requirements than non-NFV systems and operations. Supply guidance for the environment that supports and interfaces with NFV systems and operations.
Problems identified in the Security Problem Statement Topology Validation and Enforcement Availability of Management Support Infrastructure Secured Boot Secure Crash Performance Isolation User/Tenant Authentication, Authorization, and Accounting Authenticated Time Service Private Keys within Cloned Images Back-doors via Virtualized Test and Monitoring Functions Multi-Administrator Isolation Security monitoring across multiple administrative domains (i.e., lawful interception) Stable draft is publicly available at http://docbox.etsi.org/ISG/NFV/Open/
OpenStack Security Motivation Functional aspects Safe application of OpenStack in NFV Gaps identification Export control of cryptographic software Compliance with procurement processes Follow-up on alerts from US-CERT and other similar organizations Determination of the relevant elements for security analytics Functional aspects Identity and access management Communication security Stored data security Firewalling, zoning, and topology hiding Availability Logging and monitoring
Lawful Intercept (new!) The primary source: COM 96/C329/01 on Lawful Interception adopted on the 17th January 1995 by the EU Council of Ministers. Further requirements: EU Privacy Directive (EC 2002/58/EC). NFV-specific problems: Hypervisor introspection makes undetectability of “virtual” taps impossible Ditto for data retention One solution: Physical zoning
Key Lawful Intercept Requirements Undetectability Target and correspondents cannot detect interception Unauthorized personnel cannot detect interception Accountability Only communication pertaining to the target is intercepted Intercepted communication is available only to authorized personnel LI measures are accessible only to authorized personnel Consistency of interception can be checked Activation, change, and de-activation are fully logged Logs are tamper-proof and accessible only to authorized personnel Confidentiality It is possible to encrypt all sensitive information (at rest and in motion) Decipherability Intercepted communication, if encrypted, is delivered in decrypted form or with available encryption keys
Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica) Overall PoC Project Completion Status: In progress, to be completed by end of June 2014 Key Milestone: Report with detailed performance characterization of the following aspects Additional latency due to DDoS detection block as a function of throughput DDoS attack detection time as a function of throughput and number of legitimate flows in the system Additional latency due to DDoS mitigation action block (QoS action such as re-mark) as a function of throughput
In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent) Help operators keep track of the network use, subscriber dynamics. Detect anomalies: malware or DDOS attacks Correlated analytics for the information in the form of subscriber’s IP address, IMSI, end user device, application, location, and bandwidth consumed by the application.
Certificate Management in the NFV Environment Proposal (Huawei) Provide guidance for NFV certificate deployment. Describe specific use cases, the threats and the requirements for NFV scenario Specify the trust validation mechanism applied for VM (Virtual Machine) and Virtualized Network Function (VNF).