1. Developments in the ETSI NFV Security Expert Group
Igor Faynberg, ETSI NFV SEC Expert Group Convener
July 23, 2014

2. Outline ETSI NFV SEC EG history, objectives, and a charter
Current state of deliverables
New factors
Lawful intercept
Proof-of-concept (VNF router and DDOS)
Items in the work

3. ETSI NFV Security Expert Group
Was created with the objective to advise all working groups rather than have its individual work item (but that has changed!)
Started
with three experts at the onset of the NFV;
no communications beyond exchange
Presently
grown to the steady 14 active participants from 8 companies (200 on the list, 25 at F2F meetings);
holding regular bi-weekly meetings;
receiving a steady stream of contributions

4. Deliverables
Security consideration sections for documents in INF, SWA, and MANO
Three work items are in progress
Problem statement (Rapporteur: Bob Briscoe, BT)
chartered in April (now approved by EG)
aims to
identify new areas of concern specific to NFV
Prepare standardization plan  
OpenStack security (Rapporteur: Hui-Lan Lu, ALU)
chartered in February 2014
aims to identify security features, best practices, and gaps in OpenStack software
Security and trust guidance (Co-rapporteurs: Mike Bursell, Intel and Kurt Roemer, Citrix)
Chartered in February 2014 (now approved by EG)
aims to provide guidance in NFV-specific areas
Two unofficial work items under development (Certificate management and Access Monitoring)

5. Charter summaries
DGS/NFV-SEC001; Network Functions Virtualisation (NFV); NFV Security; Problem Statement
Define NFV sufficiently to understand its security impact
Provide a reference list of deployment scenarios
Identify new security vulnerabilities resulting from NFV
Identify candidate NFV working groups responsible for addressing each vulnerability
DGS/NFV-SEC002: Network Functions Virtualisation (NFV); NFV SEC; Cataloguing security features in management software relevant to NFV
Catalogue security features in management software relevant to NFV: modules that provide security services (such as authentication, authorization, confidentiality, integrity protection, logging, and auditing) with the full graphs of their respective dependencies down to the modules that implement cryptographic protocols and algorithms.
Recommend options that are appropriate for NFV deployment
DGS/NFV-SEC003: Network Functions Virtualisation (NFV); NFV Security, Security and Trust Guidance
Define areas of consideration where security and trust technologies, practices and processes have different requirements than non-NFV systems and operations.
Supply guidance for the environment that supports and interfaces with NFV systems and operations.

6. Problems identified in the Security Problem Statement
Topology Validation and Enforcement
Availability of Management Support Infrastructure
Secured Boot
Secure Crash
Performance Isolation
User/Tenant Authentication, Authorization, and Accounting
Authenticated Time Service
Private Keys within Cloned Images
Back-doors via Virtualized Test and Monitoring Functions
Multi-Administrator Isolation
Security monitoring across multiple administrative domains (i.e., lawful interception)
Stable draft is publicly available at

7. OpenStack Security Motivation Functional aspects
Safe application of OpenStack in NFV
Gaps identification
Export control of cryptographic software
Compliance with procurement processes
Follow-up on alerts from US-CERT and other similar organizations
Determination of the relevant elements for security analytics
Functional aspects
Identity and access management
Communication security
Stored data security
Firewalling, zoning, and topology hiding
Availability
Logging and monitoring

8. Lawful Intercept (new!)
The primary source: COM 96/C329/01 on Lawful Interception adopted on the 17th January 1995 by the EU Council of Ministers.
Further requirements: EU Privacy Directive (EC 2002/58/EC).
NFV-specific problems:
Hypervisor introspection makes undetectability of “virtual” taps impossible
Ditto for data retention
One solution: Physical zoning

9. Key Lawful Intercept Requirements
Undetectability
Target and correspondents cannot detect interception
Unauthorized personnel cannot detect interception
Accountability
Only communication pertaining to the target is intercepted
Intercepted communication is available only to authorized personnel
LI measures are accessible only to authorized personnel
Consistency of interception can be checked
Activation, change, and de-activation are fully logged
Logs are tamper-proof and accessible only to authorized personnel
Confidentiality
It is possible to encrypt all sensitive information (at rest and in motion)
Decipherability
Intercepted communication, if encrypted, is delivered in decrypted form or with available encryption keys

10. Security Proof-of-Concept: VNF Router Performance with DDoS Functionality (AT&T, Brocade, Intel, Telefonica)
Overall PoC Project Completion Status: In progress, to be completed by end of June 2014
Key Milestone: Report with detailed performance characterization of the following aspects
Additional latency due to DDoS detection block as a function of throughput
DDoS attack detection time as a function of throughput and number of legitimate flows in the system
Additional latency due to DDoS mitigation action block (QoS action such as re-mark) as a function of throughput

11. In the works: Correlated analytics (from the Access Monitoring proposal by AT&T, Intel, and Spirent)
Help operators keep track of the network use, subscriber dynamics.
Detect anomalies: malware or DDOS attacks
Correlated analytics for the information in the form of subscriber’s IP address, IMSI, end user device, application, location, and bandwidth consumed by the application.

12. Certificate Management in the NFV Environment Proposal (Huawei)
Provide guidance for NFV certificate deployment.
Describe specific use cases, the threats and the requirements for NFV scenario
Specify the trust validation mechanism applied for VM (Virtual Machine) and Virtualized Network Function (VNF).