Threats to Network Function Virtualization (NFV) deployments exist at every layer of the NFV deployment. Starting from the Hardware layer, traversing up through the Hypervisor, SDN Controller, Network and finishing with the Applications deployed, each of these bring with them security concerns. Best practices to alleviate threats during and after deployment of the NFVI exist. Securing physical access to the servers, ensuring the Hypervisor patches are up-to-date and ensuring the images being deployed are from a trusted source are some of the basic hygiene requirements for deploying NFV.
Security vendors such as Juniper, safeguard users, applications and infrastructure throughout the network. The security of the macro environment (as it pertains to the network) is in the purview of the network designers and the implementation of the best practices as laid out in numerous reference documents. When working together, the security vendor and the customer form the basis of a Shared Responsibility model, where the former is responsible for the security of the network, infrastructure and the perimeter while the latter is responsible for the ensuring the sanctity of the VNF images, Hypervisors and the Identity and Access Management.
The NFV Architectural framework as defined by ETSI is shown in Figure 1 below:
NFV Architectural Framework (Source: ETSI GS NFVI 002)
As can be seen in the figure, the architecture defines three separate blocks
- The Virtual Network Functions (VNFs)
- NFV Infrastructure (NFVI) and
- NFV Management and Orchestration (MANO)
The threats with the deployment in the above architecture are:
- Network design risks – with the ease of creation of virtual networks, errors can creep in that will result in unwanted access privileges to bad agents, bandwidth choking, traffic steering problems, etc.
- Malware in VNF images – Poorly scanned and vulnerable VFs can lead to a compromised virtual network allowing attackers to sneak in
- External threats – Much like physical networks, external threat agents in the form of DoS attacks can cripple the virtual network by consuming resources
- Hypervisor/ Virtualization layer – Vulnerabilities in the Hypervisors can be exploited by attackers seeking to gain access to multiple VNFs
- Traffic spoofing between MANO and VNFs – Unless properly managed, the traffic between the MANO and VNFs can be tapped and spoofed
For a holistic security solution, a Shared Responsibility Model works best, where the customer and the vendor together secure the deployment. Breaking it down into multiple line items makes for a clear demarcation:
Responsibilities of the Vendor
- Securing against threats originating from and targeting the VNFs
- Safeguarding the Hardware Resources from known and unknown software threats
- Prevent DoS attacks against external interfaces of the VNFs
- Provide logs of all attack vectors and events on the Security devices/ VNFs
- Perimeter security
- Automated Security Policies
Responsibility of Customer
- Sanctity/ Integrity of the VNF itself
- Configuring RBAC policies to safeguard against unauthorized access; Identity Management
- Virtualization layer security – upgrading/ maintaining Hypervisor
- Physical security of the assets
Shared Responsibility
- Network Design to ensure ideal network segmentation
- Traffic filtering and Tenant Separation
The only way for securing a deployment is for the two parties involved – the customer and the vendor to work together and make it successful. Like an advertisement says,
“Today, it is no longer about winning. It is about working together to make a better tomorrow”
I couldn’t put it better than that.
Mithun's Musings 