Network functions virtualization (NFV) introduces security challenges, but it also presents opportunities to address security problems due to its scale, flexibility, and central control. Compute, storage, and network resources can be optimally allocated and stitched together for security purposes, just as they can for other NFV applications. A recursive divide-and-conquer approach is ideal for NFV, with security schemes applied at the platform, virtualized network zone and application levels. To reduce complexity, a centralized approach that leverages NFV’s automation capabilities is ideal.
New technology, new security issues
In the security community, it’s said that every new technology also brings new threats. New layers, components, interfaces, and capabilities provide new opportunities for attack by malicious agents. This is almost certainly the case for NFV. The technology is set to revolutionize how service providers construct and operate telecommunication networks. NFV’s use of virtualization, general-purpose hardware, and its ability to increase automation will both save costs and reduce time to market for new services and applications. At the same time, NFV introduces new challenges to security. At its simplest, NFV involves virtual network functions (VNF) running on virtual machines (VMs). The security threats to a given VNF can, therefore, be viewed as a combination of all generic virtualization threats and those threats specific to network function software (Figure 1).
Generic virtualization threats are governed by the security properties of the virtualization platform, consisting of software and hardware. Network function-specific threats are determined by the quality of the network function’s design and software implementation. But virtualization provides an added security benefit: the potential to eliminate or mitigate some threats inherent to the network function software through new mechanisms, such as hypervisor introspection and centralized security management. For example, hypervisor introspection can detect and eliminate root-kits as it is less susceptible to their cloaking strategies. In addition, run-time memory analysis can improve the security posture of the VNF. Centralized security management, on the other hand, allows network functions to be configured and protected effectively according to a common policy instead of a collection of per-network function security procedures that may not be consistent and up-to-date. The strategy for improving security of a VNF must, therefore, be two-pronged to combine:
- Reducing generic virtualization threats as much as possible by securing the virtualization platform
- Eliminating as many network function-specific threats as possible by applying NFV-enabled security mechanisms, such as hypervisor-based introspection
NFV security challenges and opportunities
NFV creates several new security challenges compared to traditional network function deployments, including:
- Reliance on additional software (i.e., the hypervisor, and management and orchestration modules) creates a longer chain of trust
- Reduced isolation of network functions
- Fate-sharing due to resource pooling and multi-tenancy
- Effective key escrow for hosted network functions
The good news is that there are mechanisms and tools to deal with these challenges. What’s more, there are unique opportunities in NFV when it comes to security, including:
- Lower cost of ownership - NFV can potentially reduce the total cost of ownership, lowering CAPEX by migrating functions from proprietary to commodity hardware, and from dedicated boxes to virtual machines. This is as true for security appliances and functions as for other network products and applications.
- Streamlined security operations - In a cloud environment, multi-tenancy requires virtual resources to be logically separated among tenants. Using orchestration, certain VNFs can be deployed on separate compute nodes, and they can be further segregated by using separate networks. In addition, using security zones allows VNFs to be deployed on hosts that satisfy security-pertinent criteria, such as location and level of hardening (e.g., some hosts may employ the trusted computing technology).
- Patch management - NFV can reduce the operational impact of deploying security updates. An upgraded instance of the VNF can be launched and tested while the previous instance remains active. Services and customers can then be migrated to the upgraded instance over a period of time (the length dictated by operational needs). The older instance with the un-patched security flaw can be retired once this is complete.
- Incident response - NFV creates new possibilities for incident response because of the inherent flexibility it introduces. For example, automated incident response could include rapid and flexible re-configuration of virtual resources.
Another characteristic of network function virtualization that leads to improved incident response is the relative ease of decommissioning and re-commissioning VNFs. If a VNF is suspected of having been compromised (for example, through unauthorized access via a back door), an uncompromised version can be instantiated to replace it, and the compromised version can be decommissioned and a copy of it made for forensic analysis.
Creating comprehensive security with NFV
Service providers should take a systematic approach to developing security in an NFV environment. The major underlying scheme is recursive in nature—a build-up of more complex services on top of the elementary ones. Security is applied at three distinct layers (Figure 2):
- NVF platform
- Virtualized network zones
- Carrier applications
NFV platform security The foundation is the NFV platform, which includes the datacenters with basic compute capabilities, the networks that interconnect them, and the operations and management systems, including the management and orchestration modules. Ensuring platform security through known controls and achieving physical and logical zoning is the top priority. The steps needed to ensure platform security can be grouped according to what they are securing:
- Physical cloud nodes (for compute, storage and networking)
- Management systems (i.e., lifecycle, orchestration and API access)
Virtualized network zone security The second security layer in the NFV environment is the deployment of virtual security appliances. For example, service providers can deploy virtual firewalls to establish new network zones. These are as secure as physical firewalls, but at much higher speed, lower cost, and with far greater flexibility. This new, virtualized environment – which may include visibly separate networks offered as a service – can be much more complex than any carrier’s current network, yet its security is backed by the platform controls. Carrier application security The third NFV security layer is the application level. Virtualized functions in support of applications, such as the evolved packet core, software-defined networking controller (SDNC), and home subscriber service (HSS), are placed in the established security zones. That deployment’s security is assured by a combination of native application security controls and those provided at the network zone layer. This is further enhanced by the platform capabilities. Once deployed, the security services provided by the applications can be recursively used to further improve platform security. For example, the virtualized HSS can provide an extra authentication factor for access to platform software.
The case for automation
One problem with this multi-layered approach is the seeming complexity of the resulting system. Even with all security processes and policies properly documented and the datacenter personnel trained, there is far too much information to rely on manual processing. Service providers must, therefore, automate security processes and implement them as part of the management system that oversees the cloud environment in all datacenters and compute nodes. A centralized management system for command and control can ensure systematic and consistent implementation of security. Security monitoring appliances can be extremely beneficial. Interworking with hypervisors, these appliances can finely inspect the memory of virtual machines without modifying the virtual machines themselves. By using analytics on the data collected from the platform and multiple security appliances, the centralized management system can assess, in near-real time, the state of security in the whole cloud. It can then quickly take any necessary enforcement action combined with remediation through auto-healing. Similarly, virtual load balancers and virtual DNS servers (in addition to their main purposes) can be deployed to further mitigate denial of service (DOS) attacks, complementing other anti-DOS measures. This article is excerpted from the Alcatel-Lucent strategic white paper entitled Providing Security in NFV: Challenges and Opportunities. To contact the author or request additional information, please send an email to firstname.lastname@example.org.