Post on 22-Sep-2020
1 Copyright © 2014 Nakina™ Systems Inc. All Rights Reserved.
Securing NFV
Rob Marson/Anton Kaska IEEE SRPSDVE Study Group
November 2014
What’s Missing?
• Network as a shared pool of programmable resources
• Management without borders
• Agile IT processes for network and service management
• Low Touch: more automation
NFV is a Significant Transformation of Networks and Processes
Many Benefits: Operations and Equipment Savings, New Service Innovations
Will the Promises be Realized?
• NFV must become “operationalized”
• Complex access and policy management
• New virtualized network vulnerabilities and threats
Security May Become the Major Barrier to NFV Adoption
Image: Cyan, ETSI
Virtual Network Functions require secure access. VNFs could belong to different end customers, users. Unique policies and access management needs.
Virtual Network Infrastructure supports all services: maintaining integrity is vital.
Multiple management interfaces to secure. Interplay, policies, etc.
Securing NFV: Many Layers and Dimensions to Consider
Multiple Management and Orchestration sub-domains. Multiple orchestrators and VNF Managers possible. Which systems can communicate to physical and virtual resources? To each other?
Implementations will Vary by Operator
[Diagram labels: POP/Office; Regional Data Center; Premises/Edge Data Center/CO; Remote Data Center/CO; Premise NFVI; NFVI; Managed CPE; Service Provider VNF; Customer VNF]
• Remote physical and virtual environments
• Protecting VNF and NFVI integrity vital
• Multi-tenancy management, access controls
• Domain isolation: CPE, NFVI and VNF
Don’t Forget Multi-Site NFV
Potential Security Implications
Observations | Implications
Multi-tenancy | Must ensure that users and autonomous systems have correct access privileges.
Multiple layers of interdependency between VNFs, NFVI, OSS | More policy management rules, more forensic logging.
Roles/responsibilities (some silos will continue to exist): no single recipe | Flexible access management systems needed: processes will vary by operator.
Autonomous systems, dynamic network configuration changes | Policies must extend to humans and machines, more logging, more snapshots required.
Multi-Site NFV: services extend beyond the data center, and over hybrid networks | End-to-End, service-oriented view of security necessary
NFV Security Must Not be a Weak Link
Complexity Should Not Outweigh Benefits
Some Parting Comments and Thoughts
• Securing NFV must not be an afterthought if full benefits are to be realized.
• Flexible access management strategies needed: there is no single recipe, processes vary by operator, by service, by region.
• The definition of Identity Access Management must extend to systems, as well as people.
• People are not going away: humans will continue to access virtual networks.
• What are some future compliance considerations?
NFV Transformation will Occur; the Degree of Success Depends on Making it Operational.
END