Securing NFV and SDN Integrated OpenStack Cloud
Challenges and Solutions
Sridhar Pothuganti
Trinath Somanchi
INDIA
Session Outline
• SDN and NFV – Complementing the cloud.
• Threat Analysis.
• Solving Security challenges.
• Security Hardened NFV and SDN integrated OpenStack Cloud.
• OPNFV Security Initiatives.
• OpenStack Security Initiatives.
• NXP Security Platform.
• Security check list.
• Security Recommendations.
Complementing the Cloud
Reference: https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-sdn-nvf-solution.pdf
SDN Architecture:
• Logically centralized intelligence.
• Programmability.
• Abstraction.
NFV Architecture:
• Virtualized Network Functions.
• COTS NFVI.
• Logically distributed management.
[Figure: SDN architecture – Application Layer (Apps) over an Open Northbound API, Control Layer (control layer componentization) over an Open Southbound API, Infrastructure Layer – alongside NFV, where VNFs are composed into Network Services through Network Function Virtualization.]
Threat Analysis
NFV – Threat Analysis
NFV Vulnerabilities and Weaknesses
NFVI
• Vulnerabilities: shared resources; insecure interfaces; improper control and monitoring; design flaws; improper security enforcement.
• Attacks: conventional attacks (DoS/DDoS); manipulation of the VM OS; data destruction; hypervisor level attacks; hardware attacks.
VNF
• Vulnerabilities (inside): software crashes; software design flaws; software bugs.
• Vulnerabilities (outside): 3rd party networks; shared resources; multi-tenancy issues; noisy neighbor.
• Attacks: conventional attacks; control plane attacks.
MANO
• Vulnerabilities: inconsistent orchestration and management; insecure interfaces; data theft; compromised policies and isolation.
• Attacks: conventional attacks; orchestration and control plane attacks.
SDN – Threat Analysis
Planes and interfaces:
• Application Plane (AP) – business applications.
• North Bound Interfaces (NBI) – programmable open APIs.
• Control Plane (CP) – SDN Controller.
• South Bound Interfaces (SBI) – control and data plane programmable interface, e.g. OpenFlow.
• Data Plane (DP).
Threats:
• Unauthorized access to the Controller and applications.
• Misconfiguration – SDN element failures.
• Malicious application threats via integrated 3rd party applications.
• Improper configuration of security policies.
• Insecure interfaces – API threats.
• Improper Controller configuration and bugs.
• Controller operating system vulnerabilities.
• OpenFlow vulnerabilities.
• Vulnerabilities in interconnected network elements.
• Conventional attacks (DoS/DDoS).
• Data leakage/theft.
• Account data leakage threat.
• TLS absence threat.
• Controller unavailability – DoS/DDoS.
Security Challenges
[Figure: ETSI NFV reference architecture – OSS/BSS, EMS 1..n and VNF 1..n over the NFVI (compute, storage and network virtualization on hardware via Vi-Ha), with NFV MANO (Orchestrator, VNF Manager(s), Virtualized Infrastructure Manager(s), Service/VNF/Infrastructure Description) and reference points Vn-Nf, Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi.]
NFV Infrastructure
• Attacks on the shared pool of resources.
• Hypervisor layer attacks.
• Vulnerabilities in virtualized entities.
VNF Layer
• DoS/DDoS attacks.
• Control plane attacks.
• Noisy neighbor.
• Attacks due to insecure interfaces, control and monitoring gaps.
• Different vendor NFV standards.
SDN Fabric
• Attacks on the forwarding plane.
• Flooding of the network.
• Weak ACLs in the control and management planes.
• Vulnerabilities in SDN resources.
NFV MANO
• Weak access control.
• Inefficient monitoring.
• Vulnerabilities in underlying layers.
OSS/BSS
• Vulnerabilities in underlying layers.
• Weak ACLs and monitoring.
• DoS/DDoS attacks in the SDN fabric.
• Vulnerabilities due to deployed legacy systems.
Threat focus on NFV and SDN Cloud
[Figure: Telco cloud – OSS/BSS, NFV Orchestrator (service and network orchestration), VNF Manager, VIM, SDNC, EMSs and VNFs (Voice, BB, IPTV) between IP Edge and DC Edge – annotated with threat sources: attacks from VMs; attacks on host, hypervisor and VM; DDoS, MitM and network traffic poisoning attacks; attacks from remote/3rd party applications.]
• The TRUST domain.
• SDN Controller security.
• Security analytics.
• Virtual Security Functions (VSFs and ISFs)
• Role based access and identity management.
• MANO Security.
• NFVI – Hypervisor and Physical layer security hardening.
• Secured interfaces - Security Automation
Building Comprehensive Security
Solving Security Challenges
Security Hardening - Approaches
• Architectural approaches
  • ETSI NFV Security Management Framework
• Layered approaches
  • VNF Security
• MANO Security
• SDN Security
• VIM Security (OpenStack)
• NFVI Security
NFV Security Management Framework
• NFV Security Manager (NSM) – overall security management; security policy planning, enforcement and validation.
• Security Element Manager (SEM) – EMS managing VSFs.
• Virtualized Security Function (VSF) – logically coupled and de-coupled security for VNFs; network service centric deployment.
• NFVI based Security Functions (ISF) – hypervisor based firewalls; HSM and crypto accelerators.
• Physical Security Functions (PSF) – out of scope PSFs, managed by SEMs.
[Figure: ETSI NFV reference architecture (OSS/BSS, EMS 1..n, VNF 1..n, NFVI with compute/storage/network virtualization, Orchestrator, VNF Manager(s), Virtualized Infrastructure Manager(s) and the Vi-Ha, Vn-Nf, Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi reference points) extended with the security management framework: an NFV Security Manager alongside the Orchestrator, Security EMs alongside the EMSs, VSFs alongside the VNFs, Infrastructure Security Functions in the NFVI, and Physical Network Functions.]
VNF Security
VNF LCM Security Monitoring
• Vulnerability scanning at regular intervals.
• Patch management and version upgrades.
• Security wipe on termination of a VNF instance.
VNF Package Management – Onboarding
• Integrity checks: check whether the VNF package includes the expected components and that they are free of tampering.
• Trust checks: check whether the VNF package consists of components from trusted vendors/suppliers.
In both cases, the use of cryptographic signing and certificates can provide assurance.
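An added example (not from the deck or any VNFM) of the onboarding integrity and trust checks above: a vendor manifest lists the SHA-256 of each package component and is authenticated with a per-vendor key, and the verifier rejects unknown vendors, a forged manifest, a changed component set, and any tampered component. The vendor name, key and package contents are constructed; HMAC-SHA256 stands in for the certificate-based signature because the standard library has no asymmetric crypto.

```python
import hashlib
import hmac
import json

# Constructed trust store: vendor name -> onboarding key. HMAC-SHA256 with a per-vendor
# key stands in for the certificate-based signature check; the integrity logic is the same.
TRUSTED_VENDORS = {"acme-vnf": b"acme-onboarding-key-constructed"}  # hypothetical vendor

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(manifest: dict) -> bytes:
    # Stable serialisation so signer and verifier authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(vendor: str, files: dict) -> dict:
    return {"vendor": vendor, "files": {name: sha256(data) for name, data in files.items()}}

def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_package(files: dict, manifest: dict, signature: str) -> tuple:
    """Trust check (known vendor, valid signature), then integrity check (file set, hashes)."""
    key = TRUSTED_VENDORS.get(manifest.get("vendor"))
    if key is None:
        return False, "untrusted vendor"
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature mismatch"
    expected = manifest["files"]
    missing, extra = set(expected) - set(files), set(files) - set(expected)
    if missing or extra:
        return False, f"component set differs: missing={sorted(missing)} extra={sorted(extra)}"
    for name, digest in expected.items():
        if not hmac.compare_digest(sha256(files[name]), digest):
            return False, f"tampered component: {name}"
    return True, "package verified"

# Constructed sample package {filename: bytes}, its manifest and the vendor's signature.
PACKAGE = {"vnfd.yaml": b"vnf: acme-firewall\nflavor: small\n",
           "image.qcow2": b"QFI\xfb" + b"\x00" * 16}
MANIFEST = build_manifest("acme-vnf", PACKAGE)
SIGNATURE = sign_manifest(MANIFEST, TRUSTED_VENDORS["acme-vnf"])

if __name__ == "__main__":
    print(verify_package(PACKAGE, MANIFEST, SIGNATURE))
    tampered = dict(PACKAGE, **{"vnfd.yaml": b"vnf: acme-firewall\nflavor: huge\n"})
    print(verify_package(tampered, MANIFEST, SIGNATURE))  # rejected as tampered component
```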
VNF External Security
• Noisy neighbor – Attack: an instance of a VNF/VNFC tries to exhaust all of the resources. Mitigation: isolate each VM/container and limit resources in the VNFD.
• VM escape – Attack: malware in a VM tries to access the resources of the hypervisor or host. Mitigation: a proper access control list, sharing only the necessary resources with the VM.
MANO Security – Two Faces
MANO Security
NFVO and VNFM – Management and Orchestration entities
• Attacks:
  • An attacker who gains access to the Orchestrator can instantiate a modified VNF, breaking access privileges and VNF isolation.
  • VNF placement attacks.
• Security solutions:
  • Secured communication and access.
  • Security monitoring system – detect and separate defective VNFs.
  • Storage protection.
Security MANO
• Management and orchestration of VSFs, ISFs and PSFs.
• Automation of security management.
• Similar to VNF orchestration and management.
• Security policy enforcement for the Network Service.
• Not limited to security functions in the virtualized network; also covers security functions in the traditional physical network, to raise the overall protection level.
SDN Security
• Monitor and detect malicious flows in the data plane and restrict/isolate the traffic.
• Use separate VLANs to isolate data and management traffic.
• Use IPsec VPN for secured communication across overlay networks.
• Monitor the traffic and update firewall policies – perimeter defense.
• Trust attestation of applications.
• Secured communication channel between planes.
• Reactive flow deployment.
• Detect and isolate defective applications.
• Strict access control to the SDN Controller.
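An added example (not from the deck or any SDN controller) of the first and the "reactive flow deployment" points: a sliding-window detector over packet-in (table-miss) events flags a source that floods the controller and emits a drop rule for it, so the switch stops punting its traffic. The event tuple layout, datapath ids, ports and MAC addresses are constructed for the example; a real deployment would feed the same function from the controller's packet-in handler.

```python
from collections import defaultdict, deque

# Constructed packet-in log as (timestamp_s, datapath_id, in_port, src_mac) tuples.
# This layout is an assumption for the example, not a controller API.
def constructed_packet_ins():
    normal = [(float(i), 1, 3, "02:00:00:00:00:aa") for i in range(6)]        # 1 pkt/s
    burst = [(2.0 + 0.1 * i, 1, 5, "02:00:00:00:00:cc") for i in range(5)]     # exactly at limit
    flood = [(0.05 * i, 1, 7, "02:00:00:00:00:bb") for i in range(10)]         # 10 in 0.45 s
    return normal + burst + flood

WINDOW_S = 1.0   # sliding window length
THRESHOLD = 5    # packet-ins per source per window tolerated before isolation

def detect_flooding(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return reactive drop rules for sources whose packet-in rate exceeds the threshold.
    Each rule matches the offending source on its ingress port with an empty action list
    (drop), which stops both forwarding and further punts to the controller."""
    recent = defaultdict(deque)          # (dpid, src_mac) -> timestamps inside the window
    isolated = {}
    for ts, dpid, port, src in sorted(events):
        key = (dpid, src)
        if key in isolated:              # already quarantined
            continue
        window = recent[key]
        window.append(ts)
        while ts - window[0] > window_s: # expire events older than the window
            window.popleft()
        if len(window) > threshold:
            isolated[key] = {
                "dpid": dpid,
                "priority": 1000,        # above normal forwarding rules
                "match": {"in_port": port, "eth_src": src},
                "actions": [],           # no output action = drop
                "reason": f"{len(window)} packet-ins in {window_s}s",
            }
    return list(isolated.values())

if __name__ == "__main__":
    for rule in detect_flooding(constructed_packet_ins()):
        print(rule)
```

The burst source that sends exactly THRESHOLD packet-ins in a window is deliberately left alone; only the source exceeding it gets a rule.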
VIM Security (OpenStack)
Keystone – A&A
• Enable federated identity.
• Access policies.
• Non-persistent tokens.
• Strong HA for PKI tokens.
Nova
• Trusted compute pools.
• Keypair based access to VMs.
• Encrypt metadata traffic.
• SELinux and virtualization.
• FIPS 140-2 certified hypervisors.
• Compiler hardening.
• Secured communication.
Neutron
• Networking resource policy engine.
• Security groups.
• Enable quotas.
• Mitigate ARP spoofing.
• Secured communications.
Glance
• Ownership of images.
• Strictly checked configuration.
• Keystone for authentication.
• Encryption of images.
• Vulnerability checks on images.
Cinder
• Secured communication.
• Limit the maximum request body size.
• Strict permissions and configuration.
• Enable volume encryption.
• Secured network attached storage.
Swift
• Network security for rsync.
• File permissions.
• Secured storage services.
• Strict ACLs.
• Secured communication.
Barbican
• Key Management as a Service.
• Manage secrets, PKI keys, split keys.
• Isolation of keys is a top priority.
OpenStack Security
OpenStack Security Advisories (OSSA)
OpenStack Security Notes (OSSN)
OpenStack Security Guide
OpenStack Security Project blog
OpenStack Security Management tools.
NFVI Security
Firmware Security
• Secure boot.
• Trusted Platform Module or TrustZone.
• Secure Monitor.
• Tamper detection.
• Hardware root of trust.
• Run-time integrity check.
Kernel Security
• Adopt Security Enhanced (SE) Linux.
• Trusted Execution Environment (TEE).
• Patch the kernel for vulnerabilities.
• I/O isolation.
Hardware Security
• Secure key storage.
• Secure monitoring.
• Hardware accelerators – firewall and IPsec.
• Strong I/O virtualization.
[Figure: NXP trust architecture software stack – Run-Time Security Management and Enforcement (OP-TEE framework and drivers; secure installer and loader; secure credential management; secure storage via LUKS/dm-crypt and TSS/PKCS#11; secure system partitioning and resource management; Extended Verification Module and Integrity Measurement Architecture; secure monitoring and statistics; QorIQ Trust Tools; secure provisioning and update; application isolation environment with I/O isolation and protection via SELinux, KVM, Docker and Java) hosting applications on a Linux LTS kernel with the latest security patches, over the Trust Architecture (ARMv8 cores, ARM TrustZone, Secure Boot with HW root of trust, Secure Monitor, compute/IO/memory partitioning, run-time integrity checker, secure key storage).]
NFVI Security - NXP
Trust Architecture elements:
1. Secure Boot
2. Secure Storage
3. Key Protection
4. Key Revocation
5. Secure Debug
6. Tamper Detection
7. Strong Partitioning
8. Manufacturing Protection
All QorIQ SoCs support Trust Architecture.
OPNFV Security Initiatives
Project - Moon (Security Management System)
Management of the isolation and protection of, and interaction between, VNFs becomes a big challenge. In order to avoid losing control over the VNFs in the cloud, Moon aims at designing and developing a security management system for OPNFV.
Project proposal: https://wiki.opnfv.org/display/moon/Moon+Project+Proposal
OPNFV Security Group
A group dedicated to improving OPNFV security through architecture, documentation, code review and vulnerability management.
Security is part of the INFRA working group, together with Releng, Octopus and Pharos. See more information at https://wiki.opnfv.org/display/INF.
Project - SecurityScanning
Ensures security compliance and vulnerability checks, as part of an automated CI/CD platform delivery process and as a standalone application.
The project makes use of the existing SCAP format to perform deep scanning of NFVI nodes, to ensure they are hardened and free of known CVE-reported vulnerabilities. The SCAP content itself is then consumed and run using an upstream open source tool known as OpenSCAP.
OpenStack Security Initiatives
Project - Barbican
Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data. This includes keying material such as symmetric keys, asymmetric keys, certificates and raw binary data.
Project - Anchor
Anchor is a lightweight, open source Public Key Infrastructure (PKI) which uses automated provisioning of short-term certificates to enable cryptographic trust in OpenStack services.
Certificates are typically valid for 12-24 hours and are issued based on the result from a policy enforcing decision engine. Short-term certificates enable passive revocation, bypassing the issues with the traditional revocation mechanisms used in most PKI deployments.
Secured Code
• Bandit – security linter for Python source code, utilizing the ast module from the Python standard library. Several projects leverage it in their CI gate tests.
• Syntribos – an open source automated API security testing tool, maintained by members of the OpenStack Security Project.
OpenStack Security Advisories (OSSA) and Security Notes (OSSN) – targeted at OpenStack users and vendors who either run or package OpenStack for use by downstream consumers.
OpenStack Security Guide: https://docs.openstack.org/security-guide/index.html
NXP Security Platform
Secure Boot
• QorIQ Trust Architecture provides a HW root of trust.
• Anti-cloning features.
• Anti-rollback to vulnerable firmware.
• Persistent secret storage not visible to hackers.
Secure Provisioning
• Secure signing of images and key provisioning.
• 3-way secrets isolation between NXP, ODM and customer.
• Secured firmware upgrades.
Trusted Linux
• Secure run-time system operations.
• Secure credential management – e.g. DRM keys.
• Detect tampering of software via integrity checks.
• Decrypt system firmware on-the-fly.
Application Isolation
• Isolate and host multiple services in containers and VMs.
• Verify applications before install and launch.
• HW level resource isolation and management.
Crypto Acceleration
• NIST certified security engine with rich algorithm support.
• True random number generation with 100% entropy.
• Integrated with Linux IPsec and OpenSSL.
Secure Platform
[Figure: Secure vCPE on NXP Layerscape (LS1012, LS1024, LS1043, LS1046) – ARM CPUs up to 100K CoreMark, Trust Architecture, Security Engine, Packet Engine (2-20 Gbps), Ethernet controllers (2x 1GE to 2x 10GE), 802.11ax/ac/ad; software stack of Linux network stack, virtual networking and security drivers, DPDK/ODP, Layer 2-4 offload (IPsec, firewall, NAPT, QoS), and a KVM/Docker virtualization framework hosting VNFs.]
Secure Boot is just the beginning – security needs to cover the entire system.
Security Hardened NFV and SDN integrated OpenStack Cloud
[Figure: the Telco cloud from the threat-focus slide (OSS/BSS, NFV Orchestrator with service and network orchestration, VNF Manager, VIM, SDNC, EMSs, VNFs for Voice/BB/IPTV, IP Edge and DC Edge) with security added – Security Orchestration over Virtualized Security and Physical Security, and a VNF Security Engine providing firewall, IPS/IDS, authorized access, security policing and trust attestation.]
Security Checklist
• Monitor virtual networks – daily practice.
• VNF FCAPS – analysis and analytics.
• OpenStack communication via secured tunnels.
• Encrypted password for DB access – monthly TODO.
• Verify VNF images for vulnerabilities.
• Infra design – network security defense patterns.
• Scan block storage.
• Strict policy and security groups.
• OpenStack Security ML.
• Hardware crypto accelerators.
• Role based access control.
• Scan the complete cloud.
• Secure the data plane layer – use TLS 1.2 for authentication.
• Security harden the SDN Controller operating system.
• Strict authentication and authorization to the SDN Controller.
• Implement HA of the SDN Controller to guard against DDoS attacks.
• Enable application level security.
• Use TLS or SSH – NBC and Controller management.
• All routers and switches security hardened.
• Isolate tenant traffic from management traffic.
• Periodically patch the software components for vulnerabilities.
• Security monitoring – a daily practice.
• Adopt Security Orchestrator frameworks – VSF orchestration.
• Isolated Key Manager – a chest for all keys.
• Encrypt and split the storage.
• RESTful communication – secured.
• No test ports/APIs in production.
• Upgrade the system – for security bug fixes.
• Distributed SDN Controllers and VNF Managers – large DC.
• Leverage hardware security capabilities.
• FIPS 140-2 certified hypervisors.
• Federated identity.
ABSOLUTE SECURITY IS A MYTH.
That’s all folks
Thank you all
Glossary of Terms
VNF – Virtual Network Function
VSF – Virtual Security Function
ISF – Infrastructure Security Function
TPM – Trusted Platform Module
HSM – Hardware Security Module
AAA – Authentication, Authorization and Accounting
DC – Data center
VIM – Virtual Infrastructure Manager
MANO – Management and Orchestration
VNFM – VNF Manager
NFVO – Network Function Virtualization Orchestrator
sVirt – Secured Virtualization
PME – Pattern Matching Engine
Questions/Discussion
Sridhar Pothuganti – Email: [email protected] – SridharP
Trinath Somanchi – Email: [email protected] – trinaths