Network Function Virtualization - Security Best Practices AtlSecCon 2015

Page 1: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Network Function Virtualization

AtlSecCon 2015

SECURITY BEST PRACTICES

Page 2: Network Function Virtualization - Security Best Practices AtlSecCon 2015

What is Network Function Virtualization?

Virtual Core Network Services

Introduces Concept of Control Plane and Data Plane

Typical Virtual Network Services

Core Layer 2 Switching (VLANS)

Layer 3 Routing (Internal and External Routing Functions- OSPF, BGP, etc)

Edge Firewall Services

VPN Tunneling

Embedded IPS/IDS

Automated Service Provisioning

Automated Threat Response

Page 3: Network Function Virtualization - Security Best Practices AtlSecCon 2015

A means to make the network more flexible and simple by minimising dependence on HW constraints

Traditional Network Model: APPLIANCE APPROACH

Network Functions are based on specific HW&SW

One physical node per role

[Figure: one dedicated appliance per role - DPI, BRAS, GGSN/SGSN, Session Border Controller, Firewall, CG-NAT, PE Router]

Virtualised Network Model: VIRTUAL APPLIANCE APPROACH

Network Functions are SW-based over well-known HW

Multiple roles over same HW

[Figure: the same roles (DPI, BRAS, GGSN/SGSN, Firewall, CG-NAT, PE Router) as virtual appliances running on standard high-volume servers, with orchestration, automation & remote install]

Source: Adapted from D. Lopez Telefonica I+D, NFV

Page 4: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Fundamental Changes in Architecture

[Figure: Traditional Infrastructure vs. Virtualized Infrastructure. Traditional: Users and the Internet reach WWW, Database and Enterprise Services running on physical servers. Virtualized: Users and the Internet reach an Internet VLAN and a Virtual Firewall in front of the WWW VM, Database VM and Enterprise VM, with a separate Management VLAN]

Page 5: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Network Function Virtualization vs.

Software Defined Networks

Complementary set of services

Network Function Virtualization (NFV)

Originated from the need to scale Network Services (Service Provider World)

Data plane functions running in VMs on commodity servers

Software Defined Networking (SDN)

Originated from API control of Network Features (IT World)

Also Separating the Control and Data Planes

Together Allow Scalable Cloud Applications and Services (Apps)

Applications running on top of the network with transportable network characteristics.

Page 6: Network Function Virtualization - Security Best Practices AtlSecCon 2015

The ETSI NFV ISG

• Global operators-led Industry Specification Group (ISG) under the auspices of ETSI

– ~150 member organisations

• Open membership

– ETSI members sign the “Member Agreement”

– Non-ETSI members sign the “Participant Agreement”

– Opening up to academia

• Operates by consensus

– Formal voting only when required

• Deliverables: White papers addressing challenges and operator requirements, as input to SDOs

– Not a standardisation body by itself

• Currently, four WGs and two EGs

– Infrastructure

– Software Architecture

– Management & Orchestration

– Reliability & Availability

– Performance & Portability

– Security

Source: Adapted from D. Lopez Telefonica I+D, NFV

Page 7: Network Function Virtualization - Security Best Practices AtlSecCon 2015

ETSI NFV Reference Architecture

[Figure: ETSI NFV reference architecture. NFVI: Computing Hardware, Storage Hardware and Network Hardware (Hardware resources), the Virtualisation Layer, and Virtual Computing, Virtual Storage and Virtual Network. VNF 1, VNF 2 and VNF 3 with EMS 1, EMS 2 and EMS 3 above them. OSS/BSS and Service and Infrastructure Requirements on the left; NFV Management and Orchestration (Orchestrator, VNF Manager(s), Virtualised Infrastructure Manager(s)) on the right. Labelled reference points: Or-Vi, Or-Vnfm, Vnfm-Vi, Os-Ma, Se-Or, Ve-Vnfm, Nf-Vi, Vn-Nf, Vi-Ha. The legend distinguishes execution reference points, main NFV reference points and other reference points]

Reference points:

Virtualization Layer – Hardware Resources (Vi-Ha)

VNF – NFVI (Vn-Nf)

Orchestrator – VNF Manager (Or-Vnfm)

Virtualized Infrastructure Manager – VNF Manager (Vi-Vnfm)

Orchestrator – Virtualized Infrastructure Manager (Or-Vi)

NFVI – Virtualized Infrastructure Manager (Nf-Vi)

Operation Support System (OSS)/Business Support Systems (BSS) – NFV Management and Orchestration (Os-Ma)

VNF/Element Management System (EMS) – VNF Manager (Ve-Vnfm)

Service, VNF and Infrastructure Description – NFV Management and Orchestration (Se-Ma): VNF Deployment template, VNF Forwarding Graph, service-related information, NFV infrastructure information

Ref: ETSI, “Architectural Framework,” Oct 2013,

Page 8: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Integrated Cloud Stacks - VMware

Page 9: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Integrated Cloud Stacks - VMware

Page 10: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Non-Disruptive Deployment

Page 11: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Programmatically Provisioned

Page 12: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Services Distributed to the Virtual Switch

Page 13: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Physical Workloads and Legacy VLANs

Page 14: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Security – Complete Isolation

Virtual Networks are isolated from each other (Overlapping IP Addresses)

Virtual Networks are isolated from underlying physical network (IPv6 over IPv4)
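The isolation claimed on this slide rests on the overlay tag, not on the tenant's addresses. The following is an added example, not part of the slides or of any vendor's code: a toy virtual switch that keys its forwarding table on the VXLAN VNI plus the inner destination address, so two tenants using the same 10.0.0.2 never collide and a frame tagged for one VNI cannot be delivered into another. The 8-byte header follows RFC 7348; the "src|dst|payload" inner frame, the VNI numbers, the VM names and the addresses are constructed for the example.

```python
"""Constructed example (not from the slides): VXLAN-style overlay isolation.

Two virtual networks use the same IP range. The hypervisor's virtual switch
keys its forwarding table on (VNI, inner destination address), so the
overlapping addresses never collide and a frame tagged for one VNI cannot be
delivered to a VM in another. The 8-byte header layout follows RFC 7348; the
inner frame is simplified to "src|dst|payload" bytes to stay self-contained.
"""
import struct
from ipaddress import ip_address

VXLAN_FLAG_I = 0x08  # RFC 7348 'I' flag: the VNI field is valid
HEADER = "!B3sI"     # flags (1), reserved (3), VNI << 8 | reserved (4)


def encap(vni: int, inner: bytes) -> bytes:
    """Prepend a VXLAN header carrying the 24-bit VNI to an inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack(HEADER, VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8) + inner


def decap(packet: bytes):
    """Parse the VXLAN header; return (vni, inner). Reject malformed headers."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack(HEADER, packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return vni_field >> 8, packet[8:]


def frame(vni: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build an encapsulated frame. src/dst may be IPv4 or IPv6: the overlay
    address family is independent of the physical underlay."""
    inner = f"{ip_address(src)}|{ip_address(dst)}|".encode() + payload
    return encap(vni, inner)


class VirtualSwitch:
    """One forwarding table per VNI: lookups are scoped to the virtual network."""

    def __init__(self):
        self.tables = {}  # vni -> {destination address: vm name}

    def attach(self, vni: int, addr: str, vm: str) -> None:
        self.tables.setdefault(vni, {})[str(ip_address(addr))] = vm

    def deliver(self, packet: bytes):
        """Return (vm, payload) for a deliverable frame, or None to drop it."""
        vni, inner = decap(packet)
        _src, dst, payload = inner.split(b"|", 2)
        # The VNI from the header selects the table; an address that exists only
        # in another tenant's table is unknown here, so the frame is dropped.
        vm = self.tables.get(vni, {}).get(dst.decode())
        if vm is None:
            return None
        return vm, payload


def build_demo_switch() -> VirtualSwitch:
    """Constructed tenants: VNI 100 and VNI 200 both use 10.0.0.2; tenant B also has IPv6."""
    sw = VirtualSwitch()
    sw.attach(100, "10.0.0.2", "web-a")
    sw.attach(200, "10.0.0.2", "web-b")
    sw.attach(200, "2001:db8::2", "db-b")
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print(sw.deliver(frame(100, "10.0.0.1", "10.0.0.2", b"hello")))  # ('web-a', b'hello')
    print(sw.deliver(frame(200, "10.0.0.1", "10.0.0.2", b"hello")))  # ('web-b', b'hello')
    print(sw.deliver(frame(300, "10.0.0.1", "10.0.0.2", b"hello")))  # None: no such virtual network
```

The point for a defender is where the trust sits: the tenant controls the inner addresses, but only the virtualisation layer writes the VNI, so the isolation is exactly as strong as the vSwitch and VTEP configuration that assigns it.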

Page 15: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Central Policies, Distributed Enforcement, Move with VMs

[Figure: the same Security Policy applied at each host, with the Internet at the edge]
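To show what "central policy, distributed enforcement, moves with the VM" means mechanically, here is an added example that is not from the slides or from any vendor's product: rules are written against VM labels (security groups) only, each hypervisor compiles just the entries for VMs placed on it, and after a migration re-compiling the two hosts is all it takes for the same rule to be enforced at the new location. The VM names, addresses, labels and host names are constructed.

```python
"""Constructed example (not from the slides): a central policy written against
VM labels, compiled into per-host enforcement tables, and re-compiled when a
VM migrates so the policy follows it. Names, addresses and the 'security
group' labels are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_group: str   # label of the sending VM (e.g. "app")
    dst_group: str   # label of the receiving VM (e.g. "db")
    port: int        # destination TCP port
    action: str      # "allow" or "deny"


@dataclass
class VM:
    name: str
    ip: str
    groups: frozenset
    host: str        # hypervisor the VM currently runs on


class CentralPolicy:
    """Single source of truth; rules never mention hosts or IP addresses."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)   # ordered, first match wins
        self.default = default

    def ports(self):
        return sorted({r.port for r in self.rules})

    def decide(self, src: VM, dst: VM, port: int) -> str:
        for r in self.rules:
            if r.src_group in src.groups and r.dst_group in dst.groups and r.port == port:
                return r.action
        return self.default


def compile_host(policy: CentralPolicy, inventory: dict, host: str) -> dict:
    """Distributed enforcement: a host's vSwitch only needs entries for flows
    whose destination VM is placed on that host."""
    table = {}
    local = [vm for vm in inventory.values() if vm.host == host]
    for dst in local:
        for src in inventory.values():
            if src.name == dst.name:
                continue
            for port in policy.ports():
                table[(src.ip, dst.ip, port)] = policy.decide(src, dst, port)
    return table


def enforce(table: dict, src_ip: str, dst_ip: str, port: int) -> str:
    """Per-host check at the vSwitch; anything that was not compiled is denied."""
    return table.get((src_ip, dst_ip, port), "deny")


def migrate(inventory: dict, vm_name: str, new_host: str) -> None:
    """Live-migration style move: only the placement changes, not the policy or the IP."""
    inventory[vm_name].host = new_host


def demo_inventory() -> dict:
    vms = [  # constructed
        VM("web1", "10.0.0.10", frozenset({"web"}), "host-a"),
        VM("app1", "10.0.0.20", frozenset({"app"}), "host-a"),
        VM("db1", "10.0.0.30", frozenset({"db"}), "host-b"),
    ]
    return {vm.name: vm for vm in vms}


def demo_policy() -> CentralPolicy:
    return CentralPolicy([
        Rule("web", "app", 8080, "allow"),
        Rule("app", "db", 3306, "allow"),
        # everything else falls through to the default deny
    ])


if __name__ == "__main__":
    inv, policy = demo_inventory(), demo_policy()
    table_b = compile_host(policy, inv, "host-b")
    print(enforce(table_b, "10.0.0.20", "10.0.0.30", 3306))  # allow: app1 -> db1
    print(enforce(table_b, "10.0.0.10", "10.0.0.30", 3306))  # deny: web1 may not reach db1
    migrate(inv, "db1", "host-a")
    table_a = compile_host(policy, inv, "host-a")
    print(enforce(table_a, "10.0.0.20", "10.0.0.30", 3306))  # allow: same rule, new host
    print(("10.0.0.20", "10.0.0.30", 3306) in compile_host(policy, inv, "host-b"))  # False
```

Two design choices carry the security property: the compiled table is derived, never edited by hand on the host, and an uncompiled flow defaults to deny, so a host that misses a re-compile fails closed rather than open.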

Page 16: Network Function Virtualization - Security Best Practices AtlSecCon 2015

The Power of Distribution

Page 17: Network Function Virtualization - Security Best Practices AtlSecCon 2015

Integrated Cloud Stacks - OpenStack

Source: Openstack.org

Page 18: Network Function Virtualization - Security Best Practices AtlSecCon 2015

OpenStack Neutron Architecture

[Figure: Neutron networks - Management Network, Data Network, External Network, API Network, Internet]

Page 19: Network Function Virtualization - Security Best Practices AtlSecCon 2015

OpenStack Neutron – Compute Node

Page 20: Network Function Virtualization - Security Best Practices AtlSecCon 2015

OpenStack Neutron – Network Node

[Figure: network node with links To Public Network and To Private Network]

Page 21: Network Function Virtualization - Security Best Practices AtlSecCon 2015

NFV Challenges

Very Quickly Evolving Standards

Still some industry work to do on standardization of transport-layer (Data Center Extension) services (i.e. MPLS, VXLAN)

Some very new NFV software stacks require market testing for security

Initial complexity of deployment and learning curve means a higher risk of mis-configuration and security exposure

Must trust the inherent security barriers between the management and control planes.

Extreme diligence on securing the management plane of a virtualized system, for obvious reasons.

Cloud Administrators are being thrust into the role of security architects in many cases.

Page 22: Network Function Virtualization - Security Best Practices AtlSecCon 2015

NFV Opportunities

Very Rapid Deployment Models

Allows for significantly quicker recovery from incidents.

Create new DMZ, redeploy VMs, add firewall in minutes rather than days

Allows the addition of extra layers of security with lower costs.

Many virtualized firewalls are significantly cheaper than traditional H/W based devices

Flexibility to easily, rapidly, dynamically provision and instantiate new services in various locations

Improved operational efficiency

Software-oriented innovation to rapidly prototype and test new services

More service differentiation & customization

Reduced operational costs (OPEX): reduced power, reduced space, improved network monitoring

IT-oriented skillset and talent

Rapid development of software based virtual security appliances

Page 23: Network Function Virtualization - Security Best Practices AtlSecCon 2015

NFV Security Best Practices

Stick to traditional best practices

Defense in depth

Log management (Including accurate time/date stamps)

Diligence on software bugs (some NFV stacks have much lower public scrutiny)

Don’t assume software teams have network security experience

Layer 2 Security

Isolated VLANS for Secure Zones

Layer 3 Security

Access Control via Access List and Firewall Rules

IPS/IDS
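The challenges slide warns that a steep learning curve raises the risk of mis-configuration and that the management plane needs extreme diligence; this slide answers with access lists and firewall rules. The following is an added example, not from the slides or from any product: a small static audit of an ordered allow/deny rule set that flags the management VLAN being reachable from outside it, remote-admin ports open to any source, and a rule set with no explicit trailing deny-all. The management CIDR, the admin-port set and the sample rules are constructed values; `ports` is a `(low, high)` tuple or `"any"`.

```python
"""Constructed example (not from the slides): a static audit of an ordered
firewall / access-list rule set for the misconfigurations the slides warn
about. The management VLAN CIDR, the admin-port set and the rules themselves
are made-up values for this example; 'ports' is a (low, high) tuple or "any".
"""
from ipaddress import ip_network

MGMT_NET = ip_network("10.250.0.0/24")   # assumed management VLAN (constructed)
ADMIN_PORTS = {22, 3389, 5900, 8443}      # remote-admin ports (example set)
ANY4 = "0.0.0.0/0"
DEFAULT_DENY = {"id": "deny-all", "src": ANY4, "dst": ANY4, "ports": "any", "action": "deny"}


def port_range(spec):
    """Normalise the port field to an inclusive (low, high) pair."""
    return (0, 65535) if spec == "any" else spec


def audit(rules, mgmt_net=MGMT_NET, admin_ports=ADMIN_PORTS):
    """Return a list of (rule id, finding code); '*' marks a rule-set-level finding."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = ip_network(r["src"]), ip_network(r["dst"])
        lo, hi = port_range(r["ports"])
        # 1. Management plane reachable from outside the management VLAN.
        #    Overlap/subnet checks only make sense within one address family.
        dst_hits_mgmt = dst.version == mgmt_net.version and dst.overlaps(mgmt_net)
        src_is_mgmt = src.version == mgmt_net.version and src.subnet_of(mgmt_net)
        if dst_hits_mgmt and not src_is_mgmt:
            findings.append((r["id"], "MGMT_REACHABLE_FROM_OUTSIDE"))
        # 2. A remote-admin port open to any source address.
        if src.prefixlen == 0 and any(lo <= p <= hi for p in admin_ports):
            findings.append((r["id"], "ADMIN_PORT_OPEN_TO_ANY"))
    # 3. The set must end in an explicit deny-all, so the default is not left
    #    to whatever the platform happens to assume.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["ports"] == "any"
            and ip_network(last["src"]).prefixlen == 0
            and ip_network(last["dst"]).prefixlen == 0):
        findings.append(("*", "NO_EXPLICIT_DEFAULT_DENY"))
    return findings


SAMPLE_RULES = [  # constructed rule set
    {"id": "r1", "src": ANY4, "dst": "10.10.0.0/24", "ports": (80, 80), "action": "allow"},         # public web: fine
    {"id": "r2", "src": ANY4, "dst": "10.250.0.0/24", "ports": (22, 22), "action": "allow"},        # SSH to mgmt from anywhere
    {"id": "r3", "src": "10.10.0.0/24", "dst": "10.250.0.5/32", "ports": (443, 443), "action": "allow"},  # tenant net -> mgmt API
    {"id": "r4", "src": "10.250.0.0/24", "dst": "10.250.0.0/24", "ports": "any", "action": "allow"},       # intra-mgmt: fine
]


if __name__ == "__main__":
    for rule_id, code in audit(SAMPLE_RULES):
        print(rule_id, code)
```

Run against the sample set it reports r2 twice (management from anywhere, and SSH open to any source), r3 once (tenant network into the management VLAN) and the missing deny-all; appending `DEFAULT_DENY` clears the last finding. A check like this belongs in the provisioning pipeline, before the rules are pushed, because the same automation that deploys a firewall in minutes will deploy a mis-configured one just as fast.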

Page 24: Network Function Virtualization - Security Best Practices AtlSecCon 2015

NFV Industry Resources

Cloud Security Alliance

OpenFlow (Cisco, HP, Juniper, Arista, Alcatel-Lucent, etc)

OpenDaylight Project (IBM, Cisco, Juniper, VMware, Microsoft, Dell, etc)

Cisco - Evolved Services Platform

Juniper - Contrail & vMX 3D Universal Edge Router

Alcatel-Lucent - CloudBand Platform

HP - OpenNFV Reference Architecture

VMware – NSX Virtualization Platform

F5 - Synthesis Architecture