securing nfv and sdn integrated openstack cloud: challenges and solutions

Upload: trinath-somanchi

Post on 22-Jan-2018
Page 1: Securing NFV and SDN Integrated OpenStack Cloud: Challenges and Solutions

Page 2

Securing NFV and SDN Integrated OpenStack Cloud

Challenges and Solutions

Sridhar Pothuganti

Trinath Somanchi

INDIA

Page 3

Session Outline

• SDN and NFV – Complementing the cloud.

• Threat Analysis.

• Solving Security challenges.

• Security Hardened NFV and SDN integrated OpenStack Cloud.

• OPNFV Security Initiatives.

• OpenStack Security Initiatives.

• NXP Security Platform.

• Security check list.

• Security Recommendations.

Page 4

Complementing the Cloud

Reference: https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-sdn-nvf-solution.pdf

SDN Architecture:
• Logically centralized intelligence.
• Programmability.
• Abstraction.

NFV Architecture:
• Virtualized Network Functions.
• COTS NFVI.
• Logically distributed management.

[Figure: SDN layers (Application Layer with Apps, Open Northbound API, Control Layer with control layer componentization, Open Southbound API, Infrastructure Layer) side by side with Network Function Virtualization (VNFs composed into Network Services over Network Functions).]

Page 5

Threat Analysis

Page 6

NFV – Threat Analysis

NFV Vulnerabilities and Weaknesses

NFVI
• Vulnerabilities: Shared resources; Insecure interfaces; Improper control and monitoring; Design flaws; Improper security enforcement.
• Attacks: Conventional attacks (DoS/DDoS); Manipulation of VM OS; Data destruction; Hypervisor-level attacks; Hardware attacks.

VNF
• Vulnerabilities (inside): Software crashes; Software design flaws; Software bugs.
• Vulnerabilities (outside): 3rd party networks; Shared resources; Multi-tenancy issues; Noisy neighbor.
• Attacks: Conventional attacks; Control plane attacks.

MANO
• Vulnerabilities: Inconsistent orchestration and management; Insecure interfaces; Data theft; Compromised policies and isolation.
• Attacks: Conventional attacks; Orchestration and control plane attacks.

Page 7

SDN – Threat Analysis

[Figure: SDN planes – Application Plane (AP): Business Applications; North Bound Interfaces – NBI: programmable open APIs; Control Plane (CP): SDN Controller; South Bound Interfaces – SBI: control and data plane programmable interface, e.g. OpenFlow; Data Plane (DP).]

Threats across the planes:
• Unauthorized access to Controller and Applications.
• Misconfiguration – SDN element failures.
• Malicious application threats via integrated 3rd party applications.
• Improper configuration of security policies.
• Insecure interfaces / API threats.
• Improper Controller configuration and bugs.
• Controller operating system vulnerabilities.
• OpenFlow vulnerabilities.
• Vulnerabilities in interconnected network elements.
• Conventional attacks (DoS/DDoS).
• Data leakage/theft.
• Account data leakage threat.
• TLS absence threat.
• Controller unavailability – DoS/DDoS.

Page 8

Security Challenges

[Figure: ETSI NFV reference architecture – OSS/BSS; EMS 1..n and VNF 1..n; NFVI (compute, storage and network virtualization over hardware); Orchestrator, VNF Manager(s) and Virtualized Infrastructure Manager(s); Service, VNF and Infrastructure Description; reference points Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi, Vn-Nf, Vi-Ha.]

NFV Infrastructure
• Attacks on shared pool of resources.
• Hypervisor layer attacks.
• Vulnerabilities in virtualized entities.

VNF Layer
• DoS/DDoS attacks.
• Control plane attacks.
• Noisy neighbor.
• Attacks due to insecure interfaces, control and monitoring gaps.
• Different vendor NFV standards.

SDN Fabric
• Attacks on forwarding plane.
• Flooding of network.
• Weak ACL in control and management plane.
• Vulnerabilities in SDN resources.

NFV MANO
• Weak access control.
• Inefficient monitoring.
• Vulnerabilities in underlying layers.

OSS/BSS
• Vulnerabilities in underlying layers.
• Weak ACL and monitoring.
• DoS/DDoS attacks in SDN fabric.
• Vulnerabilities due to deployed legacy systems.

Page 9

Threat focus on NFV and SDN Cloud

[Figure: Telco Cloud topology – VNFs (Voice, BB, IPTV) with their EMS; VNF Manager; SDNC; OSS/BSS; NFV Orchestrator (Network Orchestration, Service Orchestration); VIM; IP Edge and DC Edge.]

Threats called out on the diagram:
• Attacks from VMs.
• Attacks on Host, Hypervisor and VM.
• DDoS/MiM/Network Traffic Poisoning attacks.
• Attacks from remote/3rd party applications.

Page 10

Building Comprehensive Security

• The TRUST domain.

• SDN Controller security.

• Security analytics.

• Virtual Security Functions (VSFs and ISFs)

• Role based access and identity management.

• MANO Security.

• NFVI – Hypervisor and Physical layer security hardening.

• Secured interfaces - Security Automation

Page 11

Solving Security Challenges

Page 12

Security Hardening - Approaches

• Architectural approaches
  • ETSI NFV Security Management Framework

• Layered Approaches
  • VNF Security
  • MANO Security
  • SDN Security
  • VIM Security (OpenStack)
  • NFVI Security

Page 13

NFV Security Management Framework

• NFV Security Manager - NSM
  • Overall Security Management.
  • Security Policy Planning, Enforcement and Validation.

• Security Element Manager - SEM
  • EMS managing VSFs.

• Virtualized Security Function - VSF
  • Logically coupled and de-coupled Security for VNFs.
  • Network Service centric deployment.

• NFVI based Security Functions - ISF
  • Hypervisor based FWs.
  • HSM and Crypto Accelerators.

• Physical Security Functions – PSF
  • Out of the scope PSFs, managed by SEMs.

[Figure: ETSI NFV reference architecture (OSS/BSS; EMS 1..n and VNF 1..n; NFVI with compute, storage and network virtualization over hardware; Orchestrator, VNF Manager(s) and Virtualized Infrastructure Manager(s); reference points Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi, Vn-Nf, Vi-Ha) overlaid with the security management elements: NFV Security Manager, Security EMs, VSF, Infrastructure Security Functions and Physical Network Functions.]

Page 14

Security Hardening - Approaches (repeat of the Page 12 slide)

Page 15

VNF Security

VNF LCM Security Monitoring
• Vulnerability scanning at regular intervals.
• Patch management and version upgrade.
• Security wipe on termination of a VNF instance.

VNF Package Management – Onboarding
• Integrity checks: check whether the VNF package includes the various components expected, and whether they are free of tampering.
• Trust checks: check whether the VNF package consists of components from trusted vendors/suppliers.
• In both of these cases, the use of cryptographic signing and certificates can provide assurances.

VNF External Security
• Noisy Neighbor – Attack: an instance of a VNF/VNFC trying to exhaust all the resources. Mitigation: isolate each VM/container and limit resources in the VNFD.
• VM escape attack – Attack: malware in a VM trying to access the resources of the hypervisor or host. Mitigation: proper access control list with only the necessary resource-sharing with the VM.
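The two onboarding checks above (integrity and trust backed by cryptographic signing), as an added Go example that is not code from the deck or from any NFV project: a vendor signs a SHA-256 manifest of the package components with an Ed25519 key, and onboarding accepts the package only if the signature verifies under a trusted vendor key and the delivered components still hash to the signed manifest. Package contents, keys and the manifest format are constructed for the example; a real onboarding step would read them from the VNF package archive and a vendor certificate store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is a VNF package at onboarding time: component name -> bytes (constructed in memory here).
type Package map[string][]byte

// BuildManifest lists "name sha256hex" per component, sorted by name, giving stable bytes to sign.
func BuildManifest(p Package) string {
	names := make([]string, 0, len(p))
	for n := range p {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(p[n])
		fmt.Fprintf(&b, "%s %x\n", n, sum[:])
	}
	return b.String()
}

// VerifyPackage runs the two onboarding checks from the slide: integrity (delivered components
// hash exactly to the signed manifest) and trust (the manifest is signed by a trusted vendor key).
func VerifyPackage(p Package, manifest string, sig []byte, trustedVendors []ed25519.PublicKey) error {
	if BuildManifest(p) != manifest {
		return errors.New("integrity check failed: components differ from signed manifest")
	}
	for _, pub := range trustedVendors {
		if ed25519.Verify(pub, []byte(manifest), sig) {
			return nil // trust check passed: a trusted vendor signed this manifest
		}
	}
	return errors.New("trust check failed: manifest not signed by a trusted vendor")
}

// Demo: a trusted vendor signs a package; a tampered image and a signature from an
// unknown key are then rejected. Keys and contents are constructed for the demo.
func Demo() (validErr, tamperedErr, untrustedErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []ed25519.PublicKey{vendorPub}
	pkg := Package{"vnfd.yaml": []byte("vnfd: demo\n"), "image.qcow2": []byte("constructed-image-bytes")}
	manifest := BuildManifest(pkg)
	sig := ed25519.Sign(vendorPriv, []byte(manifest))
	validErr = VerifyPackage(pkg, manifest, sig, trusted)
	tampered := Package{"vnfd.yaml": pkg["vnfd.yaml"], "image.qcow2": []byte("constructed-image-bytes-altered")}
	tamperedErr = VerifyPackage(tampered, manifest, sig, trusted)
	untrustedErr = VerifyPackage(pkg, manifest, ed25519.Sign(roguePriv, []byte(manifest)), trusted)
	return
}
```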

Page 16

MANO Security – Two Faces

NFVO and VNFM – Management and Orchestration entities
• Attacks:
  • An attacker can get access to the Orchestrator and instantiate a modified VNF. This can break access privileges and VNF isolation.
  • VNF placement attacks.
• Security Solutions:
  • Secured communication and access.
  • Security monitoring system – detect and separate defective VNFs.
  • Storage protection.

Security MANO
• Management and Orchestration of VSF, ISF and PSF.
• Automation of Security Management.
• Similar to VNF Orchestration and Management.
• Security Policy enforcement for Network Service.
• Not limited to Security functions in the virtualized network, but also security functions in the traditional physical network to enhance the overall protection level.

Page 17

SDN Security

• Monitor and detect malicious flows in the data plane and restrict/isolate the traffic.
• Use separate VLANs for data and management traffic isolation.
• Use IPSEC-VPN for secured communication across overlay networks.
• Monitor the traffic and update Firewall policies – Perimeter defense.
• Trust attestation of applications.
• Secured Communication channel between planes.
• Reactive flow deployment.
• Detect and isolate defective applications.
• Strict access control to SDN Controller.
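Monitoring data-plane flows and reactively isolating an offending source (the first and the "reactive flow deployment" bullets above), as an added Go example that is not code from the deck or from any SDN controller: flow records in the shape a controller could assemble from switch statistics are grouped by source, and a source whose fan-out to distinct destination:port pairs exceeds a threshold gets a drop rule. The records, the MaxFanout threshold and the DropRule shape are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// FlowRecord is one data-plane flow as a controller could assemble it from
// switch flow statistics. The records used below are constructed for the example.
type FlowRecord struct {
	Src     string
	Dst     string
	DstPort int
}

// MaxFanout is the constructed policy threshold: a source reaching more than this
// many distinct destination:port pairs in one window is treated as flooding/sweeping.
const MaxFanout = 10

// DropRule is the reactive response the controller would push to the data plane
// to isolate the offending source (shape constructed for the example).
type DropRule struct {
	MatchSrc string
	Reason   string
}

// DetectFlooding groups flows by source and returns a drop rule for every source
// whose fan-out exceeds MaxFanout, sorted by source so the output is stable.
func DetectFlooding(flows []FlowRecord) []DropRule {
	targets := map[string]map[string]struct{}{}
	for _, f := range flows {
		if targets[f.Src] == nil {
			targets[f.Src] = map[string]struct{}{}
		}
		targets[f.Src][fmt.Sprintf("%s:%d", f.Dst, f.DstPort)] = struct{}{}
	}
	var rules []DropRule
	for src, seen := range targets {
		if len(seen) > MaxFanout {
			reason := fmt.Sprintf("%d distinct destination:port pairs in one window", len(seen))
			rules = append(rules, DropRule{MatchSrc: src, Reason: reason})
		}
	}
	sort.Slice(rules, func(i, j int) bool { return rules[i].MatchSrc < rules[j].MatchSrc })
	return rules
}

// SampleFlows builds a constructed window: one tenant VM (10.0.1.5) talking normally
// to two services, and one VM (10.0.1.99) sweeping port 22 across 10.0.3.0/24.
func SampleFlows() []FlowRecord {
	flows := []FlowRecord{
		{Src: "10.0.1.5", Dst: "10.0.2.10", DstPort: 443},
		{Src: "10.0.1.5", Dst: "10.0.2.11", DstPort: 443},
	}
	for i := 1; i <= 40; i++ {
		flows = append(flows, FlowRecord{Src: "10.0.1.99", Dst: fmt.Sprintf("10.0.3.%d", i), DstPort: 22})
	}
	return flows
}
```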

Page 18

VIM Security (OpenStack)

Keystone (A&A)
• Enable Federated Identity.
• Access policies.
• Non-persistent tokens.
• Strong HA for PKI tokens.

Nova
• Trusted Compute pools.
• Keypair based access to VMs.
• Encrypting metadata traffic.
• SELinux and virtualization.
• FIPS 140-2 certified hypervisors.
• Compiler hardening.
• Secured communication.

Neutron
• Networking resource policy engine.
• Security Groups.
• Enable quotas.
• Mitigate ARP spoofing.
• Secured communications.

Glance
• Ownership of images.
• Strictly checked configuration.
• Keystone for authentication.
• Encryption of images.
• Vulnerability checks on images.

Cinder
• Secured communication.
• Limit max request body size.
• Strict permissions and configuration.
• Enable volume encryption.
• Secured network attached storage.

Swift
• Network security – rsync.
• File permissions.
• Secured storage services.
• Strict ACL.
• Secured communication.

Barbican
• Key Management as a Service.
• Manage secrets, PKI keys, split keys.
• Isolation of keys is a top priority.

OpenStack Security
• OpenStack Security Advisories (OSSA)
• OpenStack Security Notes (OSSN)
• OpenStack Security Guide
• OpenStack Security Project blog
• OpenStack Security Management tools.

Page 19

NFVI Security

Firmware Security
• Secure boot.
• Trusted Platform Module or TrustZone.
• Secure Monitor.
• Tamper detection.
• Hardware root of trust.
• Run-time integrity check.

Kernel Security
• Adopting Security Enhanced (SE) Linux.
• Trusted Execution Environment (TEE).
• Patch kernel for vulnerabilities.
• I/O isolation.

Hardware Security
• Secure key storage.
• Secure monitoring.
• Hardware accelerators – Firewall and IPSec.
• Strong I/O virtualization.

Page 20

Run-Time Security Management and Enforcement

[Figure: NXP run-time security stack. Management and enforcement layer: OP-TEE framework and drivers; Secure Installer and Loader; Secure Credential Mgmt; Secure Storage; Secure System Partitioning and Resource Mgmt; Secure Monitoring and Statistics; Secure Provisioning and Update. Tools: LUKS dm-crypt; TSS PKCS-11; Extended Verification Module; Integrity Measurement Architecture; QorIQ Trust Tools. Application Isolation Environment: I/O isolation and protection; SE-Linux; KVM, Docker, Java; isolated applications. Linux LTS kernel with the latest security patches. Trust Architecture: ARMv8 cores with ARM TrustZone; Secure Boot – HW Root of Trust; Secure Monitor; Compute, IO and Memory partitioning; Run-Time Integrity Checker; Secure Key Storage.]

NFVI Security - NXP

Trust Architecture features:
1. Secure Boot
2. Secure Storage
3. Key Protection
4. Key Revocation
5. Secure Debug
6. Tamper Detection
7. Strong Partitioning
8. Manufacturing Protection

All QorIQ SoCs support Trust Architecture

Page 21

OPNFV Security Initiatives

Project - Moon

Security Management System. Management of isolation and protection of, and interaction between, these VNFs becomes a big challenge. In order to avoid losing control over the VNFs in the cloud, Moon aims at designing and developing a security management system for OPNFV.

Project proposal: https://wiki.opnfv.org/display/moon/Moon+Project+Proposal

OPNFV Security Group

A group dedicated to improving OPNFV security through architecture, documentation, code review and vulnerability management.

Security is part of the INFRA working group, together with Releng, Octopus and Pharos. See more information at https://wiki.opnfv.org/display/INF.

Project - SecurityScanning

Ensures security compliance and vulnerability checks, as part of an automated CI/CD platform delivery process and as a standalone application.

The project makes use of the existing SCAP format to perform deep scanning of NFVi nodes, to ensure they are hardened and free of known CVE-reported vulnerabilities. The SCAP content itself is then consumed and run using an upstream open source tool known as OpenSCAP.

Page 22

OpenStack Security Initiatives

Project - Barbican

Barbican is the OpenStack Key Manager service. It provides secure storage, provisioning and management of secret data. This includes keying material such as symmetric keys, asymmetric keys, certificates and raw binary data.

Project - Anchor

Anchor is a lightweight, open source Public Key Infrastructure (PKI), which uses automated provisioning of short-term certificates to enable cryptographic trust in OpenStack services.

Certificates are typically valid for 12-24 hours and are issued based on the result from a policy-enforcing decision engine. Short-term certificates enable passive revocation, bypassing the issues with the traditional revocation mechanisms used in most PKI deployments.
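Passive revocation through short-term certificates, as an added Go example that is not Anchor's own code: a constructed CA issues a 12-hour service certificate, and a verifier that simply honours NotAfter refuses it once the lifetime has elapsed, with no CRL or OCSP lookup involved. The CA, the key pairs and the service name nova-api.example.internal are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertLifetime is the issued certificate's validity, inside the 12-24 hour window the slide describes.
const CertLifetime = 12 * time.Hour

// ServiceName is the constructed service identity the certificate is issued for.
const ServiceName = "nova-api.example.internal"

// issue signs tmpl with the parent's key (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueShortTerm builds a constructed CA and issues a service certificate that
// expires CertLifetime after now. Keys are generated fresh for the example.
func IssueShortTerm(now time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-anchor-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, nil, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: ServiceName},
		DNSNames:  []string{ServiceName},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(CertLifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return
}

// Accepted reports whether a client validating at time `at` would accept leaf under ca.
// No CRL or OCSP lookup is made: once NotAfter has passed the chain simply fails to
// verify, which is the passive revocation that short lifetimes provide.
func Accepted(ca, leaf *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ServiceName, CurrentTime: at})
	return err == nil
}
```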

Secured Code

• Bandit - security linter for Python source code, utilizing the ast module from the Python standard library. Several projects leverage it in their CI gate tests.

• Syntribos - an open source automated API security testing tool, maintained by members of the OpenStack Security Project.

OpenStack Security Advisory (OSSA) and Security Notes (OSSN): targeted at OpenStack users and vendors who either run or package OpenStack for use by downstream consumers.

OpenStack Security Guide: https://docs.openstack.org/security-guide/index.html

Page 23

NXP Security Platform

Secure Boot
• QorIQ Trust Architecture provides HW Root of Trust.
• Anti-cloning features.
• Anti-rollback to vulnerable firmware.
• Persistent secret storage not visible to hackers.

Secure Provisioning
• Secure signing of images and key provisioning.
• 3-way secrets isolation between NXP, ODM and customer.
• Secured firmware upgrades.

Trusted Linux
• Secure run-time system operations.
• Secure credential management – e.g. DRM keys.
• Detect tampering of software via integrity checks.
• Decrypt system firmware on-the-fly.

Application Isolation
• Isolate and host multiple services in containers, VMs.
• Verify applications before install and launch.
• HW level resource isolation and management.

Crypto Acceleration
• NIST certified Security engine with rich algorithm support.
• True Random Number Generation with 100% entropy.
• Integrated with Linux IPSec and OpenSSL.

[Figure: Secure vCPE platform block diagram. Hardware (LS1012, LS1024, LS1043, LS1046): ARM CPUs up to 100K CoreMark; Trust Arch; Packet Engine 2-20 Gbps; Ethernet Controllers 2x 1GE -> 2x 10GE; Security Engine; 802.11ax, ac, ad. Software: Linux NW stack; KVM / Docker; Virtual Networking and Security drivers; Layer 2 – 4 offload (IPSec, Firewall, NAPT, QoS); Virtualization Framework; DPDK, ODP; VNFs on top.]

Secure Platform

Secure-Boot is just the beginning – Security needs to cover the entire System.

Page 24

Security Hardened NFV and SDN integrated OpenStack Cloud

[Figure: the Telco Cloud topology of Page 9 (VNFs Voice, BB, IPTV with EMS; VNF Manager; SDNC; OSS/BSS; NFV Orchestrator with Network and Service Orchestration; VIM; IP Edge; DC Edge) with the security additions: Security Orchestration, Virtualized Security, Physical Security, and a VNF Security Engine providing Firewall, IPS/IDS, Authorized Access, Security Policing and Trust attestation.]

Page 25

Security Checklist

• Monitor Virtual networks – Daily practice.
• VNF FCAPS – Analysis and Analytics.
• OpenStack communication via Secured tunnels.
• Encrypted password for DB access – Monthly TODO.
• Verify VNF images for Vulnerabilities.
• Infra design – Network Security Defense patterns.
• Scan block storage.
• Strict Policy and Security groups.
• OpenStack Security ML.
• Hardware Crypto accelerators.
• Role based access control.
• Scan the complete cloud.

• Secure the Data plane layer – Use TLS 1.2 for authentication.
• Security Harden SDN Controller Operating System.
• Strict authentication and Authorization to SDN Controller.
• Implement HA of SDN Controller to guard against DDoS attacks.
• Enable Application level Security.
• Use TLS or SSH – NBC and Controller management.
• All routers and switches security hardened.
• Isolate tenant traffic from management traffic.
• Periodically patch the software components for vulnerabilities.
• Security Monitoring – a daily practice.
• Adopt Security Orchestrator frameworks – VSF Orchestration.
• Isolated Key Manager – a chest for all keys.
• Encrypt and split the storage.
• ReSTful communication – Secured.
• No Test ports/API at Production.
• Upgrade the system – for security bug fixes.
• Distributed SDN Controllers and VNF Managers – Large DC.
• Leverage Hardware security capabilities.
• FIPS 140-2 certified Hypervisors.
• Federated Identity.

ABSOLUTE SECURITY IS A MYTH.

Page 26

That's all folks

Thank you all

Glossary of Terms

VNF – Virtual Network Function

VSF – Virtual Security Function

ISF – Infrastructure Security Function

TPM – Trusted Platform Module

HSM – Hardware Security Module

AAA – Authorization, Authentication and Accounting

DC – Data center

VIM – Virtual Infrastructure Manager

MANO – Management and Orchestration

VNFM – VNF Manager

NFVO – Network Function Virtualization Orchestrator

sVIRT – Secured Virtualization

PME – Pattern Matching Engine.

Questions/Discussion

Sridhar Pothuganti – Email: [email protected]: SridharP

Trinath Somanchi – Email: [email protected]: trinaths