Mitigating Security Risk in Practical vCPE Solutions

Ulrich Kohn analyzes security risks associated with the vCPE use case with a special focus on the virtualization layer and the virtual infrastructure manager. He describes attack vectors and explains technical controls provided with OpenStack to counter the emerging risk.

Mitigating Security Risk in Practical vCPE Solutions

Slide 1: Mitigating Security Risk in Practical vCPE Solutions
Ulrich Kohn, CISSP, Technical Marketing Director
Slide 2: Protection Is Becoming a Challenge
Multiple reasons why security is a key concern
• Attackers: from script kiddies to organized crime and intelligence services
• Increased sophistication: advanced persistent threats (APT), bootkit-based threats
• Disruptive technologies: control/data plane separation; virtualization; open versus proprietary
(Slide footer, repeated on every slide: © 2016 ADVA Optical Networking. All rights reserved. Confidential.)
Slide 3: NFV: Opportunity or Threat to Network Security?
Managed security services is a $20 to $30bn market – KEEP THE BALANCE
Opportunities:
• Immediate activation of security safeguards
• Security analytics
• PaaS and security offload, pooling of security expertise
• Application isolation, micro-segmentation, central control
• Image, patch management
Challenges:
• Larger attack surface, high-value targets
• Higher system complexity
• Shared resources, common hypervisor
• From proprietary to open protocols
• Out-of-country processing (compliance)
Slide 4: Vodafone VPN+ Multi-Vendor Demonstration at Mobile World Congress, February 2016
• Use Case 1: Automated site activation including firewalling
• Use Case 2: Automated scale-in and scale-out
• Use Case 3: DDoS prevention with analytics
Slide 5: Some Attack Vectors
[Figure: ETSI NFV reference architecture – Management and orchestration; Virtualised Network Functions (VNFs); NFV Infrastructure (NFVI) with Virtual Compute, Virtual Storage and Virtual Network on top of the Virtualisation Layer and the Hardware Resources (Compute, Storage, Network) – annotated with the attack vectors below]
• Disgruntled employee
• Hypervisor and controller attacks
• Customer portal, public APIs, e.g. DDoS
• Backdoor to hypervisor, control software
• Rogue VNF, noisy neighbor, malicious code
• Social engineering
• Spoofing, sniffing, MITM
• Compromise of remote debugging/test interfaces
• Increased complexity, human error
• Rootkit
Slide 6: OpenStack Security Controls
• Keystone authentication and token-based authorization
• TLS for accessing APIs
• SSH for VM management / system-level communication; SSH key injection with VM creation
• Multi-tenant capability
• Traffic isolation by VLANs, Linux namespaces, security groups (Neutron, Nova); port/tenant based: address filter, firewall, NAT
• Availability zones
• Sanitization of released storage space
[Figure: Virtual Infrastructure Manager (VIM) components – Horizon (Dashboard), Nova (Compute Service), Neutron (Network), Glance (Images), Swift (Object Storage), Cinder (Volume Service), Keystone (Identity Service); exposed interfaces: API, Authentication, Network, Images, Volumes, Objects]
Slide 7: vCPE Use Case – Edge NFV
[Figure: Enterprise site connected over a Carrier Ethernet Metro Network to the Communication Service Provider's core IP-MPLS network and servers (e.g. video); the FSP 150 ProVM with integrated server at the enterprise edge hosts vRouter, vFirewall and vIDS]
Challenges with OpenStack in a distributed compute environment
• OpenStack optimized for DC applications within security perimeter
• vCPE use case: internal OpenStack interfaces connect over public networks
• End point in untrusted environment (CSP view)
• Present implementations do not provide comprehensive security controls*
*Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com; Dec. 2015
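An added audit check for the two points made on slides 6 and 7 (example code written for this page, not ADVA's or OpenStack's own): TLS for the APIs is listed as a control, while in the vCPE case the internal OpenStack interfaces cross public networks, so a defender can scan the Keystone service catalog for endpoints that are still served over plain HTTP. The catalog is a constructed sample in the shape of the "catalog" field of a Keystone v3 token response; the hostnames and addresses are assumed.

```python
"""Audit a Keystone service catalog for OpenStack API endpoints not served
over TLS.  Added example for this page, not ADVA's or OpenStack's own code.
The catalog below is constructed; its shape follows the "catalog" field of a
Keystone v3 token response, and the hostnames/addresses are assumed."""
import json
from urllib.parse import urlparse

# Constructed sample: public endpoints use https, the internal/admin ones do
# not.  Inside a DC perimeter that is common; in the vCPE case those internal
# interfaces cross public networks, so every plaintext endpoint matters.
SAMPLE_CATALOG = json.dumps({"catalog": [
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "edge-site-1",
         "url": "https://nova.example.net:8774/v2.1"},
        {"interface": "internal", "region": "edge-site-1",
         "url": "http://10.0.0.5:8774/v2.1"},
    ]},
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "edge-site-1",
         "url": "https://keystone.example.net:5000/v3"},
        {"interface": "admin", "region": "edge-site-1",
         "url": "http://10.0.0.5:35357/v3"},
    ]},
]})


def find_plaintext_endpoints(catalog_json, trusted_interfaces=()):
    """Return (service, interface, url) for every endpoint whose URL scheme
    is not https.  Interfaces named in ``trusted_interfaces`` are exempted,
    which models a DC deployment where internal/admin traffic never leaves
    the security perimeter; pass none for a distributed edge deployment."""
    findings = []
    for service in json.loads(catalog_json)["catalog"]:
        for ep in service.get("endpoints", []):
            if ep.get("interface") in trusted_interfaces:
                continue
            if urlparse(ep["url"]).scheme.lower() != "https":
                findings.append((service["name"], ep["interface"], ep["url"]))
    return findings


if __name__ == "__main__":
    for name, iface, url in find_plaintext_endpoints(SAMPLE_CATALOG):
        print(f"plaintext endpoint: {name} ({iface}) -> {url}")
```

Run against a real deployment by replacing SAMPLE_CATALOG with the catalog from a token response; with no exemptions, the two internal/admin endpoints above are reported.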
Slide 8: A BT Perspective: Securing OpenStack Over the Internet
Source: “How NFV is different from Cloud: Using Openstack for Distributed NFV”, Peter Willis, BT; SDN and OF World Congress, Düsseldorf, Oct 2015.
Slide 9: Risk Mitigation in Edge NFV
[Figure: CPE device with VNFs running on virtual compute over a virtual and physical network layer, each layer annotated with the mitigations below]
• Risk mitigation with OpenStack security controls
• Security appliances such as IDS/IPS, firewalls, but also service assurance functions
• Security additions to DPDK, e.g. experimental Crypto API (Release 2.2), keep-alive signaling, new performance management functions
• Encryption per virtual connection and/or bulk encryption
• Trusted platform module, hardware security modules for secure boot, key integrity
Lower layer encryption becomes an essential security control
Slide 10: Security Assurance in Edge NFV
[Figure: three device classes plotted by assurance level (vertical axis) against functionality (horizontal axis); feature groups as they appear on the slide]
• COTS Server: open OS/hypervisor, x86 server
• Hybrid Server FSP 150 ProVM: open OS/hypervisor, x86 server, performance assurance, hardened SW/HW, HW encryption
• Hardened Server FSP 150vSE: open OS/hypervisor, x86 server, performance assurance, hardened SW/HW, OpenStack in box, HW acceleration, tamper resistant
Slide 11: Security Work of Selected Standard Bodies and Industry Alliances
• ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV-SEC 001, October 2014, plus SEC 00x releases in 2015
• OpenStack Foundation: “OpenStack Security Guide”; best practices and implementation guide for securing an OpenStack implementation
• ONF: “Principles and Practices for Securing Software-Defined Networks”, January 2015, ONF TR-511
• ONOS: security response process, security emergency team
• OPNFV security-related projects such as Moon, Barbican
Standard bodies and industry alliances focus on security
Slide 12: Securing Edge NFV Devices
• OpenStack in distributed compute environments calls for additional security controls
• Defense in depth for mitigating the attack surface in NFV-centric networks
• Pure-player software and hybrid edge NFV devices for different levels of security assurance
ADVA Optical Networking – your expert in edge NFV
Slide 13: Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.