We are pleased to share with you all an interesting article contributed by Avi Dorfman.
VP R&D at Telco Systems
All around the world, telecommunications operators and service providers are excited about the opportunities that Network Functions Virtualization (NFV) promise to provide. Although operational use of these software-centric technologies in this industry is still in early stages, many providers are actively testing and evaluating solutions in their labs and formulating their strategies for deployment. Leading companies such as AT&T, BT and NTT Communications have whetted the broader industry’s appetite for these emerging technologies through their success with actual use cases and by showing that the benefits are out there.
However, operators that begin to adopt NFV will encounter technologies that are much more IT-like, built upon open source software and white box hardware. This opens the network to vulnerabilities that didn’t exist before. NFV networks present several challenges and risks from a cyber security perspective. Service providers’ network security experts who are already working with the new technologies say the challenges are worth solving, and the risks worth mitigating, because the ultimate rewards of utilizing NFV are so compelling.
NFV Cyber Security Challenges
1. Security Pitfalls of OpenStack
OpenStack was created as a data center/cloud platform. As such, it assumes that both the OpenStack controller and the OpenStack compute nodes are on the same network and in short proximity. However in some Telecom NFV networks, the compute nodes are outside of the core, which requires the operator to loosen the security rules between the controller and the compute nodes. This slackening of the security causes some risks and challenges that must be addressed before OpenStack is suitable for service providers. All the OpenStack controllers need to run specific protocols, and rules in the firewalls must be configured in order to manage the flows. In some cases many pinholes must be opened in the firewall in order to allow OpenStack to work. Clearly this type of architecture is one of the major challenges when speaking about how to protect and secure the NFV infrastructure.
2. Both the data plane and the control plane are implemented in software
In the traditional environment, operators have devices or appliances that are dedicated to one task. The equipment usually contains some pieces of hardware that were created specifically for a single purpose or were optimized for that purpose. For example, on a switch, router or firewall, there might be an ASIC such as a packet processor that can provide a line rate or wire speed performance. These appliances containing these ASICs, network processors or other types of hardware are very stable. They are very good at handling peaks and increases in traffic and it’s hard to break them by overloading them. Now with NFV, the approach is to take the functions of the physical appliances and run them in software on an ordinary Intel CPU. Now, because the functions are running in software, they are much more vulnerable to increasing traffic loads—specifically the high volume loads that exist in DoS and DDoS attacks. It’s much easier to make the software based devices fail when there is a significant increase in load.
3. The control plane of each function is open for remote operation
In a traditional environment, the control plane allows for the service provider to provision and control the hardware devices and appliances. However, the control plane is largely predefined and has only a few options to be configured; for example, to change some rules on a device. Now with NFV, an entire host can be programmed by an external controller. This provides the opportunity for those devices to be taken over by a malicious actor. A second aspect is that some of the services are becoming self-service. In this mode, the end customer can go onto their exclusive portal and, for example, increase bandwidth on demand, or add a virtual function such as a firewall. These orders go to an orchestrator that controls and orchestrates the devices. This means that there is a connection between outside of the carrier world that goes up to the subscriber or user world that allows control of the network. This is another vulnerability or pinhole that can be exploited by attackers.
4. Malware may propagate easily across VMs and hosts
In today’s security schemes, much of the protection is applied at the perimeter. For example, there is a firewall or some other type of advanced protection that controls what goes in and out of the carrier network. Even with perimeter protection, it’s possible that the network can become infected with some malware that might be harmful or might allow an unauthorized person to get access into the network. The challenge with NFV is that now the entire network is made by hosting machines that run a virtualization environment. What’s more, the virtual machines reside all over the network, from the data center out to customer premises, and in mobile sites as well. Compared to the traditional network environment where most of these devices are single-purpose and well protected, now these devices are actually servers and they run in the virtualization environment. Each host actually has a virtual network that resides on it – a virtual switch – and the whole network is connected. Virtual machines are pieces of software that are frequently being instantiated (i.e., turned on and off). In this way malware software can propagate itself throughout the network by jumping from one virtual machine to another or from one virtual machine on one host to many other hosts.
To address these cyber security risks, the industry needs solutions that are able to handle the vulnerability, not only when it comes into the network but also assuming malware can already be present on the network. Security solutions need to be able to look at the points where malicious code can copy itself or communicate with the outside, which is on the NFV infrastructure; the layer that allows the virtualization, which is the hypervisor; the virtual switch, and so forth.
The NFV technology will change the entire telecom industry in the coming years. As it moves out from the data center to the carrier network itself, NFV holds the promise of bringing cost savings and new business opportunities. However there are several threats and security problems that come with this technology migration. Operators and other service providers who are accustomed to a very closed and protected environment must now consider how to protect the open NFV infrastructure that punches holes in the traditional separation between the control plane and the data plane.