Home | Reports | Technical Documents | Tech-Blog | One-Shot Gallery | Korea ICT News | Korea Communication Market Data | List of Contributors | Become a Contributor |    
Section 5G 4G LTE C-RAN/Fronthaul Gigabit Internet IPTV/Video Streaming IoT SDN/NFV Wi-Fi KT SK Telecom LG U+ Network Protocol Samsung   Korean Vendors
Real World Private 5G Cases   4 Deployment Models On-Premise Cases 5G Core Control Plane Sharing Cases

5G Core Sharing Cases

Private 5G Deployment   • Private 5G Frequency Allocation Status in Korea  South Korean government's regulations on private 5G and KT's strategy for entering the market
Cases in Korea   Private 5G Operators |   SK Networks Service (SI) Sejong Telecom (Wire-line Carrier) KT MOS (Affiliate of KT) • Newgens (SI) • NAVER Cloud more >>  
    Enterprise DIY |   Korea Hydro & Nuclear Power (Power Plant) Korea Electric Power Corporation (Energy) • Republic of Korea Navy more >>
CHANNELS     HFR Private 5G Solution (my5G)       my5G Solution Components       my5G Key Features        my5G Resources        my5G News          
4 Cyber Security Threats on NFV Networks
January 06, 2017 | By Avi Dorfman @ Telco Systems
Online viewer:
Comments (0)

We are pleased to share with you all an interesting article contributed by Avi Dorfman who is technology executive with over 20 years of experience in the development and delivery of telecommunications systems.



Avi Dorfman

VP R&D at Telco Systems



All Articles by Avi Dorfman

  How to contribute your article to Netmanias.com !  
  List of Contributors  




All around the world, telecommunications operators and service providers are excited about the opportunities that Network Functions Virtualization (NFV) promise to provide. Although operational use of these software-centric technologies in this industry is still in early stages, many providers are actively testing and evaluating solutions in their labs and formulating their strategies for deployment.


Leading companies such as AT&T, BT and NTT Communications have whetted the broader industry’s appetite for these emerging technologies through their success with actual use cases and by showing that the benefits are out there.


However, operators that begin to adopt NFV will encounter technologies that are much more IT-like, built upon open source software and white box hardware. This opens the network to vulnerabilities that didn’t exist before. NFV networks present several challenges and risks from a cyber security perspective.


Service providers’ network security experts who are already working with the new technologies say the challenges are worth solving, and the risks worth mitigating, because the ultimate rewards of utilizing NFV are so compelling.




NFV Cyber Security Challenges  


1. Security Pitfalls of OpenStack


OpenStack was created as a data center/cloud platform. As such, it assumes that both the OpenStack controller and the OpenStack compute nodes are on the same network and in short proximity.


However in some Telecom NFV networks, the compute nodes are outside of the core, which requires the operator to loosen the security rules between the controller and the compute nodes. This slackening of the security causes some risks and challenges that must be addressed before OpenStack is suitable for service providers.


All the OpenStack controllers need to run specific protocols, and rules in the firewalls must be configured in order to manage the flows. In some cases many pinholes must be opened in the firewall in order to allow OpenStack to work. Clearly this type of architecture is one of the major challenges when speaking about how to protect and secure the NFV infrastructure.


2. Both the data plane and the control plane are implemented in software


In the traditional environment, operators have devices or appliances that are dedicated to one task. The equipment usually contains some pieces of hardware that were created specifically for a single purpose or were optimized for that purpose. For example, on a switch, router or firewall, there might be an ASIC such as a packet processor that can provide a line rate or wire speed performance.


These appliances containing these ASICs, network processors or other types of hardware are very stable. They are very good at handling peaks and increases in traffic and it’s hard to break them by overloading them. Now with NFV, the approach is to take the functions of the physical appliances and run them in software on an ordinary Intel CPU.


Now, because the functions are running in software, they are much more vulnerable to increasing traffic loads—specifically the high volume loads that exist in DoS and DDoS attacks. It’s much easier to make the software based devices fail when there is a significant increase in load.


3. The control plane of each function is open for remote operation


In a traditional environment, the control plane allows for the service provider to provision and control the hardware devices and appliances. However, the control plane is largely predefined and has only a few options to be configured; for example, to change some rules on a device. Now with NFV, an entire host can be programmed by an external controller.


This provides the opportunity for those devices to be taken over by a malicious actor. A second aspect is that some of the services are becoming self-service. In this mode, the end customer can go onto their exclusive portal and, for example, increase bandwidth on demand, or add a virtual function such as a firewall.


These orders go to an orchestrator that controls and orchestrates the devices. This means that there is a connection between outside of the carrier world that goes up to the subscriber or user world that allows control of the network. This is another vulnerability or pinhole that can be exploited by attackers.


4. Malware may propagate easily across VMs and hosts


In today’s security schemes, much of the protection is applied at the perimeter. For example, there is a firewall or some other type of advanced protection that controls what goes in and out of the carrier network.


Even with perimeter protection, it’s possible that the network can become infected with some malware that might be harmful or might allow an unauthorized person to get access into the network. The challenge with NFV is that now the entire network is made by hosting machines that run a virtualization environment. What’s more, the virtual machines reside all over the network, from the data center out to customer premises, and in mobile sites as well.


Compared to the traditional network environment where most of these devices are single-purpose and well protected, now these devices are actually servers and they run in the virtualization environment. Each host actually has a virtual network that resides on it – a virtual switch – and the whole network is connected.


Virtual machines are pieces of software that are frequently being instantiated (i.e., turned on and off). In this way malware software can propagate itself throughout the network by jumping from one virtual machine to another or from one virtual machine on one host to many other hosts.


To address these cyber security risks, the industry needs solutions that are able to handle the vulnerability, not only when it comes into the network but also assuming malware can already be present on the network. Security solutions need to be able to look at the points where malicious code can copy itself or communicate with the outside, which is on the NFV infrastructure; the layer that allows the virtualization, which is the hypervisor; the virtual switch, and so forth.





The NFV technology will change the entire telecom industry in the coming years. As it moves out from the data center to the carrier network itself, NFV holds the promise of bringing cost savings and new business opportunities. However there are several threats and security problems that come with this technology migration.


Operators and other service providers who are accustomed to a very closed and protected environment must now consider how to protect the open NFV infrastructure that punches holes in the traditional separation between the control plane and the data plane.





Thank you for visiting Netmanias! Please leave your comment if you have a question or suggestion.

[HFR Private 5G: my5G]


Details >>







Subscribe FREE >>

Currently, 55,000+ subscribed to Netmanias.

  • You can get Netmanias Newsletter

  • You can view all netmanias' contents

  • You can download all netmanias'

    contents in pdf file







View All (854)
4.5G (1) 5G (101) AI (7) AR (1) ARP (3) AT&T (1) Akamai (1) Authentication (5) BSS (1) Big Data (2) Billing (1) Blockchain (3) C-RAN/Fronthaul (18) CDN (4) CPRI (4) Carrier Ethernet (3) Charging (1) China (1) China Mobile (2) Cisco (1) Cloud (5) CoMP (6) Connected Car (4) DHCP (5) EDGE (1) Edge Computing (1) Ericsson (2) FTTH (6) GSLB (1) GiGAtopia (2) Gigabit Internet (19) Google (7) Google Global Cache (3) HLS (5) HSDPA (2) HTTP Adaptive Streaming (5) Handover (1) Huawei (1) IEEE 802.1 (1) IP Routing (7) IPTV (21) IoST (3) IoT (56) KT (43) Korea (20) Korea ICT Market (1) Korea ICT Service (13) Korea ICT Vendor (1) LG U+ (18) LSC (1) LTE (78) LTE-A (16) LTE-B (1) LTE-H (2) LTE-M (3) LTE-U (4) LoRa (7) MEC (4) MPLS (2) MPTCP (3) MWC 2015 (8) NB-IoT (6) Netflix (2) Network Protocol (21) Network Slice (1) Network Slicing (4) New Radio (9) Nokia (1) OSPF (2) OTT (3) PCRF (1) Platform (2) Private 5G (10) QoS (3) RCS (4) Roaming (1) SD-WAN (17) SDN/NFV (71) SIM (1) SK Broadband (2) SK Telecom (35) Samsung (5) Security (16) Self-Driving (1) Small Cell (2) Spectrum Sharing (2) Switching (6) TAU (2) UHD (5) VR (2) Video Streaming (12) VoLTE (8) VoWiFi (2) Wi-Fi (31) YouTube (6) blockchain (1) eICIC (1) eMBMS (1) iBeacon (1) security (1) telecoin (1) uCPE (2)
Password confirmation
Please enter your registered comment password.