1. Network Function Virtualization
AtlSecCon 2015
SECURITY BEST PRACTICES

2. What is Network Function Virtualization?
 Virtual Core Network Services
 Introduces Concept of Control Plane and Data Plane
 Typical Virtual Network Services
 Core Layer 2 Switching (VLANS)
 Layer 3 Routing (Internal and External Routing Functions- OSPF,
BGP, etc)
 Edge Firewall Services
 VPN Tunneling
 Embedded IPS/IDS
 Automated Service Provisioning
 Automated Threat Response

3. A means to make the network more flexible and simple by
minimising dependence on HW constraints
v
 Network Functions are SW-based over well-known HW
 Multiple roles over same HW
ORCHESTRATION, AUTOMATION
& REMOTE INSTALL
DPI
BRAS
GGSN/
SGSN
Firewall
CG-NAT
PE Router
VIRTUAL
APPLIANCES
STANDARD
HIGH VOLUME
SERVERS
Virtualised Network Model:
VIRTUAL APPLIANCE APPROACHv
 Network Functions are based on specific HW&SW
 One physical node per role
DPI
BRAS
GGSN/SGSN
Session Border
ControllerFirewall CG-NAT
PE Router
Traditional Network Model:
APPLIANCE APPROACH
Source: Adapted from D. Lopez Telefonica I+D, NFV

4. INTERNET DataBase
WWW
Enterprise
Services
Users
Fundamental Changes in Architecture
Traditional Infrastructure Virtualized Infrastructure
Physical Servers
INTERNET
Internet
VLAN
Management
VLAN
Enterprise
VM
Virtual
Firewall
WWW
VM
Database
VM
Users

5. Network Function Virtualization vs.
Software Defined Networks
 Complimentary set of services
 Network Function Virtualization (NFV)
 Originated from the need to scale Network Services (Service Provider World)
 Data plane functions running in VMs on commodity servers
 Software Defined Networking (SDN)
 Originated from API control of Network Features (IT World)
 Also Separating the Control and Data Planes
 Together Allow Scalable Cloud Applications and Services (Apps)
 Applications running on top of the network with transportable network
characteristics.

6. The ETSI NFV ISG
• Global operators-led Industry
Specification Group (ISG) under the
auspices of ETSI
– ~150 member organisations
• Open membership
– ETSI members sign the “Member
Agreement”
– Non-ETSI members sign the
“Participant Agreement”
– Opening up to academia
• Operates by consensus
– Formal voting only when required
• Deliverables: White papers
addressing challenges and operator
requirements, as input to SDOs
– Not a standardisation body by itself
• Currently, four WGs and two EGs
– Infrastructure
– Software Architecture
– Management & Orchestration
– Reliability & Availability
– Performance & Portability
– Security
Source: Adapted from D. Lopez Telefonica I+D, NFV

7. ETSI NFV Reference Architecture
Computing
Hardware
Storage
Hardware
Network
Hardware
Hardware resources
Virtualisation Layer
Virtualised
Infrastructure
Manager(s)
VNF
Manager(s)
VNF 2
OrchestratorOSS/BSS
NFVI
VNF 3VNF 1
Execution
reference points
Main NFV
reference points
Other reference
points
Virtual
Computing
Virtual
Storage
Virtual
Network
NFV Management and
Orchestration
EMS 2 EMS 3EMS 1
Service and Infrastructure
Requirements
Or-Vi
Or-Vnfm
Vnfm-Vi
Os-Ma
Se-Or
Ve-Vnfm
Nf-Vi
Vn-Nf
Vi-Ha
Virtualization Layer-Hardware Resources (VI-Ha)
VNF – NFVI (Vn-Nf)
Orchestrator – VNF Manager (Or-Vnfm)
Virtualized Infrastructure Manager – VNF Manager (Vi-Vnfm)
Orchestrator – Virtualized Infrastructure Manager (Or-Vi)
NFVI-Virtualized Infrastructure Manager (Nf-Vi)
Operation Support System (OSS)/Business Support Systems
(BSS) – NFV Management and Orchestration (Os-Ma)
VNF/ Element Management System (EMS) – VNF Manager
(Ve-Vnfm)
Service, VNF and Infrastructure Description – NFV
Management and Orchestration (Se-Ma): VNF Deployment
template, VNF Forwarding Graph, service-related information,
NFV infrastructure information
Ref: ETSI, “Architectural Framework,” Oct 2013,

8. Integrated Cloud Stacks - VMware

9. Integrated Cloud Stacks - VMware

10. Non-Disruptive Deployment

11. Programmatically Provisioned

12. Services Distributed to the Virtual Switch

13. Physical Workloads and Legacy VLANs

14. Virtual Networks are isolated from each other
(Overlapping IP Addresses)
Virtual Networks are isolated from underlying
physical network (IPv6 over IPv4)
Security – Complete Isolation

15. Central Policies, Distributed
Enforcement, Move with VMs
Internet
Security Policy
Security Policy

16. The Power of Distribution

17. Integrated Cloud Stacks - OpenStack
Source: Openstack.org

18. OpenStack Neutron Architecture
Management Network
Data Network
External Network API Network
Internet

19. OpenStack Neutron – Compute Node

20. OpenStack Neutron – Network Node
To Public Network
To Private Network

21. NFV Challenges
 Very Quickly Evolving Standards
 Still some industry to do on standardization of transport layer (Data Center
Extension) Services (Ie. MPLS, VXLAN)
 Some very new NFV software stacks require market testing for security
 Initial complexity of deployment and learning curve means a higher risk of
mis-configuration and security exposure
 Must trust the inherent security barriers between the management and
control planes.
 Extreme diligence on security the management plane of a virtualized system for
obvious reasons.
 Cloud Administrators are being thrust into the role of security architects in
many cases.

22. NFV Opportunities
 Very Rapid Deployment Models
 Allows for significantly quicker recovery from incidents.
 Create new DMZ, redeploy VM’s, Add Firewall in Minutes rather than days
 Allows the addition of extra layers of security with lower costs.
 Many virtualized firewalls are significantly cheaper than traditional H/W based devices
 Flexibility to easily, rapidly, dynamically provision and instantiate new services in various
locations
 Improved operational efficiency
 Software-oriented innovation to rapidly prototype and test new services
 More service differentiation & customization
 Reduced (OPEX) operational costs: reduced power, reduced space, improved network
monitoring
 IT-oriented skillset and talent
 Rapid development of software based virtual security appliances

23. NFV Security Best Practices
 Stick to traditional best practices
 Defense in depth
 Log management (Including accurate time/date stamps)
 Diligence on software bugs (some NFV stacks have much lower public
scrutiny)
 Don’t assume software teams have network security experience
 Layer 2 Security
 Isolated VLANS for Secure Zones
 Layer 3 Security
 Access Control via Access List and Firewall Rules
 IPS/IDS

24. NFV Industry Resources
 Cloud Security Alliance
 OpenFlow (Cisco, HP, Juniper, Arita, Alcatel-Lucent, etc)
 OpenDaylight Project (IBM,Cisco,Juniper,VMware,Microsoft,Dell,etc)
 Cisco - Evolved Services Platform
 Juniper - Contrail & vMX 3D Universal Edge Router
 Alcatel-Lucent - CloudBand Platform
 HP - OpenNFV Reference Architecture
 VMware – NSX Virtualization Platform
 F5 - Synthesis Architecture

25. Winston.Morton@Nuviser.com
@WinstonMorton