All around the world, telecommunications operators and service providers are excited about the opportunities that NFV (network functions virtualization) promises to provide. Although operational use of these software-centric technologies in this industry is still in the early stages, many providers are actively testing and evaluating solutions in their labs and formulating their strategies for deployment.
Leading companies such as AT&T, BT and NTT Communications have whetted the broader industry’s appetite for these emerging technologies through their success with actual use cases, and by showing that the benefits are out there.
However, operators that begin to adopt NFV will encounter technologies that are much more IT-like, built upon open source software and white box hardware. This opens the network to vulnerabilities that didn’t exist before.
NFV networks present several challenges and risks from a cyber security perspective. Service providers’ network security experts who are already working with the new technologies say the challenges are worth solving, and the risks worth mitigating, because the ultimate rewards of utilizing NFV are so compelling.
NFV Cyber Security Challenges
1. Security Pitfalls of OpenStack
OpenStack has become the de facto standard for cloud computing architectures for the data center, especially infrastructure-as-a-service (IaaS) deployments. For many enterprises, it is the preferred architecture to enable compute nodes, network and storage with unlimited capacity and scalability without the costly overhead and hardware commitment requirements of the old data center model.
Among the strengths of OpenStack are seamless scaling, interoperability and connectivity across vendors and networks, and cloud automation. Recently, many heavy hitters of the IT world have made significant investments in OpenStack because they believe there are enterprise-class capabilities that aren’t readily available with other architectures.
OpenStack was created as a data center/cloud platform. As such, it assumes that both the OpenStack controller (which manages and provisions the OpenStack compute nodes) and the OpenStack compute nodes (which run the VMs) are on the same network and in close proximity.
However, in some telecom NFV networks the compute nodes sit outside of the core, which requires the operator to loosen the security rules between the controller and the compute nodes (from the core network to the access network). This loosening of security creates risks and challenges that must be addressed before OpenStack is suitable for service providers.
The OpenStack controllers and compute nodes communicate over a specific set of protocols, and the firewalls between them must carry rules that permit exactly those flows. In some cases many pinholes must be opened in the firewall for OpenStack to work at all. Clearly this type of architecture is one of the major challenges when speaking about how to protect and secure the NFV infrastructure.
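One practical defence against pinhole sprawl is to audit the controller-to-compute rule set against a documented allowlist of required flows. The script below is an added example, not code from the article or from Telco Systems or OpenStack; the subnets, the rules and the allowlisted ports are constructed placeholders (a real audit takes all three from the deployment's own service inventory), and it flags wildcard protocols or port ranges, 0.0.0.0/0 endpoints, and any pinhole on the controller/compute path that the allowlist does not document.

```python
"""Audit firewall pinholes between an OpenStack controller and remote compute nodes.

Constructed example: rules, subnets and the expected-service allowlist are made up
to illustrate the check; a real audit takes them from the deployment's inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # (low, high) inclusive; (0, 65535) means any port


CONTROLLER_NET = ip_network("10.0.0.0/24")   # constructed: core-network controller subnet
COMPUTE_NET = ip_network("192.0.2.0/24")     # constructed: access-network compute subnet

# Constructed allowlist of flows the operator has documented as required.
# The port numbers are assumed placeholders, not a statement of OpenStack's real port map.
EXPECTED = {
    ("tcp", (5672, 5672)),   # assumed: control-plane message queue
    ("tcp", (443, 443)),     # assumed: API endpoint
}

# Constructed rule set: two documented flows plus three kinds of risky pinhole,
# and one rule that is outside the controller/compute path and therefore out of scope.
SAMPLE_RULES = [
    Rule("192.0.2.0/24", "10.0.0.0/24", "tcp", (5672, 5672)),
    Rule("192.0.2.0/24", "10.0.0.0/24", "tcp", (443, 443)),
    Rule("192.0.2.0/24", "10.0.0.0/24", "any", (0, 65535)),
    Rule("0.0.0.0/0", "10.0.0.0/24", "tcp", (443, 443)),
    Rule("10.0.0.0/24", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("172.16.0.0/16", "10.0.0.0/24", "any", (0, 65535)),
]


def on_path(rule: Rule, net_a, net_b) -> bool:
    """True if the rule carries traffic from net_a to net_b (in either direction)."""
    src, dst = ip_network(rule.src), ip_network(rule.dst)
    return (src.overlaps(net_a) and dst.overlaps(net_b)) or \
           (src.overlaps(net_b) and dst.overlaps(net_a))


def audit(rules):
    """Return a list of (rule, reason) for every risky pinhole on the controller/compute path."""
    findings = []
    for r in rules:
        if not on_path(r, CONTROLLER_NET, COMPUTE_NET):
            continue
        port_width = r.ports[1] - r.ports[0] + 1
        if r.proto == "any" or port_width == 65536:
            findings.append((r, "wildcard protocol or port range"))
        elif ip_network(r.src).prefixlen == 0 or ip_network(r.dst).prefixlen == 0:
            findings.append((r, "0.0.0.0/0 endpoint"))
        elif (r.proto, r.ports) not in EXPECTED:
            findings.append((r, "pinhole not in documented allowlist"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

The allowlist is the important part: every pinhole that is opened for OpenStack should be traceable to a documented service, so that the audit can distinguish a required flow from a rule that was added during troubleshooting and never removed.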
2. Both the data plane and the control plane are implemented in software
In the traditional environment, operators have devices or appliances that are dedicated to one task. The equipment usually contains some pieces of hardware that were created specifically for a single purpose or were optimized for that purpose.
For example, on a switch, router or firewall, there might be an ASIC (application-specific integrated circuit), such as a packet processor that can provide a line rate or wire speed performance. It is very effective and focused on the actual packet processing or, for example, on applying access lists on a firewall.
The appliances containing these ASICs, network processors or other types of hardware are very stable. They are very good at handling peaks and increases in traffic and it’s hard to break them by overloading them.
With NFV, the approach is to take the functions of the physical appliances and run them in software on an ordinary Intel CPU (central processing unit). Now, because the functions are running in software, they are much more vulnerable to increasing traffic loads – specifically the high volume loads that exist in DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. It’s much easier to make the software-based devices fail when there is a significant increase in load.
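A software-based function has a fixed processing budget, and once a flood consumes it, legitimate traffic is dropped along with the attack. The simulation below is an added example, not code from the article; the per-tick capacity, the traffic mix and the token-bucket parameters are constructed assumptions. It runs a flooding source and five legitimate sources through a FIFO function with and without a per-source token-bucket limiter in front of it, and counts how much legitimate traffic survives.

```python
"""Simulate a software packet function under a single-source flood.

Constructed example: capacity, traffic mix and limiter settings are assumptions
chosen to make the effect visible, not measurements of any real VNF.
"""

CAPACITY_PER_TICK = 10   # assumed: packets the software function can process per tick
LEGIT_SOURCES = 5        # constructed: five legitimate sources, one packet per tick each
FLOOD_PER_TICK = 50      # constructed: one flooder sending 50 packets per tick
TICKS = 5


def token_bucket_filter(packets, rate, burst):
    """Per-source token bucket: each source refills `rate` tokens per tick up to `burst`.

    `packets` is a list of (tick, source) in arrival order; packets without a token are dropped.
    """
    tokens, last_seen, kept = {}, {}, []
    for tick, src in packets:
        elapsed = tick - last_seen.get(src, tick)
        t = min(burst, tokens.get(src, burst) + elapsed * rate)
        if t >= 1:
            tokens[src] = t - 1
            kept.append((tick, src))
        else:
            tokens[src] = t
        last_seen[src] = tick
    return kept


def serve(packets, capacity=CAPACITY_PER_TICK):
    """FIFO service with a fixed per-tick budget; anything beyond it in a tick is dropped."""
    used, served = {}, []
    for tick, src in packets:
        if used.get(tick, 0) < capacity:
            used[tick] = used.get(tick, 0) + 1
            served.append((tick, src))
    return served


def build_traffic():
    """Constructed arrival pattern: the flood arrives ahead of legitimate packets in every tick."""
    packets = []
    for tick in range(TICKS):
        packets += [(tick, "flood")] * FLOOD_PER_TICK
        packets += [(tick, f"user{i}") for i in range(LEGIT_SOURCES)]
    return packets


def simulate(limit: bool):
    """Return (legitimate packets served, legitimate packets offered)."""
    packets = build_traffic()
    if limit:
        packets = token_bucket_filter(packets, rate=2, burst=4)
    served = serve(packets)
    legit_served = sum(1 for _, src in served if src != "flood")
    return legit_served, LEGIT_SOURCES * TICKS


if __name__ == "__main__":
    print("no limiter:", simulate(False))
    print("with limiter:", simulate(True))
```

Without the limiter the flood fills the budget in every tick and no legitimate packet is served; with it, the flooder is capped at a few packets per tick and all legitimate traffic gets through. The caveat is that a per-source limiter only helps when the flood comes from few sources; a distributed attack with many low-rate sources needs upstream scrubbing or capacity that a single software function cannot provide on its own.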
3. The control plane of each function is open for remote operation
In a traditional environment, the control plane allows for the service provider to provision and control the hardware devices and appliances. However, the control plane is largely predefined and has only a few options to be configured; for example, to change some rules on a device.
With NFV, an entire host can be programmed by an external controller, which provides the opportunity for those devices to be taken over by a malicious actor.
A second aspect is that some of the services are becoming self-service. In this mode, the end customer can go onto their exclusive portal and, for example, increase bandwidth on demand, or add a virtual function such as a firewall.
These orders go to an orchestrator that controls and orchestrates the devices. This means there is a path from outside the carrier’s domain, reaching all the way to the subscriber or user, that allows control of the network. This is another vulnerability, or pinhole, that attackers can exploit.
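Because the self-service portal hands orders to the same orchestrator that programs the network, every order needs to be checked before it reaches the orchestrator: does the requesting tenant own the service, is the requested change within that tenant's plan, and is the requested function one the portal is allowed to add? The code below is an added example, not code from the article or from Telco Systems; the order format, the inventory, the plan limits and the self-service VNF catalogue are constructed assumptions.

```python
"""Authorization gate between a self-service portal and the NFV orchestrator.

Constructed example: the order schema, tenant inventory, plan limits and VNF
catalogue are assumptions, not the data model of any real orchestrator.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    service_id: str
    tenant: str
    bandwidth_mbps: int
    vnfs: list = field(default_factory=list)


# Constructed policy: per-tenant bandwidth ceiling and the VNF types the portal may add.
PLAN_LIMITS_MBPS = {"tenant-a": 1000, "tenant-b": 200}
SELF_SERVICE_VNFS = {"firewall", "nat"}

# Constructed inventory of services the orchestrator manages.
INVENTORY = {
    "svc-1": Service("svc-1", "tenant-a", 100),
    "svc-2": Service("svc-2", "tenant-b", 50),
}


def authorize(order: dict, inventory=INVENTORY):
    """Return (allowed, reason). Only allowed orders may be forwarded to the orchestrator."""
    svc = inventory.get(order.get("service_id"))
    # One message for "does not exist" and "not yours", so the portal cannot be used
    # to enumerate other tenants' service identifiers.
    if svc is None or svc.tenant != order.get("tenant"):
        return False, "service not owned by requesting tenant"

    action = order.get("action")
    if action == "set_bandwidth":
        mbps = order.get("mbps")
        if type(mbps) is not int or mbps <= 0 or mbps > PLAN_LIMITS_MBPS[svc.tenant]:
            return False, "bandwidth outside plan limits"
        return True, "ok"
    if action == "add_vnf":
        if order.get("vnf") not in SELF_SERVICE_VNFS:
            return False, "vnf not available for self-service"
        return True, "ok"
    return False, "unknown action"


def apply_order(order: dict, inventory=INVENTORY):
    """Apply an order to the inventory only after it has been authorized."""
    allowed, reason = authorize(order, inventory)
    if allowed:
        svc = inventory[order["service_id"]]
        if order["action"] == "set_bandwidth":
            svc.bandwidth_mbps = order["mbps"]
        else:
            svc.vnfs.append(order["vnf"])
    return allowed, reason


if __name__ == "__main__":
    print(apply_order({"tenant": "tenant-a", "service_id": "svc-1",
                       "action": "set_bandwidth", "mbps": 500}))
    print(apply_order({"tenant": "tenant-a", "service_id": "svc-2",
                       "action": "set_bandwidth", "mbps": 500}))
```

The gate is deliberately an allowlist: any action or VNF type it does not recognise is refused, so new orchestrator capabilities are not exposed to subscribers by default. Logging every denied order alongside the tenant identity gives the operator a view of attempts to reach services outside the requester's own scope.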
4. Malware may propagate easily across VMs and hosts
In today’s security schemes, much of the protection is applied at the perimeter. For example, there is a firewall or some other type of advanced protection that controls what enters and leaves the carrier network. Even with perimeter protection, it’s possible that the network can become infected with some malware that might be harmful or might allow an unauthorized person to obtain access into the network.
The challenge with NFV is that now the entire network is made up of hosting machines that run a virtualization environment. What’s more, the virtual machines reside all over the network, from the data center out to customer premises, and in mobile sites as well.
Compared to the traditional network environment where most of these devices are single-purpose and well protected, now these devices are actually servers and they run in the virtualization environment. Each host actually has a virtual network that resides on it – a virtual switch – and the whole network is connected.
Virtual machines are pieces of software that are frequently being instantiated (i.e., turned on and off). In this way, malware can propagate itself throughout the network by jumping from one virtual machine to another, or from one virtual machine on one host to many other hosts.
To address these cyber security risks, the industry needs solutions that can handle the threat not only at the point where it enters the network, but also on the assumption that malware may already be present on the network. Security solutions need to be able to look at the points where malicious code can copy itself or communicate with the outside, which is on the NFV infrastructure – the layer that provides the virtualization: the hypervisor, the virtual switch, and so forth.
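The virtual switch on each host sees every VM-to-VM flow, including the east-west traffic that a perimeter firewall never inspects, so it is the natural place to look for the "jumping" pattern described above: one VM contacting many peers on the same port, spilling across hosts, within a short window. The detector below is an added example, not code from the article or from Telco Systems or any vSwitch product; the flow-record format, the window and the fan-out threshold are constructed assumptions.

```python
"""Detect VM-to-VM fan-out in virtual-switch flow records.

Constructed example: the record layout (tick, src_vm, src_host, dst_vm, dst_host, dst_port),
the window size and the threshold are assumptions, not the export format of any real vSwitch.
"""
from collections import defaultdict

WINDOW_SECONDS = 60     # assumed: fixed bucketing window
FANOUT_THRESHOLD = 5    # assumed: distinct destination VMs on one port that triggers an alert

# Constructed flow records. vm-a on host-1 reaches five different VMs on port 445 across
# three hosts within a minute; vm-b and vm-c make ordinary database connections; the final
# record from vm-a falls into a later window and should not be counted with the first burst.
FLOWS = [
    (0, "vm-a", "host-1", "vm-b", "host-1", 445),
    (1, "vm-a", "host-1", "vm-c", "host-1", 445),
    (2, "vm-a", "host-1", "vm-d", "host-2", 445),
    (3, "vm-a", "host-1", "vm-e", "host-2", 445),
    (4, "vm-a", "host-1", "vm-f", "host-3", 445),
    (5, "vm-b", "host-1", "vm-db", "host-2", 5432),
    (6, "vm-c", "host-1", "vm-db", "host-2", 5432),
    (90, "vm-a", "host-1", "vm-g", "host-3", 445),
]


def detect_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return one alert per (source VM, destination port, window) whose distinct
    destination count reaches `threshold`, with the number of hosts touched."""
    dst_vms = defaultdict(set)
    dst_hosts = defaultdict(set)
    src_host_of = {}
    for ts, src_vm, src_host, dst_vm, dst_host, dst_port in flows:
        key = (src_vm, dst_port, ts // window)
        dst_vms[key].add(dst_vm)
        dst_hosts[key].add(dst_host)
        src_host_of[src_vm] = src_host

    alerts = []
    for (src_vm, dst_port, bucket), targets in sorted(dst_vms.items(), key=lambda kv: kv[0][2]):
        if len(targets) >= threshold:
            hosts = dst_hosts[(src_vm, dst_port, bucket)]
            alerts.append({
                "src_vm": src_vm,
                "src_host": src_host_of[src_vm],
                "dst_port": dst_port,
                "window_start": bucket * window,
                "distinct_dst": len(targets),
                "distinct_hosts": len(hosts),
                "crosses_hosts": len(hosts - {src_host_of[src_vm]}) > 0,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(FLOWS):
        print(alert)
```

The `crosses_hosts` flag is what distinguishes a VM probing its neighbours on the same virtual switch from one that has started reaching into other hosts, which is the propagation path the text warns about. In production the detector needs an allowlist for legitimate fan-out sources such as load balancers, monitoring agents and backup servers, and a sliding window rather than fixed buckets so a burst that straddles a boundary is not missed.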
NFV technology will change the entire telecom industry in the coming years. As it moves out from the data center to the carrier network itself, NFV holds the promise of bringing cost savings and new business opportunities.
However, several threats and security problems come with this technology migration. Operators and other service providers who are accustomed to a very closed and protected environment must now consider how to protect the open NFV infrastructure, which punches holes in the traditional separation between the control plane and the data plane.