Mitigating Security Risk in Practical vCPE Solutions
Ulrich Kohn, CISSP, Technical Marketing Director, ADVA Optical Networking
© 2016 ADVA Optical Networking. All rights reserved. Confidential.
Protection Is Becoming a Challenge
Multiple reasons why security is a key concern:
• Attackers: from script kiddies to organized crime and intelligence services
• Increased sophistication: advanced persistent threats (APT), bootkit-based threats
• Disruptive technologies: control/data plane separation; virtualization; open versus proprietary
NFV: Opportunity or Threat to Network Security?
Managed security services are a $20 to $30bn market – KEEP THE BALANCE
Opportunities
• Immediate activation of security safeguards
• Security analytics
• PaaS and security offload, pooling of security expertise
• Application isolation, micro-segmentation, central control
• Image and patch management
Challenges
• Larger attack surface, high-value targets
• Higher system complexity
• Shared resources, common hypervisor
• From proprietary to open protocols
• Out-of-country processing (compliance)
Vodafone VPN+ Multi-Vendor Demonstration at Mobile World Congress, February 2016
Use Case 1: Automated site activation including firewalling
Use Case 2: Automated scale-in and scale-out
Use Case 3: DDoS prevention with analytics
Some Attack Vectors
Diagram: attack vectors mapped onto the NFV reference architecture, with the Virtualised Network Functions (VNFs) on top, Management and Orchestration alongside, and the NFV Infrastructure (NFVI) below, consisting of Virtual Compute, Virtual Storage and Virtual Network, the Virtualisation Layer and the Hardware Resources (Compute, Storage, Network).
Attack vectors called out:
• Disgruntled employee
• Hypervisor and controller attacks
• Customer portal, public APIs, e.g. DDoS
• Backdoor to hypervisor, control software
• Rogue VNF, noisy neighbor, malicious code
• Social engineering
• Spoofing, sniffing, MITM
• Compromise of remote debugging/test interfaces
• Increased complexity, human error
• Rootkit
OpenStack Security Controls
• Keystone authentication and token-based authorization
• TLS for accessing APIs
• SSH for VM management / system-level communication; SSH key injection at VM creation
• Multi-tenant capability
• Traffic isolation by VLANs, Linux namespaces, security groups (Neutron, Nova); port/tenant based: address filter, firewall, NAT
• Availability zones
• Sanitization of released storage space
Diagram: the Virtual Infrastructure Manager (VIM) is OpenStack, with the Horizon dashboard on top of the Keystone identity service, the Nova compute service, the Neutron network service, Glance images, Cinder volumes and Swift object storage (API, authentication, network, images, volumes, objects).
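The traffic-isolation bullet above names security groups and the port-based address filter as the controls that keep one tenant's VNF from reaching another's. The evaluator below is an added example, not ADVA's or OpenStack's own code; it models the Neutron semantics those controls rely on (rules are allow-only, a port is filtered by the union of its groups' rules, the default group permits all egress and only ingress from members of the same group, and a port with port security disabled is not filtered at all, which also removes the anti-spoofing address filter). The group names, ports and addresses are constructed for the example.

```python
"""Neutron-style security group evaluation for VNF ports (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str                         # "ingress" or "egress"
    protocol: Optional[str] = None         # None matches any protocol
    port_min: Optional[int] = None         # None matches any port
    port_max: Optional[int] = None         # None means port_min only
    remote_ip_prefix: Optional[str] = None # CIDR the peer must fall into
    remote_group_id: Optional[str] = None  # group the peer port must belong to


@dataclass
class Port:
    name: str
    ip: str
    security_groups: Set[str]
    port_security_enabled: bool = True


# Constructed policy: "default" mirrors Neutron's default group; "mgmt"
# admits SSH only from the operator's management prefix (RFC 5737 space).
GROUPS: Dict[str, List[Rule]] = {
    "default": [Rule("egress"), Rule("ingress", remote_group_id="default")],
    "mgmt": [Rule("ingress", "tcp", 22, 22, remote_ip_prefix="198.51.100.0/24")],
}

# Constructed vCPE ports: a firewall VNF reachable for management, an IDS VNF
# reachable only from its neighbours, and a port someone "fixed" by switching
# port security off.
PORTS: Dict[str, Port] = {
    "vfw": Port("vfw", "10.1.0.10", {"default", "mgmt"}),
    "vids": Port("vids", "10.1.0.11", {"default"}),
    "rogue": Port("rogue", "10.1.0.99", set(), port_security_enabled=False),
}


def _matches(rule: Rule, direction: str, proto: str, dport: int,
             peer_ip: str, peer_groups: FrozenSet[str]) -> bool:
    """True if one allow rule covers the new flow."""
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != proto:
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if not rule.port_min <= dport <= hi:
            return False
    if (rule.remote_ip_prefix is not None
            and ip_address(peer_ip) not in ip_network(rule.remote_ip_prefix)):
        return False
    if rule.remote_group_id is not None and rule.remote_group_id not in peer_groups:
        return False
    return True


def allowed(port: Port, direction: str, proto: str, dport: int,
            peer_ip: str, peer_groups: FrozenSet[str] = frozenset()) -> bool:
    """Decide the first packet of a new flow on `port`.

    Replies belong to connection tracking, which this model omits; it only
    answers whether a new flow in `direction` is admitted.
    """
    if not port.port_security_enabled:
        return True  # nothing is filtered, which is the failure mode to watch for
    rules = [r for g in port.security_groups for r in GROUPS.get(g, [])]
    return any(_matches(r, direction, proto, dport, peer_ip, peer_groups) for r in rules)


def peer_groups_of(name: str) -> FrozenSet[str]:
    """Group membership of a known port, used for remote_group_id matching."""
    return frozenset(PORTS[name].security_groups)


if __name__ == "__main__":
    vfw, vids, rogue = PORTS["vfw"], PORTS["vids"], PORTS["rogue"]
    print("ssh to vfw from mgmt prefix:", allowed(vfw, "ingress", "tcp", 22, "198.51.100.7"))
    print("ssh to vfw from internet:   ", allowed(vfw, "ingress", "tcp", 22, "203.0.113.5"))
    print("vfw -> vids, any port:      ", allowed(vids, "ingress", "tcp", 8080, vfw.ip, peer_groups_of("vfw")))
    print("ssh to vids from mgmt:      ", allowed(vids, "ingress", "tcp", 22, "198.51.100.7"))
    print("anything to rogue:          ", allowed(rogue, "ingress", "tcp", 23, "203.0.113.5"))
```

The last case is the one worth auditing for on a vCPE host: disabling port security on a VNF port is a common workaround for VNFs that forward traffic on behalf of other addresses, and it silently removes both the security groups and the address filter for that port.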
vCPE Use Case – Edge NFV
Diagram: an enterprise site with an FSP 150 ProVM (with integrated server) hosting a vRouter, vFirewall and vIDS, connected over a Carrier Ethernet metro network to the communication service provider's IP-MPLS core and servers (e.g. video).
Challenges with OpenStack in a distributed compute environment
• OpenStack is optimized for data-center applications inside a security perimeter
• vCPE use case: internal OpenStack interfaces connect over public networks
• The end point sits in an untrusted environment (from the CSP's view)
• Present implementations do not provide comprehensive security controls*
*Source: NFV Interoperability Evaluation, NIA/EANTC report on LightReading.com, Dec. 2015
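When the internal OpenStack interfaces of a compute node leave the data-center perimeter, the first check a practitioner wants is whether any of them still run in clear. The script below is an added example, not ADVA's or OpenStack's own tooling, and it serves both the TLS bullet on the OpenStack controls slide and the distributed-compute challenge above. It reads a nova.conf-style file and flags the links that would cross the public network unprotected. The option names it checks (`[DEFAULT] transport_url` and `[oslo_messaging_rabbit] ssl` from oslo.messaging, `[keystone_authtoken] www_authenticate_uri`, `auth_url` and `insecure` from keystonemiddleware, Nova's `[glance] api_servers`) are assumed; other releases or drivers may name them differently, so treat the list as a starting point to adapt. Both sample configurations are constructed and belong to no real deployment.

```python
"""Audit an OpenStack service configuration for plaintext control-plane links (added example)."""
import configparser
from typing import List
from urllib.parse import urlsplit

# Constructed: a compute node whose control-plane links cross an untrusted
# network, configured the way a lab setup often is.
SAMPLE_NOVA_CONF = """
[DEFAULT]
transport_url = rabbit://openstack:secret@10.0.0.5:5672/

[oslo_messaging_rabbit]
ssl = false

[keystone_authtoken]
www_authenticate_uri = http://10.0.0.5:5000/
auth_url = http://10.0.0.5:5000/
insecure = true

[glance]
api_servers = http://10.0.0.5:9292
"""

# Constructed: the same node after the links are moved to TLS with verification.
HARDENED_NOVA_CONF = """
[DEFAULT]
transport_url = rabbit://openstack:secret@10.0.0.5:5671/

[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/ssl/certs/ops-ca.pem

[keystone_authtoken]
www_authenticate_uri = https://10.0.0.5:5000/
auth_url = https://10.0.0.5:5000/
insecure = false
cafile = /etc/ssl/certs/ops-ca.pem

[glance]
api_servers = https://10.0.0.5:9292
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def audit_config(text: str) -> List[str]:
    """Return one finding per plaintext or unverified link; empty means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []

    # 1. The AMQP bus carries RPC calls and service tokens; rabbit:// without
    #    ssl=true sends them in clear across whatever network sits in between.
    url = cp.get("DEFAULT", "transport_url", fallback="")
    ssl_on = _truthy(cp.get("oslo_messaging_rabbit", "ssl", fallback="false"))
    if url.startswith("rabbit://") and not ssl_on:
        findings.append("AMQP transport_url without TLS ([oslo_messaging_rabbit] ssl is not true)")

    # 2. Keystone endpoints over http:// expose the service user's credentials
    #    and every token the node validates.
    for key in ("www_authenticate_uri", "auth_url"):
        val = cp.get("keystone_authtoken", key, fallback="")
        if urlsplit(val).scheme == "http":
            findings.append(f"[keystone_authtoken] {key} uses plain http: {val}")

    # 3. insecure=true keeps TLS but drops certificate verification, so the
    #    link is open to an on-path attacker anyway.
    if _truthy(cp.get("keystone_authtoken", "insecure", fallback="false")):
        findings.append("[keystone_authtoken] insecure=true disables certificate verification")

    # 4. Image downloads over http:// let an on-path attacker substitute the
    #    VNF image the node will boot.
    for server in cp.get("glance", "api_servers", fallback="").split(","):
        server = server.strip()
        if server and urlsplit(server).scheme == "http":
            findings.append(f"[glance] api_servers entry uses plain http: {server}")

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_NOVA_CONF), ("hardened", HARDENED_NOVA_CONF)):
        found = audit_config(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against the real configuration files of an edge node before the site goes live; the hardened sample shows the minimum change set (TLS on the message bus, https endpoints, verification enabled with a CA file), which is exactly what the per-connection or lower-layer encryption on the later slides is meant to guarantee when the application layer has not been fixed.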
A BT Perspective: Securing OpenStack Over the Internet
Source: “How NFV is different from Cloud: Using Openstack for Distributed NFV”, Peter Willis, BT; SDN and OF World Congress, Düsseldorf, Oct 2015.
Risk Mitigation in Edge NFV
Diagram: a CPE device hosting VNFs on virtual compute and virtual/physical network resources, with the following controls called out:
• Risk mitigation with OpenStack security controls
• Security appliances such as IDS/IPS and firewalls, but also service assurance functions
• Security additions to DPDK, e.g. the experimental Crypto API (Release 2.2), keep-alive signaling, new performance management functions
• Encryption per virtual connection and/or bulk encryption
• Trusted platform module and hardware security modules for secure boot and key integrity
• Lower-layer encryption becomes an essential security control
Security Assurance in Edge NFV
Three device classes, in increasing order of assurance level:
• COTS Server: open OS/hypervisor, x86 server; functionality
• Hybrid Server, FSP 150 ProVM: open OS/hypervisor, x86 server; performance assurance, hardened SW/HW, HW encryption
• Hardened Server, FSP 150vSE: open OS/hypervisor, x86 server; performance assurance, hardened SW/HW, OpenStack in box, HW acceleration, tamper resistant
Security Work of Selected Standard Bodies and Industry Alliances
• ETSI NFV ISG: “NFV Security; Problem Statement”, ETSI GS NFV-SEC 001, October 2014, plus further SEC 00x releases in 2015
• OpenStack Foundation: “OpenStack Security Guide”; best practices and implementation guide for securing an OpenStack deployment
• ONF: “Principles and Practices for Securing Software-Defined Networks”, January 2015, ONF TR-511
• ONOS: security response process, security emergency team
• OPNFV security-related projects such as Moon and Barbican
Standard bodies and industry alliances focus on security.
Securing Edge NFV Devices
• OpenStack in distributed compute environments calls for additional security controls
• Defense in depth for reducing the attack surface in NFV-centric networks
• Pure-play software and hybrid edge NFV devices for different levels of security assurance
ADVA Optical Networking - your expert in edge NFV
Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.
