Fortinet participated as a sponsor and panellist at the NFV (Network Function Virtualization) tracks at ETSI Security Week, held on June 14th at ETSI’s headquarters in Sophia Antipolis, in the South of France. Fortinet is a participant in the ETSI NFV ISG group, focusing on NFV security, and earlier this year, Fortinet also participated in the ETSI plug-test to ensure VNF’s interoperability with different NFV stacks in real-world environments.
Security Week tracks included:
New types of threats introduced by the virtualization of network functions and the means to mitigate them and future challenges of securing 5G networks and shaping related standards.
Nicola Thomas (Fortinet CSE, EMEA) participated as a panellist alongside representatives from Vodafone, CableLabs, Palo Alto Networks, and Secure64 - to discuss industry perspectives and security challenges for NFV deployments.
Security, NFV and 5G:
With very few attacks on telecom infrastructures, some question the need for comprehensive cybersecurity for these environments. However, the architectures that are being specified for NFV use cloud technologies to allow multiple parties to share an underlying infrastructure, which increases the overall risk for these environments.
Today, every appliance that is part of a telecom network is carefully and manually checked and tested before being deployed in a central office or data center. This is relatively easy to achieve in an environment that is based on a physical, proprietary, and relatively static infrastructure. However, transitioning to a virtual, open, and highly agile infrastructure makes the task more complicated.
While this makes security issues easy to overlook, a breach at this level may mean the loss of ALL of the networks built on top of the virtual fabric, not just a single appliance - which is why verification and attestation becomes even more critical.
It is therefore critical that the industry agrees on a method to ensure that the code being automatically pushed in a shared, NFV-driven architecture is verified and tested.
As a security solutions provider, virtual machines must be able to trust and rely on the infrastructure’s hypervisors, processes, and management planes. The resulting goal is a stack of reliable technologies that enable telecoms to securely deliver services to their end customers. Building trust in the stack is less expensive and more efficient than creating self-protecting platforms that need to be manually managed, provisioned, and correlated.
New 5G use cases, such as network slicing, push this concept even further, and make it even more crucial to have a trusted underlying cloud infrastructure for organizations to build end user security upon.
Security issues specific to NFV
DataArt and NCSC provided us with excellent concrete examples of the attack surface on hypervisors. These are “abuse cases” that the ETSI Sec group is studying, and for which we promote end-to-end attestation and root of trust as one of the steps to mitigate risks.
The different questions and comments that rose during the sessions and panel discussions highlighted the need for the industry to build a culture of security. This lack of a security culture was highlighted even more when SCADA and law enforcement types of usage were discussed.
Many of those issues are in the process of being resolved, and some can be mitigated already. Participating in the ETSI NFV Security group is crucial for this industry to have an open specification process that can foster interoperability, agility, and security.
Solving the right problem.
During the entire ETSI Security Week event, and specifically in the panel discussion, two important themes were discussed: “what is security?” and “what is an acceptable cost?”
It is expected that a standards organization would start by agreeing on a definition. The challenge is that defining security is as complex as defining trust. Fortinet’s view is that the first efforts in securing an NFV environment should be aimed towards a graceful and rapid attack/breach identification and recovery.
This requires several strategies coming together: architecting a security infrastructure designed to work as a whole. This sort of security fabric approach enables IT teams to see and secure both virtual and physical environments and devices across the entire distributed ecosystem. Best practices that take into account business goals, requirements, and regulations are also important. Together, these create a holistic approach that facilitates organizations in the creation of manageable and affordable security processes, and helps them strategically select and deploy the appropriate technology to enable this strategy.
The current specifications for securing an NFV environment provide the industry with the opportunity to build principles of trust and interoperability. But many organizations can’t afford to wait for them to be delivered. Early discussions on design specifications to address security are crucial for us and other VNF vendors. The goal is to have a “stack of trust” already embedded in new stacks for future telecom networks.
The ETSI NFV SEC group is the right place to define an agreed-upon set of specifications that will enable the digital transformation of business requirements and objectives for Communications Service Providers. NFV is a core technology in this journey, enabling agility and change. And if addressed effectively, is an opportunity and enabler for securing the future of the digital economy.