
SDN/NFV
Position Paper
Virtualization Working Group
Justin Foster
[email protected]
Kapil Raina
[email protected]
Kelvin Ng
[email protected]
© Cloud Security Alliance, 2015
Agenda
• Goals
• White Paper on NFV/SDN (position paper)
• High level outline
• Next steps and timelines
Goals of Paper
• SDN/NFV are relatively new technologies
• The working group's initial focus was on mature technologies (e.g. compute virtualization)
• The position paper acknowledges these points and creates a more general framework, rather than the detailed approach taken with the other areas
• Focus will be heavier on NFV, as it is more directly related to enterprises and vendors (who make up the bulk of the CSA audience)
What we Need
• Your participation
• Please review the structural outline and make comments
• Feel free to volunteer to write components of the paper
• This is an industry-led effort and should reflect a range of input
Outline of Paper
• Introduction to paper (1/2 page)
• What is NFV/SDN? (1 page)
  • What are the benefits?
  • What are the risks?
• Security framework for NFV (3 pages)
  • Traffic analysis, control plane, CDN, security specific
• Security framework for SDN (2 pages)
  • Application plane
  • Control plane
• Next steps in creating a risk model for NFV/SDN (1 page)
Introduction - NFV
• Basic overview of how this fits into the CSA working group
• NFV definition, use cases
  • Use Case 1: Vendor community (how traffic inspection and traffic forwarding can be made easier)
  • Use Case 2: Bad actors (how attacks can be launched against the infrastructure)
  • Use Case 3: End user (what end users can do to secure their NFV infrastructure and leverage multi-vendor analysis)
• NFV benefits
  • Lower costs, commoditized hardware for rapid deployment, greater ease of management
• NFV security risks
  • Lack of standards, oversight of software changes, and the software-compromise problems of the desktop/mobile world moving into networking
Introduction - SDN
• SDN definition and use cases
  • SDN focus on carrier networks
  • SDN intersection with NFV
• SDN architecture (data/control plane)
• SDN security risks
  • Control plane (risks of controller compromise, including trust of control communications)
  • Data plane (risks of interception and manipulation)
• How we will deal with NFV and SDN together in the paper
NFV Security Framework
• NFV security framework (Component / Function / Relevance)
• Traffic Analysis
  Function: deep packet inspection, QoE
  Relevance: DPI engines can now be placed directly at each egress point
• Control Plane
  Function: AAA data, policy enforcement
  Relevance: Simplifies some of SSO enforcement
• Application Optimization/Acceleration
  Function: CDN, caching of files
  Relevance: Catch infected files and ensure they are not cached
• Security Specific
  Function: Firewalls, A/V, IDS, etc.
  Relevance: Moves traditional boxes and cloud services away from fixed locations or vendors; can leverage multi-vendor analysis
SDN Security Framework
• SDN security framework (Component / Function / Relevance)
• Control Plane
  Function: Manage devices
  Relevance: Hijacking of the networking devices being managed; insecure trust model in the network; MITM attacks, etc.
• Application (Data) Plane
  Function: Deliver network data to devices
  Relevance: Data validity and trust; DoS attacks
Note: We do not specifically talk about Infrastructure layer (should we?)
Risk Model - Next Steps
• Ideally we need a risk model that can support, in subsequent efforts, a detailed checklist of security steps to protect NFV/SDN infrastructure
• The model will generally follow:
  • A use-case based approach
  • Steps to protect the infrastructure
  • Steps to leverage NFV/SDN capability to provide additional security capabilities
  • Auditing mechanisms to verify the above
  • A scoring mechanism to help users of the model verify "how secure" they may be across their overall infrastructure
  • How this model relates to other security frameworks (e.g. the CCM)
Whitepaper Timelines
• April 24, 2015: Presentation and call for volunteers
• May 24, 2015: Publication of detailed outline for paper and
solicitation for further volunteers
• June 24, 2015: Initial draft of paper
• July 30, 2015: Formal draft issued for general review
• August 30, 2015: Presentation of paper during VMworld