March 3, 2016


Improving Efficiency Of Vulnerability Assessment In NFV Based Cloud Networks

The concept of virtualizing network equipment is picking up fast. Popularly known as Network Function Virtualization (NFV), this concept aims to virtualize network functions by running them as software on standard server-grade hardware and do away with the proprietary equipment used previously. The NFV specification group is run under the European Telecommunications Standards Institute (ETSI) and is made up of representatives from several leading telecommunications companies.

More than an innovation, NFV is the need of the hour, as most telecom operators and cloud providers are looking to reduce their operational and maintenance costs while gaining the flexibility to scale. This is certainly achievable by migrating network elements from OEM-constrained proprietary equipment to standard COTS servers. Leading market research firms have put the overall global market for NFV at $8.7 billion by 2020.

The transition of networks to an NFV-based cloud architecture will not be straightforward. Once virtual network functions (VNFs) start replacing the existing proprietary equipment, a direct impact on the overall design of the cloud or data center network is inevitable. This impact takes the form of new components, layers, or interfaces. Thus the introduction of VNFs does not come without pitfalls, and it may require additional requirements to be implemented.

One such requirement is in the area of network security, and it is the reason ETSI is drafting security and trust guidelines for NFV.

The table below lists the characteristics of security vulnerabilities in a traditional network versus a cloud network.

Security requirements for NFV in the cloud can be seen as an intersection of generic and network-specific vulnerabilities. These requirements are a direct consequence of the changes in network design and topology caused by replacing physical network elements with software-based ones. Operators will now look not only at OPEX and CAPEX reduction but also at the flexibility to configure, scale up, and scale down based on demand. Here is a generalization of some of the NFV-specific security requirements:

  • Secured intra-VNF communication, with VNFs using firewalls to filter incoming traffic
  • Metadata security and encryption of inter-VNF traffic
  • Secure boot, hardening, and patching of the hypervisor and OS
  • Secure crash and recovery
  • Securing the APIs for NFV operations and management
  • Security policies that remain intact for instantiated, suspended/resumed, and migrated VNFs
  • No loss of visibility into data and control packets due to movement or scale-in/out of VNFs

Fig. 1: Cloud Threat Landscape

It becomes obvious that security management in a cloud or data center is a cumbersome job that requires a complex combination of vulnerability assessment and management solutions, coupled with compliance and process-adherence standards. Many of these tasks are performed manually and require dedicated security experts and the involvement of third-party validation processes. Adding NFV-related security requirements to existing networks would add to the overall effort and lead to a decline in the efficiency of this already complex security management process.

A suggested approach for handling network security vulnerabilities together with the NFV cloud-specific security requirements would be to build a framework or solution that maximizes automation while structuring the complete security management and validation process. It can be a one-stop, comprehensive solution that provides centralized control over network security management by offering vulnerability assessment checks, adherence to processes and guidelines, reporting, and mitigation. Such a framework would reduce the overall test effort, speed up the validation process, and to some extent lower the specialized skill requirements for personnel. At a broader level, the important features of such a vulnerability assessment framework should include:

  • Automated discovery of network elements and software
  • Comprehensive scanning to detect network vulnerabilities
  • Validation of generic as well as network-function-specific vulnerabilities
  • Tools and analytics components to monitor network usage, user behavior, and DDoS-related attacks
  • Incorporation of standard security processes and policies aimed at compliance, covering internal and external threats
  • Centralized reporting and mitigation

Implementing NFV supports cost reduction but requires customization of networks, and this customization leads to additional security requirements. A comprehensive solution that maximizes the automation of network vulnerability assessment can be an answer to the ever-changing dynamics of network security.