sdn and nfv integrated openstack cloud - birds eye view on security
TRANSCRIPT
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property
of their respective owners. © 2017 NXP B.V.
PUBLIC
SDN and NFV Integrated OpenStack Cloud
- Birds-eye View of Security -
Trinath Somanchi, Sridhar Pothuganti
NXP – HSDC – INDIA
Lightning Talks – OpenStack Summit, Sydney
Wednesday, 8th November 2017
Session Outline
• OpenStack with SDN and NFV – From Data Center to Edge
• The OpenStack SDN and NFV Cloud
• Five Dimensional Threat Analysis
• Threat focus areas – Birds-eye View
• Layered Security Approaches
• Secured Platform - NFVI
• Security Initiatives from OpenStack
• Security Checklist
Threat Analysis on SDN and NFV integrated OpenStack Cloud
SDN and NFV - From Data Center to Edge
• Data Centers are moving to be Hybrid
• Aggregation Nodes are paths to support Edge devices
• Edge devices evolve to hold VNFs
• Edge devices moving toward – Distributed Control with local controllers
• New SDN – Security Defined Networking
• Security – a Challenge to tackle from DC to Edge
• NFVI Security – a major concern
The OpenStack SDN and NFV Cloud
[Figure: ETSI NFV reference architecture – Operation Support Systems / Business Support Systems; EMS-1..EMS-n managing VNF-1..VNF-n; NFVI with Compute, Storage and Network Virtualization over the Virtualization Layer; Orchestrator, VNF Manager(s) and Virtualized Infrastructure Manager(s) driven by the Service, VNF and Infrastructure Description; reference points Vi-Ha, Vn-Nf, Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Or-Vi, Vi-Vnfm, Nf-Vi – mapped to OpenStack projects:]
• Virtual Networking – Neutron
• Workflow – Mistral
• Service Function Chaining – Networking SFC
• Open Virtual Networking – Networking OVN
• Orchestration – Heat, Heat-translator, TOSCA Parser
• Multi Site OpenStack Networking – Tricircle
• Multi Site OpenStack VIM – KingBird
• VNF Image Store – Glance
• Block and Object Store – Cinder, Swift
• NFVO and VNFM – Tacker
• Monitor and Telemetry – Ceilometer
• ODL SDN Controller Plugin – Networking ODL
• Monitoring and Logging – Monasca
• Secrets Store – Barbican
• VNF High Availability – Masakari
• Disaster Recovery – Freezer
Five Dimensional Threat Analysis
Each Threat exposes a different aspect of SYSTEM VULNERABILITY at each layer.
NFV Infrastructure
> Attacks on Shared pool of resources
> Hypervisor layer attacks
> Vulnerabilities in virtualized entities
VNF Layer
> DoS/DDoS attacks
> Control Plane attacks
> Noisy neighbor
> Attacks due to insecure interfaces, control and monitoring gaps
> Different vendor NFV standards
SDN Fabric
> Attacks on Forwarding plane
> Flooding of network
> Weak ACL in Ctrl and Mgmt plane
> Vulnerabilities in SDN resources
NFV MANO
> Weak access control
> Inefficient monitoring
> Vulnerabilities in underlying layers
Others
> Weak access control
> Insecure interface
> Vulnerabilities in other layers
Threat Focus Areas – Birds-eye View
[Figure: Telco Cloud on OpenStack – OSS/BSS; NFV Orchestrator (Network Orchestration, Service Orchestration); VNF Manager; VIM; SDN Controller; EMSs over Voice, BB and IPTV VNFs; IP Edge and DC Edge sites – annotated with the threat focus areas: Attacks from VMs; Attacks on Host, Hypervisor and VM; DDoS/MiM/Network Traffic Poisoning Attacks; Attacks from remote/3rd Party applications]
Security Focus
Layered Security approaches
OpenStack bridges between three security domains
Critical elements of a Secure OpenStack Cloud
Secure OpenStack as Virtual Infrastructure Manager
Keystone (A&A)
• Multi-factor Auth
• Enabled Federated Identity.
• Access policies.
• Non-Persistent tokens.
• Strong HA for PKI Tokens.
Nova
• Trusted Compute pools.
• Keypair based access to VMs.
• Encrypting Metadata traffic.
• SELinux and Virtualization.
• FIPS 140-2 certified Hypervisors.
• Compiler Hardening.
• Secured communication.
Neutron
• Networking resource policy engine
• Security Groups
• Enable Quotas.
• Mitigate ARP Spoofing.
• Secured Communications.
Glance
• Ownership to Images.
• Strictly checked configuration
• Keystone for Authentication
• Encryption of Images.
• Vulnerability checks on Images.
Cinder
• Secured Communication
• Limit max body size – Request.
• Strict permission and Configuration.
• Enable Volume Encryption.
• Secured Network attached Storage.
Swift
• Network Security – Rsync.
• File permissions.
• Secured Storage Services.
• Strict ACL.
• Secured Communication.
Barbican
• Key Management as a Service.
• Manage Secrets, PKI keys, Split keys.
• Isolation of Keys is a top priority
OpenStack Security
• OpenStack Security Advisories (OSSA)
• OpenStack Security Notes (OSSN)
• OpenStack Security Guide
• OpenStack Security Project blog
• OpenStack Security Management tools.
OpenStack readiness for Secured Cloud
“Notable Fortune 100 enterprises BMW, Disney and Walmart have irrefutably proven that OpenStack is viable for production environments” [5]
• Securing OpenStack is an extension of a well-understood problem – securing normal IT infrastructure, such as keeping the infrastructure patched, reducing attack surfaces, and managing logging and auditing.
Secured Platform – NFVI
[Figure: layered secure platform stack –
• Run-Time Security Management and Enforcement: OP-TEE framework and drivers; Secure Installer, Loader; Secure Credential Mgmt; Secure Storage; Secure System Partitioning, Resource Mgmt Tool; LUKS, dm-crypt, TSS, PKCS-11; Extended Verification Module; Integrity Measurement Architecture; Secure Monitoring, Statistics; QorIQ Trust Tools; Secure Provisioning and Update
• Application Isolation Environment: I/O isolation, protection; SE-Linux; KVM, Docker, Java; isolated Applications
• Linux LTS kernel – Latest security patches
• Trust Architecture: ARMv8 cores; ARM Trust-Zone; Secure Boot – HW Root of Trust; Secure Monitor; Compute, IO, Memory partitioning; Run-Time Integrity Checker; Secure Key Storage; Manufacturing Protection
Trust Architecture features: 1 Secure Boot, 2 Secure Storage, 3 Key Protection, 4 Key Revocation, 5 Secure Debug, 6 Tamper Detection, 7 Strong Partitioning, 8 Manufacturing Protection]
NFVI - Secure Platform in a Gateway
Secure Boot
• QorIQ Trust Architecture provides HW Root of Trust.
• Anti-cloning features.
• Anti-rollback to vulnerable firmware.
• Persistent secret storage not visible to hackers.
Secure Provisioning
• Secure signing of images and key provisioning.
• 3-way secrets isolation between NXP, ODM and customer.
• Secured firmware upgrades
Trusted Linux
• Secure run-time system operations.
• Secure credential management – e.g. DRM keys.
• Detect tampering of software via integrity checks.
• Decrypt system firmware on-the-fly
Application Isolation
• Isolate and host multiple services in containers, VMs.
• Verify applications before install and launch.
• HW level resource isolation and management.
Crypto Acceleration
• NIST certified Security engine with rich algorithm support.
• True Random Number Generation with 100% entropy
• Integrated with Linux IPSec and OpenSSL.
[Figure: Secure Gateway platform – hardware: 802.11ax, ac, ad; ARM CPUs up to 100K CoreMark; Trust Arch; Packet Engine 2-20Gbps; Ethernet Controllers 2x 1GE -> 2x 10GE; Security Engine; devices LS1046, LS1043, LS1012, LS1024, LA1575. Software: Networking, Security drivers; Linux NW Stack; OpenWRT; Layer 4-7 DPI, AIS; Customer Applications; Layer 2 – 4 offload (IPSec, Firewall, NAPT, QoS); Customer Control Plane; DPDK, ODP; Virtualization Framework; Secure Platform]
Secure SDN and NFV Integrated OpenStack Cloud
[Figure: the same Telco Cloud – OSS/BSS; NFV Orchestrator (Network Orchestration, Service Orchestration); VNF Manager; VIM; SDN Controller; EMSs over Voice, BB and IPTV VNFs; IP Edge and DC Edge sites – overlaid with the security layers: Security Orchestration; Virtualized Security; Hardware Security; VNF Security Engine; Firewall; IPS/IDS; Authorized Access; Security Policing; Trust attestation]
Security Checklist
Monitor Virtual networks – Daily practice.
VNF FCAPS – Analysis and Analytics.
OpenStack communication via Secured tunnels.
Encrypted password for DB access – Monthly TODO.
Verify VNF images for Vulnerabilities.
Infra design – Network Security Defense patterns.
Scan block storage.
Strict Policy and Security groups.
OpenStack Security ML
Hardware Crypto accelerators.
Role based access control.
Scan the complete cloud.
Secure the Data plane layer – Use TLS 1.2 for authentication.
Security Harden SDN Controller Operating System.
Strict authentication and Authorization to SDN Controller.
Implement HA of SDN Controller to guard against DDoS attacks.
Enable Application level Security.
Use TLS or SSH – NBC and Controller management.
All routers and switches security hardened.
Isolate tenant traffic from management traffic.
Periodically patch the software components for vulnerabilities.
Security Monitoring – a daily practice.
Adopt Security Orchestrator frameworks – VSF Orchestration.
Isolated Key Manager – a chest for all keys.
Encrypt and split the storage.
RESTful communication – Secured.
No Test ports/API at Production.
Upgrade the system – for security bug fixes.
Distributed SDN Controllers and VNF Managers – Large DC
Leverage Hardware security capabilities.
FIPS 140-2 certified Hypervisors.
Federated Identity.
ABSOLUTE SECURITY IS A MYTH.
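Several items on the VIM hardening slide (Keystone for Authentication, Secured Communication) and on this checklist (OpenStack communication via Secured tunnels, Use TLS) can be verified mechanically from a service's config file; the following is an added example, not code from the deck or from OpenStack, that audits a nova.conf fragment with the standard configparser module. The option names are real nova, keystonemiddleware and oslo.messaging options; the two config fragments are constructed here, and the ssl_ca check assumes a pymysql-style TLS parameter in the connection URL.

```python
import configparser
# Constructed weak nova.conf fragment: no Keystone auth, plaintext HTTP to
# Keystone, certificate verification off, unencrypted DB and RPC transport.
WEAK_CONF = """
[DEFAULT]
auth_strategy = noauth2
[keystone_authtoken]
auth_url = http://controller:5000/v3
insecure = true
[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova
[oslo_messaging_rabbit]
ssl = false
"""
# Constructed hardened counterpart of the same fragment.
HARDENED_CONF = """
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_url = https://controller:5000/v3
insecure = false
[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova?ssl_ca=/etc/ssl/certs/ca.pem
[oslo_messaging_rabbit]
ssl = true
"""

def _opt(cfg, section, key):
    """Lower-cased option value, or '' when unset; configparser resolves DEFAULT."""
    return cfg.get(section, key, fallback="").strip().lower()

def audit(conf_text):
    """Return a list of weak-setting findings; an empty list means all checks passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    if _opt(cfg, "DEFAULT", "auth_strategy") != "keystone":
        findings.append("DEFAULT.auth_strategy: API not authenticated through Keystone")
    if not _opt(cfg, "keystone_authtoken", "auth_url").startswith("https://"):
        findings.append("keystone_authtoken.auth_url: token validation not over HTTPS")
    if _opt(cfg, "keystone_authtoken", "insecure") == "true":
        findings.append("keystone_authtoken.insecure: TLS certificate verification disabled")
    # Assumption: an ssl_ca query parameter is how this deployment requests TLS
    # from the pymysql driver; adapt the check to the driver actually in use.
    if "ssl_ca=" not in _opt(cfg, "database", "connection"):
        findings.append("database.connection: no ssl_ca, DB traffic is unencrypted")
    if _opt(cfg, "oslo_messaging_rabbit", "ssl") != "true":
        findings.append("oslo_messaging_rabbit.ssl: RPC message bus not using TLS")
    return findings
```

Running audit() over each service's config during the periodic review the checklist calls for turns "OpenStack communication via Secured tunnels" into a repeatable check rather than a one-off inspection.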
That’s all folks
References
1. Securing OpenStack Clouds - https://www.openstack.org/assets/securing-openstack-clouds/OpenStack-SecurityBrief-letteronline.pdf
2. OpenStack Security Guide - https://docs.openstack.org/security-guide/
3. OpenStack Security Wiki - https://wiki.openstack.org/wiki/Security
4. OpenStack Security - https://security.openstack.org/
5. Security Notes (OSSN) - https://wiki.openstack.org/wiki/Security_Notes
6. Security Advisories - https://security.openstack.org/ossalist.html
7. OpenStack is Ready for Business - https://www.openstack.org/enterprise/forrester-report/
8. QorIQ Layerscape Secure Platform - Securing the Complete Product Lifecycle - https://www.nxp.com/products/microcontrollers-and-processors/power-architecture-processors/qoriq-platforms/developer-resources/qoriq-layerscape-secure-platform-securing-the-complete-product-lifecycle:SECURE-PLATFORM