Network security and reliability are the most challenging tasks in any cloud. With NFV and SDN in place, Network Functions are virtualzied and network traffic is managed in separated control and data planes. Thus reducing the operational and capital expenditure. Virtualized Network Functions are tied with Software Defined Networks to boost the power of virtualization. This itself is challenging when Network services and security is a concern. While OpenStack is the best opted solution for IaaS, many service provides are moving towards best solutions to deal with service delivery and security challenges in SDN and NFV integrated OpenStack Cloud.

1. NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property
of their respective owners. © 2017 NXP B.V.
PUBLIC
SDN and NFV Integrated OpenStack Cloud
- Birds-eye View of Security -
Trinath Somanchi, Sridhar Pothuganti
NXP – HSDC – INDIA
Lightning Talks – OpenStack Summit, Sydney
Wednesday, 8th November 2017

2. PUBLIC 1
Session Outline
• OpenStack with SDN and NFV – From Data Center to
Edge
• The OpenStack SDN and NFV Cloud
• Five Dimensional Threat Analysis
• Threat focus areas – Birds-eye View
• Layered Security Approaches
• Secured Platform - NFVI
• Security Initiatives from OpenStack
• Security Checklist

3. PUBLIC2
Threat Analysis on
SDN and NFV integrated
OpenStack Cloud

4. PUBLIC 3
SDN and NFV - From Data Center to Edge
• Data Centers are moving to be Hybrid
• Aggregation Nodes are paths to support
Edge devices
• Edge devices evolve to hold VNFs
• Edge devices moving toward – Distributed
Control with local controllers
• New SDN – Security Defined Networking
• Security – a Challenge to tackle from DC to
Edge
• NFVI Security – a major concern

5. PUBLIC 4
The OpenStack SDN and NFV Cloud
Operation Support Systems
Business Support Systems
Compute Storage Network
Virtualization Layer
Compute
Virtualizatio
n
Storage
Virtualizatio
n
Network
Virtualizatio
n
Vi-Ha
EMS - 1 EMS - 2 EMS - n
VNF - 1 VNF - 2 VNF - n
Orchestrator
Orchestrator
Orchestrator
VNF
Manager(s)
Virtualized
Infrastructure
Manager(s)
Vn-Nf
Service, VNF,
Infrastructure Description
Os-Ma
Se-Ma
Ve-Vnfm
Or-Vnfm
Or-Vi
Vi-Vnfm
Nf-Vi
NFVI
Virtual NetworkingNeutron
WorkflowMistral
Service Function Chaining
Networking
SFC
Open Virtual Networking
Networking
OVN
Orchestration
Heat
Heat-translator
TOSCA Parser
Multi Site OpenStack Networking Tricircle
Multi Site OpenStack VIM KingBird
VNF Image Store Glance
Block and Object Store
Swift
Cinder
NFVO and VNFM Tacker
Monitor and TelemetryCeilometer
ODL SDN Controller Plugin
Networking
ODL
Monitoring and Logging Monasca
Secrets Store Barbican
VNF High Availability Masakari Disaster RecoveryFreezer

6. PUBLIC 5
Five Dimensional Threat Analysis
Each Threat exposes a different aspect of SYSTEM VUNERABILITY at each layer.
Threat
Analysis
SDN
fabric
NFV Infrastructure
> Attacks on Shared pool of resources
> Hypervisor layer attacks
> Vulnerabilities in virtualized entities
VNF Layer
> Dos/DDoS attacks
> Control Plane attacks
> Noisy neighbor
> Attacks due to insecure interfaces
control and monitoring gaps
> Different vendor NFV standards
SDN Fabric
> Attacks on Forwarding plane
> Flooding of network
> weak ACL in Ctrl and Mgmt plane
> Vulnerabilities in SDN resources
NFV MANO
> Weak access control
> Inefficient monitoring
> Vulnerabilities in underlying layers
Others
> Weak access control
> Insecure interface
> Vulnerabilities in other layers

7. PUBLIC 6
VNF
Manager
Voice
Voice
BB
BB
IPTV
IPTV
EMS EMS EMS
VNFs
SDN
C
OSS/BSS
NFV Orchestrator
Network
Orchestration
Service
Orchestration
VIM
IP
Edge
IP
Edge
DC
Edge
DC
Edge
OpenStackTelco Cloud
Attacks
from VMs
Attacks on
Host,
Hypervisor
and VM
DDoS/MiM/Network
Traffic Poisoning
Attacks
Attacks from
remote/3rd
Party
applications
Threat Focus Areas – Birds-eye View

8. PUBLIC 7
Security Focus

9. PUBLIC 8
Layered Security approaches
OpenStack bridges between three security domains
Critical elements of a Secure OpenStack Cloud

10. PUBLIC 9
Secure OpenStack as Virtual Infrastructure Manager
Keystone
A&A
Multi-factor Auth
Enabled Federated
Identity.
Access policies.
Non-Persistent
tokens.
Strong HA for PKI
Tokens.
Nova
•Trusted Compute
pools.
Keypair based
access to VMs.
Encrypting
Metadata traffic.
SELinux and
Virtualization.
FIPS 140-2 certified
Hypervisors.
Compiler
Hardening.
Secured
communication.
Neutron
Networking
resource policy
engine
Security Groups
Enable Quotas.
Mitigate ARP
Spoofing.
Secured
Communications.
Glance
Ownership to
Images.
Strictly checked
configuration
Keystone for
Authentication
Encryption of
Images.
Vulnerability checks
on Images.
Cinder
Secured
Communication
Limit max body
size – Request.
Strict permission
and Configuration.
Enable Volume
Encryption.
Secured Network
attached Storage.
Swift
Network Security –
Rsync.
File permissions.
Secured Storage
Services.
Strict ACL.
Secured
Communication.
Barbican
Key Management
as a Service.
Manage Secrets,
PKI keys, Split
keys.
Isolation of Keys is
a top priority
OpenStack
Security
OpenStack
Security Advisories
(OSSA)
•OpenStack
Security Notes
(OSSN)
•OpenStack
Security Guide
•OpenStack
Security Project
blog
• OpenStack
Security
Management tools.

11. PUBLIC 10
OpenStack readiness for Secured Cloud
“Notable Fortune 100 enterprises BMW, Disney and Walmart have irrefutably proven that OpenStack is viable for production environments [5]
• Securing OpenStack is an extension of a well-understood problem― securing normal IT
infrastructure, such as keeping the infrastructure patched, reducing attack surfaces, and managing
logging and auditing.

12. PUBLIC 11
Secured Platform – NFVI
Run-Time Security
Management and Enforcement
OP-TEE
Framework, drivers
Secure Installer, Loader
Secure Credential Mgmt
Secure Storage
Secure System Partitioning
Resource Mgmt
Tool
LUKS
dm-crypt
TSS
PKCS-11
Extended
Verification Mod
Integrity
Measurement
Architecture
Secure Monitoring, Statistics
QorIQ Trust
Tools
Secure Provisioning and Update
Application Isolation
Environment
I/O isolation, protection
SE-Linux
KVM, Docker, Java
Application
Application
Application
Application
Linux LTS kernel
- Latest security patches
Trust Architecture
ARMv8 cores ARM Trust-Zone
Secure Boot – HW Root of Trust
Secure
Monitor
Compute, IO, Memory partitioning
Run-Time Integrity
Checker
Secure Key
Storage
Manufacturing
Protection
8
Secure
Boot
1
Secure
Storage
2
Key
Protection
3
Key
Revocation
4
Secure
Debug
5
Tamper
Detection
6
Strong
Partitioning
7

13. PUBLIC 12
NFVI - Secure Platform in a Gateway
QorIQ Trust
Architecture provides
HW Root of Trust.
Anti-cloning features.
Anti-rollback to
vulnerable firmware.
Persistent secret
storage not visible to
hackers.
Secure Boot
Secure signing of
images and key
provisioning.
3-way secrets
isolation between
NXP, ODM and
customer.
Secured firmware
upgrades
Secure
Provisioning
Secure run-time
system operations.
Secure credential
management – e.g.
DRM keys.
Detect tampering of
software via integrity
checks.
Decrypt system
firmware on-the-fly
Trusted Linux
Isolate and host
multiple services in
containers, VMs.
Verify applications
before install and
launch.
HW level resource
isolation and
management.
Application
Isolation
NIST certified
Security engine with
rich algorithm
support.
True Random
Number Generation
with 100% entropy
Integrated with Linux
IPSec and
OpenSSL.
Crypto
Acceleration
802.11ax,
ac, ad
ARM CPUs
up to 100K Coremark
Trust
Arch
Packet Engine
2-20Gbps
Ethernet Controllers
2x 1GE -> 2x 10GE
Security
Engine
Secure Gateway
LS1046
LS1043
LS1012
LS1024
Networking, Security drivers
Linux NW Stack
OpenWRT
Layer 4-7
DPI, AIS
Customer
Applications
Layer 2 – 4 offload
(IPSec, Firewall, NAPT, QoS)
Customer Control
Plane
DPDK, ODPVirtualizationFramework
Secure Platform
LA1575

14. PUBLIC 13
Secure SDN and NFV Integrated OpenStack Cloud
VNF
Manager
Voice
Voice
BB
BB
IPTV
IPTV
EMS EMS EMS
VNFs
SDN
C
OSS/BSS
NFV Orchestrator
Network
Orchestration
Service
Orchestration
VIM
IP
Edge
IP
Edge
DC
Edge
DC
Edge
Telco Cloud
Security Orchestration
Virtualized
Security
Hardware
Security
VNF Security
Engine
Firewall
IPS/IDS
Authorized Access
Security Policing
Trust attestation

15. PUBLIC 14
Security Checklist
 Monitor Virtual networks – Daily practice.
 VNF FCAPS – Analysis and Analytics.
 OpenStack communication via Secured tunnels.
 Encrypted password for DB access – Monthly TODO.
 Verify VNF images for Vulnerabilities.
 Infra design – Network Security Defense patterns.
 Scan block storage.
 Strict Policy and Security groups.
 OpenStack Security ML
 Hardware Crypto accelerators.
 Role based access control.
 Scan the complete cloud.
 Secure the Data plane layer – Use TLS 1.2 for authentication.
 Security Harden SDN Controller Operating System.
 Strict authentication and Authorization to SDN Controller.
 Implement HA of SDN Controller to guard against DDoS attacks.
 Enable Application level Security.
 Use TLS or SSH – NBC and Controller management.
 All routers and switches security hardened.
 Isolate tenant traffic from management traffic.
 Periodically patch the software components for vulnerabilities.
 Security Monitoring – a daily practice.
 Adopt Security Orchestrator frameworks – VSF Orchestration.
 Isolated Key Manager – a chest for all keys.
 Encrypt and split the storage.
 ReSTful communication – Secured.
 No Test ports/API at Production.
 Upgrade the system – for security bug fixes.
 Distributed SDN Controllers and VNF Managers – Large DC
 Leverage Hardware security capabilities.
 FIPS 140-2 certified Hypervisors.
 Federated Identity.
ABSOLUTE SECURITY IS A MYTH.

16. PUBLIC 15
That’s all folks
1. Securing OpenStack Clouds - https://www.openstack.org/assets/securing-openstack-clouds/OpenStack-SecurityBrief-
letteronline.pdf
2. OpenStack Security Guide - https://docs.openstack.org/security-guide/
3. OpenStack Security Wiki - https://wiki.openstack.org/wiki/Security
4. OpenStack Security - https://security.openstack.org/
5. Security Notes (OSSN) - https://wiki.openstack.org/wiki/Security_Notes
6. Security Advisories - https://security.openstack.org/ossalist.html
7. OpenStack is Ready for Business - https://www.openstack.org/enterprise/forrester-report/
8. QorIQ Layerscape Secure Platform - Securing the Complete Product Lifecycle -
https://www.nxp.com/products/microcontrollers-and-processors/power-architecture-processors/qoriq-
platforms/developer-resources/qoriq-layerscape-secure-platform-securing-the-complete-product-lifecycle:SECURE-
PLATFORM
References

17. NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2017 NXP B.V.