NFV: Security Threats And Best Practices - MOSAIC LAB


Accepted from Open Call

NFV: Security Threats and Best Practices

Shankar Lal, Tarik Taleb, and Ashutosh Dutta

Shankar Lal is with Nokia Bell Labs/Aalto University; Tarik Taleb is with Sejong University/Aalto University; Ashutosh Dutta is with AT&T.
IEEE Communications Magazine, August 2017. Digital Object Identifier: 10.1109/MCOM.2017.1600899

Abstract

Network function virtualization (NFV) yields numerous benefits, particularly the possibility of a cost-efficient transition of telco hardware functionalities to a software platform, which breaks the vendor lock-in problem. These benefits come at the price of some security flaws. Indeed, with NFV, virtual mobile networks become vulnerable to a number of security threats. These threats can be mitigated using some available techniques and also through other emerging solutions. This article presents critical security threats that exist in the NFV infrastructure and proposes best security practices to protect against them.

Introduction

The telecommunication infrastructure is experiencing great structural changes in the way it used to be deployed, thanks to emerging technologies such as network functions virtualization (NFV). NFV is a major step in network evolution: it uses modern virtualization platforms and commercial off-the-shelf (COTS) hardware to deploy network functions for mobile networks, and it has a significant impact on network operations. An important contribution of NFV is to turn network functions that traditionally rely on hardware appliances, such as network firewalls and gateway routers/switches, into software modules.

Traditional network functions are coupled with underlying dedicated hardware, which is, in turn, vendor proprietary. When it comes to scaling the network, the deployment of new network functions and services becomes increasingly cumbersome and expensive. It is also difficult to provision them under dynamic network traffic and constantly changing requirements. NFV defines a promising approach to overcome these problems, enabling easy and fast network function deployment [1, 2].

In comparison with traditional network infrastructures, NFV delivers the following promises, among others:
- Lowering the cost of ownership by moving network functions from dedicated boxes into virtual resources (i.e., virtual machines (VMs) or containers).
- Enabling fast and cost-efficient deployment of network functions for better service agility.
- Supporting agile and flexible deployment of network functions along with their lifecycle management.
- Reducing energy consumption.

Contrary to common belief, NFV does not depend on software defined networking (SDN) and can be implemented stand-alone. SDN and NFV are complementary and bring significant advantages when used together. NFV can virtualize SDN controllers, allowing them to be moved dynamically to desired locations. SDN can bring value to NFV by providing dynamic network connectivity, programming the network to be optimal based on network traffic monitoring and analysis [1]. Some practical examples of VNFs are vRouters, vFirewalls, virtual content delivery servers, vIPS/vIDS, vDNS servers, and virtual VPN servers.

In this article, we review the security challenges that pose threats to the NFV infrastructure (NFVI) and explain how these attacks can be carried out. Based on the severity of these attacks, we propose best security practices to cope with them. The rest of this article is organized as follows. We list the gains and pains of adopting NFV; this section also explains the security implications of adopting NFVI and the opportunities for building a secure and vibrant NFVI-based ecosystem. We present related work and ongoing research projects. We briefly discuss the ETSI NFV architecture. We discuss the main security risks associated with NFVI and highlight the most common attacks that can be executed on it. We propose best security practices to protect against these attacks. We further discuss the open security challenges. Finally, the article concludes.

Gains and Pains of NFVI

NFV provides the means to install new network functions on demand without installing any new hardware equipment. For example, a mobile operator can run any software-based network function in a specific format of virtual resources (e.g., VMs or containers) at any time. This enables agile networking and cost-effective deployment of network functions. NFV thus promises a decrease in time to market for network functions through software-based services and facilitates custom deployment of services based on customers' requirements.

Security in NFV raises important concerns about its adoption into the underlying telecommunication infrastructure. It largely impacts system resiliency [16] as well as the overall quality of the offered services [17]. Some of these security concerns apply to the key architectural components of the NFV infrastructure, such as the virtual infrastructure manager (VIM). The hypervisor, the main element under the VIM's control, is already under various

security attacks such as VM/guest OS manipulation and data exfiltration/destruction. Therefore, once the hypervisor is compromised, the number of reachable vulnerabilities grows sharply. Since NFV delivers software-enabled automated provisioning of network functions, it can also open security vulnerabilities such as automated network configuration exploits, orchestration exploits, malicious misconfiguration, and SDN controller exploits. Due to the elastic and flexible nature of NFVI elements, some security attacks can also become amplified. One such attack is the DNS amplification attack, which is discussed in a later section. In addition, VNFs are likely to be provided by many different vendors, which can result in interoperability issues that create security loopholes in the infrastructure [3].

On the other hand, the flexible and scalable nature of NFV helps to improve incident response time, provides better resiliency against distributed denial of service (DDoS) attacks, and enables on-demand firewalling and intrusion detection/prevention systems (IDS/IPS) to block or reroute malicious traffic. Figure 1 depicts an example of an attack on NFVI. In the envisioned scenario, the mobility management entity (MME) is virtualized and the orchestrator is capable of instantiating new vMME instances on demand. An attacker could create a botnet by infecting many mobile devices with a "remote-reboot" malware, enabling the attacker to instruct the malware to reboot all devices at the same time (step 1 in Fig. 1). The simultaneous rebooting of all devices causes excessive "malicious" attach requests and results in a signaling storm (step 2 in Fig. 1), putting the vMME under DDoS attack. In response to the attack, the orchestrator may instantiate a new VM to scale out the vMME function to sustain the surge in signaling traffic and to ensure service availability while the attack is being investigated (step 3 in Fig. 1).

[Figure 1. NFVI DDoS resiliency. The figure is not reproduced here; it shows mobile devices (smartphones, M2M, IoT) attached over LTE to eNodeBs (RAN), a virtualized EPC (gateway functions and vPCEF) and virtualized IMS running over a hypervisor on common COTS hardware with SDN, and the SGi interface toward the Internet, cloud services, and partners.]

Related Work and Ongoing Projects

Security concerns have been raised in [4], where the authors identified the challenges of managing the security of virtual appliances in a cloud service provider's infrastructure, along with the introduction of additional entities, such as orchestrators, which can themselves be vulnerable to security threats. The authors in [5] presented two security risks that need to be addressed during NFV design. The first is the isolation and protection of network functions belonging to different subscribers. The second is the security and resiliency of the physical and virtual resources of NFVI. In [6], the authors provided a security framework for virtualized networks based on the use of a root trusted module.

There are a number of ongoing research projects in the NFV security domain aiming to provide security and resiliency of the NFV infrastructure. The European H2020 Arcadia project has the objectives of detecting, exploring, and understanding security events in NFVI through service chain performance analytics that detect anomalous behavior of network functions. The 5GEnsure project envisions securing future 5G networks that will rely on NFVI; it aims at developing security enablers consisting of privacy, trust, and virtualization isolation functions for 5G networks. OPNFV, an open source project of the Linux Foundation, has a dedicated security group working on vulnerability management and on developing network security functions for NFV.

Brief Overview of NFV Infrastructure

NFVI provides the infrastructure consisting of all the hardware and software resources required to deploy VNFs. Figure 2 shows the NFVI reference architecture as defined by the European Telecommunications Standards Institute (ETSI). The hardware resources consist of compute, storage, and network elements that provide processing, storage, and connectivity capabilities to VNFs through a virtualization layer. The virtualization layer abstracts the hardware resources so that the software uses the virtualized infrastructure instead. Examples of the virtualization layer are hypervisors and container-based virtualization solutions such as Docker. Beyond the NFVI, the ETSI NFV architectural framework also includes the following functional building blocks [7].

[Figure 2. The ETSI NFV reference architecture. The figure is not reproduced here; it shows OSS/BSS and the NFV management and orchestration block (with the NFV orchestrator) connected over the Os-Ma and Or-Vnfm reference points, element managers EM 1, EM 2, EM 3 attached to VNF 1, VNF 2, ..., and the NFVI with its virtual network, virtualization layer, and hardware resources joined over the Vl-Ha reference point.]

Virtual Network Functions: VNFs are software packages that implement network functions using the infrastructure provided by NFVI. Virtualizing network functions reduces hardware usage, improves scalability, and reduces

implementation costs. This enables easy upgrades, reduced power consumption, and reduced maintenance.

NFV Orchestrator: Responsible for onboarding new network services and managing their lifecycle (e.g., instantiation, scaling in and out, performance measurement, and termination). The NFV orchestrator also performs global resource management and authorizes resource requests in the NFV system.

VNF Manager(s): In charge of VNF lifecycle management (instantiating, updating, scaling, and terminating) and of the other functions necessary over the entire VNF lifecycle. It also coordinates with, and reports events to, other NFVI components.

Virtual Infrastructure Manager(s) (VIM): The VIM controls and manages the interaction of VNFs with NFVI. Basically, it performs resource management, i.e., the management and allocation of NFVI compute, storage, and network resources to VNFs. It also analyzes NFVI performance, logs any fault information, and collects and forwards performance and measurement events.

Additionally, the NFV management and orchestration stack holds a VNF descriptor (VNFD), a VNF deployment template that describes the VNF's operational and deployment requirements.

Security Risks Associated with NFV

VNFs run over virtual resources such as VMs. The security threats associated with VNFs are the combination of the threats to physical networking and the threats to virtualization technologies; NFV-specific threats emerge where the two sets intersect [8]. In the following, we discuss the potential security risks associated with NFVI, considering some potential attack scenarios.

Isolation Failure Risk

Here, we consider the case in which an attacker manages to break into a hypervisor by compromising some VNFs running over it. This attack, called a VM escape attack, can have a great impact once carried out successfully; it is depicted in Fig. 3. In this scenario, the attacker first compromises one VNF by gaining access to its operating system (step 1 in Fig. 3). Using tools and the VNF's network connectivity to the cloud management network, the attacker gains access to the hypervisor management API (step 2 in Fig. 3) and then breaks into the hypervisor itself (step 3 in Fig. 3). These attacks are possible due to improper isolation between hypervisors and VNFs. A practical example is an application running in a VNF that sends crafted network packets to exploit a heap overflow in a virtualization process (e.g., the device emulation process serving the VM), resulting in arbitrary code execution on the hypervisor and access to the host.

In another attack scenario, a VNF may orchestrate other VNFs, which is achieved by granting the VNF API access to the virtualization infrastructure so that it can instantiate new VNFs. This API can be misused by an attacker who compromises the VNF and thereby gains full access to all infrastructure resources [9].

[Figure 3. A VM escape attack scenario. The figure is not reproduced here; it shows VNF1, VNF2 and VNF3, each an application over a guest OS with VM tools, running on the hypervisor (VMM) above the physical hardware. The attacker's path runs from a compromised VNF (1) to the management APIs (2) and into the hypervisor (3).]

Network Topology Validation and Implementation Failure

Using NFV, virtual networking components (e.g., virtual routers and virtual networks) can be created easily. Quick and dynamic service decisions can lead to human error, such as a virtual router being created and used to interconnect virtual networks without any firewall in between. Compared to physical network appliance deployments, the dynamic nature of virtual network appliances and their connectivity can lead to improper separation between the network and its subnets. Using the above-mentioned VM escape attack, an attacker can compromise virtual firewalls, restricting firewall functionality while allowing enough access to carry out the attack. In a similar attack scenario, an attacker may acquire knowledge about a multi-site network infrastructure by exploiting the elastic nature of NFVI: the attacker can trigger VNF instantiation or migration into another NFVI point of presence with lower security protection (i.e., without any IDS/IPS/deep packet inspection (DPI) capabilities) [9].

Regulatory Compliance Failure

Attacks aiming to place and migrate workloads outside legal boundaries were not possible with traditional infrastructure. Using NFV, regulatory policies and laws can be violated by moving a VNF from a permitted location to one where the workload may not legally reside, as depicted in Fig. 4. The consequences of violating regulatory policies can be a complete ban of the service and/or a financial penalty, which may be the attacker's original intention in order to harm the service provider. Another possible attack scenario is an attacker exploiting an insecure VNF API to dump records of personal data from a database, violating user privacy.

Denial of Service Protection Failure

DoS attacks may be directed at virtual networks or at VNFs' public interfaces to exhaust network resources and impact service availability. A huge volume of traffic can be generated from a compromised VNF and sent to other VNFs running on the same hypervisor or even on different hypervisors. Similarly, some VNF applications can consume large amounts of CPU, hard disk, and

memory resources in order to exhaust the hypervisor [9].

[Figure 4. VNF location shift attack. The figure is not reproduced here; it shows a VNF tenant's SGSN/GGSN, HLR and RNC VNFs hosted by a VNFaaS hosting service provider over an NFVIaaS/IaaS/NaaS/PaaS/SaaS stack, with the attacker (a malicious insider) shifting a VNF between locations (USA, UK, Russia).]

In this vein, Fig. 5 depicts one practical scenario of a DNS amplification attack. In this scenario, an NFVI hosts a virtual DNS server as a component of a virtual evolved packet core (vEPC), and the NFVI orchestrator is able to deploy additional virtual DNS servers if the traffic load increases. An attacker spoofs the IP addresses of a number of victims and launches a high number of malicious DNS queries using the spoofed addresses (step 1 in Fig. 5). In response, the orchestrator instantiates new VMs to scale out the vDNS function to accommodate more queries (step 2 in Fig. 5). Consequently, multiple recursive DNS servers respond to the victims, which ultimately receive amplified DNS responses (step 3 in Fig. 5); this can result in service disruption or unavailability for the victims. In other words, the elasticity that is meant to preserve availability ends up multiplying the attacker's reflectors.

[Figure 5. DNS amplification attack. The figure is not reproduced here; it shows mobile devices (smartphones, M2M, IoT) attached over LTE to eNodeBs (RAN) and a vEPC (vS-GW, vP-GW, vPCEF) on common COTS hardware, with the SGi interface toward the Internet and cloud, and the victim receiving the amplified responses.]

Security Logs Troubleshooting Failure

In this attack, compromised VNFs generate a huge amount of logs on the hypervisor, making it difficult to analyze logs from other VNFs, especially when the initial entries in the log files are deleted (e.g., pushed out by log rotation). There is also a risk when infrastructure logs are leaked, which enables the correlation of logs from one VNF operator with another's to extract sensitive information [10].

Malicious Insider

These risks are classified as internal security risks and are caused by malicious actions of internal administrators. In one attack scenario, a malicious administrator takes a memory dump of a user's VM. Since the malicious administrator has root access to the hypervisor, a simple search of the memory dump can extract user IDs, passwords, and SSH keys, which violates user privacy and data confidentiality. In a second attack scenario, an internal attacker may extract a user's data from a hard-drive volume managed by the cloud storage devices. To execute this attack, the attacker first creates a backup copy of the VM drive and then uses open source tools, such as kpartx and vgscan, to map its partitions and logical volumes and extract sensitive data from it [11].

NFV Best Security Practices

In this section, we shed light on best security practices that should be followed in order to achieve reasonably better protection against the above-mentioned threats in an NFV environment. It should be noted that these practices do not guarantee foolproof security of NFVI, but they will provide better resiliency against these threats.

Boot Integrity Measurement Leveraging TPM

Using the trusted platform module (TPM) as a hardware root of trust, measurements of security-sensitive system components such as platform firmware, BIOS, bootloader, OS kernel, and other system components can be securely stored and verified. The platform measurements are taken while the system boots after a reset or reboot; during run time a recorded measurement cannot be overwritten, only extended with further measurements, so an attacker cannot rewrite the boot-time values. Validation of the platform measurements can be performed by the TPM's launch control policy (LCP) or through a remote attestation server [12].

Hypervisor and Virtual Network Security

The hypervisor enables virtualization between the underlying hardware and the VMs. Virtual networks in the cloud use SDN to enable connectivity among VMs and with outside networks. Security of these elements is a must in order to protect the whole infrastructure [15]. One best practice is to keep the hypervisor up to date by regularly applying released security patches; failure to do so leaves the platform exposed to known vulnerabilities. Another best practice is to disable all services that are not in use. For example, SSH and remote access services may not be needed all the time; it is therefore advisable to enable them only when needed [13]. Cloud administrators are the gatekeepers of the whole infrastructure and their accounts are the keys. Admin accounts should be secured by a strong password policy, ideally with multi-factor authentication, along with strict adherence to the organization's security guidelines.

Security Zoning

To prevent a VM from impacting other VMs or hosts, it is good practice to separate VM traffic from management traffic. This prevents attacks in which VMs tear into the management infrastructure. It is also a good idea to separate VLAN traffic into groups and disable all other VLANs

that are not in use. Likewise, VMs of similar functionality can be grouped into specific zones and their traffic isolated. Each zone can be protected using access control policies and a dedicated firewall according to its required security level. One example of such a zone is a demilitarized zone (DMZ) [13, 15].

VNF Image Signing

It is easy to tamper with VNF images. It takes only a few seconds to insert malware into a VNF image file while it is being uploaded to an image database or transferred from the image database to a compute node. Fortunately, VNF images can be cryptographically signed and verified at launch time. This is achieved by setting up a signing authority and configuring the hypervisor (or the VIM's image service) to verify an image's signature before the image is launched; an image whose signature fails to verify must be refused, not merely logged [9].

Linux Kernel Security

In virtualized platforms, the kernel of the host system is a highly important component that provides isolation between applications. The SELinux module, developed by the National Security Agency (NSA), is implemented in the kernel and provides robust isolation between tenants when virtualization technology is used on the host. Secure virtualization (sVirt) is an extension of SELinux developed to integrate mandatory access control with Linux-based hypervisors; sVirt isolates VM processes and their data files from one another by giving each VM and its disk images a distinct SELinux label. Beyond these, other kernel hardening tools can be useful to secure the Linux kernel. A notable example is hidepid, a procfs mount option that prevents unauthorized users from seeing other users' process information. Another example is grsecurity, which provides protection against memory corruption attacks [10].

Hypervisor Introspection

Hypervisor introspection can be used to scrutinize the software running inside VMs to find abnormal activities. It acts as a host-based IDS with access to the state of all VMs, so that rootkits and bootkits inside VMs cannot hide easily. Using introspection capabilities, the hypervisor's functionality is enhanced, enabling it, among other things, to monitor network traffic, access files in storage, and read memory during execution. Hypervisor introspection APIs are powerful tools for deep VM analysis and can potentially increase VM security. However, they can also be abused: an attacker who gains access to them can break and bypass the isolation between VMs and the hypervisor, so access to the introspection interface must itself be tightly restricted. LibVMI is a library for hypervisor introspection on various platforms, implemented in C with Python bindings. It gives the hypervisor the means to perform deep inspection of VMs (e.g., memory checking, vCPU register inspection, and recording trapping events) [14].

Encrypting VNF Volume/Swap Areas

Virtual volume disks associated with VNFs may contain sensitive data and therefore need to be protected. The best practice for securing VNF volumes is to encrypt them and store the cryptographic keys in safe locations; the TPM can also be used to securely store these keys. In addition, the hypervisor should be configured to securely wipe virtual volume disks when a VNF crashes or is intentionally destroyed, to prevent unauthorized access to their contents [6]. VM swapping is a memory management technique that moves memory segments from main memory to disk, used as secondary memory, when the system runs low on memory. These transferred memory segments can contain sensitive information such as passwords and certificates. They can be stored on disk and remain persistent even after a system reboot. This enables an attack scenario whereby a VM's swap is copied and examined to retrieve useful information. One way to avoid this kind of attack is to encrypt VM swap areas; Linux-based tools such as dm-crypt can be used for this purpose [10].

Security Management and Orchestration

One best practice consists of designing an NFV orchestrator that incorporates the security and trust requirements of the NFVI. The orchestration and management of security functions requires integration, enabling interaction among the security orchestrator, the VNF manager, and the element management systems (EMS). One concrete form of this protection is to set scaling boundaries in the VNFD or network service descriptor (NSD) and have the NFVO enforce these restrictions, so that an attack such as the DNS amplification attack described earlier cannot drive unbounded scale-out of the reflecting function.

Remote Attestation

The remote attestation technique can be used to remotely verify the trust status of an NFV platform. The concept is based on the boot integrity measurement leveraging TPM mentioned earlier. Remote attestation can be provided as a service, and may be used by either the platform owner or a consumer to verify whether the platform has booted in a trusted manner [12]. Practical implementations of a remote attestation service include the open cloud integrity tool (OpenCIT), an open source software hosted on GitHub.

Table 1 provides a summary of the security risks associated with NFVI as discussed above, and lists the targets of these risks along with possible mitigation techniques.

Open Security Challenges

Despite the best practices described above, there are still open security challenges that have yet to be addressed. One challenge is to define a standard interface in the ETSI NFV architecture for deploying virtual security functions that react to threats in real time. Such functions should be able to communicate with the orchestration modules and follow the instructions provided. Another challenge is to securely manage and monitor VNFs by maintaining their configuration and state information during migration, which is difficult due to the dynamicity and elasticity of VNF operations in cloud environments. A further challenge is trust management between the different vendors who build NFV hardware and software: the trust chain among vendors must be managed efficiently so that the final VNF products can be trusted.
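The scaling-boundary enforcement described under Security Management and Orchestration, applied to the DNS amplification scenario of Fig. 5, as an added example that is not part of the original article: a miniature NFVO scaling decision in Python that honors the max_instances limit from the VNFD (a hypothetical field name) and refuses to scale out the vDNS when the sampled queries carry the source-address signature of a reflection flood (a few spoofed "sources" carrying almost all of the load). The Vnfd and Orchestrator classes, the amplification heuristic, and the traffic samples are all constructed for illustration; a real NFVO would take the query sample from the VNF's telemetry.

```python
from collections import Counter
from dataclasses import dataclass
from math import ceil


@dataclass
class Vnfd:
    """Subset of a VNF deployment template (field names are assumed for the example)."""
    vnf_name: str
    min_instances: int
    max_instances: int      # the scaling boundary the NFVO must enforce
    qps_per_instance: int   # queries per second one vDNS instance can serve


@dataclass
class ScaleDecision:
    instances: int
    action: str             # "hold" | "scale_out" | "capped" | "rate_limit"
    amplification: bool


def amplification_suspected(queries, top_n=3, share=0.8, min_queries=50):
    """In a reflection flood the source addresses are spoofed to the victims,
    so a handful of 'sources' account for almost all queries in the window."""
    if len(queries) < min_queries:
        return False
    by_src = Counter(q["src"] for q in queries)
    top = sum(n for _, n in by_src.most_common(top_n))
    return top / len(queries) >= share


class Orchestrator:
    """Hypothetical NFVO scaling loop for one VNF (scale-in is not modelled)."""

    def __init__(self, vnfd):
        self.vnfd = vnfd
        self.instances = vnfd.min_instances
        self.events = []

    def decide(self, queries, window_s):
        """One scaling decision for the queries observed in a window of window_s seconds."""
        qps = len(queries) / window_s
        needed = max(self.vnfd.min_instances, ceil(qps / self.vnfd.qps_per_instance))
        if amplification_suspected(queries):
            # More reflectors would only amplify the attack: keep the footprint and
            # have the vDNS apply response rate limiting (or reroute to scrubbing).
            self.events.append(f"{self.vnfd.vnf_name}: amplification pattern, holding at {self.instances}")
            return ScaleDecision(self.instances, "rate_limit", True)
        if needed > self.vnfd.max_instances:
            # Genuine overload beyond the VNFD boundary: stop at the limit and alert.
            self.instances = self.vnfd.max_instances
            self.events.append(f"{self.vnfd.vnf_name}: demand {needed} exceeds boundary {self.instances}")
            return ScaleDecision(self.instances, "capped", False)
        if needed > self.instances:
            self.instances = needed
            return ScaleDecision(self.instances, "scale_out", False)
        return ScaleDecision(self.instances, "hold", False)


def constructed_queries(n_sources, total):
    """Constructed sample traffic: 'total' queries spread evenly over n_sources addresses."""
    return [{"src": f"10.0.{i % n_sources // 256}.{i % n_sources % 256}",
             "qname": "example.com", "qtype": "ANY"} for i in range(total)]


def demo():
    orch = Orchestrator(Vnfd("vDNS", min_instances=2, max_instances=6, qps_per_instance=100))
    return {
        "normal": orch.decide(constructed_queries(200, 400), 1.0),   # 400 qps from 200 clients
        "flood": orch.decide(constructed_queries(2, 5000), 1.0),     # 5000 qps 'from' two victims
        "burst": orch.decide(constructed_queries(500, 1000), 1.0),   # genuine load above capacity
        "quiet": orch.decide(constructed_queries(10, 100), 1.0),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The heuristic is deliberately simple; in production the amplification signal would also draw on query type and response/request size ratios, and the rate-limit action would be a concrete day-0 configuration change pushed to the vDNS through its EM. The point the example makes is structural: the scale-out path reads the boundary from the descriptor, and the decision to not scale is a first-class outcome rather than an exception.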
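The boot integrity measurement and remote attestation practices above, together with the geo-tagging mitigation listed for regulatory compliance failure in Table 1, as an added example that is not from the article or from OpenCIT: a Python model of the TPM PCR extend chain, a quote bound to a verifier-chosen nonce, and an attestation server that compares the reported PCRs against known-good values and checks that the platform's geo tag denotes an approved location. Assumptions: the PCR layout (0 firmware, 4 bootloader, 8 kernel, 22 geo tag) is illustrative, HMAC-SHA256 with a pre-registered per-host key stands in for the TPM's asymmetric quote signature, and the firmware/bootloader/kernel byte strings are constructed stand-ins for real images.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32                  # SHA-256 PCR bank
PCR_INIT = bytes(PCR_SIZE)     # PCRs are all-zero after a platform reset
NONCE_SIZE = 16


def pcr_extend(pcr, component):
    """TPM 2.0 extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).
    A PCR can never be written directly, only extended, so the final value
    commits to every component in boot order."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components):
    """Measured boot: extend each component of one boot stage, in order, into a PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class Platform:
    """A booted NFVI host with a TPM. PCR layout is assumed for the example:
    PCR 0 firmware, PCR 4 bootloader, PCR 8 kernel, PCR 22 geo/asset tag."""

    def __init__(self, aik_key, firmware, bootloader, kernel, geo_tag):
        self._aik_key = aik_key    # stand-in for the TPM attestation identity key
        self.pcrs = {
            0: measure_chain([firmware]),
            4: measure_chain([bootloader]),
            8: measure_chain([kernel]),
            22: measure_chain([geo_tag]),
        }

    def quote(self, nonce, pcr_indices):
        """TPM quote: the selected PCR values bound to the verifier's nonce.
        HMAC-SHA256 stands in for the TPM's asymmetric quote signature."""
        payload = nonce + b"".join(self.pcrs[i] for i in pcr_indices)
        return payload, hmac.new(self._aik_key, payload, hashlib.sha256).digest()


class AttestationServer:
    """Remote attestation service holding known-good (golden) PCR values and the
    geo-tag measurements of locations where workloads may legally run."""

    def __init__(self, aik_key, golden_pcrs, allowed_geo_tags):
        self._aik_key = aik_key
        self.golden = golden_pcrs            # {pcr_index: expected digest}
        self.allowed_geo = allowed_geo_tags  # set of acceptable PCR 22 digests

    def attest(self, platform):
        nonce = os.urandom(NONCE_SIZE)       # fresh per request: a replayed quote cannot match
        indices = sorted(self.golden) + [22]
        payload, signature = platform.quote(nonce, indices)
        expected = hmac.new(self._aik_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return {"trusted": False, "reasons": ["quote signature invalid"]}
        if payload[:NONCE_SIZE] != nonce:
            return {"trusted": False, "reasons": ["nonce mismatch (replayed quote)"]}
        body = payload[NONCE_SIZE:]
        reported = {idx: body[k * PCR_SIZE:(k + 1) * PCR_SIZE] for k, idx in enumerate(indices)}
        reasons = [f"PCR {idx} does not match the known-good measurement"
                   for idx, want in sorted(self.golden.items()) if reported[idx] != want]
        if reported[22] not in self.allowed_geo:
            reasons.append("geo tag is not an approved location")
        return {"trusted": not reasons, "reasons": reasons}


# Constructed stand-ins for real firmware/bootloader/kernel images and asset tags.
AIK_KEY = b"per-host-attestation-key"
FIRMWARE, BOOTLOADER, KERNEL = b"uefi-fw-2.7", b"grub-2.02", b"vmlinuz-4.12"
GEO_ALLOWED = b"region=eu-north;site=A"
GEO_FORBIDDEN = b"region=outside-jurisdiction;site=B"


def build_server():
    golden = {0: measure_chain([FIRMWARE]), 4: measure_chain([BOOTLOADER]), 8: measure_chain([KERNEL])}
    return AttestationServer(AIK_KEY, golden, {measure_chain([GEO_ALLOWED])})


def demo():
    srv = build_server()
    return {
        "good": srv.attest(Platform(AIK_KEY, FIRMWARE, BOOTLOADER, KERNEL, GEO_ALLOWED)),
        "tampered_kernel": srv.attest(Platform(AIK_KEY, FIRMWARE, BOOTLOADER, b"vmlinuz-4.12+rootkit", GEO_ALLOWED)),
        "moved": srv.attest(Platform(AIK_KEY, FIRMWARE, BOOTLOADER, KERNEL, GEO_FORBIDDEN)),
        "forged": srv.attest(Platform(b"not-the-registered-key", FIRMWARE, BOOTLOADER, KERNEL, GEO_ALLOWED)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two properties of the model carry over to real deployments: the verifier, not the platform, chooses the nonce, so an old quote from a once-trusted boot cannot be replayed after the kernel has been replaced; and the location check is a PCR comparison like any other, which is why geo-tagging can be enforced by the same attestation server rather than by trusting a configuration value reported by the host. The model also shows the limitation noted under Open Security Challenges: everything here is measured at boot, so a run-time compromise that does not touch the measured components is invisible until the next reboot.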

Table 1. NFVI security risks and best practices.

   Security risk                   Target          Best practices
1  Compromised hypervisor          Platform        Separation of VM and management traffic, regular hypervisor patching
2  Isolation failure               Platform/VNFs   Hypervisor introspection, security zoning
3  Platform integrity              Platform        TPM boot integrity, remote attestation
4  DDoS attack                     VNFs            Flexible strategic deployment of VNFs to defend against DDoS
5  Malicious insider               VNFs            Volume/swap encryption, VNF image signing, strict operational practices
6  Regulatory compliance failure   VNFs            Geo-tagging using remote attestation

At the moment, attestation technologies only provide boot-time attestation. This does not detect run-time modification or tampering with the system's critical components; such modifications would only be detected when the system is rebooted and measured again. Run-time attestation is still an open research area that needs further exploration. There is also a strong need to develop a comprehensive security architecture that addresses these security challenges in NFVI. To achieve these goals, network operators and vendors need to work together to form a vibrant security ecosystem. New standards, testbeds, and proofs of concept would serve as a catalyst for securing the NFV infrastructure. The services in this new virtualized environment are rapidly evolving and in turn create new opportunities for innovation.

Conclusion

NFV undoubtedly provides great benefits for telecom service providers in terms of cost efficiency and dynamic service deployability. However, it is essential to understand the security implications of these benefits, and to know the difference between a general cloud computing infrastructure and the NFV infrastructure with its particular needs and requirements. Previous studies presented analyses of security threats in cloud computing along with mitigation techniques; similar studies are equally required for security in NFVI. Indeed, NFVI hosts highly sensitive workloads and accordingly needs to be highly secured and protected. In this article, we identified security attacks on NFVI and presented best security practices to protect against them. Admittedly, security in NFVI is still in its infancy, and many open security challenges remain to be tackled. This defines one of the future research directions of the authors. Future work also includes putting the proposed solutions into practice by means of implementations and experimental testbed setups.

Acknowledgement

This article is issued within the research activities of the Finnish Dimecc Cyber Trust Program. It was also partially supported by the ANASTACIA project, which
