An ETSI Expert Group is working to address security issues with network functions virtualization (NFV). This group, established in early 2013, is providing security guidance to other ETSI Working Groups on NFV via a new security reference framework; identifying generic as well as potential new security threats that are unique to the networking aspects of virtualization; and advancing the remediation of those threats to the network environment by recommending standardization activity either within other industry standards bodies or within ETSI itself.
A significant part of the ETSI Security Working Group's work is focused on aspects of security process within the carrier. Any architectural shift -- in the case of virtualization as much as any other previous change in network architectures -- necessarily requires a change in security processes. And it is in the transition from one mature set of familiar processes to a new one that new vulnerabilities inevitably risk being exposed. For example, as the deployment model shifts towards remote execution over a wire rather than physically carrying new equipment onto the premises, the process whereby each stage of that process is authorized needs to be re-invented.
ETSI is also working on identifying and mitigating new security threats that are unique to virtualization of the networking function. These include the following:
Performance isolation to ensure that if the service level that is enjoyed by another virtualized network function sharing a server deteriorates in any way -- i.e. crashes or hangs or gets in a loop of some kind or sends floods of traffic -- that does not affect the availability or performance of the server to another virtualized network function.
Secure boot of the hypervisor and then the network function on top of the hypervisor since in theory that function has the potential to run on any server anywhere in the world. The operator needs standards to test what it is that they are looking to boot up, ensure that it's the correct instance that that operator should be booting up and ensure that the code that is about to be used is indeed the right code.
Topology validation to ensure that the intended topology conforms to the operator's security policies, such as those which specify that elements (a) and (b) can be connected without passing through a firewall or an Intrusion Protection instance whereas elements (a) and (c) cannot.
More about the ETSI Expert Group’s work on new security challenges with NFV can be viewed here.
— Patrick Donegan, Senior Analyst, Heavy Reading.