Are you aware of the security risks of Network Function Virtualization?

Carrier Service Providers (CSPs) around the world are eagerly adopting NFV, leveraging its versatility and cost-effectiveness to build out their next-generation telco capabilities.

What is NFV really, and why is it an important domain to discuss from a security perspective? Put simply, NFV is the virtualization of network functions, which in most cases are telco network applications such as mobile gateways, routers, firewalls, load balancers, etc., so that these functions can run as packaged software programs, or virtual network functions (VNFs), on top of commercial off-the-shelf (COTS) hardware.

In a typical deployment, VNFs sit on top of a virtual machine (VM), which is the virtualized (software) environment emulating a complete system (O/S, Compute, Storage and Network). 

From a security standpoint, this deployment opens up a host of new security threats that were not present when network functions ran on proprietary hardware called appliances. With both the network functions and the host environment now running in a virtualized setup, vulnerabilities ranging from wrongful access to denial of service to malware become imminent and real threats.

The point is that adopting NFV as an approach, and establishing the infrastructure environment on which it will run (including VMs and the NFV infrastructure, called NFVI), requires a thorough understanding of the security risks associated with this technology.

Listed below are some of the most common types of threats when deploying NFV infrastructure in a practical network.

  • Topology risks – In virtual networks, new components can be created easily. This opens the door to poor access control, especially when the topology is not carefully planned.
  • VNF onboarding risks – Poor implementation and onboarding of VNFs can result in inadequate security controls being placed on the VNF. This is in contrast to traditional networks, where control is easily seen and visualized.
  • Containment risks – Various rootkits exist that have targeted the hypervisor, and they are capable of breaching several VNFs simultaneously.
  • Insecure API – An attacker can exploit an insecure VNF API to dump records of personal data from the database to the Internet.
  • Denial of Service Protection Failure – DoS attacks may be directed at virtual networks or a VNF's public interfaces to exhaust network resources and impact service availability. Similarly, a botnet could infect an insecure VM, creating a huge volume of traffic to other VNFs.
  • Malicious Insider – A malicious administrator can take a memory or screen dump of a user's VM session. Since the malicious administrator has root access to the hypervisor, they can extract the user ID, passwords, and SSH keys from the memory dump via the search function on the hypervisor.
  • Security Logs and Alerting Failure – The attacker can generate a huge number of logs on the hypervisor through bogus activities, making it difficult to analyze logs from other VNFs. An attacker can also delete the logs completely to hide their activities, making incident monitoring impossible.

Picture source: Nokia (developed with references from CVE-2017-18191, 2018-7262 and 2018-1128)
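
A defender-side check for the "Security Logs and Alerting Failure" item above, added here as an example and not taken from the Nokia material: it flags per-minute log bursts from one source and missing sequence numbers that point to deleted records. The log line format, the `seq=` field, the host names `hv01` and `vnf-fw` and the `flood_factor` threshold are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

def parse(line):
    """Split '<ISO time> <source> seq=<n> <message>' (assumed format)."""
    ts, source, seq, _msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), source, int(seq.split("=")[1])

def find_anomalies(lines, flood_factor=10):
    """Return (floods, gaps): per-minute bursts and missing sequence ranges."""
    per_minute = defaultdict(Counter)   # source -> {minute: event count}
    seqs = defaultdict(list)            # source -> sequence numbers seen
    for line in lines:
        ts, source, seq = parse(line)
        per_minute[source][ts.replace(second=0)] += 1
        seqs[source].append(seq)
    floods, gaps = [], []
    for source, counts in per_minute.items():
        baseline = median(counts.values())      # typical events per minute
        for minute, n in sorted(counts.items()):
            if n > flood_factor * baseline:
                floods.append((source, minute.isoformat(), n))
    for source, seen in seqs.items():
        seen.sort()
        for prev, cur in zip(seen, seen[1:]):
            if cur - prev > 1:                  # records prev+1..cur-1 absent
                gaps.append((source, prev + 1, cur - 1))
    return floods, gaps

def sample_lines():
    """Constructed log lines: a burst on hv01, missing records on vnf-fw."""
    lines, seq = [], 0
    for minute in range(5):                     # quiet baseline, 2 events/min
        for sec in (5, 35):
            seq += 1
            lines.append(f"2024-01-01T10:{minute:02d}:{sec:02d} hv01 seq={seq} vm heartbeat")
    for sec in range(60):                       # one minute of bogus activity
        seq += 1
        lines.append(f"2024-01-01T10:05:{sec:02d} hv01 seq={seq} login failed")
    for minute, n in enumerate((1, 2, 3, 9)):   # seq 4-8 never arrive
        lines.append(f"2024-01-01T10:{minute:02d}:00 vnf-fw seq={n} policy reload")
    return lines

if __name__ == "__main__":
    print(find_anomalies(sample_lines()))
```

Deleting only the newest records leaves no interior gap, so the check belongs on a collector that the hypervisor administrator cannot write to, combined with an alert when a source goes silent.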

In the next blog, we will discuss how to secure NFVI infrastructure using industry best practices and guidelines. For further reading and references, please refer to the following documents:

  1. Nokia CloudBand Document
  2. NFVI security Threats and Best Practices
Dr. Varin Khera
Lead Security Consultant – Asia Pacific at Nokia Networks | LinkedIn Profile

Dr. Varin Khera is the resident security expert in Nokia Software in the Asia Pacific Region. He has worked with almost every major CSP across the APAC region in his 20 years of being a security practitioner, helping stakeholders develop cyber security practices and build out/adopt security systems to secure their operations and networks.

In his current role in Nokia Software, Dr. Khera is mainly responsible for providing guidance to CSP stakeholders in addressing their security concerns and requirements. His mandate is to recommend cutting-edge technologies that Nokia offers in the context of establishing a defendable network architecture for customers. He also provides training to customer stakeholders and partners on the use of these technologies.

Dr. Khera holds a bachelor's degree in information technology from Central Queensland University, a Postgraduate Certificate in Network Computing from Monash University, a Master of Science degree from Assumption University, a Doctor of Information Technology (DIT) from Murdoch University and a Certificate of Executive Leadership from Cornell University, together with various other professional certifications. Dr. Khera was awarded the prestigious Asia Pacific Information Security Leadership Awards (ISLA) from ISC2, a world-leading information security certification body, under the category of distinguished IT Security Practitioner for APAC in 2007.
