SDN/NFV Position Paper Virtualization Working Group Justin Foster justin_foster@trendmicro.com Kapil Raina kapil.raina@elastica.net Kelvin Ng Kelvin_NG@nyp.edu.sg Cloud Security Alliance, 2015
Agenda Goals White Paper on NFV/SDN (position paper) High level outline Next steps and timelines Cloud Security Alliance, 2015
Goals of Paper SDN/NFV are relatively new technologies Focus of working group initially was on mature technologies (e.g. compute virtualization) Position paper acknowledges these points and creates a more general framework, rather than a detailed approach as taken with the other areas Focus will be heavier on NFV as that is more directly related to enterprises and vendor (that are bulk of CSA audience)
What we Need Your participation Please review structural outline and make comments Feel free to volunteer to write components of the paper This is an industry led effort and should reflect a range of input
Outline of Paper Introduction to paper (1/2 page) What is NFV/SDN? (1 page) What are the benefits? What are the risks? Security framework for NFV (3 pages) Traffic analysis, control plane, CDN, security specific Security framework for SDN (2 pages) Application Plane Control Plane Next steps in creating risk model for NFV/SDN (1 page)
Introduction - NFV Basic overview of how this fits into the CSA working group NFV definition, use cases Use Case 1: Vendor community (how traffic inspection and traffic forwarding can be made easier) Use Case 2: Bad actors (how attacks can be launched against the infrastructure) Use Case 3: End User (what end users can do to secure their NFV infrastructure and leverage multi-vendor analysis) NFV benefits Lower costs, commoditized hardware for rapid deployment, greater management ease NFV security risks Lack of standards, oversight of software changes, software compromise of desktop/mobile world moves to networking
Introduction - SDN SDN Definition and Use Cases SDN focus on carrier networks SDN intersection with NFV SDN architecture (data/control plane) SDN security risks Control Plane (risks to controller compromise including trust of control communications) Data Plane (risks to interception and manipulation) How we will deal with NFV and SDN together in paper
NFV Security Framework Component Function Relevance NFV Security framework Traffic Analysis deep packet inspection, QoE DPI engines can now be placed directly at each egress point Control Plane AAA data, policy enforcement Simplifies some of SSO enforcement Application Optimization/ Acceleration CDN, caching of files Catch infected files and ensure they are not cached Security Specific Firewalls, A/V, IDS, etc Moves traditional boxes and cloud services away from fixed location or vendors; can leverage multi-vendor analysis
SDN Security Framework Component Function Relevance NFV Security framework Control Plane Manage devices Hijacking of networking devices being managed; insecure trust model in network; MITM attacks, etc Application (Data) Plane Deliver network data to devices Data validity and trust; DOS attacks Note: We do not specifically talk about Infrastructure layer (should we?)
Risk Model - Next Steps Ideally we need a risk model that can help detail (in subsequent efforts) a detailed checklist of security steps to protect NFV/SDN infrastructure Model will generally follow: Use case based approach Steps to protect infrastructure Steps to leverage NFV/SDN capability to provide additional security capabilities Auditing mechanisms to verify above Scoring mechanism to help users of model verify how secure they may be for their overall infrastructure How this model relates to other security frameworks (eg. CCM)
Whitepaper Timelines April 24, 2015: Presentation and call for volunteers May 24, 2015: Publication of detailed outline for paper and solicitation for further volunteers June 24, 2015: Initial draft of paper July 30, 2015: Formal draft issued for general review August 30, 2015: Presentation of paper during VMworld
???? Cloud Security Alliance, 2015