
2017 | Book

Guide to Security in SDN and NFV

Challenges, Opportunities, and Applications

Edited by: Dr. Shao Ying Zhu, Dr. Sandra Scott-Hayward, Dr. Ludovic Jacquin, Prof. Richard Hill

Publisher: Springer International Publishing

Book series: Computer Communications and Networks


About this book

This book highlights the importance of security in the design, development and deployment of systems based on Software-Defined Networking (SDN) and Network Functions Virtualization (NFV), together referred to as SDNFV. Presenting a comprehensive guide to the application of security mechanisms in the context of SDNFV, the content spans fundamental theory, practical solutions, and potential applications in future networks.

Topics and features: introduces the key security challenges of SDN, NFV and Cloud Computing, providing a detailed tutorial on NFV security; discusses the issue of trust in SDN/NFV environments, covering roots of trust services, and proposing a technique to evaluate trust by exploiting remote attestation; reviews a range of specific SDNFV security solutions, including a DDoS detection and remediation framework, and a security policy transition framework for SDN; describes the implementation of a virtual home gateway, and a project that combines dynamic security monitoring with big-data analytics to detect network-wide threats; examines the security implications of SDNFV in evolving and future networks, from network-based threats to Industry 4.0 machines, to the security requirements for 5G; investigates security in the Observe, Orient, Decide and Act (OODA) paradigm, and proposes a monitoring solution for a Named Data Networking (NDN) architecture; includes review questions in each chapter, to test the reader’s understanding of each of the key concepts described.

This informative and practical volume is an essential resource for researchers interested in the potential of SDNFV systems to address a broad range of network security challenges. The work will also be of great benefit to practitioners wishing to design secure next-generation communication networks, or to develop new security-related mechanisms for SDNFV systems.

Table of contents

Frontmatter

Introduction to Security in SDNFV – Key Concepts

Frontmatter
1. Security of Software-Defined Infrastructures with SDN, NFV, and Cloud Computing Technologies
Abstract
Over the last decade, cloud computing, software-defined networking (SDN), and network functions virtualization (NFV) technologies have been developed to address the inefficiency of IT infrastructures, the complexity of network manual configuration and management, the inability of the Internet to provision services on demand, and the rigidity of telecom service providers. However, clouds, SDN, and NFV bring with them not only their common security issues but also their domain-specific security issues. Furthermore, clouds, SDN, and NFV overlap in both architectures and shared resources. Software-defined infrastructure (SDI) is an approach that overcomes those problems and provides an environment for provisioning rapid and on-demand services. This chapter focuses on existing and emerging security challenges and solutions of cloud, SDN, and NFV and their integrated software-defined infrastructure as well as the security of the underlying virtualization technology. The chapter also reviews and discusses the development of a promising software-defined security (SDSec) approach.
Doan B. Hoang, Sarah Farahmandian
2. NFV Security: Emerging Technologies and Standards
Abstract
This chapter addresses the network function virtualization (NFV) security while reflecting on the work of the ETSI NFV Security Working Group (NFV SEC WG) and the industry view it has formulated in the past 4 years. To this end, the chapter explains the differences between the “generic” cloud and NFV and discusses the security threats as well as new benefits for security provided in the NFV environment. The chapter further explains how the trust is bootstrapped from hardware and established among the execution components, the discussion culminating in the treatment of the subject of remote attestation. The requirements and architecture for lawful interception (LI) in the NFV environment, as well as the security monitoring and management in the NFV environment, are treated in much detail. Finally, a separate section is dedicated to the analysis of the OpenStack security. There is substantial bibliography offered to a reader who wishes to understand the background and minute detail of the subject.
Igor Faynberg, Steve Goeringer
3. SDN and NFV Security: Challenges for Integrated Solutions
Abstract
Network functions virtualization (NFV) and software-defined networking (SDN) improve network capabilities by enabling the deployment and control of network functions in software instead of in hardware-specific middleboxes. This programmability enables the development of new software services designed to meet a growing list of network requirements. Nevertheless, this same flexibility and programmability can facilitate malicious behavior by attackers with partial access to the SDN and NFV management infrastructure. In this chapter, we discuss security challenges that emerge in an SDN/NFV environment and analyze the main proposals aimed at securing SDN and NFV platforms. In addition, we illustrate the similarities with the requirements that secure operating systems address. Inspired by some of the best practices and lessons learned in the design of these systems, like reference monitors, mandatory access control, and policy verification, we argue that such principles can be used to define a standard SDN/NFV security architecture to facilitate the design and management of SDN/NFV applications.
Andrés F. Murillo, Sandra Julieta Rueda, Laura Victoria Morales, Álvaro A. Cárdenas
4. Trust in SDN/NFV Environments
Abstract
The SDN and NFV architectures heavily rely on specific software modules executed at distributed nodes. These modules may act differently from their expected behaviour due to errors or attacks. Remote attestation is a procedure able to reliably report the software state of a node to a third party. It can be used to evaluate the software integrity of an SDN/NFV node and hence its trustworthiness to execute the desired applications. The use of remote attestation in network environments is quite new, and it is raising interest not only in the research community but also in the industry, as demonstrated by its consideration in the ETSI NFV standardisation effort. In this chapter, we present a solution to evaluate trust in SDN/NFV environments by exploiting remote attestation and propose some enhancements with respect to the basic architecture. From the implementation point of view, two approaches are compared for attestation of virtualised instances, and their respective performance is evaluated. Additionally, we discuss how the remote attestation architecture fits in the management and orchestration of SDN/NFV environments.
Antonio Lioy, Tao Su, Adrian L. Shaw, Hamza Attak, Diego R. Lopez, Antonio Pastor

SDNFV Security Challenges and Network Security Solutions

Frontmatter
5. Practical Experience in NFV Security Field: Virtual Home Gateway
Abstract
This chapter describes the experience in secure design during the process of implementation of the virtualization functionalities in a business unit of Telefonica, an integrated global telco operator. The trial was based on one of the first representative use cases of network function virtualization (NFV) technology: virtual home gateway (vHGW), also known as virtual customer premise equipment (vCPE), with real residential broadband customers. This NFV-based model offloads functionalities from physical HGW devices to the network, like network address translation (NAT), dynamic host configuration protocol (DHCP) or IPv6 firewall. This implementation not only allows an increase in operational efficiency, but it also opens a door to new security services opportunities. An introduction to the specific ETSI NFV security standards is provided and used as a reference for the security context. Later, the security design and the implemented model are explained. Also, the findings and solutions relevant in this network architecture to protect the users and the infrastructure are detailed. Finally, we present a study of new security services based on the vHGW architecture.
Antonio Pastor, Jesús Folgueira
6. A Security Policy Transition Framework for Software-Defined Networks
Abstract
Software-defined networking (SDN) controllers are quickly maturing to offer greater abstractions and more intuitive programming for network operators seeking to develop their own network applications. Likewise, security-based research within the SDN community is a growing field with SDN-based security solutions becoming an ever-growing commodity. Yet, while these solutions often detect and block clients who violate network policies, they frequently fail to consider how policy enforcements will be revoked or updated once the flagged client addresses the violation for which they were flagged. As a result, no clear path exists for a client’s re-instantiation to the network beyond having the network operator manually remove the policy enforcement or reset the SDN controller. For the network operator, such requirements are tedious and error prone. Additionally, these efforts cost valuable time that could be better utilized for more complex network tasks. Hence, this chapter discusses a security policy transition framework for reducing wait times and automating the revocation of policy enforcements in SDN environments for clients who are approved to rejoin the network.
Jacob H. Cox Jr., Russell J. Clark, Henry L. Owen III
7. SDNFV-Based DDoS Detection and Remediation in Multi-tenant, Virtualised Infrastructures
Abstract
As ICT resources are increasingly hosted over cloud data centre infrastructures, distributed denial of service (DDoS) attacks are becoming a major concern for cloud service providers and tenants. The lack of physical resource isolation over a cloud environment exposes nontargeted tenants to indirect performance degradation while it is increasingly challenging to distinguish between safe (e.g. internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in.
In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit latest advances in network functions virtualisation (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required to protect the infrastructure at the onset of DDoS attacks. We rely on the network-wide, logically centralised management of traffic and network services provided by software-defined networking (SDN) for the placement of NFs and to (re)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure.
Abeer Ali, Richard Cziva, Simon Jouët, Dimitrios P. Pezaros
8. SHIELD: Securing Against Intruders and Other Threats Through an NFV-Enabled Environment
Abstract
Organisations are witnessing an unprecedented escalation of cyber-crime attacks and struggle to protect against them. Rethinking security is required to cope with numerous new challenges arising today: the sophistication of new attacks, the increasing weakness of traditional security controls, the explosion of data to be collected and analysed to detect threats and the ongoing transformation of IT – such as virtualisation and cloud computing.
This chapter provides an overview of the motivations and technical work carried out by the EU-funded project SHIELD: securing against intruders and other threats through an NFV-enabled environment. It aims at combining network functions virtualisation (NFV), security-as-a-service (SecaaS), big data analytics and trusted computing (TC) to provide an extensible, adaptable, fast, low-cost and trustworthy cybersecurity solution.
The SHIELD platform leverages NFV to dynamically deploy virtualised security appliances in the network: those virtual network security functions (vNSFs) either monitor the network traffic to extract security-relevant metrics or actively protect against threats or attacks. The vNSF deployment is verified using TC methods to ensure correctness of the NFV infrastructure. The security metrics gathered are fed into a big data store, which allows multiple security analytics to find potential attacks threatening the network. The loop is closed with a security controller and dashboard: it presents threats and remediation actions to the operator and interacts with the NFV infrastructure to deploy and configure protecting vNSFs.
Hamza Attak, Marco Casassa-Mont, Cristian Dávila, Eleni-Constantina Davri, Carolina Fernandez, Georgios Gardikis, Bernat Gastón, Ludovic Jacquin, Antonio Lioy, Antonis Litke, Nikolaos K. Papadakis, Dimitris Papadopoulos, Jerónimo Núñez, Eleni Trouva

Security Implications of SDNFV in Future Networks

Frontmatter
9. Addressing Industry 4.0 Security by Software-Defined Networking
Abstract
Preceded by three industrial evolutions with the virtue of innovation in basic technologies such as mechanics (first evolution, beginning in the 1780s), electricity (second evolution, beginning from the 1870s), and electronics and computation (third evolution, starting from the 1970s), the vision for the fourth industrial evolution (in German called Industrie 4.0) has been started by the German government in 2011 [1]
Rahamatullah Khondoker, Pedro Larbig, Dirk Scheuermann, Frank Weber, Kpatcha Bayarou
10. Security Requirements for Multi-operator Virtualized Network and Service Orchestration for 5G
Abstract
The fifth generation of mobile networks (5G) will support new business and service models. A particular model of business and technical interest is multi-operator service orchestration, where service chains are created dynamically with coordination across multiple administrative domains. In such a scenario, resource sharing among operators is expected to be enabled by emerging network softwarization technologies such as software-defined networking (SDN) and network functions virtualization (NFV). On top of the inherent security issues of network softwarization, the complex relationships between operators add a unique dimension to the fundamental requirements for 5G networks. It is a key objective for network operators to identify new threats and security issues before deploying novel methods for service orchestration. This chapter elaborates on new security challenges posed by multi-operator service orchestration as defined by the H2020 5G-PPP 5G Exchange project. We revisit current standards and recommendations from ITU-T and ETSI under the scope of SDN and NFV. In addition, we present a method for threat analysis as well as gaps between requirements and current security schemes and standards, opening new research directions.
Mateus Augusto Silva Santos, Alireza Ranjbar, Gergely Biczók, Barbara Martini, Francesco Paolucci
11. Improving Security in Coalition Tactical Environments Using an SDN Approach
Abstract
Coalition tactical environments are composed of different networks of two or more organizations coming together to perform a short-term tactical operation with a well-defined mission. Cybersecurity is an important consideration in coalition operation. It is a complex challenge due to the need for operational effectiveness coupled with limited trust relationships that exist among different coalition partners. New emerging paradigms in networking, such as software-defined networking (SDN), provide a mechanism to deal more effectively with the security challenges in a coalition environment. In this chapter, we provide an overview of tactical coalition environments and discuss how to utilize the principles of SDN to improve security and cyber situational awareness in them. The chapter also provides an approach for cybersecurity awareness using the observe, orient, decide, and act (OODA) paradigm and explores how OODA-based security can be augmented by means of SDN. As part of this discussion, we also discuss how SDN approaches can help in improving the security and operations of non-coalition tactical networks.
Vinod K. Mishra, Dinesh C. Verma, Christopher Williams
12. An SDN and NFV Use Case: NDN Implementation and Security Monitoring
Abstract
Combining NFV fast-service deployment and SDN fine-grained control of data flows allows comprehensive network security monitoring. The DOCTOR architecture (the DOCTOR project (http://doctor-project.org) is a collaborative research project partially financed by the French National Research Agency (ANR) under grant ANR-14-CE28-0001) allows detecting, assessing, and remediating attacks. DOCTOR is an ANR-funded project designing an NFV platform that enables virtual network functions to be deployed securely. The project relies on open-source technologies providing a platform on top of which a Named Data Networking architecture (NDN, available at https://named-data.net/) is implemented. NDN is an example of an application made possible by SDN and NFV coexistence, since a hardware implementation would be too expensive. We show how NDN routers can be implemented and managed as VNFs.
Security monitoring of the DOCTOR architecture is performed at two levels. First, host-level monitoring, provided by CyberCAPTOR, uses an attack-graph approach based on network topology knowledge. It then suggests remediations to cut attack paths. We show how our monitoring tool integrates SDN and NFV specificities and how SDN and NFV make security monitoring more efficient. Then, application-level monitoring relies on the MMT probe. It monitors NDN-specific metrics from inside the VNFs, and a central component can detect attack patterns corresponding to known flaws of the NDN protocol. These attacks are fed to the CyberCAPTOR module to integrate NDN attacks in attack graphs.
Théo Combe, Wissam Mallouli, Thibault Cholez, Guillaume Doyen, Bertrand Mathieu, Edgardo Montes de Oca
Backmatter
Metadata
Title
Guide to Security in SDN and NFV
Edited by
Dr. Shao Ying Zhu
Dr. Sandra Scott-Hayward
Dr. Ludovic Jacquin
Prof. Richard Hill
Copyright year
2017
Electronic ISBN
978-3-319-64653-4
Print ISBN
978-3-319-64652-7
DOI
https://doi.org/10.1007/978-3-319-64653-4