
Practical Experience in NFV Security Field: Virtual Home Gateway

Chapter
Guide to Security in SDN and NFV

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

This chapter describes the experience in secure design gained while implementing virtualization functionalities in a business unit of Telefonica, an integrated global telco operator. The trial was based on one of the first representative use cases of network function virtualization (NFV) technology: the virtual home gateway (vHGW), also known as virtual customer premise equipment (vCPE), deployed with real residential broadband customers. This NFV-based model offloads functionalities from physical HGW devices into the network, such as network address translation (NAT), dynamic host configuration protocol (DHCP) or the IPv6 firewall. This implementation not only increases operational efficiency, but also opens the door to new security service opportunities. An introduction to the specific ETSI NFV security standards is provided and used as the reference for the security context. Then the security design and the implemented model are explained. The findings and solutions relevant to protecting users and infrastructure in this network architecture are also detailed. Finally, we present a study of new security services based on the vHGW architecture.


Notes

  1. Operating expense (OPEX) is the economic cost of running a service, system or product, while capital expense (CAPEX) refers to the acquisition of new assets. Both are part of the total cost of ownership (TCO).

  2. IP Front End is the name proposed by Telefonica.

  3. Broadband Network Gateway is also known as broadband remote access server (BRAS).

  4. Network Address Port Translation is a variation of NAT defined in RFC 2663 that extends the notion of translation to transport identifiers, such as ports.

  5. Generic Routing Encapsulation is a protocol defined in RFC 2784 for creating tunnels with low overhead.

  6. The role of element management systems is to manage and configure specific network devices. In our NFV context it is associated with VNF configuration, such as DHCP or IPFE.

  7. Operations support system/business support system. The first covers the management of the network, such as fault management or provisioning. The second includes all customer-related systems, like billing or service orders.

  8. Virtual LAN, based on the 802.1Q protocol and tagging.

  9. Virtual private networks are based on multiple technologies that allow private networks to be extended over public ones.

  10. Cross-site scripting is a family of well-known attacks on web applications that inject malicious scripts, especially client-side scripts.

  11. Trusted Platform Module, a secure cryptoprocessor standardized by the Trusted Computing Group (TCG).

  12. Lawful interception.

  13. Common Vulnerabilities and Exposures is a dictionary of identified vulnerabilities maintained by the MITRE Corporation.

  14. Point-to-point protocol allows multiple implementations. Common HGW support includes PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA), and requires an authentication process.

  15. Internet Control Message Protocol for IPv6 includes neighbour discovery, as the alternative to ARP, and other messages that are equally vulnerable.

  16. A man-in-the-middle attack allows an attacker to be located in the middle of a communication.

  17. “Network Access Server Port Id” is a RADIUS attribute which identifies the port of the NAS that is authenticating the user (IETF RFC 2869).

  18. Diagnostic command used almost since the existence of IP networks. It displays each IP node in the route between origin and destination, and the round-trip time at each hop. Based on ICMP Time Exceeded messages.

  19. Also known as processor affinity; binds and reserves CPUs for a specific virtual machine.

  20. Non-uniform memory access in the x86 architecture allows faster memory access to co-located CPUs.

  21. QinQ is the informal name for 802.1ad.

  22. Digital subscriber line access multiplexer. Network device that provides broadband access over telephone lines, i.e. DSL. Multiple variants exist: ADSL, VDSL, etc.

  23. Optical line terminal. Network device that terminates and multiplexes a passive optical network. Commonly known as fibre access. Multiple variants exist: FTTH, FTTB, FTTN, etc.

  24. Application-level gateway NAT devices apply address and port translation at the application layer, e.g. for FTP.

  25. Domain generation algorithms are used by several botnet families to produce thousands of potential domains where the botnet controller may be hosted.

  26. Fast Flux is a botnet technique based on DNS that hides the botnet controller behind dynamically changing compromised bots acting as proxies.


Corresponding author

Correspondence to Antonio Pastor.


Copyright information

© 2017 Springer International Publishing AG

About this chapter


Cite this chapter

Pastor, A., Folgueira, J. (2017). Practical Experience in NFV Security Field: Virtual Home Gateway. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_5

  • DOI: https://doi.org/10.1007/978-3-319-64653-4_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64652-7

  • Online ISBN: 978-3-319-64653-4
