Abstract
This chapter describes the secure-design experience gained while implementing virtualization functionalities in a business unit of Telefonica, an integrated global telco operator. The trial was based on one of the first representative use cases of network function virtualization (NFV) technology: the virtual home gateway (vHGW), also known as virtual customer premise equipment (vCPE), with real residential broadband customers. This NFV-based model offloads functionalities such as network address translation (NAT), dynamic host configuration protocol (DHCP) or the IPv6 firewall from the physical HGW devices to the network. This implementation not only allows an increase in operational efficiency, but also opens the door to new security service opportunities. An introduction to the specific ETSI NFV security standards is provided and used as the reference for the security context. Then the security design and the implemented model are explained, and the findings and solutions relevant in this network architecture for protecting the users and the infrastructure are detailed. Finally, we present a study of new security services based on the vHGW architecture.
Notes
1. Operating expense (OPEX) is associated with the economic cost of running a service, system or product, while capital expense (CAPEX) refers to the acquisition of new assets. Both are part of the total cost of ownership (TCO).
2. IP Front End is the name proposed by Telefonica.
3. Broadband Network Gateway is also known as broadband remote access server (BRAS).
4. Network Address Port Translation is a variation of NAT defined in RFC 2663 that extends the notion of translation to transport identifiers, such as ports.
5. Generic Routing Encapsulation is a protocol based on RFC 2784 used to create tunnels with low overhead.
6. The role of element management systems is focused on managing and configuring specific network devices. In our NFV context it is associated with VNF configuration, such as DHCP or IPFE.
7. Operations support system/business support system. The first covers the management of the network, such as fault management or provisioning. The second includes all customer-related systems, like billing or service orders.
8. Virtual LAN, based on the 802.1Q protocol and tagging.
9. Virtual private networks are based on multiple technologies that allow private networks to be extended over public ones.
10. Cross-site scripting is a family of well-known attacks on web applications that inject malicious scripts, especially web client-side scripts.
11. Trusted Platform Module, a secure cryptoprocessor standardized by the Trusted Computing Group (TCG).
12. Lawful interception.
13. Common Vulnerabilities and Exposures is a dictionary of identified vulnerabilities maintained by the MITRE Corporation.
14. Point-to-point protocol allows multiple implementations. Common HGW support includes PPP over Ethernet (PPPoE) or over ATM (PPPoA), and requires an authentication process.
15. Internet Control Message Protocol in IPv6 includes neighbour discovery as the alternative to ARP, together with other messages that are equally vulnerable.
16. Man in the middle: an attack in which the attacker is located in the middle of a communication.
17. “Network Access Server Port Id” is a RADIUS attribute that identifies the port of the NAS which is authenticating the user (IETF RFC 2869).
18. Diagnostic command used almost since the existence of IP networks. It displays each IP node in the route between origin and destination, and the round-trip time at each hop. Based on ICMP Time Exceeded messages.
19. Also known as processor affinity; binds and reserves CPUs for a specific virtual machine.
20. Non-uniform memory access in the x86 architecture allows faster memory access to co-located CPUs.
21. QinQ is the informal name for 802.1ad.
22. Digital subscriber line access multiplexer. Network device that provides broadband access over telephone lines, i.e. DSL. Multiple variants exist: ADSL, VDSL, etc.
23. Optical line terminal. Network device that acts as endpoint and multiplexer for a passive optical network. Commonly known as fiber access. Multiple variants exist: FTTH, FTTB, FTTN, etc.
24. Application-level gateway NAT devices allow address and port translation to be applied at the application layer, for protocols such as FTP.
25. Domain generation algorithms are used by several botnet families to produce thousands of potential domains where the botnet controller may be hosted.
26. Fast Flux is a botnet technique based on DNS for hiding the botnet controller through dynamic changes of compromised bots acting as proxies.
© 2017 Springer International Publishing AG
Pastor, A., Folgueira, J. (2017). Practical Experience in NFV Security Field: Virtual Home Gateway. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_5
DOI: https://doi.org/10.1007/978-3-319-64653-4_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64652-7
Online ISBN: 978-3-319-64653-4