1、 ETSI GR NFV-SEC 009 V1.2.1 (2017-01) Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration Disclaimer The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Spec
2、ification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP REPORT ETSI ETSI GR NFV-SEC 009 V1.2.1 (2017-01)2 Reference RGR/NFV-SEC009ed121 Keywords administration, regulation, security
3、 ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: h
4、ttp:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceive
5、d difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision
6、 or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeS
7、upportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written autho
8、rization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE
9、 are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GR NFV-SEC 009 V1.2.1 (2017-01)3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs
10、terminology 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Abbreviations . 7g34 Use cases for multi-layer administration 9g34.0 Use cases - introduction . 9g34.1 Multi-tenant hosting . 9g34.2 Infrastructure as a service (IaaS) 10g34.3 Secu
11、rity Sensitive Application Functions . 10g34.3.1 Introduction. 10g34.3.2 Applicability of security requirements in the context of Sensitive Application Functions . 11g34.3.3 Notes on the technologies and measures in the context of Sensitive Application Functions 12g34.4 Security Network Monitoring E
12、ssential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carri
13、ed out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Report (GR) has been produced by ETSI Industry Specificati
14、on Group (ISG) Network Functions Virtualisation (NFV). Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of pro
15、visions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction The Security Problem Statement, ETSI GS NFV-SEC 001 i.1 identifies an issue with multi-layer administration for NFV. Multi-layer administration seeks to provide methods, capabilitie
16、s, procedures and assurances that safeguard Virtual Machines or Containers running on a virtualisation host from interference. The specific problem is that any user or process with root access to the hosting service can normally view and change the memory and processes of any hosted application. Thi
17、s is due to the fact that in the default administrative configuration for the majority of host-based virtualisation systems - whether using hypervisors or Containers - any process or administrator operating at the “base“ level has access to the memory of all applications - including VMs and Containe
18、rs - running on that host. The term inspection is often used to refer to the ability for processes to directly interact with system memory. Further detail is provided in clause 6.1.1. Although this configuration is generally acceptable when the hosted applications and the hosting service operate in
19、the same trust domain, or when the hosted applications are in the same trust context and a subordinate trust domain to the hosting service, there are a number of use cases where the trust relationship from the hosted application to the hosting service does not conform to this model. In these cases,
20、the hosted application may wish to protect a set of its resources from the hosting service. Note that there are also attacks in the opposite direction: from the hosted application against the hosting service. While serious, these are well understood issues and most hosting services already track vul
21、nerabilities in this context and provide defensive measures against these types of attacks. Another type of attack is from one hosted application against another hosted application on the same hosting service. Neither of these “top-down“ attacks are considered explicitly in the present document, how
22、ever, some of the methods and techniques presented here will reduce the incidence of such attacks (e.g. hardware mediated secure enclaves). The focus of the present document, then, is on securing hosted applications against attacks by the hosting service, as well as limiting undesired visibility. No
23、te that multi-layer administration in the context of NFV should not be confused with the similar term “Multi-Layer Security“ (MLS), though certain concepts relevant to MLS may be relevant or referenced in the present document. ETSI ETSI GR NFV-SEC 009 V1.2.1 (2017-01)6 1 Scope The present document a
24、ddresses multi-layer administration use cases and technical approaches, an issue identified in the Security Problem Statement, ETSI GS NFV-SEC 001 i.1. Multi-layer administration seeks to provide methods, capabilities, procedures and assurances - of various strengths based on requirements and availa
25、ble technologies and techniques - that safeguard Virtual Machines or Containers running on a virtualisation host (“hosted applications“) -from interference (of various types) by the host system or platform (“hosting service“). The scope of the present document is generally the system comprising the
26、hosting service, associated hardware (including TPM, GPU, etc.), software and configuration, and the hosted application. Some requirements and measures outside this context are also considered, but not necessarily in equal depth. 2 References 2.1 Normative references Normative references are not app
27、licable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the refe
28、renced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assi
29、st the user with regard to a particular subject area. i.1 ETSI GS NFV-SEC 001: “Network Functions Virtualisation (NFV); NFV Security; Problem Statement“. i.2 ETSI GS NFV-SEC 003: “Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance“. i.3 ETSI TR 103 331: “CYBER; Structu
30、red threat information sharing“. i.4 ETSI TS 102 232: “Lawful Interception (LI); Handover Interface and Service-Specific Details (SSD) for IP delivery“. i.5 ETSI TS 101 331: “Lawful Interception (LI); Requirements of Law Enforcement Agencies“. i.6 ETSI TS 102 656: “Lawful Interception (LI); Retained
31、 Data; Requirements of Law Enforcement Agencies for handling Retained Data“. i.7 ETSI TS 102 657: “Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data“. i.8 ETSI DGS/NFV-SEC007: “Network Function Virtualisation (NFV); Trust; Report on At
32、testation Technologies and Practices for Secure Deployments“. i.9 NIST Special Publication 800-122: “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)“. NOTE: Available at https:/doi.org/10.6028/NIST.SP.800-122. ETSI ETSI GR NFV-SEC 009 V1.2.1 (2017-01)7 i.10 Direc
33、tive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. NOTE: Available at http:/eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML. i.11
34、 TCG PC: “Client Specific Implementation Specification for Conventional BIOS - Specification Version 1.21 Errata“. i.12 ETSI GS NFV-SEC 004: “Network Functions Virtualisation (NFV); NFV Security; Privacy and Regulation; Report on Lawful Interception Implications“. i.13 Forensics Whitepapers. NOTE: h
35、ttps:/digital-forensics.sans.org/community/whitepapers. i.14 TCG: “Trusted Platform Module Library Specification, Family 2.0“. NOTE: http:/www.trustedcomputinggroup.org/resources/tpm_library_specification. i.15 TCG: “TSS TAB and Resource Manager Specification“. NOTE: http:/www.trustedcomputinggroup.
36、org/resources/tss_tab_and_resource_manager. i.16 NIST FIPS 140-2: “Security Requirements for Cryptographic Modules“. NOTE: http:/csrc.nist.gov/groups/STM/cmvp/standards.html. i.17 TCG: “Virtualized Trusted Platform Architecture Specification“. NOTE: http:/www.trustedcomputinggroup.org/resources/virt
37、ualized_trusted_platform_architecture_specification. i.18 ETSI DGS/NFV-SEC010: “Network Functions Virtualisation (NFV); NFV Security; Report on Retained Data problem statement and requirements“. i.19 ETSI GS NFV 001: “Network Functions Virtualisation (NFV); Use Cases“. 3 Abbreviations For the purpos
38、es of the present document, the following abbreviations apply: AAA Authentication, Authorisation - by injecting known or probable pathological inputs; - by manipulating its environment. ETSI ETSI GR NFV-SEC 009 V1.2.1 (2017-01)20 Both the application itself and the NFVI hold roles in mitigating thes
39、e types of attacks: Passive hostile: this category includes attempts by the hosting service to gain unauthorized access to data or processes being run by the hosted application, or to gain information about those data or processes. A passive attack involves the attacker using only observed inputs, o
40、utputs or memory of the target application or side effects of its operation, but without any direct interaction with it (e.g. adding/changing any inputs or blocking/manipulating any outputs). The NFVI has a primary, perhaps singular, role in detecting and eliminating such attacks because, by definit
41、ion, they cannot be mitigated by the application itself: Accidental: this category includes the possibility that information may leak or be discovered by unauthorized parties who are not specifically looking for information from the hosted application. Where human, they might typically be administra
42、tors of the hosting service or have privileged access to components within or without the hosting service. Other accidental failures might arise from insecure logging techniques, file descriptor leakage or router/switch misconfiguration. It should be noted that not all attacks are directly related t
43、o the hosting service itself, as there may exist side channel attacks and vulnerabilities in the supporting systems. Where possible, these should be considered, and mitigations put in place to reduce impact. They are not considered explicitly within the scope of the present document. Knowing that th
44、ere is activity in the hosted application - that resources are being consumed in a particular manner or matching a particular usage template - or detecting changes in resource usage, over various time scales, may be enough for some attacks to be considered “successful“. 5.0.2 Prevention versus remed
45、iation For some use cases, the amount of effort expended to prevent failures in meeting requirements through various techniques and assurances may outweigh the benefit of meeting the requirements. Equally, balancing the level of preventative measures with rapid monitoring and reporting to allow quic
46、k investigation and rapid remedial action allows sensible and appropriate resources to be applied most efficiently. 5.0.3 Channels for assertions by the hosting service A number of the requirements on the hosting service mean that it makes assertions as to its capabilities and state to other parties
47、 - typically other components in the NFV deployment. Of the three security properties noted above, availability and integrity of data are typically more important than confidentiality - in this case, the priorities are different to the usual - and although information about the ability (or inability
48、) of a hosting service to provide a particular capability or set of capabilities may be of interest to an attacker, the components choosing to site hosted applications on hosts should be taking such information into consideration before selecting a particular hosting service. It should be noted, als
49、o, that hosting services will generally expect - and will need to enforce that - only authorized parties are making requests for such information (for the reasons noted above), so standard techniques should be utilized to ensure that identities are checked. The obvious approach is to encrypt the communication channels and to use cipher suites which support authentication to provide identities which can thence be used to make decisions about authorization. The need for the requesting parties to validate the identity of the h
