1、 ETSI GS NFV-SEC 002 V1.1.1 (2015-08) Network Functions Virtualisation (NFV); NFV Security; Cataloguing security features in management software GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)2 Reference DGS/NFV-SEC002 Keywords NFV, open source, security ETSI 650 Route des Lucioles F-0
2、6921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-sear
3、ch The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between
4、 such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Informatio
5、n on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No
6、 part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the fo
7、regoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for th
8、e benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g31 Scope 6g32 References 6g3
9、2.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Introduction 8g35 Identity and access management 9g35.1 General . 9g35.2 PKI tokens 10g35.2.0 General 10g35.2.1 PKI set-up . 10g35.2.2 Token generation 10g35.2
10、.3 Token verification . 11g35.2.4 Token indexing . 11g35.3 UUID tokens 12g35.4 Trusts 12g35.5 Token storage . 13g35.6 Token Transport . 14g35.7 Identity federation 14g35.8 Identity API Access Control . 15g35.9 Password Hashing 15g35.10 Time Synchronization 15g36 Communication Security 15g37 Stored d
11、ata security 16g37.1 Block Storage Encryption 16g37.2 Logical Volume Sanitization 17g38 Firewalling, zoning, and topology hiding. 17g38.1 Security group 17g38.2 Anti-spoofing . 18g38.3 Network Address Translation . 18g38.4 Network isolation . 19g38.5 Firewall-as-a-service 19g39 Availability . 19g310
12、 Logging and monitoring . 20g310.1 Logging 20g310.2 Event notification . 21g311 Compute isolation 22g312 Guidance on the use of OpenStack in NFV 23g313 Recommended OpenStack enhancements in support of NFV 24g3ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)4 Annex A (informative): Authors Essential, or pot
13、entially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No
14、 guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (I
15、SG) Network Functions Virtualisation (NFV). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expres
16、sion of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)6 1 Scope The present document gives a survey of the security features in the open source management software relevant to NFV, in particular O
17、penStack i.1 as the first case study. It addresses the OpenStack modules that provide security services (such as authentication, authorization, confidentiality protection, integrity protection, and logging) together with the full graphs of their respective dependencies down to the ones that implemen
18、t cryptographic protocols and algorithms. It also identifies a set of recommendations on the use of and enhancements to OpenStack as pertinent to NFV. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or n
19、on-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbo
20、x.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references Ref
21、erences are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While
22、any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 OpenSt
23、ack. NOTE: http:/www.openstack.org/. i.2 United States Computer Emergency Readiness Team. NOTE: http:/www.us-cert.gov/. i.3 ETSI GS NFV 003: “Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV“. i.4 ETSI GS NFV-SEC 001: “Network Functions Virtualisation (NFV); NFV Security;
24、 Problem Statement“. i.5 ETSI GS NFV 004: “Network Functions Virtualisation (NFV); Virtualisation Requirements“. i.6 ETSI GS NFV-MAN 001: “Network Functions Virtualisation (NFV); Management and Orchestration“, (work in progress). i.7 Memcached. NOTE: http:/memcached.org/. ETSI ETSI GS NFV-SEC 002 V1
25、.1.1 (2015-08)7 i.8 OpenID Connect. NOTE: http:/ i.9 IETF Application Bridging for Federated Access Beyond web (ABFAB) Working Group. NOTE: http:/tools.ietf.org/wg/abfab/charters. i.10 IETF RFC 5905 (June 2010): “Network Time Protocol Version 4: Protocol and Algorithms Specification“. NOTE: https:/t
26、ools.ietf.org/html/rfc5905. i.11 IEEE 1588-2008 (July 2008): “IEEE Standard for a Precision Clock Synchronization for Networked Measurement and Control Systems“. i.12 The OpenStack Security Guide. NOTE: http:/docs.openstack.org/sec/. i.13 Trusted Computing Group: Storage Work Group Storage Security
27、Subsystem Class: Opal. NOTE: http:/www.trustedcomputinggroup.org/resources/storage_work_group_storage_security_subsystem_class_opal. i.14 IETF RFC 3164: “The BSD syslog Protocol“. i.15 IETF RFC 5424: “The Syslog Protocol“. i.16 IETF RFC 5280: “Internet X.509 Public Key Infrastructure Certificate and
28、 Certificate Revocation List (CRL) Profile“. i.17 FIPS PUB 186-4: “Digital signature Standard“. i.18 DMTF: “Cloud Auditing Data Federation (CADF)“. NOTE: Available at: http:/www.dmtf.org/standards/cadf. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the ter
29、ms and definitions given in ETSI GS NFV 003 i.3 apply. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in i.3 and the following apply: AMQP Advanced Message Queuing Protocol AH Authentication Header API Application Program Interface ARP Address Resolution Protocol
30、 CADF Cloud Auditing Data Federation CMS Cryptographic Message Syntax DHCP Dynamic Host Configuration Protocol DMTF Distributed Management Task Force ESP Encapsulating Security Payload GRE Generic Route Encapsulation HMAC Hashed Message Authentication Code HTTP HyperText Transfer Protocol IKE Intern
31、et Key Exchange IP Internet Protocol JSON JavaScript Object Notation KVS Key Value Stores ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)8 LDAP Lightweight Directory Access Protocol LUKS Linux Unified Key Setup MAC Media Access Control MAC/IP Media Access Control / Internet Protocol NSS Network Security S
32、ervices NTP Network Time Protocol PEM Privacy Enhanced Mail PKI Public Key Infrastructure PTP Precision Time Protocol RPC Remote Procedure Call SAML Security Assertion Mark-up Language SASL Simple Authentication and Security Layer SED Self Encrypting Drive SQL Structured Query Language SR-IOV Single
33、 Root Input Output Virtualization SSH Secure SHell SSL Secure Socket Layer TCP Transfer Control Protocol URI Uniform Resource Identifier UUID Universally Unique IDentifier VLAN Virtual LAN VM Virtual Machine VNC Virtual Network Computing VPN Virtual Private Network VXLAN Virtual eXtensible Local Are
34、a Network WSGI Web Server Gateway Interface 4 Introduction Building on open source software can help advance certain goals of NFV, such as accelerated time-to-market and improved interoperability. To do so effectively calls for having a knowledge base of the security features and cryptographic algor
35、ithms supported in each relevant code base. In particular, NFV applications are subject to privacy and security regulations. The knowledge base helps shed light on how to best apply the pertinent software and on enhancements necessary to meet the NFV security needs. It is also useful for other reaso
36、ns. Chief among them are: export control of cryptographic software; compliance with procurement processes; follow-up on alerts from US-CERT i.2 and other similar organizations; and determination of the relevant elements for security analytics. Such a knowledge base is of particular importance in the
37、 area of management and orchestration, which plays a critical role in NFV security. The present document addresses OpenStack, a widely adopted cloud operating system, as the first case study. It aims to cover all applicable aspects of information and network security, including: Identity and access
38、management Communication security Stored data security Firewalling, zoning, and topology hiding Availability ETSI ETSI GS NFV-SEC 002 V1.1.1 (2015-08)9 Logging and monitoring Compute isolation NOTE: OpenStack is a set of open source tools for building and managing cloud-computing software platforms
39、for public and privvate clouds. It consists of a group of interrelated projects that control pools of processing, storage, and networking resources throughout a data center e.g. Neutron, Nova, Keystone, Barbican, Swift, Glance, Trove, Cinder, etc. The present document describes the OpenStack modules
40、 that provide security services (e.g. authentication, authorization, confidentiality protection and integrity protection) together with their respective dependencies on cryptographic protocols and algorithms. It also makes a set of recommendations on the use of and enhancements to OpenStack as perti
41、nent to NFV. The case study takes into account the issues identified in ETSI GS NFV-SEC 001 i.4 and the related requirements specified in ETSI GS NFV 004 i.5 and ETSI GS NFV-MAN 001 i.6. 5 Identity and access management 5.1 General Keystone is the component in OpenStack that provides centralized aut
42、hentication and authorization. It is used by all OpenStack components for API access control. Hence, at a high level, a user is authenticated by Keystone first before gaining access to any other service (Keystone may employ an external authentication system). Upon successful authentication, the user
43、 is given a temporary token. From this point on, to get a service, the user includes the token in the service request. The user can receive the service if and only if the token is validated and if the user has the proper roles. Keystone is organized as a set of internal services, including the ident
44、ity service, token service, and catalog service. The identity service handles user authentication and user-data validation. The following constructs are basic to the service: User, which may be a person or a process using an OpenStack service. Project (or tenant), which owns a set of OpenStack resou
45、rces. A project shall be assigned a domain. Group, which is a set of users. A group shall be assigned a domain. A user may be assigned one or multiple groups. Domain, which is a set of users, groups, and projects. Role, which specifies a set of rights and privileges. Roles can be granted at either t
46、he domain or project level. A group may be assigned one or multiple roles on a domain. A user may be assigned one or multiple roles on a project or domain. An example role is admin. A user shall have a role assigned to have access to a resource. The identity service supports basic management of user
47、 data (e.g. create, read, update and delete). It also has the flexibility to use a pluggable authentication or authorization module through a backend. Common backends include Lightweight Directory Access Protocol (LDAP) servers, SQL databases and Key Value Stores (KVS). Keystone uses an SQL backend
48、by default. The identity service is accessible through a REST API. The corresponding API endpoint is, in fact, the entry point to all services. An endpoint is a network-accessible address in the form of a Uniform Resource Identifier (URI). The identity service may support a separate endpoint for adm
49、inistrative purposes. It goes without saying that the transport of all API access transactions needs to be protected. In general, access control is based on configurable policy stored in a JSON file. Other components in OpenStack can further customize the policy according to their respective service contexts. Keystone supports an SQL policy backend. The token service deals with token management and validation. It relies on a database to store tokens and the assoc
