1、 ETSI GS NFV-SEC 009 V1.1.1 (2015-12) Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration Disclaimer This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specificati
2、on Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 009 V1.1.1 (2015-12)2 Reference DGS/NFV-SEC009 Keywords administration, regulation, security ETSI
3、 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/
4、www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived dif
5、ference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or c
6、hange of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.asp
7、x Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETS
8、I. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Mark
9、s of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 009 V1.1.1 (2015-12)3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g3
10、Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Abbreviations . 7g34 Use cases for multi-layer administration 9g34.0 Use cases - introduction . 9g34.1 Multi-tenant hosting . 9g34.2 Infrastructure as a service (IaaS) 10g34.3 Security Sensitive
11、Application Functions . 10g34.3.1 Introduction. 10g34.3.2 Applicability of security requirements in the context of Sensitive Application Functions . 11g34.3.3 Notes on the technologies and measures in the context of Sensitive Application Functions 12g34.4 Security Network Monitoring Essential, or po
12、tentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. N
13、o guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (
14、ISG) Network Functions Virtualisation (NFV). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expre
15、ssion of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction The Security Problem Statement, ETSI GS NFV-SEC 001 i.1 identifies an issue with multi-layer administration for NFV. Multi-layer administration seeks to provide methods,
16、 capabilities, procedures and assurances that safeguard Virtual Machines or Containers running on a virtualisation host from interference. The specific problem is that any user or process with root access to the hosting service can normally view and change the memory and processes of any hosted appl
17、ication. This is due to the fact that in the default administrative configuration for the majority of host-based virtualisation systems - whether using hypervisors or Containers - any process or administrator operating at the “base“ level has access to the memory of all applications - including VMs
18、and Containers - running on that host. The term inspection is often used to refer to the ability for processes to directly interact with system memory. Further detail is provided in clause 6.1.1. Although this configuration is generally acceptable when the hosted applications and the hosting service
19、 operate in the same trust domain, or when the hosted applications are in the same trust context and a subordinate trust domain to the hosting service, there are a number of use cases where the trust relationship from the hosted application to the hosting service does not conform to this model. In t
20、hese cases, the hosted application may wish to protect a set of its resources from the hosting service. Note that there are also attacks in the opposite direction: from the hosted application against the hosting service. While serious, these are well understood issues and most hosting services alrea
21、dy track vulnerabilities in this context and provide defensive measures against these types of attacks. Another type of attack is from one hosted application against another hosted application on the same hosting service. Neither of these “top-down“ attacks are considered explicitly in the present d
22、ocument, however, some of the methods and techniques presented here will reduce the incidence of such attacks (e.g. hardware mediated secure enclaves). The focus of the present document, then, is on securing hosted applications against attacks by the hosting service, as well as limiting undesired vi
23、sibility. Note that multi-layer administration in the context of NFV should not be confused with the similar term “Multi-Layer Security“ (MLS), though certain concepts relevant to MLS may be relevant or referenced in the present document. ETSI ETSI GS NFV-SEC 009 V1.1.1 (2015-12)6 1 Scope The presen
24、t document addresses multi-layer administration use cases and technical approaches, an issue identified in the Security Problem Statement, ETSI GS NFV-SEC 001 i.1. Multi-layer administration seeks to provide methods, capabilities, procedures and assurances - of various strengths based on requirement
25、s and available technologies and techniques - that safeguard Virtual Machines or Containers running on a virtualisation host (“hosted applications“) -from interference (of various types) by the host system or platform (“hosting service“). The scope of the present document is generally the system com
26、prising the hosting service, associated hardware (including TPM, GPU, etc.), software and configuration, and the hosted application. Some requirements and measures outside this context are also considered, but not necessarily in equal depth. 2 References 2.1 Normative references References are eithe
27、r specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which ar
28、e not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary
29、for the application of the present document. 1 ETSI GS NFV 001: “Network Functions Virtualisation (NFV); Use Cases“. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only th
30、e cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced do
31、cuments are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI GS NFV-SEC 001: “Network Functions Virtualisation (NFV); NFV Security; Problem Statement“. i.2 ETSI GS NFV-SEC 003: “Network Functions Virtualisation (NFV
32、); NFV Security; Security and Trust Guidance“. i.3 ETSI TR 103 331: “CYBER; Structured threat information sharing“. i.4 ETSI TS 102 232: “Lawful Interception (LI); Handover Interface and Service-Specific Details (SSD) for IP delivery“. i.5 ETSI TS 101 331: “Lawful Interception (LI); Requirements of
33、Law Enforcement Agencies“. i.6 ETSI TS 102 656: “Lawful Interception (LI); Retained Data; Requirements of Law Enforcement Agencies for handling Retained Data“. i.7 ETSI TS 102 657: “Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data“. E
34、TSI ETSI GS NFV-SEC 009 V1.1.1 (2015-12)7 i.8 ETSI DGS/NFV-SEC007: “Network Function Virtualisation (NFV); Trust; Report on Attestation Technologies and Practices for Secure Deployments“. i.9 NIST Special Publication 800-122: “Guide to Protecting the Confidentiality of Personally Identifiable Inform
35、ation (PII)“. NOTE: Available at http:/csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf i.10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such d
36、ata. . NOTE: Available at http:/eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML i.11 TCG PC: “Client Specific Implementation Specification for Conventional BIOS - Specification Version 1.21 Errata“. i.12 ETSI GS NFV-SEC 004: “Network Functions Virtualisation (NFV); NFV Securi
37、ty; Privacy and Regulation; Report on Lawful Interception Implications“. i.13 Forensics Whitepapers. NOTE: https:/digital-forensics.sans.org/community/whitepapers. i.14 TCG: “Trusted Platform Module Library Specification, Family 2.0“. NOTE: http:/www.trustedcomputinggroup.org/resources/tpm_library_s
38、pecification. i.15 TCG: “TSS TAB and Resource Manager Specification“. NOTE: http:/www.trustedcomputinggroup.org/resources/tss_tab_and_resource_manager i.16 NIST FIPS 140-2: “Security Requirements for Cryptographic Modules“. NOTE: http:/csrc.nist.gov/groups/STM/cmvp/standards.html. i.17 TCG: “Virtual
39、ized Trusted Platform Architecture Specification“. NOTE: http:/www.trustedcomputinggroup.org/resources/virtualized_trusted_platform_architecture_specification. i.18 ETSI DGS/NFV-SEC010: “Network Functions Virtualisation (NFV); NFV Security; Report on Retained Data problem statement and requirements“
40、. 3 Abbreviations For the purposes of the present document, the following abbreviations apply: AAA Authentication, Authorisation - by injecting known or probable pathological inputs; - by manipulating its environment. Both the application itself and the NFVI hold roles in mitigating these types of a
41、ttacks. Passive hostile: this category includes attempts by the hosting service to gain unauthorized access to data or processes being run by the hosted application, or to gain information about those data or processes. A passive attack involves the attacker using only observed inputs, outputs or me
42、mory of the target application or side effects of its operation, but without any direct interaction with it (e.g. adding/changing any inputs or blocking/manipulating any outputs). The NFVI has a primary, perhaps singular, role in detecting and eliminating such attacks because, by definition, they ca
43、nnot be mitigated by the application itself. ETSI ETSI GS NFV-SEC 009 V1.1.1 (2015-12)20 Accidental: this category includes the possibility that information may leak or be discovered by unauthorized parties who are not specifically looking for information from the hosted application. Where human, th
44、ey might typically be administrators of the hosting service or have privileged access to components within or without the hosting service. Other accidental failures might arise from insecure logging techniques, file descriptor leakage or router/switch misconfiguration. It should be noted that not al
45、l attacks are directly related to the hosting service itself, as there may exist side channel attacks and vulnerabilities in the supporting systems. Where possible, these should be considered, and mitigations put in place to reduce impact. They are not considered explicitly within the scope of the p
46、resent document. Knowing that there is activity in the hosted application - that resources are being consumed in a particular manner or matching a particular usage template - or detecting changes in resource usage, over various time scales, may be enough for some attacks to be considered “successful
47、“. 5.0.2 Prevention versus remediation For some use cases, the amount of effort expended to prevent failures in meeting requirements through various techniques and assurances may outweigh the benefit of meeting the requirements. Equally, balancing the level of preventative measures with rapid monito
48、ring and reporting to allow quick investigation and rapid remedial action allows sensible and appropriate resources to be applied most efficiently. 5.0.3 Channels for assertions by the hosting service A number of the requirements on the hosting service mean that it makes assertions as to its capabil
49、ities and state to other parties - typically other components in the NFV deployment. Of the three security properties noted above, availability and integrity of data are typically more important than confidentiality - in this case, the priorities are different to the usual - and although information about the ability (or inability) of a hosting service to provide a particular capability or set of capabilities may be of interest to an attacker, the components choosing to site hosted applications on hosts should be taking su
