ETSI GS NFV-SEC 013 V3.1.1 (2017-02)

GROUP SPECIFICATION

Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification

Disclaimer

The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Reference: DGS/NFV-SEC013
Keywords: management, NFV, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2017. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ..... 5
Foreword ..... 5
Modal verbs terminology ..... 5
1 Scope ..... 6
2 References ..... 6
2.1 Normative references ..... 6
2.2 Informative references ..... 7
3 Definitions and abbreviations ..... 7
3.1 Definitions ..... 7
3.2 Abbreviations ..... 8
4 Security Management Problem Statement ..... 8
5 Security Monitoring Problem Description ..... 8
6 Security Management ..... 9
6.1 Introduction of Security Lifecycle Management ..... 9
6.2 Gap Analysis for NFV Security ..... 11
6.2.1 Current Model of Security Management ..... 11
6.2.2 Policy Driven Security Management ..... 12
6.3 High-Level Security Management Framework ..... 13
6.4 Use Cases for Security Management ..... 15
6.4.1 Overview ..... 15
6.4.2 Single Operator Multi-Trust-Domain Use Case ..... 16
6.4.3 Network Security Use Case ..... 17
6.4.3.1 Introduction ..... 17
6.4.3.2 Sub-Use Cases along Security Management Lifecycle ..... 18
6.5 Security Management Requirements ..... 20
6.5.1 Requirements for Multi-Trust-Domain Security Management ..... 20
6.5.1.1 General Requirements ..... 20
6.5.1.2 Functional Requirements for Security Management of Trust Domain ..... 21
6.5.1.3 Requirements for Security Management ..... 21
6.5.2 Requirements for Network Security Management ..... 21
6.5.2.1 System Level Requirements ..... 21
6.5.2.2 Functional Requirements ..... 22
7 Security Monitoring ..... 23
7.1 Security Monitoring Systems ..... 23
7.1.1 Security Monitoring Classification ..... 23
7.1.2 Security Monitoring Techniques ..... 24
7.1.2.1 Overview ..... 24
7.1.2.2 Passive Security Monitoring ..... 26
7.1.2.3 Active Security Monitoring ..... 27
7.1.2.4 Hybrid Security Monitoring ..... 27
7.1.3 Limitations and Issues ..... 27
7.2 Security Monitoring Use Cases ..... 28
7.2.1 Deployment Scenario: EPC ..... 28
7.2.2 Deployment Scenario: Network Based Malware Detection ..... 29
7.2.3 Deployment Scenario: Subscriber Signalling ..... 30
7.2.4 Deployment Scenario: IMS Network Monitoring ..... 31
7.2.4.1 Overview ..... 31
7.2.4.2 Security Issues ..... 31
7.2.4.3 Security Monitoring the IMS Core Network ..... 32
7.3 Evolving Trends Affecting Security Monitoring ..... 32
7.4 Security Monitoring and Management in Virtualised Networks ..... 33
7.4.1 Security Monitoring As An Infrastructure Capability ..... 33
7.4.2 Data Access in Virtualised Environments ..... 34
7.4.3 Non Standard Interfaces ..... 34
7.4.4 Monitoring ETSI-NFV Defined Interfaces ..... 35
7.5 NFV Security Monitoring

Intellectual Property Rights

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV).

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
1 Scope

In an NFV network, network services and network functions can be deployed dynamically. The present document specifies functional and security requirements for automated, dynamic security policy management and security function lifecycle management, and for Security Monitoring of NFV systems.

The main objectives of the present document are to:

- Identify use cases for NFV Security Lifecycle Management across Security Planning, Security Enforcement, and Security Monitoring.
- Establish NFV Security Lifecycle Management and Security Monitoring requirements and architecture.

Ultimate goal of this work: The scope of this activity is to study and investigate NFV security monitoring and management use cases and establish security requirements. The present document investigates passive and active monitoring of subscriber and management information flows, where subscriber information includes signalling and content. Security Management and Monitoring are key components towards successful deployment of NFV. The requirements and results from the present document will act as a catalyst towards rapid deployment of NFV.

Goals of the present document: The present document will recommend potential methodologies and placement of security visibility and control elements for fulfilling the requirements identified in the present document. The present document will be useful to VNF and VNFI providers, network operators and the research community.

Non-goal: The present document does not address Lawful Intercept (LI). It may be applicable to performance and reliability monitoring for NFV systems.

Intended audience: VNF and NFVI providers, Network Operators, Service Providers, NFV Software Communities, SDOs (e.g. 3GPP, ETSI SC TC Cyber), Security experts and Researchers.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

[1] ETSI GS NFV-SEC 001: "Network Functions Virtualisation (NFV); NFV Security; Problem Statement".
[2] ETSI GS NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance".
[3] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System architecture specification for execution of sensitive NFV components".

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or
version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI GS NFV-IFA 013: "Network Functions Virtualisation (NFV); Management and Orchestration; Os-Ma-Nfvo reference point - Interface and Information Model Specification".
[i.2] Richard Bejtlich: "The Tao of Network Security Monitoring: Beyond Intrusion Detection", Addison-Wesley Professional, 2004.
[i.3] Chris Sanders and Jason Smith: "Applied Network Security Monitoring", Syngress publications, 2014.
[i.4] PFQ.
NOTE: Available at https://
[i.5] ETSI GS NFV 003: "Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV".
[i.6] ETSI GS NFV 002: "Network Functions Virtualisation (NFV); Architectural Framework".
[i.7] GSMA PRD N2020.01: "VoLTE Service Description and Implementation Guideline", V1.0, December 2014.
[i.8] Tomi Raty, Jouko Sankala, and Markus Shivonen: "Network traffic analysing and monitoring locations in the IMS", IEEE™ 31st EUROMICRO Conference on Software Engineering and Advanced Applications (EUROMICRO-SEAA), Porto, Portugal, 30th August - 3rd September, 2005, pp. 362-369.
[i.9] Paolo De Lutiis and Dario Lombardo: "An innovative way to analyse large ISP data for IMS security and monitoring", IEEE™ 13th International Conference on Intelligence in Next Generation Networks (INGN), Bordeaux, France, 26-29 October, 2009, pp. 1-6.
[i.10] Ari Takanen: "Recommendations for VoIP and IMS security", 3GPP Release 8 IMS Implementation Workshop, Sophia Antipolis, 24-25 November, 2010.
[i.11] D. Wang and Chen Liu: "Model based vulnerability analysis of IMS network", Academy Publisher, Journal of Networks, Vol. 4, No. 4, June 2009, pp. 254-262.
[i.12] ETSI GS NFV-REL 004: "Network Functions Virtualisation (NFV); Assurance; Report on Active Monitoring and Failure Detection".
[i.13] ETSI GR NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in ETSI GS NFV 003 [i.5] and the following apply:

trust domain: collection of entities that share a set of security policies

Virtual Security Function (VSF): security enabling function within the NFV architecture

3.2 Abbreviations

For the purposes of the present document, the abbreviations given in ETSI GS NFV 003 [i.5] and the following apply:

AAA   Authentication, Authorization and Accounting
ISF   Infrastructure Security Function
ISM   Infrastructure Security Manager
NSM   NFV Security Manager
PSF   Physical Security Function
SEM   Security Element Manager
sNSD  security enhanced Network Service Descriptor
VSF   Virtual Security Function
WG    Working Group

4 Security Management Problem Statement

In an NFV environment, network services and network functions can be created, updated, and terminated dynamically across multiple distributed NFVI-PoPs. The site distribution and VNF/NS Life Cycle Management drive the demand for automatically aligning security policies with any changes of end-to-end network services in an NFV environment. However, security management techniques used for traditional, non-NFV deployments will not scale for NFV and, if applied in their current form to NFV deployments, may result in inconsistent security policies, inefficient processes and overall higher complexity.

With the deployment of NFV technologies, the networks are becoming increasingly flexible concerning the placement and the number of VNFs that are assigned to a specific network service. Security configuration on all different types of security functions has to be automatically adapted to the changing scenarios to ensure consistent security policies in sync with network service lifecycle management.

To achieve automated security management for NFV deployment, the concept of NFV security lifecycle management is introduced and studied in the present document for the establishment of consistent security policies and uniform enforcement of the policies across both virtualised and legacy networks.

5 Security Monitoring Problem Description

Operators and Service Providers continually need new tools and techniques to better manage their complex networks, especially considering their dynamic evolution, including a vastly diverse mix of endpoint devices and subscribers, dynamically changing content streams, and requirements for vastly superior robustness and recovery. This natural evolution of the network necessitates a commensurate evolution in the ways future networks could be made more visible and secure.

In traditional, non-virtualised deployments, a network operator correlates and analyses data collected from the user data plane and the management and control planes. These correlated analytics assist the Operators to better manage their network, including the ability to track network usage, subscriber dynamics, content paths, SLAs, and any network threats and anomalies. Network-borne attacks like exploitation of vulnerabilities, spreading of malware, exfiltration of data and service disruption can be detected and remediated. Certain collected probes can also provide network and user experience analytics and KPIs, and help address security impacts to the mobile customers, the mobile carrier, and the downstream general public. Any applicable threat remediation and countermeasures can then be deployed.

In non-virtualised deployments, many of the interfaces between the functional components a