Page 287 - Kaleidoscope Academic Conference Proceedings 2024
Innovation and Digital Transformation for a Sustainable World
the MANO system, communicate with MANO network elements, and launch attacks.

• Reducing network availability. Loss of backup data, or the inability to recover critical data and business state, makes the business unavailable, which may lead to serious consequences such as service interruption, customer loss, and reputation damage for the enterprise.

• Disrupting network isolation. Attackers can use a compromised VM as a springboard to bypass traditional network isolation mechanisms and exploit shared physical resources, network connections, or management interfaces to access and attack other VMs.

• Reducing real-time performance. Attackers use VMs to maliciously deplete host resources, degrading the real-time performance of the other VMs on the host, for example by causing service response delays, reduced data transmission rates, or application crashes; this is particularly severe for services with strict real-time requirements.

4. NETWORK VIRTUALIZATION ARCHITECTURE

4.1 Network virtualization architecture

Analysis of the components and architecture of network virtualization shows that it consists mainly of three parts: the virtualization network infrastructure, virtual network functions, and the management system, as shown in Figure 2.

Figure 2 - Network virtualization components and architecture

4.2 Virtualization Network Infrastructure

The virtualization network infrastructure consists of virtual machine managers (VMMs), host operating systems, and hardware resources including bare metal servers, switches, routers, storage devices, etc. VMMs abstract the hardware resources to form the upper-level virtual computing, storage, and network resources. Typical VMMs include hypervisors (VM management programs) and container engines.

4.3 Virtual Network Function

In order to deploy network functions on the virtualization network infrastructure, VNFs are introduced and data connections are created between them as needed under the scheduling of SDN controllers. A standard method is formed by VNF, vRouter, and vSwitch to dynamically provide network functions from SDN controllers. SDN can significantly improve the flexibility and automation of network functions while significantly reducing network operating costs.

4.4 Management System

In addition to the operation and maintenance centre (OMC), the network virtualization architecture also adds SDN controllers and NFV orchestrators. The NFV orchestrator is responsible for the allocation, scheduling, and lifecycle management of infrastructure and resources, while the SDN controller is responsible for network topology and virtual data link management.

5. NETWORK VIRTUALIZATION SECURITY MEASURES

5.1 Virtualization Network Infrastructure Security

5.1.1 Hardware

The hardware in network virtualization should be deployed in a secure environment. For example, the buildings where the hardware is deployed should be equipped with waterproofing, seismic protection, and physical access control. The physical interfaces on the hardware should be configured with access control mechanisms that enforce authentication and authorization. Administrators should pass authentication and authorization when logging into a device; if passwords are used, their complexity should be enforced. Communication between management systems and devices should be protected to ensure confidentiality and integrity. The host server should also support secure boot to ensure the integrity of the boot chain.

5.1.2 Virtualization Engine

The virtualization engine should support detection and prevention of VM escape and container engine escape. At the same time, security hardening measures should be applied to the host operating system, VMMs, and container engines, such as correctly configuring ports and services, closing unnecessary ports and services, scanning for vulnerabilities, and detecting viruses. The virtualization engine should also support resource isolation, such as isolating the vCPU, vMemory, and vI/O resources used by different VMs. All access should be authenticated and authorized, including mutual access between VMs, virtualization engine access to VMs/containers, and administrator access to VMs.

5.1.3 Network Connection
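The hardware-layer measures of 5.1.1 (authenticated and authorized administrator access on the physical management interface, password complexity, a management channel with confidentiality and integrity, secure boot) can be verified against a host baseline. The following script is an added example and not code from the paper. It assumes a UEFI Linux host on which efivarfs exposes the SecureBoot variable, OpenSSH as the management interface configured through sshd_config, and a management address of 10.20.0.5; the password rule and the two sshd_config samples are constructed for illustration.

```python
"""Host baseline checks for the hardware-layer measures in section 5.1.1.

Added example, not code from the paper. Assumptions (not in the paper):
  - UEFI Linux host; efivarfs exposes the SecureBoot variable as 4 attribute
    bytes followed by 1 data byte (1 = enabled);
  - OpenSSH is the management interface, configured through sshd_config;
  - the management address 10.20.0.5 and the password rule are illustrative.
"""
import re
from pathlib import Path

# Standard EFI global-variable GUID; only read when running on a real UEFI host.
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Global sshd settings a management interface should state explicitly.
REQUIRED_SSHD = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}
# Legacy algorithms that weaken confidentiality/integrity of the channel.
WEAK_ALGS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
             "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
WILDCARD = ("0.0.0.0", "::", "[::]")


def secure_boot_enabled(efivar_data: bytes) -> bool:
    """Decode raw efivarfs bytes of the SecureBoot variable (missing -> False)."""
    return len(efivar_data) >= 5 and efivar_data[4] == 1


def parse_sshd_config(text: str) -> dict:
    """{keyword: [values...]} for global lines; stops at the first Match block."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def audit_sshd_config(text: str) -> list:
    """Findings for the management interface; an empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED_SSHD.items():
        values = conf.get(key)
        if values is None:
            findings.append(f"{key}: not set explicitly")
        elif values[0].lower() not in allowed:   # sshd honours the first occurrence
            findings.append(f"{key}: {values[0]} (expected one of {sorted(allowed)})")
    listen = conf.get("listenaddress", [])
    if not listen or any(a == w or a.startswith(w + ":") for a in listen for w in WILDCARD):
        findings.append("listenaddress: sshd is not bound to the management address only")
    for key in ("ciphers", "macs"):
        algs = {a.strip().lstrip("+-^").lower()
                for v in conf.get(key, []) for a in v.split(",")}
        weak = sorted(algs & WEAK_ALGS)
        if weak:
            findings.append(f"{key}: weak algorithms enabled {weak}")
    return findings


def password_meets_policy(password: str, min_len: int = 14) -> bool:
    """Illustrative complexity rule: minimum length and three of four classes."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= min_len and sum(classes) >= 3


# Constructed samples (not captured from a real host).
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"    # attrs = BS|RT, data = 1
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
WEAK_SSHD_CONFIG = """
# as shipped: listens everywhere, root and passwords allowed, legacy algorithms
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
"""
HARDENED_SSHD_CONFIG = """
ListenAddress 10.20.0.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
"""

if __name__ == "__main__":
    try:
        live = secure_boot_enabled(SECUREBOOT_EFIVAR.read_bytes())
    except OSError:
        live = None                                 # not a UEFI host or no permission
    print("secure boot on this host:", live, "| sample:", secure_boot_enabled(SAMPLE_SECUREBOOT_ON))
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} sshd_config:", audit_sshd_config(cfg) or "compliant")
    print("hunter2:", password_meets_policy("hunter2"),
          "| Kq7#vmmHostAdm!n:", password_meets_policy("Kq7#vmmHostAdm!n"))
```

The ListenAddress check is what ties the sshd audit to the paper's point about the physical management interface: binding the service only to the management address keeps administrator logins off the tenant-facing networks. The SecureBoot decoder reads the raw variable rather than trusting a tool's summary, so it also works inside a minimal image where mokutil is absent.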
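For the virtualization-engine measures of 5.1.2 (closing unnecessary ports and services on the host, and isolating the vCPU, vMemory and vI/O used by different VMs), the following added example, which is not code from the paper, audits a KVM host managed through libvirt. It checks listening sockets taken from `ss -Hlntu` output against an allowlist and inspects libvirt domain XML for CPU pinning, a memory hard limit, disk I/O caps, and pinned CPUs shared by two VMs. The element names cputune/vcpupin, memtune/hard_limit and iotune are libvirt's own; the allowlist, the `ss` output and the three domain definitions are constructed samples.

```python
"""Virtualization-engine checks for section 5.1.2: unnecessary listening
services on the host, and vCPU / vMemory / vI/O isolation between VMs.

Added example, not code from the paper. Assumptions (not in the paper): KVM
managed through libvirt, so per-VM isolation is expressed in the domain XML
(cputune/vcpupin, memtune/hard_limit, disk iotune); the `ss -Hlntu` output and
the allowlist (sshd, libvirtd TLS, OVSDB on 10.20.0.5) are constructed samples.
"""
import xml.etree.ElementTree as ET

EXPECTED_LISTENERS = {("10.20.0.5", 22), ("10.20.0.5", 16514), ("10.20.0.5", 6640)}

# Constructed output: libvirtd and VNC bound to all interfaces, rpcbind left running.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    10.20.0.5:22       0.0.0.0:*
tcp   LISTEN 0      4096     0.0.0.0:16514    0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:5900     0.0.0.0:*
udp   UNCONN 0      0        0.0.0.0:111      0.0.0.0:*
"""


def unexpected_listeners(ss_output: str) -> list:
    """(proto, address, port) for every listening socket outside the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")   # header line has "Port", skipped
        if port.isdigit() and (addr, int(port)) not in EXPECTED_LISTENERS:
            findings.append((fields[0], addr, int(port)))
    return findings


# Constructed libvirt domain definitions.
ISOLATED_DOMAIN = """<domain type='kvm'><name>vfw-01</name>
  <memory unit='KiB'>4194304</memory><vcpu placement='static'>2</vcpu>
  <cputune><vcpupin vcpu='0' cpuset='4'/><vcpupin vcpu='1' cpuset='5'/></cputune>
  <memtune><hard_limit unit='KiB'>4718592</hard_limit></memtune>
  <devices><disk type='file' device='disk'><target dev='vda'/>
    <iotune><total_iops_sec>5000</total_iops_sec></iotune></disk></devices>
</domain>"""
OVERLAPPING_DOMAIN = """<domain type='kvm'><name>vdns-02</name>
  <memory unit='KiB'>2097152</memory><vcpu placement='static'>1</vcpu>
  <cputune><vcpupin vcpu='0' cpuset='5'/></cputune>
  <memtune><hard_limit unit='KiB'>2359296</hard_limit></memtune>
  <devices><disk type='file' device='disk'><target dev='vda'/>
    <iotune><total_iops_sec>2000</total_iops_sec></iotune></disk></devices>
</domain>"""
UNISOLATED_DOMAIN = """<domain type='kvm'><name>vrouter-07</name>
  <memory unit='KiB'>4194304</memory><vcpu>2</vcpu>
  <devices><disk type='file' device='disk'><target dev='vda'/></disk></devices>
</domain>"""


def audit_domain_isolation(domain_xml: str) -> list:
    """Findings on vCPU, memory and disk I/O isolation for one domain."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", "?")
    findings = []
    vcpus = int(root.findtext("vcpu", "0"))
    pinned = {pin.get("vcpu") for pin in root.findall("cputune/vcpupin")}
    unpinned = [i for i in range(vcpus) if str(i) not in pinned]
    if unpinned:
        findings.append(f"{name}: vCPUs {unpinned} not pinned; they float over CPUs shared with other VMs")
    if root.find("memtune/hard_limit") is None:
        findings.append(f"{name}: no memtune/hard_limit; QEMU process memory is not cgroup-capped")
    for disk in root.findall("devices/disk"):
        if disk.find("iotune") is None:
            findings.append(f"{name}: disk {disk.find('target').get('dev')} has no iotune rate cap")
    return findings


def parse_cpuset(spec: str) -> set:
    """Expand a libvirt cpuset such as '0-3,^2,8' into host CPU numbers."""
    cpus = set()
    for part in spec.split(","):
        if part.startswith("^"):            # libvirt exclusion, listed after the ranges
            cpus.discard(int(part[1:]))
            continue
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def pinned_cpu_conflicts(domain_xmls: list) -> dict:
    """Host CPUs claimed by more than one VM's vcpupin: {cpu: [vm names]}."""
    owners = {}
    for xml_text in domain_xmls:
        root = ET.fromstring(xml_text)
        for pin in root.findall("cputune/vcpupin"):
            for cpu in parse_cpuset(pin.get("cpuset")):
                owners.setdefault(cpu, []).append(root.findtext("name", "?"))
    return {cpu: names for cpu, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_SS_OUTPUT))
    for xml_text in (ISOLATED_DOMAIN, UNISOLATED_DOMAIN):
        print(audit_domain_isolation(xml_text) or ["isolated"])
    print("pinned CPU conflicts:", pinned_cpu_conflicts([ISOLATED_DOMAIN, OVERLAPPING_DOMAIN]))
```

The three per-domain checks map onto the paper's vCPU, vMemory and vI/O isolation: vcpupin fixes the affinity of each vCPU thread, hard_limit caps the QEMU process through the memory cgroup, and iotune bounds the disk throughput a guest can consume. The cross-domain check matters because pinning alone is not isolation: two VMs pinned to the same host CPU, as vfw-01 and vdns-02 are here, can still starve each other, which is the "reducing real-time performance" threat described in section 3.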