Page 288 - Kaleidoscope Academic Conference Proceedings 2024

2024 ITU Kaleidoscope Academic Conference




For network boundary protection, security devices such as anti-DDoS, firewall, and IDS/IPS can be deployed at the boundary of the virtualized network infrastructure to perform network detection and defense, thereby protecting communication between internal and external systems. The physical server should also support traffic separation, carrying management, signaling, and data traffic over different interfaces, which reduces interference and risk between services. In addition, regular security audits and vulnerability scans are required to promptly identify and fix potential security vulnerabilities.

5.2 Virtual Network Function Security

5.2.1 VM Security

The guest (tenant) operating system should be hardened with security measures such as closing unnecessary ports and services, scanning for vulnerabilities, virus detection, and resource isolation. The integrity and confidentiality of the VM image should be protected, and the image should be stored securely to prevent unauthorized access. When VMs are migrated, security policies should be synchronized with them to ensure their continuity and availability. In addition, all access to the VM should be authenticated and authorized.

5.2.2 Container Security

For container security, it is crucial to ensure resource isolation between containers, and between containers and the host operating system. Secure storage of image repositories (registries) and container images is an important aspect of container security: measures should be taken to protect the integrity and confidentiality of image repositories and container images, and they should be stored securely to prevent unauthorized access. At the same time, all access to containers should be authenticated and authorized, so that fine-grained permission management of container operations can be achieved.

5.2.3 Data Security

Full-lifecycle security protection should be provided for VNF data, including at least secure storage, access restricted to authenticated and authorized parties, and thorough removal of residual data. The VNF should support authentication and authorization of access by other entities, as well as encryption and integrity protection of transmitted data. In addition, the VNF should be backed up and the backup stored in another data center. A VNF can authenticate other entities based on PKI and use the TLS protocol to protect data in transit.

5.2.4 Network Security

VNF traffic can be monitored and analyzed using technologies such as artificial intelligence and big data. When an attack is detected, corresponding security measures should be taken, such as blocking all traffic from malicious VNFs and migrating traffic from malicious VNFs to new, secure VNFs. Misconfiguration control should also be supported, and an entry whitelist at each subnet level can be used to limit the blast radius. In addition, a virtualized network function should use secure protocols to protect communication with other VNFs and with management components, and should establish disaster recovery mechanisms.

5.2.5 Management Security

The VNF should support authentication and authorization of access by internal operations and maintenance personnel. The SDN controller should protect the confidentiality and integrity of data transmitted in both the southbound and northbound directions. The SDN controller should check whether the policy is in effect on the switch, and keep the policy synchronized between the SDN controller and the switch; if the policy is out of sync, the SDN controller should detect the discrepancy. The availability of the software-defined network should not be affected by attacks that exploit configuration options or timing, such as the duration of a reconfiguration.

5.3 Virtual Network Management Security

5.3.1 SDN Controller Security

The SDN controller should be able to detect (D)DoS attacks on both the southbound and northbound interfaces, and should take appropriate security measures to deal with them. At the same time, the integrity and confidentiality of the SDN controller software should be protected. The platform on which the SDN controller software is installed should be hardened, for example by correctly configuring ports and services, closing unnecessary ports and services, scanning for vulnerabilities, and detecting viruses. In addition, the SDN controller should support detection and resolution of policy conflicts, authentication and authorization of access to the southbound and northbound interfaces, and so on.

5.3.2 NFV Orchestrator Security

MANO is responsible for the management and orchestration of virtual resources and should support hardening checks that ensure unnecessary ports and services in the system are closed. Regular vulnerability scanning and virus detection are also essential. At the same time, MANO should implement strict access control policies, authenticating and authorizing every request to access MANO and the other elements in the system, so that only authorized users can access and operate the related resources; this significantly improves the security of the entire system.

6. NETWORK VIRTUALIZATION SECURITY USE CASES

6.1 SD-WAN
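Section 5.2.3 says a VNF can authenticate other entities based on PKI and protect data in transit with TLS. The following is an added example, written for this page using only Python's standard `ssl` module (it is not code from the paper or from any VNF product), that shows what that requirement looks like as a TLS policy: the client side verifies the peer against the operator CA and checks the hostname, the server side requires a client certificate (mutual TLS), and both refuse TLS versions below 1.2. The function names, the `is_hardened` check and the certificate paths are assumptions; when no paths are given the contexts are built without loading files so the policy can be inspected offline.

```python
"""Added example: TLS contexts for VNF-to-VNF and VNF-to-MANO links.

Illustration code written for this page, not any VNF vendor's code. The
CA/cert/key paths are placeholders; with None the functions build the
context without loading files so the policy can be inspected offline.
"""
import ssl


def vnf_client_context(ca_file=None, cert_file=None, key_file=None):
    """Context a VNF uses when it connects to another VNF or to MANO.

    The peer must present a certificate chaining to the operator PKI
    (ca_file) and the certificate name must match the name we dialled.
    We load our own certificate so the peer can authenticate us in turn.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 / 1.1
    ctx.check_hostname = True                      # bind identity to the name
    ctx.verify_mode = ssl.CERT_REQUIRED            # no anonymous peers
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # our own PKI identity
    return ctx


def vnf_server_context(ca_file=None, cert_file=None, key_file=None):
    """Context a VNF uses when it accepts connections from peers.

    Purpose.CLIENT_AUTH does not verify the client by default; for mutual
    TLS we require a client certificate issued by the operator PKI.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # client must present a cert
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def weak_context():
    """The anti-pattern a reviewer should flag: peer verification disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx, client_side=True):
    """Minimal policy check usable in a unit test or a configuration audit."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    if client_side and not ctx.check_hostname:
        return False
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, ctx, side in (("client", vnf_client_context(), True),
                            ("server", vnf_server_context(), False),
                            ("weak", weak_context(), True)):
        print(f"{name}: hardened={is_hardened(ctx, side)}")
```

In deployment the contexts would be created with the operator CA bundle and the VNF's own certificate and key, and the same `is_hardened` check can run in CI against every context the VNF builds so that a later "temporary" `CERT_NONE` cannot ship unnoticed.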
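Sections 5.2.5 and 5.3.1 above require the SDN controller to verify that its policy is in effect on the switch, detect when the two are out of sync, and detect conflicts within the policy. The following added example (illustration code written for this page, not a real controller's API; `FlowRule`, `find_conflicts` and `check_sync` are hypothetical names) models a simplified L3/L4 flow rule and implements both checks over constructed sample data: a conflict finder that reports same-priority rules with overlapping matches and different actions, and lower-priority rules fully shadowed by a higher-priority rule with the opposite action; and a sync check that compares the controller's intended rule set with what a switch reports, yielding missing, stale, and modified rules.

```python
"""Added example: flow-policy conflict detection and controller/switch drift.

Written for this page as illustration; not the API of any SDN controller.
The rule model and the sample policies below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class FlowRule:
    """A simplified flow rule as the controller intends to install it."""
    rule_id: str
    priority: int      # higher priority wins on the switch
    src: str           # CIDR
    dst: str           # CIDR
    proto: str         # "tcp", "udp" or "any"
    action: str        # "allow" or "drop"


def _proto_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def _match_overlap(a: FlowRule, b: FlowRule) -> bool:
    """True if some packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and _proto_overlap(a.proto, b.proto))


def _match_subset(inner: FlowRule, outer: FlowRule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.proto == "any" or inner.proto == outer.proto))


def find_conflicts(rules):
    """Report rule pairs whose combined effect is ambiguous or unreachable.

    ("ambiguous", a, b): same priority, overlapping match, different action
    ("shadowed", lo, hi): lo can never fire because hi has higher priority,
                          covers every packet lo matches, and acts differently
    """
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action or not _match_overlap(a, b):
                continue
            if a.priority == b.priority:
                findings.append(("ambiguous", a.rule_id, b.rule_id))
            else:
                hi, lo = (a, b) if a.priority > b.priority else (b, a)
                if _match_subset(lo, hi):
                    findings.append(("shadowed", lo.rule_id, hi.rule_id))
    return findings


def check_sync(controller_rules, switch_rules):
    """Compare the controller's intended policy with what a switch reports."""
    want = {r.rule_id: r for r in controller_rules}
    have = {r.rule_id: r for r in switch_rules}
    return {
        "missing": sorted(set(want) - set(have)),      # not installed
        "stale": sorted(set(have) - set(want)),        # unknown to controller
        "modified": sorted(k for k in want.keys() & have.keys()
                           if want[k] != have[k]),     # installed but altered
    }


# Constructed sample: the controller's intended policy for one tenant subnet.
CONTROLLER_POLICY = [
    FlowRule("r1", 200, "10.0.1.0/24", "10.0.2.10/32", "tcp", "allow"),
    FlowRule("r2", 100, "10.0.1.0/24", "0.0.0.0/0", "any", "drop"),
    FlowRule("r3", 200, "10.0.1.5/32", "10.0.2.10/32", "tcp", "drop"),  # ambiguous with r1
    FlowRule("r4", 50, "10.0.1.0/25", "10.0.3.0/24", "udp", "allow"),   # shadowed by r2
]

# Constructed sample: what the switch reports. r4 is missing, r2 has been
# altered to "allow", and an r9 the controller never issued is installed.
SWITCH_STATE = [
    FlowRule("r1", 200, "10.0.1.0/24", "10.0.2.10/32", "tcp", "allow"),
    FlowRule("r2", 100, "10.0.1.0/24", "0.0.0.0/0", "any", "allow"),
    FlowRule("r3", 200, "10.0.1.5/32", "10.0.2.10/32", "tcp", "drop"),
    FlowRule("r9", 300, "0.0.0.0/0", "0.0.0.0/0", "any", "allow"),
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(CONTROLLER_POLICY))
    print("drift:", check_sync(CONTROLLER_POLICY, SWITCH_STATE))
```

A "modified" or "stale" result is exactly the out-of-sync condition of Section 5.2.5 and should be treated as a security event, not only as a configuration error: the altered `r2` silently turns a default-drop into a default-allow, and the foreign `r9` is a catch-all allow at the highest priority. Conflict findings belong in the policy validation step before installation, so that ambiguous or unreachable rules never reach the switch.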





                                                          – 244 –