Page 288 - Kaleidoscope Academic Conference Proceedings 2024
2024 ITU Kaleidoscope Academic Conference
For network boundary protection, security devices such as anti-DDoS, firewall and IDS/IPS can be deployed at the network boundary of the virtualization network infrastructure to perform network detection and defense, thereby protecting communication between internal and external systems. The physical server should also support traffic separation, carrying management, signaling and data services over different interfaces, which effectively reduces interference and risk between services. In addition, regular security audits and vulnerability scans are required to promptly identify and fix potential security vulnerabilities.

5.2 Virtual Network Function Security

5.2.1 VM Security

The customer's operating system should be hardened with security measures such as closing unnecessary ports and services, scanning for vulnerabilities, virus detection and resource isolation. The integrity and confidentiality of the VM image should be protected, and the image should be stored securely to prevent unauthorized access. When migrating VMs, security policies should be synchronized to ensure their continuity and availability. In addition, all access to the VM should be authenticated and authorized.

5.2.2 Container Security

For container security, it is crucial to ensure resource isolation between containers, and between containers and the host operating system. Secure storage of image repositories and container images is an important aspect of container security: measures should be taken to protect the integrity and confidentiality of image repositories and container images, and they should be stored securely to prevent unauthorized access. At the same time, all access to containers should be authenticated and authorized, to achieve fine-grained permission management for container operations.

5.2.3 Data Security

We should provide full-lifecycle security protection for VNF data, including at least secure storage, allowing only authenticated and authorized access, and thoroughly removing residual data. The VNF should support authentication and authorization of access by other entities, as well as encryption and integrity protection of transmitted data. In addition, the VNF should be backed up and stored in another data center. The VNF can authenticate other entities based on PKI and use the TLS protocol to protect data in transit.

5.2.4 Network Security

VNF traffic can be monitored and analyzed using technologies such as artificial intelligence and big data. When an attack is detected, corresponding security measures should be taken, such as blocking all traffic from malicious VNFs and migrating traffic from malicious VNFs to new, secure VNFs. Meanwhile, security misconfiguration control should be supported, and an ingress whitelist at each subnet level can be used to limit the blast radius. In addition, the virtualization network function should also use security protocols to protect communication with other VNFs or management components, and establish disaster recovery mechanisms.

5.2.5 Management Security

The VNF should support authentication and authorization of access for internal operations and maintenance personnel. The SDN controller should protect the confidentiality and integrity of data transmitted in both the southbound and northbound directions. The SDN controller should check whether its policy is in effect on the switch and keep policy synchronized between the controller and the switch; if the policy is not synchronized, the SDN controller will detect it. The availability of software-defined networks should not be affected by security attacks related to configuration options or timing, such as the duration of reconfiguration.

5.3 Virtual Network Management Security

5.3.1 SDN Controller Security

The SDN controller should be able to detect (D)DoS attacks from both the southbound and northbound interfaces and take appropriate security measures against them. At the same time, the integrity and confidentiality of the SDN controller software should be protected. The platform on which the SDN controller software is installed should be hardened, for example by correctly configuring ports and services, closing unnecessary ports and services, scanning for vulnerabilities and detecting viruses. In addition, the SDN controller should also support detection and resolution of policy conflicts, authentication and authorization of access to the southbound and northbound interfaces, etc.

5.3.2 NFV Orchestrator Security

MANO is responsible for the management and orchestration of virtual resources and should support hardening checks that ensure unnecessary ports and services in the system are closed. In addition, regular vulnerability scanning and virus detection are also essential. At the same time, MANO should implement strict access control policies, authenticating and authorizing all requests to access MANO and other elements in the system, ensuring that only authorized users can access and operate the related resources and significantly improving the security of the entire system.

6. NETWORK VIRTUALIZATION SECURITY USE CASES

6.1 SD-WAN
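Before the use cases, an added example (not code from the paper) of two requirements stated above: the controller-to-switch policy synchronization check of 5.2.5 and the policy-conflict detection of 5.3.1. The FlowRule structure, the match field names and the sample flow tables are constructed assumptions; a real controller would obtain the installed table from the switch's flow statistics reply.

```python
# Added example, not from the paper: check that a switch's flow table matches the
# controller's policy (5.2.5) and detect conflicting rules (5.3.1). All constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Match = Tuple[Tuple[str, str], ...]  # sorted (field, value) pairs

@dataclass(frozen=True)
class FlowRule:
    match: Match
    priority: int
    action: str  # e.g. "output:2" or "drop"

def rule_key(rule: FlowRule) -> Tuple[Match, int]:
    """Rules with identical match and priority target the same packets."""
    return (rule.match, rule.priority)

def find_conflicts(rules: List[FlowRule]) -> List[Tuple[FlowRule, FlowRule]]:
    """Same match and priority but different actions: the switch's choice is
    undefined, so the controller must resolve the conflict before installing."""
    first_seen: Dict[Tuple[Match, int], FlowRule] = {}
    conflicts = []
    for rule in rules:
        key = rule_key(rule)
        if key in first_seen and first_seen[key].action != rule.action:
            conflicts.append((first_seen[key], rule))
        first_seen.setdefault(key, rule)
    return conflicts

def reconcile(intended: List[FlowRule], installed: List[FlowRule]):
    """Compare intended policy with the switch's reported table. Returns
    (to_add, to_modify, to_delete): rules missing on the switch, rules present
    with the wrong action, and rules the controller never issued."""
    want = {rule_key(r): r for r in intended}
    have = {rule_key(r): r for r in installed}
    to_add = [r for k, r in want.items() if k not in have]
    to_delete = [r for k, r in have.items() if k not in want]
    to_modify = [(have[k], want[k]) for k in want
                 if k in have and have[k].action != want[k].action]
    return to_add, to_modify, to_delete

def sample_drift():
    """Constructed scenario: the controller has quarantined VNF 10.0.2.7 (5.2.4),
    but the switch still forwards its traffic and holds a rule nobody issued."""
    intended = [FlowRule((("nw_src", "10.0.2.7"),), 200, "drop"),
                FlowRule((("nw_dst", "10.0.1.0/24"),), 100, "output:2")]
    installed = [FlowRule((("nw_src", "10.0.2.7"),), 200, "output:3"),   # stale
                 FlowRule((("nw_dst", "10.0.1.0/24"),), 100, "output:2"),
                 FlowRule((("nw_dst", "10.0.9.0/24"),), 100, "output:4")]  # unissued
    return reconcile(intended, installed)
```

The to_modify list is the case the text warns about: the quarantine decided by the controller has not reached the switch, so the malicious VNF is still being forwarded until the controller re-pushes the rule.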
– 244 –