NFV threats

NFV threats

NFV threats are located at intersection of virtualization and general networking threats and, therefore, can be mitigated by hardening both virtualization and networking protection.

Enabling NFV in a cloud environment brings the following threats:

  • Intellectual Property related threats. VNFs may come from different vendors that should take measures to protect the proprietary code in VNFs against each other and a cloud operator (Information disclosure).

  • VNF images can be altered or replaced by a compromised one (Tampering). To mitigate the tampering threat, provide integrity verification for VNF images.

  • Because of dynamic nature of NFV, network traffic loops may occur. For example, when a VNF’s output goes to directly or through intermediaries to its input. This may lead to the DoS amplification attacks. Detect loops during topology validation or when forwarding messages.

  • The resources of the virtualisation infrastructure (storage, network connections, memory, CPU, operating system resources) can be exhausted by an attacker causing a DoS attack. To mitigate the DoS attack caused by overconsumption of of the virtualisation infrastructure resources, enable monitoring for degraded performance and anomalies in resource allocation.

  • When using the IOMMU technology (for example, Intel VT-d) to provide the direct access from a network adapter to a VM’s memory, one VM can access another VM’s memory, prevents VM from starting, alter a hypervisor or take the whole host down. To mitigate these threats (information disclosure, DoS, tampering), verify that your network card uses shared IOMMU implemented in the I/O chipset as a part of the SR-IOV standard.

  • The cloned VNF image may contain confidential information such as private keys, certificates, passwords and tokens. Once one of the images is compromised, all clones are. To mitigate information disclosure threat, use secure key management and a unique key pair for every cloned image. Employ operator-controlled certification authorities (CAs) for internal services such as management, orchestration, and operation within NFVI.

  • Diagnostic, debugging, and monitoring interfaces enabled in a VNF for remote support can be exploited by attackers. To prevent unauthorized access using VNFs, provide authorization to control if a VNF can turn into a maintenance mode, what diagnostics functions are allowed, and who can run them.