Contents
1. Introduction
1.1 Scope
1.2 Outline
2.2 Regulations
3.2 Security zones and traffic separation in cloud-based telco networks
4.
5.
8. Abbreviations 26
9. References 27
Page 2
networks.nokia.com
1. Introduction
1.1 Scope
In today's societies, communication networks and access to the Internet are considered a critical part of the infrastructure, which has to be available all the time and must be resilient to malicious attacks. Recent events, such as the US government's National Security Agency collecting data from communication networks on any person, and security incidents such as password theft from cloud storage, have increased scrutiny on the security of communication networks and on how they protect the privacy of individuals. The EU [1] asserts that, "For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace."
With the advent of the ETSI Network Function Virtualization (NFV) Industry Specification Group, it became very obvious that in the future many network functions and network elements will be implemented as cloud-based solutions. This compounds the intrinsic security risks of IP-based communication networks with the new security risks of cloud infrastructures.

This means that in future we expect operators to take every necessary step to avoid security breaches, and also to install techniques that measure the state of security and report it to their customers in order to allay their concerns.
1.2 Outline
In this document we first describe the main drivers behind the increased need for improved security measures. Based on that, we describe a concept for an end-to-end automated security resilience, update and transparency system, which helps operators comply with forthcoming security regulations, counter threats and meet increased customer expectations. Then we describe how the specific security risks that arise from employing cloud infrastructure technologies and, especially, Software Defined Networking (SDN) technologies can be dealt with and minimized.

Last but not least, we briefly outline how security can become a built-in feature of a future orchestrated network.

Finally, Nokia Networks' ability to build and deliver secure networks is also highlighted.
2.2 Regulations
Regulators are exercising their right of governance over Mobile Broadband (MBB) networks, since these are key critical infrastructure. The EU has proposed a cyber-security strategy that outlines its vision in the domain, clarifies roles and responsibilities, and defines the actions required to protect citizens' rights [8].

In the US, cyber security is seen as a serious economic and national security threat, and the US President has established a Cyber Security Office within the National Security Staff with a cybersecurity coordinator [9].

In Asia, some governments have established national cyber security policies [10]. Regulators are also specifying minimal compliance requirements that must be verifiable before a network element can be used in the mobile broadband network of any carrier. To safeguard the privacy of their citizens, some governments are proposing legislation
[Figure: security orchestration in a telco cloud. Labels: OSS/BSS (FCAPS management, app management); Network Orchestrator; Service Orchestrator; Security Orchestrator; EMS; VNF-specific security; virtualized security functions to protect NFV (IMS, TAS, MME, S/P-GW, registers) on a secured telco cloud hypervisor; IaaS API or other interface; virtualized security; physical security.]
Fig. 4. End to end view with ubiquitous cloud deployment and usage
Security (and privacy) needs will be common, since the threats will either be the same or overlap substantially, mainly because all these environments are in the cloud and connected via IP networks. The necessary security capabilities can only be realized and enforced with institutionalized policies, both internally and with business partners, together with hardened security products, persistent data collection, and real-time cognitive analysis and action engines.

In the mobile broadband network, security data collection would be multi-dimensional (from devices, people and networks to service entities), and the associated cognitive engine would be part of the Business & Operations cloud. The security practices would interact over APIs
[Figure: security data collection and cognitive engine. Labels: common virtual repository (people, devices, network, storage, servers, applications, content); information exchange engine; action engine; reporting engine; API to external S&P; API to external business partners, PDE.]
8. Abbreviations
API
DDoS
DoS
ETSI
EU
FWaaS
GOT
HSS
HTTP
ICMP
IDS
IP
IPS
ISG
IPsec
MBB
MPLS
NEP
NFV
NSA
NTP
PLT
SDN
SLA
SSH
SSL
SWIP
TLS
vFW
vNF
VNF
VM
VPNaaS
WWW
9. References
1. Cyber security Strategy of the European Union: An Open, Safe and Secure Cyberspace, Joint Communication to the European Parliament, The Council, The European Economic and Social Committee and The Committee for the Regions; European Commission, February 7, 2013. http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-openinternet-and-online-freedom-and-opportunity-cyber-security
2. Before the Gunfire, Cyberattacks, The New York Times, August 12, 2008; http://www.nytimes.com/2008/08/13/technology/13cyber.html
3. Wicked Innovation, Robert Lemos, Security Dark Reading, January 2011.
4. Digital Certificates, Paul Roberts, Security Dark Reading, November 2012.
5. Hacking crisis costs EMC reputation in security, Jim Finkle, June 8, 2011, http://www.reuters.com/article/2011/06/08/usemc-security-idUSTRE7576E920110608
6. Verizon 2012 Data Breach Investigations Report, Verizon, http://www.verion.com/enterprise
7. Risk and Responsibility in a Hyperconnected World, World Economic Forum in collaboration with McKinsey & Company; January 2014.
8. Cyber security Strategy of the European Union: An Open, Safe and Secure Cyberspace, Joint Communication to the European Parliament, The Council, The European Economic and Social Committee and The Committee for the Regions; European Commission, February 7, 2013. http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-openinternet-and-online-freedom-and-opportunity-cyber-security
9. CyberSecurity, http://www.whitehouse.gov/cybersecurity
10. The Botnet Chronicles: A Journey to Infamy, Rick Ferguson, Trend Micro, November 2010; http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/the_botnet_chronicles_-_a_journey_to_infamy__nov_2010_.pdf
11. Brazil's Rousseff targets internet companies after NSA spying, www.reuters.com; September 12, 2013.
12. Network Function Virtualization (NFV) Management and Orchestration, ETSI, France, 2014.
13. Refer to specifications from the Open Networking Foundation, http://www.opennetworking.org
14. How to Secure an API - Tips for REST + JSON Developers, https://stormpath.com/blog/how-secure-api-tips-rest-jsondevelopers/
15. NSN NFV Orchestrator technical solution description, Nokia, December 2013.
Public
Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.
Nokia
Nokia Solutions and Networks Oy
P.O. Box 1
FI-02022
Finland
Visiting address:
Karaportti 3,
ESPOO,
Finland
Switchboard +358 71 400 4000
Product code C401-01087-WP-201409-1-EN
Nokia Solutions and Networks 2014