European Union Agency for Cybersecurity (ENISA): NFV Security in 5G, Challenges and Best Practices (English version, 166 pages)

编号:117839 PDF  DOCX  166页 3.07MB 下载积分:VIP专享
下载报告请您先登录!

欧盟网络安全局:5G中的网络功能虚拟化(NFV)安全挑战与最佳实践(英文版)(166页).pdf

NFV SECURITY IN 5G
Challenges and Best Practices
February 2022

ABOUT ENISA
The European Union Agency for Cybersecurity, ENISA, is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union's infrastructure and, ultimately, to keep Europe's society and citizens digitally secure. More information about ENISA and its work can be found at www.enisa.europa.eu.

CONTACT
For contacting the authors please use resilience@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

EDITORS
Evgenia Nikolouzou, Goran Milenkovic, Georgia Bafoutsou and Slawomir Bryska (ENISA)

CONTRIBUTORS
Mohamad Hajj, Claire Loiseaux

ACKNOWLEDGEMENTS
We are grateful for the review and valuable input received from: the experts in the ECASEC Expert Group (formerly known as the Article 13a Expert Group), which comprises national telecom regulatory authorities (NRAs) from all EU and EFTA countries; the experts from national authorities in the NIS Cooperation Group, and particularly those experts contributing to the NIS CG work stream on 5G cybersecurity; and the ETSI ISG NFV Security WG, which is developing specifications and reports for the virtualisation of network functions, with a focus on the management and orchestration of virtualised resources.

LEGAL NOTICE
This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to Regulation (EU) No 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must contain ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources, including external websites, referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE
European Union Agency for Cybersecurity (ENISA), 2022
This publication is licensed under CC-BY 4.0. "Unless otherwise noted, the reuse of this document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed, provided that appropriate credit is given and any changes are indicated."
ISBN 978-92-9204-557-9, DOI 10.2824/166009, Catalogue Number TP-06-22-045-EN-N

TABLE OF CONTENTS
1. INTRODUCTION 7
  1.1 OBJECTIVES 7
  1.2 SCOPE 8
  1.3 TARGET AUDIENCE 9
  1.4 METHODOLOGY 10
  1.5 STRUCTURE OF THE REPORT 10
2. 5G NFV SECURITY FRAMEWORK 12
  2.1 5G END-TO-END ARCHITECTURE 12
  2.2 NFV ARCHITECTURE 16
  2.3 NFV WITH SDN ROLES 20
  2.4 5G NFV STAKEHOLDERS 22
  2.5 NFV SECURITY OPPORTUNITIES 24
  2.6 NFV KEY TECHNOLOGIES 25
  2.7 NFV DEPLOYMENT MODELS 31
3. 5G NFV: ASSETS, CHALLENGES, VULNERABILITIES AND ATTACK SCENARIOS 36
  3.1 ASSETS 36
  3.2 SECURITY CHALLENGES 37
  3.3 NFV VULNERABILITIES 52
  3.4 NFV ATTACK SCENARIOS 53
4. 5G NFV SECURITY BEST PRACTICES 55
  4.1 CATEGORISATION OF SECURITY MEASURES 55
  4.2 SECURITY REQUIREMENTS AND MEASURES OF THE EECC 62
  4.3 OTHER RELEVANT SECURITY HARDENING GUIDANCE 63
  4.4 RATIONALE BETWEEN CHALLENGES CATEGORIES, VULNERABILITIES CATEGORIES, ATTACKS, AFFECTED ASSETS AND BEST PRACTICES 64
5. OPEN AND FUTURE SECURITY CHALLENGES 68
6. CONCLUSION 70
LIST OF ABBREVIATIONS 72
REFERENCES 77
A ANNEX: ROLES AND RESPONSIBILITIES 84
B ANNEX: ASSETS MAPS 86
C ANNEX: VULNERABILITY TAXONOMY 91
D ANNEX: ATTACK TAXONOMY 98
E ANNEX: BEST PRACTICES REGISTER 105
F ANNEX: MAPPING OF CHALLENGES, VULNERABILITIES, ATTACK SCENARIOS, AFFECTED ASSETS AND BEST PRACTICES 125
G ANNEX: REFERENCES FOR CHALLENGES 148
H ANNEX: NFV MANO PLATFORMS 152
I ANNEX: NFV STANDARDISATION, OPEN-SOURCE AND ACADEMIA/INDUSTRY INITIATIVES 156

EXECUTIVE SUMMARY
The advent of 5G wireless communications constitutes a new era of network connection that will not only expand technical capabilities but will also revolutionise many aspects of commerce and personal lives by driving an exponential increase in the number of connected devices in various sectors of the economy. 5G is an altogether different network technology that will introduce a virtualised, cloud-based architecture, enabling highly specialised functions and security for different network applications. This 5G revolution will also expand the attack surface for cyberthreats, thus necessitating the introduction of the principles of security-by-design from the early stages of the design and deployment of 5G networks.

Towards this technological revolution, the European Commission and the Member States, with the support of ENISA, developed a single EU Coordinated Risk Assessment on Cybersecurity in 5G Networks, following on the European Commission's Recommendation on the cybersecurity of 5G networks. Subsequently, the NIS Cooperation Group published the EU toolbox of risk mitigating measures. The objectives of this toolbox are to identify a possible common set of measures that are capable of mitigating the main cybersecurity risks of 5G networks that were identified in the EU report on coordinated risk assessment, and to provide guidance for the selection of measures that should be prioritised in mitigation plans at national and at Union level. One of the technical measures, TM04, calls on relevant authorities in EU Member States to ensure that Mobile Network Operators follow security best practices for network function virtualisation (NFV).

Network Function Virtualisation (NFV) has made a huge impact in a very short time, since the use of virtualisation technologies brings various benefits such as agility, flexibility and cost efficiency. At the same time, the introduction of NFV in 5G networks also introduces new challenges and risks. NFV changes the network security environment due to resource pools based on cloud computing and open network architecture. Thanks to the agility and the Orchestration and Management (O&M) efficiency of NFV networks, attacked networks can potentially be abandoned and resources recycled, enabling disasters to be quickly isolated, a response that is impossible in traditional networks. Network functions, network links, and even entire networks can be rapidly redeployed, enabling fast recovery from disasters. At the same time, though, security challenges have become more diverse.

In this report the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network are explored, and security controls and best practices are put forward to address these challenges, taking into account the particularities of this highly complex, heterogeneous and volatile environment. Accordingly, this ENISA study provides the following main information:
- the 5G NFV security framework;
- potential 5G NFV deployment models;
- the main stakeholders involved in the 5G NFV ecosystem, with their roles and responsibilities;
- challenges, vulnerabilities, assets and attack taxonomies for 5G NFV;
- best practices to improve the cybersecurity posture of 5G NFV;
- a full mapping of challenges, vulnerabilities, assets, attack scenarios and best practices;
- NFV standardisation, open-source and initiatives from academia and industry.

Specifically, in this report sixty security challenges grouped into 7 categories have been identified and explored. These drive the report to the next steps: vulnerabilities, attack scenarios, their impact on the 5G NFV assets, and 55 best practices classified under Technical, Policy and Organisational categories. The main challenges explored in this report have shown that:
- Resource virtualisation: the virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack, with disastrous consequences.
- Resource sharing: a single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.
- Use of open source: there will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and the prevention of deliberate security flaws.
- Multi-vendor environment: in such an environment it is difficult to coordinate security policies and determine responsibility for security problems, and it requires more effective network security monitoring capabilities.
- Supply chain: introduces risks such as malicious software and hardware, counterfeit components, poor designs, manufacturing processes and maintenance procedures. This may result in negative consequences, such as data and intellectual property theft, loss of confidence in the integrity of the 5G network, or exploitation to cause system and network failure.
- Lawful Interception (LI) functionality: placing LI functions within the virtualised environment exposes them to a variety of security and visibility risks.

1. INTRODUCTION

Fifth Generation (5G) networks aim at providing value-added services with advanced performance such as low-latency communications, high reliability, high data rates and the capacity to support an increasing number of connected devices. 5G aims to provide a flexible platform to integrate vertical industries and a wide range of services and applications such as autonomous driving, robotics, augmented and virtual reality, remote healthcare, and more. For such services and use cases, security technology and architecture must be natively integrated into the overall hybrid and virtual architecture to provide appropriate internal and external security services. Previous iterations, such as GSM/CDMA (2G) and HSPA/EV-DO (3G), were designed to connect people to people predominantly through voice and text, while LTE/LTE-A (4G) was designed to connect people to the Internet. 5G expands upon this evolution through ubiquitous connectivity of things to people, services, the Internet and things.

To meet the requirements for scale, throughput, latency and reliability, the 5G architecture has adopted Network Function Virtualisation (NFV) and Software-Defined Networking (SDN) to streamline network and service deployment, operations and management. Operators, service providers and other verticals (e.g. connected cars, IoT, eHealth, Industry 4.0) can leverage SDN/NFV to provide flexible and cost-effective service without compromising the end user's quality of service (QoS). NFV and SDN open the door to flexible networks and rapid creation of services. This both offers opportunities for security and, in some cases, introduces additional security challenges and complexities.

With the rapid proliferation of 5G networks, operators have started the deployment of NFV. While several standardisation bodies (e.g. ETSI, 3GPP, NGMN and GSMA) have started looking into the many security issues introduced by NFV, additional work is needed with greater involvement of the security community, including vendors, operators, universities and regulators. This report focuses on the various security challenges and opportunities introduced by NFV in 5G. We present current security challenges, vulnerabilities and attacks pertaining to NFV within the 5G network and put forward security controls and best practices to address these challenges, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

1.1 OBJECTIVES
This ENISA study aims at underlining and analysing the security challenges related to 5G NFV. The main objectives are to identify challenges and best practices to ensure the security of 5G NFV, while mapping the relevant security challenges, vulnerabilities, attack scenarios, assets and best practices. Note: 5G NFV in this report means NFV as applicable to 5G. This study indicates how challenges and vulnerabilities can be exploited through cyberthreats and how this exploitation can be mitigated through security controls and best practices. The following objectives have been set:
- identify 5G NFV sensitive assets;
- identify the potential and main cyber challenges, vulnerabilities and attack scenarios targeting 5G NFV;
- map identified challenges, vulnerabilities and attack scenarios to assets;
- identify relevant security measures and best practices, and map them to the security challenges.

Identified challenges, vulnerabilities, attack scenarios and best practices are consolidated from various publicly available resources, including:
- main 5G standardisation documents and telecommunication best practices (3GPP, ETSI, NIST, FFT, FCC and GSMA);
- EU-funded research projects (5G PPP);
- industrial white papers;
- research articles;
- guidance and recommendations from organisations such as CIS and CSA;
- interviews and contributions from 5G security experts and Member States.

1.2 SCOPE
Towards this technological revolution, the European Commission and the Member States (MS), with the support of ENISA, developed a single EU Coordinated Risk Assessment on Cybersecurity in 5G Networks¹, following on the European Commission's Recommendation on the cybersecurity of 5G networks² (published on 26 March 2019). This coordinated risk assessment is based on individual national risk assessments and identifies the main threats and threat actors, the most sensitive assets, the main vulnerabilities and the main risks. To complement this report and as a further input for the toolbox, ENISA carried out a dedicated threat landscape mapping, consisting of a detailed analysis of certain technical aspects, in particular the identification of network assets and of the threats affecting these. Subsequently, on 29 January 2020, the NIS Cooperation Group published the EU toolbox of risk mitigating measures³. The objectives of this toolbox are to identify a possible common set of measures that are capable of mitigating the main cybersecurity risks of 5G networks, as identified in the EU coordinated risk assessment report, and to provide guidance for the selection of measures which should be prioritised in mitigation plans at national and at Union level. The toolbox identifies two groups of measures MS can take: strategic and technical measures. In addition, it identifies a number of supporting actions that can assist, enable or support the implementation of strategic and technical measures.

One of the technical measures, TM04, calls on relevant authorities in EU Member States to ensure that mobile network operators follow best practices in security for network function virtualisation (NFV). To support implementation of this technical measure, the Toolbox also defines the supporting action SA01, calling for reviews or the development of guidelines and best practices on network security, and identifying ENISA and the relevant authorities in MSs as the relevant actors in this regard. NFV security in 5G is one of the key issues that needs to be addressed comprehensively in order to take advantage of the business opportunities arising from 5G networks.

¹ https://ec.europa.eu/digital-single-market/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
² https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=58154
³ https://ec.europa.eu/digital-single-market/en/news/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures

This ENISA study outlines best practices for the security of 5G NFV. It builds on several previous ENISA studies on 5G⁴ ⁵ and virtualisation⁶ and mainly focuses on 5G NFV. The purpose of the report is to explain the security challenges associated with NFV in 5G and to make practical best practices and recommendations for addressing those challenges when planning for, implementing and maintaining NFV.

Within NFV, a Network Function is implemented in virtualised form either as a Virtualised NF or as a Cloud Native NF. In this report the term VNF (Virtual Network Function) is used to designate both Virtualised NFs and Cloud Native NFs. The VNF is defined in this report as a software implementation of a Network Function, capable of running on the Cloud Infrastructure. VNFs are built from one or more VNF components (VNFCs) and, in most cases, a VNFC is hosted on a single VM or container. Virtualised NFs and Cloud Native NFs are similar in that they both virtualise network functions to build an agile 5G NFV infrastructure. Both use an underlying physical server to readily expand and adapt whenever and wherever the user needs to deploy network capabilities. The difference mainly lies in how those network functions are abstracted from the underlying physical server infrastructure. A Virtualised NF uses a hypervisor to provide a single layer of abstraction that enables networking and network security functions to run as dedicated appliances (e.g. routers, firewalls, etc.) in the form of virtual machines (VMs), which can quickly be deployed on generic hardware. A Cloud Native NF reduces each discrete network and network security function into a microservice, packaged in its own container and deployed on generic hardware resources on a cloud platform. Consequently, some aspects of NFV may vary among technologies (e.g. VM, container), but most security challenges and best practices in this report are intended to apply to most or all NFV technologies, unless otherwise specified.

1.3 TARGET AUDIENCE
The main purpose of this report is to provide knowledge and information on 5G NFV challenges and best practices to the relevant community. This information may be useful to a variety of target groups.
- Non-technical stakeholders such as policy-makers, regulators and law enforcement: this target group may find this report useful for understanding the emerging challenges, vulnerabilities, threats and the respective practices and measures for mitigation.
- Experts working in the telecommunication sector, such as operators, vendors and service providers: this target group may find this report useful for carrying out detailed threat analyses and risk assessments in accordance with their particular needs and mandate (e.g. to protect a specific number of components based on asset impact analysis, or to respond to specific vulnerabilities with customised mitigation measures, among others).
- Businesses, consultants and product developers: this target group can draw valuable conclusions from the developed analysis and material for their offerings (products, services). This can take the form of demonstrating how vulnerabilities have been eliminated by using developed defences, use of the material within customer projects, or use of the material as a benchmark for defining cybersecurity protection policies for such infrastructures (e.g. for the development of verticals). Moreover, the developed material can be used in developing security audits for 5G NFV infrastructures.
- Experts in research and innovation: the material presented provides a detailed view of security issues for 5G NFV. This target group may use this material as a basis for gap analysis, as material to evaluate the impact of research and as a source for innovative actions with regard to its further development and implementation. Finally, this target group may use this material as a useful resource for numerous academic activities, such as teaching, research, support of scholars, etc.

⁴ https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
⁵ https://www.enisa.europa.eu/publications/5g-supplement-security-measures-under-eecc
⁶ https://www.enisa.europa.eu/publications/security-aspects-of-virtualization

1.4 METHODOLOGY
ENISA has developed this study by following a four-step methodological approach.

Figure 1: Methodology

(1) Project scope definition: the first step consisted in establishing the scope of the project and identifying the main topics to be considered during the study.
(2) Desktop research and identification of expert groups: extensive research of relevant documents to gather as much information as possible about 5G NFV security challenges and best practices. The identified documents and standards were used as references for the development of this report. During this step, subject matter experts were also invited to validate the scope and provide feedback.
(3) Analysis of collected material and report development: all the information collected, whether through desktop research or directly from the experts identified, was thoroughly analysed.
(4) Review and report validation: ENISA shared the draft of the report with its relevant stakeholder communities and reference groups for review. Taking the feedback from the stakeholders into account, the proposed final version of the report was issued.

1.5 STRUCTURE OF THE REPORT
The study is structured as follows.
1. Chapter 1 - Introduction: provides introductory information on the objectives, scope, target audience, methodology followed and the structure of this study.
2. Chapter 2 - 5G NFV security framework: describes the architecture of 5G from the core to the far edge with a focus on the roles of NFV and SDN. It explores the main opportunities in NFV when it comes to security and illustrates some deployment models, with varying risks, that may be considered in a virtualised environment.

3. Chapter 3 - 5G NFV: Assets, challenges, vulnerabilities and attack scenarios: lists the sensitive assets that need to be protected. It identifies the main security challenges to be resolved. Moreover, it illustrates the list of potential vulnerabilities related to NFV challenges and sorts the main attacks into categories, with their impacts.
4. Chapter 4 - 5G NFV security best practices: presents a brief description of the security measures and best practices to mitigate and solve the challenges identified. It describes the high-level interrelations at the category level between the categories of challenges, categories of vulnerabilities, attacks, affected assets and best practices.
5. Chapter 5 - Open and future security challenges: provides some of the research challenges and future directions for NFV security.

The full details, taxonomies and coverage mappings are provided in the annexes as follows.
A. Annex A - Roles and Responsibilities: presents the various administrative roles and responsibilities belonging to 5G stakeholders.
B. Annex B - Assets Maps: provides mind maps of the assets already described in Chapter 3.
C. Annex C - Vulnerability Taxonomy: presents a description of the various NFV vulnerabilities illustrated in Chapter 3 that can be exploited to perform attacks impacting the confidentiality, integrity and availability of NFV systems.
D. Annex D - Attack Taxonomy: provides details for each attack listed in Chapter 3.
E. Annex E - Best practices register: provides a full description of the best practices from Chapter 4, with references.
F. Annex F - Mapping of challenges, vulnerabilities, attack scenarios, affected assets and best practices: illustrates the detailed mapping of security challenges to vulnerabilities, attack scenarios, affected assets and best practices.
G. Annex G - Challenges references: lists the documents used as references for the development of the security challenges in Chapter 3.
H. Annex H - NFV MANO Platforms: details the main MANO (management and orchestration) platforms for VMs and/or containers.
I. Annex I - NFV standardisation, open source and academic or industrial initiatives: provides the main NFV standardisation, open-source and academia/industry initiatives.

2. 5G NFV SECURITY FRAMEWORK

2.1 5G END-TO-END ARCHITECTURE
Figure 2 presents an NFV/SDN-enabled 5G architecture. It illustrates the various components from the core to the far edge. As defined by the 3rd Generation Partnership Project (3GPP), the 5G network is a Service-Based Architecture (SBA), which is a set of interconnected network functions (NFs) that deliver the control plane functionality and common data repositories of a 5G network [1], [2], [3], [4]. Supporting an SBA brings new requirements for the control, coordination and orchestration of disaggregated network functions that are distributed across the network. These network functions are virtualised or containerised microservices that can support the 5G core, the Radio Access Network (RAN) and Multi-access Edge Computing (MEC). Cloud RAN (CRAN), Virtualised RAN (VRAN) and Open RAN (ORAN) are all concepts that have emerged in the last few years to run baseband functions on commodity server hardware, based on the principles of Network Functions Virtualisation (NFV). MEC takes advantage of the existing NFV infrastructure to provide services characterised by low latency, proximity, location awareness, high bandwidth and real-time insight into radio network information. In order to support CRAN/ORAN/VRAN and MEC, operators will deploy small datacentres at the edge. These infrastructures will make it possible to deploy applications and VNFs at the edge without investing additional resources. The MEC (edge) platform at each datacentre will allow third-party applications to activate traffic offloading at the edge while also enabling access to other information provided by the operator.

The core network is the central part of the 5G infrastructure. It enables all functions related to multi-access technologies. Its main purpose is to deliver services over all kinds of networks (wireless, fixed, converged). The target of SDN is to use programmable software-driven devices to control the behaviour of the infrastructure. With SDN, user services can be delivered faster and the efficiency of network resources increases. SDN is based on three principles:
1. decoupling of control from traffic forwarding and processing;
2. logically centralised control;
3. programmability of network services.

A fully virtualised 5G network could bring the significant benefits of harmonisation: one single uniform hardware platform across the core network, RAN and edge. This could simplify the management of the complete network, reducing operations and maintenance costs. The following two sections give more details on the co-dependent technologies of NFV and SDN. Where NFV is in charge of dynamically creating and managing the network functions and provisioning various network services, SDN provides the capabilities to manage and orchestrate the virtual networks among these services. While both SDN and NFV make networking architectures more flexible and dynamic, they perform different roles.

2.1.1 Service based architecture
Compared to previous generations, the 3GPP 5G system architecture is service based (SBA) (Figure 3) [2], [3], [4]. That means that, wherever suitable, the architectural elements are defined as network functions that offer their services via interfaces of a common framework to any network functions that are permitted to make use of these provided services. The SBA specifies flat peer-to-peer relationships between Network Functions (NFs) via the HTTP/2-based Service Based Interface (SBI). The Network Repository Function (NRF) allows every network function to discover the services offered by other network functions. This architectural model, which further adopts principles like modularity, reusability and self-containment of network functions, is chosen to enable deployments to take advantage of the latest virtualisation and software technologies [5]. Instead of specifying network entities, a more modular design is achieved by specifying a set of NFs, which allows stronger decoupling between the logical and physical architecture, facilitating the virtualisation of the different NFs running on generic computer hardware. Furthermore, NFs can be physically implemented in different ways (e.g. all of them in a single physical node, distributed across multiple nodes, or running on a cloud platform).

With the split of control plane and user plane, the NFs responsible for the control plane are different from those responsible for the user plane, allowing independent scalability and evolution (e.g. allocating more capacity to the control plane without affecting the user plane). Moreover, it allows flexible deployments, e.g. a centralised location for the control plane or a distributed (remote) location for the user plane.
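The discovery model described in this section, as an added example that is not part of the ENISA report or of any 3GPP implementation: a producer NF registers a profile with an NRF-like registry, a consumer asks for a target NF type, and the registry returns only producers that permit the requesting NF type and PLMN, ordered by declared capacity. The profile fields (nf_instance_id, nf_type, plmn, services, snssais, capacity, allowed_nf_types, allowed_plmns) are a simplified subset modelled on the NRF profile idea sketched in Table 1 below, not the normative data model, and the PLMN values are constructed. The point it makes is that discovery is an authorisation decision: a producer that holds subscriber data can restrict which NF types, in which PLMNs, may even learn that it exists.

```python
"""Simplified NRF registration and discovery with consumer allow-lists.

Added example (not ENISA or 3GPP code). Field names are an assumed,
simplified subset of an NF profile; the PLMNs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PLMN = Tuple[str, str]  # (MCC, MNC)


@dataclass
class NFProfile:
    nf_instance_id: str
    nf_type: str                       # e.g. "AMF", "AUSF", "UDM"
    plmn: PLMN                         # PLMN the producer belongs to
    services: List[str]                # service names offered over the SBI
    snssais: List[str] = field(default_factory=list)  # slices served
    capacity: int = 0                  # relative capacity, higher preferred
    allowed_nf_types: Optional[List[str]] = None  # None: any NF type
    allowed_plmns: Optional[List[PLMN]] = None    # None: own PLMN only


class NRF:
    """In-memory registry: profiles are stored on registration and filtered
    on discovery by target NF type, slice and the producer's allow-lists."""

    def __init__(self) -> None:
        self._profiles: Dict[str, NFProfile] = {}

    def register(self, profile: NFProfile) -> None:
        if not profile.services:
            raise ValueError("a producer must offer at least one service")
        self._profiles[profile.nf_instance_id] = profile

    def deregister(self, nf_instance_id: str) -> None:
        self._profiles.pop(nf_instance_id, None)

    def discover(self, requester_nf_type: str, requester_plmn: PLMN,
                 target_nf_type: str, snssai: Optional[str] = None) -> List[NFProfile]:
        matches = []
        for p in self._profiles.values():
            if p.nf_type != target_nf_type:
                continue
            if snssai is not None and snssai not in p.snssais:
                continue
            if not self._consumer_allowed(p, requester_nf_type, requester_plmn):
                continue  # the producer never becomes visible to this consumer
            matches.append(p)
        # Highest capacity first so the consumer can pick the preferred producer.
        return sorted(matches, key=lambda p: p.capacity, reverse=True)

    @staticmethod
    def _consumer_allowed(p: NFProfile, requester_nf_type: str,
                          requester_plmn: PLMN) -> bool:
        if p.allowed_nf_types is not None and requester_nf_type not in p.allowed_nf_types:
            return False
        allowed_plmns = p.allowed_plmns if p.allowed_plmns is not None else [p.plmn]
        return requester_plmn in allowed_plmns


HOME: PLMN = ("001", "01")      # constructed home PLMN
VISITED: PLMN = ("001", "02")   # constructed roaming-partner PLMN


def build_demo_nrf() -> NRF:
    nrf = NRF()
    # Two AUSF instances; roaming AMFs may discover them, other NF types may not.
    nrf.register(NFProfile("ausf-1", "AUSF", HOME, ["nausf-auth"], capacity=50,
                           allowed_nf_types=["AMF"], allowed_plmns=[HOME, VISITED]))
    nrf.register(NFProfile("ausf-2", "AUSF", HOME, ["nausf-auth"], capacity=90,
                           allowed_nf_types=["AMF"], allowed_plmns=[HOME, VISITED]))
    # UDM holds subscription data: only AUSF/AMF/SMF of the home PLMN may reach it.
    nrf.register(NFProfile("udm-1", "UDM", HOME, ["nudm-uecm", "nudm-sdm"],
                           snssais=["1-000001"], capacity=70,
                           allowed_nf_types=["AUSF", "AMF", "SMF"]))
    return nrf


def demo() -> dict:
    nrf = build_demo_nrf()
    ids = lambda ps: [p.nf_instance_id for p in ps]
    return {
        "amf_finds_ausf": ids(nrf.discover("AMF", HOME, "AUSF")),
        "roaming_amf_finds_ausf": ids(nrf.discover("AMF", VISITED, "AUSF")),
        "nef_cannot_see_udm": ids(nrf.discover("NEF", HOME, "UDM")),
        "roaming_amf_cannot_see_udm": ids(nrf.discover("AMF", VISITED, "UDM")),
        "wrong_slice": ids(nrf.discover("AMF", HOME, "UDM", snssai="2-000002")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model takes the requester's NF type and PLMN as already authenticated. On a real SBI that identity comes from the transport security and token layer, which this example deliberately does not implement; the filtering shown here is what that identity is then used for.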

98、rk Functions The 5G core is a mesh of interconnected services as shown in Figure 3.In addition,the 5G system architecture introduces several security-related 5G network functions 2,3,4,6 as shown in Figure 4.Table 1 gives a brief explanation of each network function.Table 1:5G network functions Netw

99、ork Function Description User Plane User Plane Function(UPF)The User Plane Function deals with the user plane communication in the 5GC,acting as a gateway between the RAN and the external Data Network(DN)(e.g.Internet).The main functionalities are:packet routing and forwarding,downlink packet buffer

100、ing and downlink data notification triggering,QoS handling and traffic measurements.Control Plane Access and Mobility Management Function(AMF)The Access and Mobility Management Function is a control plane function in charge of handling the control signalling between the UE and the 5GC.The main funct

101、ionalities are:registration management,connection management to establish the control plane signalling with the UE,mobility management(e.g.idle mode UE reachability),control and execution of paging and support of infra-system and inter-system mobility.Session Management Function(SMF)The Session Mana

102、gement Function is a control plane function in charge of the following main functionalities:session establishment,modification and release,UE IP address allocation and management,control of policy enforcement and QoS and configuration of traffic steering at UPF to route traffic to proper destination

Policy Control Function (PCF): The Policy Control Function provides policy rules (e.g. authorised QoS for each service data flow) to the network functions in charge of enforcing them (e.g. SMF).

Application Function (AF): The Application Function allows interacting with the applications making use of the network. This can be used for applications that require dynamic policy control, e.g. for dynamically modifying the bit rate to be provided. Based on interactions with these applications, policy requirements are provided to the PCF.

Unified Data Management (UDM): The function of Unified Data Management is to provide the handling of user identification, subscription management, access authorisation based on subscription data (e.g. roaming restrictions), and generation of authentication credentials. It uses subscription data that may be stored in the UDR (Unified Data Repository).

Network Exposure Function (NEF): The Network Exposure Function is used to expose services of the 5G core towards other networks (e.g. third party providers, verticals, etc.). This allows the fast creation of new services making use of the 5G core.

Network Repository Function (NRF): The Network Repository Function, with the profiles of the available NF instances (id, PLMN ID, network slice identifiers, capacity information, etc.) and their supported services, allows an NF to discover the services offered by the other NFs of the core network. This provides a lot of flexibility for defining the interactions between NFs and allows any NF to directly interact

with another one.

Security-related Network Function

Authentication Server Function (AUSF): The AUSF provides the UE authentication service. The AUSF shall handle authentication requests for both 3GPP access and non-3GPP access. The AUSF shall provide the SUPI to the VPLMN (core network or serving network) only after authentication confirmation, if the authentication request with a SUCI was sent by the VPLMN. The AUSF shall inform the UDM that a successful or unsuccessful authentication of a subscriber has occurred.

Authentication Credential Repository and Processing Function (ARPF): The ARPF is a functional element of the UDM (Unified Data Management), responsible for generating 5G HE AV (5G Home Environment Authentication Vectors) based on the subscriber's shared secret key. It selects an authentication method based on subscriber identity and configured policy, and computes the authentication data and keying materials.

Inter-PLMN UP Security (IPUPS): The 5G System architecture introduces Inter-PLMN UP Security (IPUPS) at the perimeter of the PLMN for protecting user plane messages. The IPUPS is a functionality of the UPF that enforces GTP-U security on the N9 interface between UPFs of the visited and home PLMNs.

Security Context Management Function (SCMF): The SCMF retrieves the key from the SEAF, which is used to derive further keys.

Subscription Identifier De-concealing Function (SIDF): The SIDF is a functional element of the UDM (Unified Data Management), responsible for decrypting a SUCI (Subscription Concealed Identifier) to reveal the subscriber's SUPI (Subscription Permanent Identifier).

Security Anchor Function (SEAF): The SEAF forms, as an outcome of the primary authentication, the unified, common anchor key KSEAF for all the access scenarios. The unified anchor key KSEAF can be used by the UE and the serving network to protect the subsequent communication⁷.

Security Edge Protection Proxy (SEPP): The 5G System architecture introduces a Security Edge Protection Proxy (SEPP) as an entity sitting at the perimeter of the PLMN for protecting control plane messages. The SEPP enforces inter-PLMN security on the N32 interface. The SEPP shall act as a non-transparent proxy node.

Security Policy Control Function (SPCF): The SPCF provides policies related to the security of network functions such as AMF, SMF and UE.

Network Slice Selection Function (NSSF): The NSSF supports the

selection of the Network Slice instance(s) serving a UE. It offers services to the AMF and to the NSSF in a different PLMN via the Nnssf service-based interface (see 3GPP TS 23.501 [3] and 3GPP TS 23.502 [4]).

Figure 4: Security-related 5G network functions⁸

⁷ https:/
⁸ https:/

2.1.3 Support of network slicing

A distinct key feature of the 5G system architecture is network slicing. Within the scope of the 3GPP 5G system architecture, a network slice refers to the set of 3GPP-defined features and functionalities that together form a complete Public Land Mobile Network (PLMN) for providing services to UEs. Network slicing allows for the controlled composition of a PLMN from the specified network functions, with their specific provided services, that are required for a specific usage scenario. Each PLMN is customised by instantiating only the features, capabilities and services required to satisfy the subset of the served users/UEs or related business customer needs [5]. With 5G, NFs can be individually instantiated for each network slice and placed where appropriate. In this way, multiple network slices can be created, each one composed of a collection of control plane and user plane NFs customised to the needs of the slice. For example, one network slice can include the NFs to support mobile broadband services with full mobility support, and another one to support non-mobile, latency-critical industry applications.

2.1.4 Support of multi-access edge computing (MEC)

MEC uses the wireless access network to provide services and cloud computing functions required by telecom users, and to construct a carrier-class service environment with high performance, low latency and high bandwidth to improve the communication experience of mobile users. Edge computing is an evolution of cloud computing that brings application hosting from centralised datacentres down to the network edge, close to the consumers and the data generated by applications. The main advantages are computation offloading, distributed content delivery and caching, and low latency services. In order to profit from the advantages provided by edge computing in 5G, the technology needs to support connecting the 5G core to a local area data network (LADN) where the applications are implemented, and the UPF must be able to perform the local routing of certain traffic to the LADN. In terms of physical deployment of MEC hosts, there are multiple options available based on various operational, performance or security related requirements. The following list gives an outline of some of the feasible options for the physical location of MEC:

1. MEC and the local UPF collocated with the base station,
2. MEC collocated with a transmission node, possibly with a local UPF,
3. MEC and the local UPF collocated with a network aggregation point,
4. MEC collocated with the core network functions (i.e. in the same datacentre).

The options presented above show that MEC can be flexibly deployed in different locations, from near the base station

to the central data network. Common to all deployments is the UPF, which is deployed and used to steer the traffic towards the targeted MEC applications and towards the network.

2.2 NFV ARCHITECTURE

The virtualisation of network elements, NFV, is a concept that virtualises the main elements of a network. In this sense, instead of having a dedicated hardware element to provide a function of the network, software running on general-purpose hardware is used. In this way, entire classes of network node functions can be set up as building blocks that can be connected to create overall telecommunications networks. Examples of the virtualised functions that can be provided include virtualised load balancers, firewalls, intrusion detection devices, WAN accelerators, routers, access control and billing.

As a standard specification, ETSI focuses on high-level architecture, development guidelines, and interoperability enabled by open interfaces. ETSI describes the high-level NFV functional architectural framework and the design of virtualised network functions and of the supporting infrastructure. It identifies three main working domains in NFV:

1. Virtualised network function (VNF) is the software implementation of a network function which can run over the NFVI.
2. NFV infrastructure (NFVI) includes the diversity of physical resources and how these can be virtualised. The NFVI supports the execution of the VNFs.
3. NFV management and orchestration (MANO) covers the orchestration and lifecycle management of physical and/or software resources that support the virtualisation of the infrastructure, and the lifecycle management of VNFs.

The initial release of the ETSI NFV specification was predominantly dependent on hypervisor-based virtual machines (VMs) for virtualisation. Most of the specifications

in ETSI NFV continue to serve that purpose when applied to cloud native NFV. Nevertheless, an adaptation is needed in some areas because of the differences between VM-based and cloud native solutions. Thus, the ETSI NFV group has published containerised VNF specifications enabling containerised VNFs to be managed in an NFV framework. The ETSI NFV group has published ETSI GS NFV-IFA 040⁹, which specifies the requirements for service interfaces and an object model for operating system (OS) container management and orchestration. These specifications provide a baseline for the integration of OS container management and orchestration into the NFV framework. ETSI GS NFV-IFA 040 also specifies requirements on the list of services to be offered by architectural elements providing the Container Infrastructure Service Management (CISM) and Container Image Registry (CIR) functions described in ETSI GR NFV-IFA 029¹⁰, and on the interfaces for exposing these services to NFV-MANO and other consuming entities. The CISM is responsible for maintaining the containerised workloads and manages the OS container, computation, storage and network resources and their configuration. The CIR is responsible for storing and maintaining information on OS container software images. ETSI GS NFV-IFA 040 is supplemented by the NFV Release 4 specifications ETSI GS NFV-IFA 010¹¹ and ETSI GS NFV-IFA 011¹². These provide enhancements for the specification of the management and orchestration functional requirements, and extensions to the VNF package and VNF descriptor specifications, respectively.

⁹ https://docbox.etsi.org/isg/nfv/open/Publications_pdf/Specs-Reports/NFV-IFA%20040v4.2.1%20-%20GS%20-%20OS%20Container%20MANO%20service%20interfaces.pdf
¹⁰ https://www.etsi.org/deliver/etsi_gr/NFV-IFA/001_099/029/03.03.01_60/gr_NFV-IFA029v030301p.pdf
¹¹ https://www.etsi.org/deliver/etsi_gs/NFV-IFA/001_099/010/04.01.01_60/gs_NFV-IFA010v040101p.pdf
¹² https://www.etsi.org/deliver/etsi_gs/NFV-IFA/001_099/011/04.02.01_60/gs_NFV-IFA011v040201p.pdf

The considered high-level NFV architecture for 5G is in line with the ETSI NFV reference architecture [7], the NFV-MANO architectural framework [8], the ETSI NFV Adaptation to the Cloud Native Architecture [9], [10], and the ENISA 5G threat landscape [6] (section 3.7) (Figure 5). Table 2 describes the main NFV [7] and MANO [8] components of this architecture. In Figure 5, the main NFV components covering both VM-based and cloud native (container-based) deployments are highlighted. In this report, it is assumed that the VIM supports the CISM, so that it is able to manage both VM and container virtualisation technologies. As explained in ETSI GR NFV-IFA 029, there are multiple options to integrate the CISM within the NFV MANO. Only option #1 (CISM embedded in the VIM) is highlighted for reasons of simplicity, since the aim is to give a big picture of the NFV architecture without going into the details of all these options already explained in ETSI GR NFV-IFA 029. More details about the

5G NFV architecture can be found in [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16]. More details about the different MANO solutions are given in Annexes H and I.

Table 2: NFV and MANO main components

Security-related Network Function Description

NFV (Network Functions Virtualisation)

Common components between VM-based and cloud native NFV (network functions virtualisation)

NFV Infrastructure (NFVI): The NFVI consists of all the hardware and software components that are contained within the environment in which VNFs are deployed. It provides virtualised computing, storage and networking. One of the advantages of NFV is that the NFV Infrastructure can be located across several physical locations, allowing operators to typically place their centres at the most convenient locations. The network providing connectivity between these locations is part of the NFV Infrastructure.

Operations Support System/Business Support System (OSS/BSS): includes the collection of applications that a service provider uses to operate its business. While the OSS deals with network management, fault management, configuration management and service management, the BSS deals with customer management, product management, order management and billing.

Element Management System (EMS): is responsible for the configuration, fault management, accounting and collection of performance measurement results for the network functions provided by the VNF. An example of a management function is fault, configuration, accounting, performance and security management (FCAPS).

Hardware Resources: in NFV, the physical hardware resources include computing, storage and networks that provide processing, storage and connectivity to VNFs through the virtualisation layer (Host OS, Hypervisor, CIS).

Virtualised Network Function (VNF): an implementation of an NF that can be deployed on a network function virtualisation infrastructure (NFVI). VNFs are built from one or more VNF components (VNFC) and, in most cases, the VNFC is hosted on a single VM or container.

Virtualised Network Function Component (VNFC): is an internal component of a VNF that provides a VNF provider with a defined sub-set of that VNF's functionality. Its main characteristic is that a single instance of this component maps 1:1 against a single instance of an atomic deployable unit. An instance of an atomic deployable unit is represented by a single VM for hypervisor-based virtualisation, or by one or a set of OS containers for CIS (Container Infrastructure Service) based virtualisation.

Virtualisation layer: it consists of two sub-layers: a host OS and hypervisor (for VMs), and CIS (for containers).

Cloud native components within NFV

Container Infrastructure Service (CIS): the cloud-native equivalent of the hypervisor is the container infrastructure service (CIS), which provides all the runtime infrastructural dependencies for one or more container virtualisation technologies. It can run on top of bare metal or hypervisor-based virtualisation. It is used to create, destroy and manage containers on top of an operating system.

Container: is a virtualisation container using a shared operating system (OS) kernel of its host. Containers can host a VNF component (VNFC), for instance.

VM-based components within NFV

Hypervisor: is a piece of software which partitions the underlying physical resources and creates virtual machines, and isolates the VMs from each other. It runs either directly on top of the hardware (bare metal hypervisor, type 1) or on top of a hosting operating system (hosted hypervisor, type 2). The abstraction of resources comprises all those entities inside a computer or server which are accessible, such as processor, memory/storage and NICs. The hypervisor enables the portability of VMs to different hardware.

Virtual Machine (VM): has all the ingredients (processor, memory/storage, interfaces/ports) of a physical computer or server and is generated by a hypervisor, which partitions the underlying physical resources and allocates them to VMs. Virtual machines can host a VNF component (VNFC), for instance.

NFV MANO (Management and Orchestration)

Common components between VM-based and cloud native NFV MANO

Network Function Virtualisation Orchestrator (NFVO): is responsible for coordinating the VNFM and VIM according to the requirements of the OSS/BSS to orchestrate a specific service, such as a firewall or intrusion detection. It implements resource and service orchestration in the network. The NFVO is split up into a resource orchestrator (RO)

and a network service orchestrator (NSO). First, the RO collects the current information regarding possible physical and virtual resources of the NFVI through the VIM. Second, the NSO applies complete lifecycle management of multiple network services. In this way, the NFVO keeps updating the information about the available VNFs running on top of the NFVI. As a result, the NFVO can initiate multiple network services. As part of the lifecycle management, the NFVO can also terminate a network service whenever a service request is no longer being received for that specific service. In several solutions, the NFVO and VNFM are integrated into MANO. Open Source MANO (OSM)¹³, Open Networking Automation Platform (ONAP)¹⁴, OpenBaton¹⁵, Cloudify¹⁶, SONATA¹⁷ and Katana Slice Manager¹⁸ are considered the leading integrated solutions for MANO. Note that OSM can also perform management and orchestration tasks on PNFs.

¹³ Open Source MANO (OSM), “OSM Open Source NFV Management and Orchestration (MANO) software stack aligned with ETSI NFV,” April 2021, https://osm.etsi.org
¹⁴ ONAP, “ONAP Open Networking Automation Platform,” April 2021, https://www.onap.org/
¹⁵ OpenBaton, “OpenBaton An extensible and customizable NFV MANO-compliant framework,” April 2021, http://openbaton.org
¹⁶ Cloudify, “Cloudify Multi Cloud Orchestration,” April 2021, https://cloudify.co/
¹⁷ SONATA, “Sonata agile development, testing and orchestration of services in 5g virtualized networks,” April 2021, https://www.sonata-nfv.eu
¹⁸ Katana Wiki Home, “MediaNetworks Laboratory,” April 2021, https:/

VNF Manager (VNFM): is responsible for managing the lifecycle of VNFs. VNFM operations include:
o instantiation of VNFs
o scaling of VNFs
o updating and/or upgrading of VNFs
o termination of VNFs.

VM-based components within NFV MANO

Virtual Infrastructure Manager (VIM): is the management system for the NFVI. It is responsible for controlling and managing the interaction of a VNF with the underlying computing, storage and networking resources and their virtualisation. It performs resource management tasks such as inventory of hypervisors, allocation of VMs onto hypervisors or increasing resources to VMs. Moreover, it performs operations on the visibility of the NFVI, analysis of data on the performance of the infrastructure, and collection of information for capacity planning, monitoring and optimisation. Consequently, the VIM can supervise the allocation of NFVI resources to the available VNFs. OpenStack¹⁹ and OpenVIM²⁰ (for VNFs) are possible solutions for the VIM.

Cloud native components within NFV MANO

Container Infrastructure Service Management (CISM): is a functional block that manages one or more container infrastructure services. The CISM provides mechanisms for lifecycle management of the managed container infrastructure objects, which host application components as services or functions. It is the cloud-native equivalent of the virtualised infrastructure manager (VIM). The CISM is responsible for controlling and managing the NFVI compute, storage and network resources, as well as scheduling the microservice containers in the cloud. The CISM also collects performance measurements in the infrastructure, including at container level, and makes the data available to other functional blocks for monitoring purposes. Other responsibilities of the CISM include virtual networking control and management, as well as the southbound integration with various network controllers to achieve the physical network control and management capabilities. Kubernetes²¹ (for cloud native NFs) is a possible solution for the CISM. Multiple options can be envisioned for mapping

the CISM functionality to NFV-MANO, as outlined in ETSI GR NFV-IFA 029 and ETSI GS NFV-IFA 040. Each option has its pros and cons. Such options include:
o Option #1: CISM embedded in the VIM,
o Option #2: CISM distributed across VNFM and VIM,
o Option #3: CISM as a stand-alone functional block,
o Option #4: CISM-only, replacing VIM and VNFM,
o Option #5: CISM embedded into the VNF with support for a shared container service,
o Option #6: CISM embedded into the VNF without support for a shared container service.

Other

NFV Security Managers (SM): the NFV SM is a function that applies security policy to a virtualised network based on both predefined default policy and active analysis of information provided through security monitoring. It is responsible for enforcing security policy for VNFs and for instructing NFV-MANO to take VNF-specific or system-wide security actions [17], [18]. The security manager is a logical subcomponent of a CSP's overall network security management and monitoring systems. A CSP security management platform may require one or more security managers (SMs), depending on the security isolation and role separation required between different trust domains. In cooperation with MANO blocks dedicated to managing the virtualised network, the policy-driven SM is specialised to manage the security of a network service over its entire lifecycle. It covers the following functionalities:
o Security Policy Planning designs and optimises security policies for specific targets of protection (network services);
o Security Policy Enforcement & Validation automates the deployment and supports the lifecycle management of security functions as defined in the design phase, then configures security policies on the security functions. In addition, during the lifetime of a network service, the validation and re-configuration or remediation of associated security policies is supported, also in an automated manner.

2.3 NFV WITH SDN ROLES

Besides the NFV technology, management and deployment of 5G technology is simplified by the adoption of complementary technologies enabling flexible usage of deployed hardware and fast provisioning of new

functions and services, namely SDN. The core similarity between software-defined networking (SDN) and network functions virtualisation (NFV) is that they both use network abstraction. SDN seeks to separate network control functions from network forwarding functions, while NFV seeks to abstract network forwarding and other networking functions from the hardware on which they run.

¹⁹ OpenStack, “OpenStack The Most Widely Deployed Open Source Cloud Software in the World,” April 2021, https://www.openstack.org/
²⁰ OpenVIM, “Telefónica NFV reference lab,” April 2021, https:/
²¹ Kubernetes, “Kubernetes Production-Grade Container Orchestration,” April 2021, https://kubernetes.io

Thus, both depend heavily on virtualisation to enable network design and infrastructure to be abstracted in software and then implemented by underlying software across hardware platforms and devices [19]. When SDN executes on an NFV infrastructure, SDN forwards data packets from one network device to another. At the same time, SDN's networking control functions for routing, policy definition and applications run in a VM or container somewhere on the network. Thus, NFV provides basic networking functions, while SDN controls and orchestrates them for specific uses. SDN further allows configuration and behaviour to be programmatically defined and modified [19]. SDN and NFV differ in how they separate functions and abstract resources. SDN abstracts physical networking resources (switches, routers and so on) and moves decision making to a virtual network control plane. In this approach, the control plane decides where to send traffic, while the hardware continues to direct and handle the traffic. NFV aims to virtualise all physical network resources beneath a hypervisor, which allows the network to grow without the

addition of more devices [19]. While both SDN and NFV make networking architectures more flexible and dynamic, they perform different roles in defining those architectures and the infrastructure they support [19]. A whole overview of the NFV/SDN architecture is shown in Figure 6. This architecture takes into account SDN and NFV technologies. On one hand, the framework presents a layered structure: infrastructure, control and application layers, in the same way as the SDN architecture. Moreover, it takes advantage of the NFV concept to allow the easy implementation and management of network functions, without the need to increase the hardware devices [20], [21].

Figure 6: Integrating SDN Controller into the reference NFV architecture

The SDN controller centralises the control plane functionalities and provides an abstract view of all the connectivity-related components it manages. The SDN Controller sets up and manages the underlying networking resources to provide the required connectivity for communicating the VNFs. Managed by the VIM, this controller may change infrastructure behaviour on demand according to VIM specifications, adapted from the requests of tenants.

In the infrastructure layer, we have the current mobile infrastructure of the network operator, providing support to a wide range of wireless and cellular technologies such as WiFi, LTE, UMTS, GSM, among others. On top of the hardware layer, there is a virtualisation layer to enable the virtualisation of hardware devices. The resources could be in different locations and datacentres, and this takes three components into account:
o networking: these devices incorporate mobile technologies and the OpenFlow protocol;
o storage: this element can include object storage or block storage (Swift and Cinder in OpenStack) or another novel technique;
o computing: this includes high volume servers.

The control layer is in charge of monitoring, analysis, management and orchestration of devices. It consists of four modules: monitoring, analyser, network OS and NFV MANO.
o Monitoring Module: this module is able to provide the complete low-level overview of the managed systems by means of gathering metrics coming from different network devices.
o Analyser Module: this module could give a deep analysis of the data in order to determine the behaviour that suits the network. This module can also infer the recommended behaviour of the network. The techniques used in the analysis can include data mining, learning algorithms and pattern recognition, among others.
o Network OS: this uses OpenFlow or similar protocols to send instructions to the infrastructure layer elements. Its functionality is similar to an operating system (OS) in computing.
o NFV MANO: this module determines and organises the actions to be executed in the system, the orchestration, the management of the resources and the control functions.

The SDN/NFV control layer can adapt the network resources depending on the actual situation of the network and dynamically respond to failures or degradation of network performance. At the top of the architecture is located the application layer, which consists of two basic modules:
o Communication Interface: this module enables an open API for programmers to facilitate the development of new services.
o Network Functions: this module presents a scalable structure

to create customised network functions or control applications.

2.4 5G NFV STAKEHOLDERS

Table 3 illustrates the actors that hold stakes in the 5G NFV markets, forming different clusters that would be active in 5G ecosystems. First, the stakeholders from the traditional 5G industry are those who provide connectivity solutions, equipment, SW and cloud providers. They are the actors who take part in developing, delivering and providing 5G services. Second, policy makers and standard-setting organisations have defined 5G as we know it today. Third, vertical industries are important stakeholders providing different services to third parties. [22], [23], [24], [25], [26] were used as references for the development of this chapter.

The 5G NFV network architecture implies the introduction of new processes, activities and operations, thus defining new technical roles (e.g. administrators, integrators) and responsibilities involved in the operation, administration and maintenance of the 5G NFV. The operation, administration and maintenance of 5G NFV infrastructure requires much effort, and particular skill profiles need to be employed. Listings of the roles, responsibilities and the corresponding technical processes and activities are provided in Annex A. Each role can belong to multiple stakeholders.

Table 3: 5G NFV stakeholders

5G stakeholders Description

Mobile Network Operator (MNO): The MNO operates its mobile network infrastructure to provide connectivity and network services to end-users.

Network Equipment Vendors: These vendors provide the network infrastructure, including servers to run SDN controllers, switches, routers, gateways, radio hardware, etc. In addition, they are in charge of:
o providing capability and procedures to securely configure the network device;
o providing a process for users, including security researchers, to submit bug reports (e.g. using an issue tracker or a mailing list);
o testing according to 3GPP test plans; this testing should include security tests of the device and its interfaces;
o setting up a vulnerability management process of monitoring, identifying, evaluating, treating and reporting on security vulnerabilities in the network device, including firmware;
o maintenance of the firmware, including providing patches for bugs and vulnerabilities.

NFs Vendors: They develop and provide NFs (e.g. VNF, PNF). In addition, they are in charge of:
o providing capability and procedures to securely configure NFs;
o providing a process for users, including security researchers, to submit bug reports (e.g. using an issue tracker or a mailing list);
o testing according to 3GPP test plans; this testing should include security tests of the NFs and their interfaces;
o setting up a vulnerability management process for monitoring, identifying, evaluating, treating and reporting on security vulnerabilities;
o maintenance of NFs, including providing patches for bugs and vulnerabilities.

Virtualisation Hardware Infrastructure Providers: They provide the virtualised infrastructure comprising computing

resources (e.g. from computing platforms) and storage nodes. In addition, they are in charge of:
o setting up a vulnerability management process for monitoring, identifying, evaluating, treating and reporting on security vulnerabilities in the virtualisation hardware infrastructure;
o setting up patch development, testing and delivery processes;
o maintenance of the hardware infrastructure, including providing patches for bugs and vulnerabilities;
o providing a process for users, including security researchers, to submit bug reports (e.g. using an issue tracker or a mailing list).

Vendors of Security Hardware Modules: They provide the security hardware technologies used within servers, such as trusted platform modules (TPM), trusted execution environments (TEE), hardware security modules (HSM) and secure enclaves in CPUs. In addition, they are in charge of:
o setting up a vulnerability management process for monitoring, identifying, evaluating, treating and reporting on security vulnerabilities;
o setting up patch development, testing and delivery processes;
o maintenance, including providing patches for bugs and vulnerabilities;
o providing a process for users, including security researchers, to submit bug reports (e.g. using an issue tracker or a mailing list);
o certification according to a recognised scheme such as Common Criteria²².

Virtualisation Software Infrastructure Providers: They provide the virtualised infrastructure services that design, build and operate virtualisation infrastructure(s). The infrastructure comprises software for compute nodes such as hypervisors, host operating systems and CISs. In addition, they are in charge of:
o setting up a vulnerability management process for monitoring, identifying, evaluating, treating and reporting on security vulnerabilities in the virtualisation software infrastructure;
o setting up patch development, testing and delivery processes;
o maintenance of the software infrastructure, including providing patches for bugs and vulnerabilities;
o providing a process for users, including security researchers, to submit bug reports (e.g. using an issue tracker or a mailing list).

Mobile Virtual Network Operators (MVNO): MVNOs work with MNOs to offer their telecom services by acquiring the required network capacity for customers.

Cloud Providers: They provide computation and storage resources to third parties.

Over-The-Top (OTT) Content and Service Providers: These providers offer different applications and services to end users based on their demands and quality requirements.

Communications Service Providers (CSPs): Communications Service Providers (CSPs) include service providers such as Mobile Network Operators (MNO) and Mobile Virtual Network Operators (MVNO).

Law Enforcement Organisations and Governmental Agencies: They should have access to control and sometimes intercept user data in 5G networks within the regulated framework of Lawful Interception.

Regulators and Policymakers: Government regulators or regulatory agencies include bodies such as the Federal Communications Commission (US), the European Commission (EU), etc.

Standardisation Bodies: These include international associations and alliances with a geographical, thematic or sectorial focus, such as the International Telecommunication Union, GSMA, 3GPP, etc.

Vertical Markets: These provide various services to third parties that exploit resources (network and cloud) specifically from operators and cloud service providers.

End Users or Subscribers: These users have a subscription and can therefore access virtualised services. When they access a service, they directly or indirectly generate a data flow within the control plane, then the user plane. Their communications are transported by the user plane.

²² https://www.commoncriteriaportal.org

2.5 NFV SECURITY OPPORTUNITIES

Despite potential challenges due to the use of recent technologies such as NFV and SDN in 5G networks, these same technologies also open new opportunities. The main opportunities for NFV to improve 5G security and trustworthiness are provided in Table 4 ([22], [27]).

Table 4: NFV security opportunities

NFV security opportunities Description

Increased automation: This is provided by the management and orchestration (MANO) layer.

NFV MANO provides the opportunity to automate the creation, reconfiguration and scaling in and out of network functions, and to do so in real time, on the fly, based on workload needs. The automation provided by NFV MANO allows security controls and mitigations to be automated as well. For instance, the logging of security events, monitoring, detection, prevention, verification of integrity, patch management and others can be instantiated and provided as a service to network functions and applications.

Security zoning and segmentation: In the 5G network, multi-tenancy drives the need for the logical separation of virtual resources among tenants. Through orchestration, certain VNFs can be deployed on separate VMs or containers and compute nodes, and they can be further segregated by using separate networks. In addition, the use of security zones allows VNFs to be deployed on or migrated to hosts that satisfy security-pertinent criteria such as location and level of hardening (for example, some hosts may employ trusted computing technology).

Distributed security services: NFV allows for the dynamic distribution not only of the instantiated VNFs throughout the virtualised infrastructure (at the edge, at the core or at the RAN) but also of security functions. 5G network services are deployed across multiple administrative domains. NFV admins can instantiate new monitoring instances, or reconfigure or modify existing ones, at the right location in the network according to the available resources or security contexts.

Patch management: NFV eases the deployment of security updates. An upgraded instance of a VNF can be launched and tested while the previous instance remains active. Services and customers can then be migrated to the upgraded instance over a period of time (shorter or longer, as dictated by operational needs). The older instance with the unpatched security flaw can be retired once the process is complete.

Incident response: NFV opens up the possibility to automate and improve incident response. Automated incident response provides rapid and flexible reconfiguration of virtual resources. In addition, it eases the decommissioning and re-commissioning of VNFs. If a VNF is compromised (for example, through unauthorised access via a back door), an uncompromised version can be instantiated to replace it; the compromised version can then be decommissioned and a copy of it kept for forensic analysis.

Programmability: Programmability offers the flexibility and dynamicity needed to have adaptable security mechanisms such as logging, policy monitoring and verification mechanisms.

Centralised control and traffic steering: In SDN, forwarding elements are directly connected to and controlled by controller software (e.g. Ryu (footnote 23) or OpenDaylight (footnote 24)). This centralisation of the control plane enables a defence system to respond rapidly to network changes from a central controller by updating the forwarding rules of the entire network infrastructure; e.g. suspicious traffic can be dynamically detected and redirected to security appliances.

Network slicing: Network slicing is realised by virtualisation using SDN, NFV and cloud computing technologies. The E2E multi-domain and multi-tenancy support in 5G network slicing promises to enable vertical industries with a diverse set of performance, service and security requirements. Network slicing will give operators the capability to create different levels of service for different verticals, enabling them to customise their operations.

2.6 NFV KEY TECHNOLOGIES

This section presents an overview of the different virtualisation, containerisation and MANO technologies [28] currently being used in 5G to run and orchestrate multiple VNFs at the core, edge and RAN. It examines the differences between using virtual machines (VMs), containers, unikernels and cloud-native microservices in the context of 5G.

2.6.1 Virtualisation

2.6.1.1 Hypervisor

Hypervisor-based virtualisation provides isolated environments on top of a shared pool of resources [29, 30]. A hypervisor is a software layer that abstracts the underlying physical resources and provides virtual machines with the full functionalities

of a real system. Moreover, a hypervisor is responsible for resource allocation to the VMs, as well as for monitoring and managing VMs through coordination with the primary OS of the underlying hardware. There are two types of hypervisors, known as Type 1 and Type 2.

Type I, bare-metal hypervisor: a type 1 hypervisor runs directly on the host machine's physical hardware and is referred to as a bare-metal or native hypervisor. A type I hypervisor does not have to load an underlying OS. It does not need any host OS because communication with hardware resources is direct, with full visibility of the hardware resources [30].

Type II, hosted hypervisor: a type 2 hypervisor is typically installed on top of an existing OS. It is sometimes called a hosted hypervisor because it relies on the host machine's pre-existing OS to manage calls to CPU, memory, storage and network resources.

Bare-metal hypervisors (type I) are the more secure option. Unlike hosted hypervisors, they do not depend on the underlying OS. Table 5 summarises the features of Type I and Type II hypervisors [31].

23 https:/ryu-sdn.org
24 https:/www.opendaylight.org

Table 5: Features of type I and type II hypervisors

AKA. Type I: bare metal. Type II: hosted.
Definition. Type I: runs directly on server hardware. Type II: runs on top of the supported OS.
Scalability. Type I: better scalability. Type II: not so much, because of its reliance on the underlying OS.
System independence. Type I: has direct access to hardware, along with the VMs it hosts. Type II: is not allowed to directly access the host hardware and its resources.
Performance. Type I: provides better hardware resource utilisation. Type II: provides less hardware resource utilisation.
Security. Type I: more secure, as it is a hardware-based hypervisor. Type II: less secure, as it is a software-based hypervisor; any problem in the OS may affect the entire system, including the protected hypervisor.
Setup or installation. Type I: in many such hypervisors, setup is hard and hardware support is needed. Type II: in many such hypervisors, setup is easy as there is already an OS.
Examples. Type I: VMware vSphere, Microsoft Hyper-V, KVM, Xen Hypervisor, Oracle VM, Citrix Hypervisor. Type II: Oracle VM VirtualBox, VMware Workstation Pro and VMware Fusion, QEMU, Parallels Desktop, KVM (footnote 25).

2.6.1.2 Virtual machines

A VM is a type of virtualisation that splits bare-metal servers into multiple independent instances, each with its own operating system inside. The operating system, applications and services are all bundled into a single image that is accessed via a hypervisor and built on virtualised hardware. Such virtualisation allows us to move away from the approach of running one application or service per physical server and to achieve better utilisation of capacity. The sizing of the VM will depend on the resources available and on the characteristics of the application that is going to be executed on this machine. Within a VM it is possible to run different OSs, depending on the needs or requirements of the application running on top of it. A VM consists of several files that are stored on a storage device. The key files are the configuration file, the virtual disk file, the NVRAM settings file and the log file [28]. Some of the most interesting functions that VMs enable are snapshots (footnote 26), migration (footnote 27) and failover (footnote 28) [32].

25 Kernel-based Virtual Machine (KVM) has qualities of both a hosted and a bare-metal virtualisation hypervisor. It can turn the Linux kernel itself into a hypervisor, so that the VMs have direct access to the physical hardware.
26 Snapshots: A snapshot is the state of a VM, and generally of its storage devices, at an exact point in time. A snapshot enables the VM's state at the time of the snapshot to be restored later, effectively undoing any changes that occurred afterwards. This capability is useful as a backup technique, for example prior to performing a risky operation.
27 Migration: Snapshots can be moved to another host machine with its own hypervisor; when the VM is temporarily stopped, snapshotted, moved and then resumed on the new host, this is known as migration. If the older snapshots are kept in synchronisation regularly, this operation can be quite fast and allows the VM to provide uninterrupted service while its prior physical host is, for example, taken down for physical maintenance.
28 Failover: Similar to the migration mechanism, failover allows the VM to continue operations if the host fails. Generally, it occurs when migration has stopped working. However, in this case the VM continues operation from the last known coherent state, rather than the current state, based on whatever materials the backup server was last provided with.

2.6.2 Cloud native

Cloud-native is an approach to building and running applications that fully exploits the benefits of the cloud computing model. Applications are cloud-native network functions. 5G NFs, as cloud-native NFs, are designed using the following important cloud-native principles.

2.6.2.1 Containerisation

OS-level virtualisation represents the containerisation model, which envisages that only the applications and their dependencies are integrated into a container. Each container shares the host OS kernel operating on bare metal, as well as its binaries and libraries, so the applications run quickly and reliably from one computing environment to another (footnote 29). As a result, containers are exceptionally lightweight and fast to start. Containers allow for more efficient implementation

of microservices principles due to their elasticity and ease of provisioning. Containers are more commonly adopted by cloud-native applications, as each service component becomes a separate element in a microservices architecture. Many types of containerisation technologies are available, for instance:

- Docker containers: this is a popular open-source project based on Linux containers. Docker is written in Go and was developed by Dotcloud. Docker is basically a container engine (an ETSI CIS) which uses Linux kernel features such as namespaces and control groups to create containers on top of an operating system, and automates application deployment in the container.
- Java containers: these types of software packages enable standalone functioning of Java applications or parts of them. Examples: Spring Boot, Jetty, Tomcat.
- LXD containers: these represent Linux container software technology that is very similar to various Linux distributions. They are integrated with the OpenNebula EDGE platform.
- OpenVZ containers (footnote 30): Open Virtuozzo is a dedicated container-based virtualisation technology created specifically for Linux operating systems.
- RKT containers: rocket containers and the RKT container engine were developed by CoreOS for the majority of Linux distributions in a cloud-native environment. This type of container is composed of a pod (as in the Kubernetes model and concept) with one or more applications inside.
- Hyper-V containers: these constitute a different type of container because they create their own copy of the Windows OS kernel and are completely isolated, having incorporated both kernel space and user mode. They can easily be associated with a VM.

2.6.2.2 Microservices

A 5G NF, as a cloud-native NF, is composed of cloud-native network function components that combine to enable 5G-specific features. The basic components of a cloud-native NF are microservices, which can be executed independently in separate containers, deployed independently, and re-composed when creating a new cloud-native NF. These microservice-based cloud-native NFs are highly scalable and enable the deployment of new features quickly. A microservices architecture develops a single application as a suite of small services, each of which runs in its own process and communicates through lightweight mechanisms. Applications designed from the beginning as microservices may have the innovation needed for the new telecom service environment.
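As an added example (not code from the ENISA report), the following Python models the security zoning and tenant segregation described under Table 4 together with the shared-kernel caveat of 2.6.2.1: a MANO-style placement check that admits a VNF to a host only if the host meets the workload's location and hardening criteria and no other tenant's shared-kernel workload is co-resident, plus an audit that flags violations after a migration. The hosts, tenants, runtime names and field names are constructed assumptions.

```python
from dataclasses import dataclass

# Isolation strength by runtime, following the report's comparison: VMs,
# unikernels and Hyper-V containers get their own kernel, while Linux
# containers share the host kernel. Keys are this example's own names.
KERNEL_ISOLATED = {"vm": True, "unikernel": True,
                   "hyperv_container": True, "container": False}


@dataclass(frozen=True)
class Host:
    name: str
    location: str      # constructed site/country code
    hardening: int     # 0 = baseline ... 3 = attested trusted-computing host
    tpm: bool          # trusted platform module present


@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str        # operator or third-party service provider
    runtime: str       # key of KERNEL_ISOLATED
    min_hardening: int = 0
    allowed_locations: frozenset = frozenset()   # empty = no location constraint
    require_tpm: bool = False
    share_host: bool = False   # may it share a host with other tenants at all?


def host_satisfies(host: Host, wl: Workload) -> bool:
    """Security-zone criteria named in Table 4: location and level of hardening."""
    if host.hardening < wl.min_hardening or (wl.require_tpm and not host.tpm):
        return False
    return not wl.allowed_locations or host.location in wl.allowed_locations


def tenant_conflict(a: Workload, b: Workload) -> bool:
    """Workloads of different tenants may co-reside only if both permit it and
    neither relies on a shared kernel (the weak-isolation case)."""
    if a.tenant == b.tenant:
        return False
    if not (a.share_host and b.share_host):
        return True
    return not (KERNEL_ISOLATED[a.runtime] and KERNEL_ISOLATED[b.runtime])


def place(wl, hosts, residents):
    """Pick the first host meeting zone criteria with no tenant conflict.
    residents maps host name -> workloads already there; updated on success."""
    for host in hosts:
        if host_satisfies(host, wl) and not any(
                tenant_conflict(wl, r) for r in residents.get(host.name, [])):
            residents.setdefault(host.name, []).append(wl)
            return host.name
    return None


def audit(hosts, residents):
    """Detection side: report placements (e.g. after a migration) that violate
    zone criteria or tenant separation, as (host, workload, reason) tuples."""
    by_name = {h.name: h for h in hosts}
    findings = []
    for hname, wls in residents.items():
        for i, wl in enumerate(wls):
            if not host_satisfies(by_name[hname], wl):
                findings.append((hname, wl.name, "zone criteria not met"))
            for other in wls[i + 1:]:
                if tenant_conflict(wl, other):
                    findings.append((hname, wl.name, "tenant conflict with " + other.name))
    return findings


def run_demo():
    """Constructed inventory: one shared edge host, two hardened core hosts."""
    hosts = [Host("edge-01", "DE", hardening=1, tpm=False),
             Host("core-01", "DE", hardening=3, tpm=True),
             Host("core-02", "FR", hardening=3, tpm=True)]
    workloads = [
        # control-plane NF: attested in-country host, never shared with other tenants
        Workload("AMF", "operator-A", "vm", min_hardening=3,
                 allowed_locations=frozenset({"DE"}), require_tpm=True),
        # third-party OTT cache: shared-kernel container, willing to share a host
        Workload("ott-video-cache", "ott-provider", "container", share_host=True),
        # operator's edge UPF as a container: cannot sit next to another tenant's container
        Workload("UPF-edge", "operator-A", "container", min_hardening=1, share_host=True),
        # partner operator's VM: isolated runtime, may share with consenting tenants
        Workload("partner-analytics", "operator-B", "vm", min_hardening=3, share_host=True),
    ]
    residents = {}
    placed = {wl.name: place(wl, hosts, residents) for wl in workloads}
    clean = audit(hosts, residents)
    # Simulate a bad migration: AMF moved onto the shared, unhardened edge host.
    amf = workloads[0]
    residents["core-01"].remove(amf)
    residents["edge-01"].append(amf)
    return {"placed": placed, "clean": clean, "after_bad_migration": audit(hosts, residents)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```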

The microservices architecture requires a high degree of orchestration. Moreover, consideration must be given to whether decomposing into microservices can actually be counterproductive. Because microservicing supports cloud-native architecture, it can create problems with latency, which is the death knell for 5G applications and services. While mobile operators stand to benefit tremendously from fully deployed 5G networks, the reality is that there are a number of foundational issues that must be addressed to ensure those networks provide the speed, latency and reliability that 5G applications demand. As is generally true in technology, a hybrid approach to developing VM, container and microservices technologies is likely the best pragmatic path forward for operators (footnote 31). By combining the main principles of containerisation and microservices, operators can build a 5G network with cloud-native network functions.

29 https:/
30 https:/openvz.org/
31 https:/

2.6.3 Hybrid virtualisation and containerisation

With the development of cloud-native technology, the telco infrastructure is on a path to leveraging the container-based architecture. But until then, solutions will incorporate a mixture of VMs and containers. In virtualised legacy networks like the EPC and the 5G Non-Standalone (NSA) core, network functions that create real-time services and manage the user plane traffic typically run on VMs, which is appropriate for supporting services that do not have strict latency requirements or network configurations. Meanwhile, operators use containers for broadband services that need scalability or for services that are not susceptible to failures. Therefore, to support interworking with existing networks, the 5G network requires virtualisation and cloud-native technology that can support both VMs and containers at the same time. Typical VM, container and hybrid architectures are depicted in Figure 7.

2.6.4 Unikernels

A unikernel is an alternative to both VMs and containers for lightweight virtualisation of resources. It can embed only one application and a limited set of its dependencies which, differently from containers, also includes the libraries for hardware resource management [33]. It emerged from the idea that the majority of the functions running either in the cloud or at the edge do not require many of the services inherent to OSs, and thus those services can be excluded. Unikernels are single-purpose appliances that are specialised at compile time into standalone kernels (footnote 32). They are constructed modularly with the minimal necessary libraries, compiled together with the application code into an image (with no division between kernel and user spaces) that can be run on top of a hypervisor or directly on a hardware layer. Different library OSs (e.g. IncludeOS, UKL, MirageOS, OSv, Rumprun, runtime.js) can be used to develop unikernels, with slightly different security profiles, programming languages (some of them aiming to avoid programming directly in C) and legacy compatibility.

Among other advantages, unikernels improve security over other virtualisation paradigms since (i) they have no other functions or ports apart from the specific application they were built for, so the attack surface is minimal, and (ii) they achieve a degree of isolation similar to VMs and much higher than containers, since the latter share a common kernel. Besides, due to their specialisation, unikernels come with the benefit of faster boot times and smaller image sizes than containers, as well as a similar degree of memory consumption when running. Still, unikernels have some drawbacks that come mainly from their immaturity. The most critical one is related to the high development times, as (i) kernel functionalities have to be carefully selected and configured for the specific application, (ii) there is a lack of tools designed for debugging unikernels, and (iii) to be updated they have to be shut down, updated, recompiled and instantiated, a set of operations that cannot be run on the fly.

32 A. Madhavapeddy et al., Unikernels: Library Operating Systems for the Cloud, ACM SIGPLAN Notices, vol. 48, no. 4, 2013, pp. 461-72.
33 http:/unikernel.org/projects/

The nature of unikernels (footnote 33) makes them suitable for deploying stateless, high-response, low-latency VNFs located at edge nodes. General algorithms (compression, encryption, data aggregation) and specific functions for vehicular edge computing (VEC), edge computing for smart cities and augmented reality (AR) (footnote 34) are use cases in which unikernels can be of utility. The UNICORE project (footnote 35), which aims at providing a toolchain for facilitating the development of secure, portable, scalable, lightweight and high-performance unikernels, foresees their potential application in 5G-RAN, vCPE and serverless computing, among other fields. As current virtualised infrastructure managers (VIMs) support unikernels, some H2020 5G-PPP projects (such as 5G-MEDIA (footnote 36), 5GCity (footnote 37), Superfluidity (footnote 38), 5G-Complete (footnote 39), etc.) are using them jointly with VMs and containers within their 5G deployments, being leveraged in tandem with conforming

services, thus benefiting from their respective advantages.

2.6.5 VMs vs containers vs unikernels

Operators have been deploying VNFs for several years to replace hardware-based appliances. Operators deploy network functions virtualisation (NFV) in one of three ways: on virtual machines (VMs) with hypervisors; in containers; or using a hybrid approach. VMs have their own operating system (OS), while containers share an OS. As such, containers are more efficient because they do not require multiple operating systems per host. However, containers present several challenges for telecom-grade environments. The first challenge is that sharing the OS creates the potential for applications and their containers to interfere with each other or to create resource contention. For mobile operators in particular, this approach creates difficulties in both the control and data planes of a 5G environment, where latency, efficiency, security and a high level of distribution are needed. Unikernels, as a third option, primarily target the drawbacks of legacy VMs by compressing the kernel and shared libraries to the bare minimum while maintaining compatibility with the traditional cloud virtualisation stacks (hypervisors, controllers, MANO). Differently from containers, which have a shared kernel, each unikernel has its own kernel. This allows better isolation than containers. Table 6 provides a comparison of virtualisation technologies. In addition, Figure 8 illustrates the main differences between the architectures of VMs, containers and unikernels [33].

Table 6: Virtualisation technologies comparison

Isolation. Virtual machines: strong. Containers: weak. Unikernels: strong.
Image size. Virtual machines: large. Containers: small. Unikernels: small.
Instantiation (boot time). Virtual machines: slow. Containers: fast. Unikernels: fast.
Memory consumption (resource overhead). Virtual machines: high. Containers: low. Unikernels: medium.
Toolset. Virtual machines: strong. Containers: strong. Unikernels: weak.

Figure 8: Comparison of the architecture of VMs, containers and unikernels

34 R. Morabito, V. Cozzolino, A. Y. Ding, N. Beijar and J. Ott, Consolidate IoT Edge Computing with Lightweight Virtualization, in IEEE Network, vol. 32, no. 1, pp. 102-111, Jan.-Feb. 2018.
35 http:/unicore-project.eu
36 http:/www.5gmedia.eu
37 https:/www.5gcity.eu
38 http:/superfluidity.eu
39 https:/5gcomplete.eu

2.7 NFV DEPLOYMENT MODELS

In a virtualised environment the underlying hardware, as well as the virtual dynamic network where the NFVs reside, may be shared by multiple tenants, and there are a number of different deployment scenarios with varying risks. Such shared resources may expose security risks at several different levels, and the severity of the risk may depend on the nature of the tenants. Below are the main NFV deployment models, with varying risks, that may be considered in a virtualised environment. The main references used to develop this section are [32], [23], [34] and [35].

2.7.1 Single operator environment

The same operator owns, operates and completely controls the VNFs, the virtualisation layer, the hardware and the premises in which they are located (see Figure 9). In this model, the operator is only exposed to its own network elements and functions. In this model, the operator must cater for most of the risks, since it has to implement security measures to protect the different layers of NFV, including VNFs, virtual resources and physical infrastructure. The operator must also implement robust identity, credential and access management policies to protect its assets and prevent attacks such as man-in-the-middle, whereby an attacker (e.g. a malicious or compromised tenant) can illegitimately access the offered service. Malicious insiders in the operator's system administration represent a further risk of compromising the operator's reputation and exposing the tenant to security risks, since the tenant may receive compromised services that violate its data. In this model, the tenant has no control over the infrastructure. Tenant data are stored within the operator's infrastructure and thus it is of paramount importance that the strong security measures necessary to protect these data are applied. Such measures include the prevention of data loss and strong isolation when data belonging to different tenants share the same server (or resources). Data breaches can also happen when a malicious tenant violates someone else's data. With this model, consumers usually access the services offered through web browsers, thus the operator must not overlook vulnerabilities in the software offered and in the protocols used (e.g. HTTP) in order to protect its network from attacks. A typical category of attack is the abuse and nefarious use of services performed, for example, by a consumer who executes a malware injection or DoS attack on the operator's server, profiting from the services offered.

Figure 9: Single operator environment model

2.7.2 Operator hosting virtual network operators

This is based

on the single operator environment model. In this model, the network operator hosts other virtual network operators within the same facility. It would probably isolate each virtual operator on separate hardware. However, in theory, the VMs or containers of different virtual network operators could run alongside each other over the same virtualisation layer (see Figure 10). In this model, the operator is exposed to its own network elements and functions, as well as to the network elements and functions of the other virtual operators.

Figure 10: Operator hosting virtual network operators model

2.7.3 Third party hosting

A third-party cloud provider operates the computer hardware, the infrastructure network and the virtualisation layer on which the VNFs are running. The premises, including cable chambers, patch panels, etc., are physically secured by the third-party cloud provider. There are three scenarios in this model (see Figure 11):

- scenario 1, separate cloud for a single operator: in this scenario, the platform runs the VNFs of a single operator;
- scenario 2, community cloud for multiple operators: in this scenario, the platform runs the VNFs of multiple operators;
- scenario 3, public cloud for operators and other service providers: in this scenario, the platform runs operators' VNFs or other non-network related services.

In all scenarios, the operators are always accountable and responsible for the protection of VNFs and data. In all scenarios, the operator is exposed to its own network elements and functions as well as to the third-party hosting service, which may not be accountable and may be able to transparently gather information emitted from the network infrastructure. In scenario 2, the operator may also be exposed to network traffic from other operators. In scenario 3, the operator may also be exposed to network traffic from other operators as well as to traffic from other services that may have lesser security and/or integrity requirements than the operator. In this model, the operator must avoid software VNF vulnerabilities to prevent an attacker from making nefarious use of services. For its part, the cloud provider must avoid software flaws in the operating system and in the virtual resources and servers offered to the operator(s), while guaranteeing them access to the platform through secure APIs to prevent malware injections. Due to weak isolation among resources of the platform assigned to different VNFs belonging to diverse operators or to the non-network services of other service providers, attacks such as side-channel attacks or VM or container data theft may occur. At the same time, applications or non-network related services from other service providers that are not necessarily all trusted may run on the same platform in different VMs or containers, so the operator can be damaged by an attacker that manages to exploit a lack of isolation between a vulnerable VM or container and other VMs or containers or the host machine, thus gaining illegitimate access to other VNFs belonging to other operators or to the cloud provider's platform.

2.7.4 Operator hosting third party service providers

In this model, the operator leaves to the service provider the task of deploying its own applications, thus executing arbitrary software on the operator infrastructure (see Figure 12). In this case the operator is in charge of protecting its assets, which include data and the servers underlying the virtual resources offered as MEC services. For the operator, potential threats can be caused in the following situations: (i) elevated privileges are given to a service provider on storage access (data breach risks); (ii) the service provider is able to control the infrastructure offered by the operator through insecure APIs (insecure API risks) and execute arbitrary code (higher risk of hijacking of the elements of the infrastructure by malicious service providers); and (iii) a service provider could run malicious code through the operating system of its VM, thus penetrating the operator's infrastructure, or could, intentionally or accidentally, fail to update its VM, thus exposing it to attacks.

2.7.5 Summary

The different deployment models described above are s

ummarised in Table 7. It shows the actor(s) involved in the management and operation at each layer of the NFV system for each deployment model. The column Location states the location where the infrastructure is deployed. The column Cloud Type identifies which of the common deployment models used in cloud computing each NFV deployment scenario is similar to. The right-most column, Suitable for, gives the suitability of each deployment model for the core, MEC and/or RAN.

Table 7: Virtualisation technologies comparison

Single operator environment. Hardware: Operator. Virtualisation layer (Host OS, Hypervisor, CIS): Operator. VNFs/Applications: Operator. MANO: Operator. Location: On premise. Cloud Type: Private Cloud. Suitable for: Core.
Operator hosting virtual network operators. Hardware: Operator. Virtualisation layer (Host OS, Hypervisor, CIS): Operator. VNFs/Applications: Operator, Virtual Operator(s). MANO: Operator, Virtual Operator(s). Location: On premise. Cloud Type: Private Cloud. Suitable for: Core, MEC, RAN.
Third party hosting, scenario 1. Hardware: Cloud Provider. Virtualisation layer (Host OS, Hypervisor, CIS): Cloud Provider. VNFs/Applications: Operator. MANO: Cloud Provider, Operator. Location: Vendor Locations. Cloud Type: Hybrid Cloud. Suitable for: Core, MEC, RAN.
Third party hosting, scenario 2. Hardware: Cloud Provider. Virtualisation layer (Host OS, Hypervisor, CIS): Cloud Provider. VNFs/Applications: Operators. MANO: Cloud Provider, Operators. Location: Vendor Locations. Cloud Type: Community Cloud. Suitable for: MEC, RAN.
Third party hosting, scenario 3. Hardware: Cloud Provider. Virtualisation layer (Host OS, Hypervisor, CIS): Cloud Provider. VNFs/Applications: Operators, Service Providers. MANO: Cloud Provider, Operators, Service Providers. Location: Vendor Locations. Cloud Type: Public Cloud. Suitable for: MEC.
Operator hosting third party service providers. Hardware: Operator. Virtualisation layer (Host OS, Hypervisor, CIS): Operator. VNFs/Applications: Operator, Service Providers. MANO: Operator, Service Providers. Location: On premise. Cloud Type: Edge Cloud. Suitable for: MEC.

3. 5G NFV: ASSETS, CHALLENGES, VULNERABILITIES AND ATTACK SCENARIOS

In this chapter, we identify and describe 5G NFV assets, challeng

es, vulnerabilities and attack scenarios. This initial step will guide us in identifying the best practices and providing recommendations.

3.1 ASSETS

To address NFV challenges in a 5G ecosystem, it is essential to identify the assets of such a complex ecosystem. The main asset categories introduced in this report are inspired by the ENISA Threat Landscape for 5G Networks, [6] (December 2020) and [36] (November 2019), and derived from the 5G NFV architecture described at the beginning of this report. These main categories include components and entities from network products, management and orchestration, data, processes and environment. A complete diagram of the asset mind maps is presented in Annex B.

Figure 13: 5G NFV asset categories

An assessment of the asset categories in maintaining security-related protection properties in terms of CIA (confidentiality, integrity and availability) for each category is provided in Annex A. The critical asset categories of 5G NFV to be protected are as follows (see Figure 13).

- The NFV network components category includes NFV component network planes, functions and elements. These divide into multiple asset groups such as core functions, virtualisation infrastructure, network function virtualisation (NFV), physical infrastructure, security, software-defined networking (SDN) and Multi-Edge Computing (MEC), among others.
- The NFV MANO network components category includes the management of network functions (NFVO, VIM, VNFM), network slicing, the operations support system, network/element management systems (EMS/NMS) and the SDN Controller. MANO is the most vital part of the 5G infrastructure since it is responsible for controlling the entire set of network functions, their virtualisation and the entire related software lifecycle.
- The NFV Data category includes user, application, VNF, NS, system, network, SDN, configuration and security-related data.
- The NFV processes and environment category includes processes and facilities related to MNOs and vendors.

3.2 SECURITY CHALLENGES

While NFV opens the door to flexible networks and rapid service creation, it offers security opportunities while also introducing additional security challenges and complexities. 5G networks essentially promote the use of NFV technologies. NFV, like many new technologies, presents new security challenges, and many of the security challenges applicable to NFV extend to 5G networks. Thus, it is important to address the security challenges appropriately and to focus on instilling stronger security and privacy settings in 5G NFV systems. In this chapter, we identify and describe the security challenges that 5G NFV may face. Documents used as references for the development of this chapter are provided in Annex G. The challenges have been grouped into categories to make them more understandable. The resulting list consists of seven categories (see Figure 14).

Figure 14: Categories of security challenges

Each category is covered in one section. Each section starts with an overview of the challenge category, followed by a table describing the associated challenges. A high-level mapping table showing the relationship at the category level between challenge categories, vulnerabilities, attacks, affected assets and best practices is provided in section 4.4. A detailed mapping is provided in Annex F.

3.2.1 Virtualisation or containerisation

Cloud, virtualisation, containerisation, edge computing and SDN play additional roles in the era of 5G. The scale, elasticity, agility, responsiveness and rich software functionality required for 5G applications and microservices can only be achieved in the cloud. Today NFV is carried out on VMs and containers, and they will continue to be used in a 5G environment. As with any new technology, the benefits may also present potential security challenges if proper security measures are not considered. NFV enables network slicing

323、 by replacing network functions on appliances such as routers,load balancers and firewalls with instances of virtualised software that run on commodity hardware.Virtual network functions and/or cloud-native network functions are used to run these functions as packaged software which also means a muc

324、h wider attack area.Moreover,SDNs enable programmable network controls and abstract the underlying infrastructure from the apps and network services.Centralised and controllable,SDNs provide the agility required to adapt to the evolving needs of 5G microservices.However,SDNs are susceptible to attac

325、ks such as forwarding device attacks,control pane threats,API vulnerabilities,counterfeit traffic flows and more.In the edge and far edge,operators are introducing VNFs which causes a new set of security challenges.VMs or containers may require elevated privileges to support certain network function

326、s that could cause security vulnerabilities for the host system as well as peer VMs or containers.Due to the unique characteristic of the NFV environment,different network functions can be created and terminated dynamically on different and distributed entities.The NFV approach allows for the dynami

Due to the unique characteristics of the NFV environment, different network functions can be created and terminated dynamically on different and distributed entities. The NFV approach allows the dynamic distribution of instantiated VNFs throughout the virtualised infrastructure, at the edge, in the core or in the operator's datacentre. In the same way, monitoring can also be distributed and take place at different locations in the operator's network, covering different parts of the network. The dynamic distribution of NFV architectures poses major security challenges that need to be considered.

A unique aspect of co-residency in NFV is that, in an NFV stack, co-residency can happen between more layers, such as between VNFs and the virtualisation layer or between the virtualisation layer and physical hosts. Co-residency of VNFs on the same physical host can occur through placement or migration and is known to lead to side-channel or resource depletion attacks because of the shared physical resources such as CPU, memory or cache. Co-residency of VNFs on a host can also occur when different tenants use the same host to run similar network functions, such as a virtual firewall or a virtual IDS. The fact that multiple tenants share both virtual and physical resources in the same NFV stack poses additional security challenges. Table 8 lists the main security challenges raised by virtualisation or containerisation technologies.

Table 8: Main security challenges facing virtualisation or containerisation

ID: CH-V1
Challenge title: Challenges within the runtime software
Challenge description: Virtualisation of network functions increases the network's exposure to attackers because of the increased reliance on software. An NFV software component may contain software vulnerabilities or may itself be malware. In virtualised implementations, all VNFs are implemented on a common software platform such as OpenStack or Kubernetes. While vendors may produce tweaked variants, the core code will be largely identical. Similarly, the host OS, hypervisor, container infrastructure service (CIS) and VNF software will be identical or drawn from a limited set of variants. This means that if an attacker is able to identify a software vulnerability in one VNF, that vulnerability will likely exist in many other VNFs, making the attacker's job much easier and increasing the risk of a cascading security failure in the network.
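The co-residency discussion above names placement and migration as the two ways VNFs of different tenants end up sharing a physical host, and hence CPU, cache and memory. The placement check below is an added example, not part of the report or of any orchestrator: it runs a greedy scheduler over a constructed fleet and demand with tenant isolation switched on and off, so the trade-off is visible in numbers. With isolation every cross-tenant host disappears, but a small fourth tenant finds no admissible host although spare capacity exists across the fleet; without isolation everything fits and every host carries two tenants. Host names, tenants and vCPU figures are constructed, and the same violation check applied to a post-migration layout is how a VIM or NFVO would detect that a migration has broken the isolation a placement decision originally provided.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vnf:
    name: str
    tenant: str
    vcpus: int


@dataclass
class Host:
    name: str
    vcpus: int
    vnfs: list = field(default_factory=list)

    @property
    def free_vcpus(self) -> int:
        return self.vcpus - sum(v.vcpus for v in self.vnfs)

    @property
    def tenants(self) -> set:
        return {v.tenant for v in self.vnfs}


def coresidency_violations(hosts):
    """Hosts running VNFs of more than one tenant. On such a host the tenants share the
    physical CPU, cache and memory, which is the precondition for the side-channel and
    resource-depletion attacks discussed above. Works on any layout, including one
    produced by live migration after the original placement decision."""
    return {h.name: sorted(h.tenants) for h in hosts if len(h.tenants) > 1}


def place(vnfs, hosts, isolate_tenants=True):
    """Greedy placement, largest VNF first. With isolate_tenants a host becomes dedicated
    to the tenant of the first VNF placed on it. Hosts are mutated in place; the return
    value is the list of VNFs for which no admissible host was found."""
    unplaced = []
    for vnf in sorted(vnfs, key=lambda v: -v.vcpus):
        candidates = [
            h for h in hosts
            if h.free_vcpus >= vnf.vcpus
            and (not isolate_tenants or not h.tenants or h.tenants == {vnf.tenant})
        ]
        # Prefer a host already serving this tenant, then the tightest fit, so that
        # empty hosts stay available for tenants that have not been placed yet.
        candidates.sort(key=lambda h: (h.tenants != {vnf.tenant}, h.free_vcpus))
        if candidates:
            candidates[0].vnfs.append(vnf)
        else:
            unplaced.append(vnf)
    return unplaced


def new_hosts():
    # Constructed fleet: three identical 8-vCPU compute hosts.
    return [Host("compute-1", 8), Host("compute-2", 8), Host("compute-3", 8)]


# Constructed demand: three tenants' network functions plus one small fourth tenant.
# Total demand (21 vCPU) is below fleet capacity (24 vCPU).
DEMAND = [
    Vnf("vfw-a", "tenant-a", 4), Vnf("vids-a", "tenant-a", 2),
    Vnf("vfw-b", "tenant-b", 4), Vnf("vlb-b", "tenant-b", 3),
    Vnf("upf-c", "tenant-c", 6),
    Vnf("vdns-d", "tenant-d", 2),
]


def compare():
    """Run both policies on the same demand and report what each one costs."""
    isolated = new_hosts()
    unplaced_isolated = place(DEMAND, isolated, isolate_tenants=True)
    packed = new_hosts()
    unplaced_packed = place(DEMAND, packed, isolate_tenants=False)
    return {
        "isolated_unplaced": [v.name for v in unplaced_isolated],
        "isolated_violations": coresidency_violations(isolated),
        "packed_unplaced": [v.name for v in unplaced_packed],
        "packed_violations": coresidency_violations(packed),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The isolated run places five of the six VNFs with no host carrying two tenants, and leaves tenant-d's 2-vCPU function unplaced even though 5 vCPU are free in total, because every host with free capacity is already dedicated to another tenant. The packed run places everything and ends with all three hosts in the violation list. That gap, capacity that exists but cannot be used without co-residency, is the operational price of the anti-affinity policy and is why it must be reflected in capacity planning rather than bolted on afterwards.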
