By Luke Hinds, principal software engineer, NFV Partner Engineering in the Office of Technology at Red Hat
NFV security has recently become a hot topic and was a key theme at the recent OPNFV Summit in Berlin. A survey conducted for OPNFV by Heavy Reading and released at the Summit found that security is the top technology OPNFV “should investigate.” Summit keynote speaker Mikko Hypponen of F-Secure delivered a presentation on the importance of security. He highlighted the grave consequences that can result from a lack of consideration and planning in securing critical infrastructure (which, alongside energy, also includes telecoms). I also gave an OPNFV Security Working Group presentation.
As security continues to be a key area to investigate, now would be an apt time to highlight the work of the OPNFV Security Group and invite interested parties to join us.
The OPNFV Security Working Group was formed to improve OPNFV security through development, architecture, documentation, secure code review, vulnerability management, and upstream collaboration with other security groups. The group also provides an ‘umbrella’ organization to encourage the development of security-centric functions within the OPNFV ecosystem.
Within OPNFV, the group's three project work areas are:
Core Infrastructure Initiative (CII) Badge Program
The Core Infrastructure Initiative (CII) Badge Program is a program under the Linux Foundation for open source communities to self-audit their current security posture. This involves many steps, such as ensuring a secure release process, secure tooling, and vulnerability handling.
CI / CD Security Scanning
Security Scanning is a project to ensure security compliance and perform vulnerability checks as part of an automated CI / CD NFV platform delivery process. The project makes use of the existing NIST SCAP format and the OpenSCAP tools to perform deep scanning of NFVi nodes, ensuring they are hardened and free of known CVE-reported vulnerabilities.
Currently the project performs security checks of the Linux host OS and the OpenStack deployment on NFVi nodes with the ‘compute’ and ‘control’ profiles. Each check verifies that a system meets a defined security standard, such as DISA STIG or FedRAMP. Plans are underway to extend the checks to SDN controllers and to include GPG signing of reports.
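As an added illustration of the kind of CI gate such scanning enables (this is example code, not code from the OPNFV Security Scanning project), the Python below parses a constructed XCCDF 1.2 result document in the shape `oscap xccdf eval --results` writes and blocks the pipeline when any rule at or above a chosen severity failed or errored. The rule ids mimic SCAP Security Guide naming but the outcomes are made up.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed XCCDF results fragment in the shape oscap writes with --results;
# rule ids mimic SCAP Security Guide naming, the outcomes are made up.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2016-07-01T00:00:00">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <target>compute-node-01.example.invalid</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_login_events" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_banner_text" severity="low">
      <result>error</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""

def parse_rule_results(xml_text):
    """Return (counts by outcome, list of (rule id, severity, outcome))."""
    root = ET.fromstring(xml_text)
    counts, rows = {}, []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        outcome = rr.findtext(XCCDF_NS + "result", default="unknown").strip()
        counts[outcome] = counts.get(outcome, 0) + 1
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    return counts, rows

def gate(xml_text, min_severity="medium"):
    """Block on fail/error/unknown at or above min_severity; an 'error' (checker could not run) is never treated as a pass."""
    threshold = SEVERITY_RANK[min_severity]
    _, rows = parse_rule_results(xml_text)
    blocking = [r for r in rows
                if r[2] in ("fail", "error", "unknown")
                and SEVERITY_RANK.get(r[1], 0) >= threshold]
    return len(blocking) == 0, blocking
```

Treating `error` like `fail` matters in a delivery pipeline: a checker that could not run says nothing about the node, so the node should not be waved through.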
Inspector
Inspector is a project to ensure that the existing audit framework for the critical components in OPNFV is extensive enough and compliant with industry standards and foreseeable business use cases.
We welcome questions about the security group and also encourage interested parties to get involved. In fact, our OPNFV Security Group motto is: “It’s not what Security can do for you, but what you can do for Security.” We welcome contributors from across the ecosystem (from vendors to network operators and more) to join us and help make NFV a secure, robust environment. A great first step is to join our weekly Wednesday meeting, 14:00 UTC, over IRC on freenode, channel #opnfv-sec.
For more details of the OPNFV Security Group, please visit the group’s wiki page.
About the author of this post
Luke Hinds is a principal software engineer, working in NFV Partner Engineering in the Office of Technology at Red Hat. He has a fifteen-year career as a security architect & engineer, mainly focused on topics such as Telco Cloud, LTE Radio Transport, SS7 and Mobile Broadband security. He started his career in electronics as a server repair technician for Texas Instruments. He lives in a small town in Wiltshire, UK with his wife and two daughters.