ETSI GS NFV-SEC 006-2016 Network Functions Virtualisation (NFV) Security Guide Report on Security Aspects and Regulatory Concerns (V1 1 1)《网络功能虚拟化(NFV) 安全指南 关于安全方面和监管问题的报告(V1 1 1)》.pdf

《ETSI GS NFV-SEC 006-2016 Network Functions Virtualisation (NFV) Security Guide Report on Security Aspects and Regulatory Concerns (V1 1 1)《网络功能虚拟化(NFV) 安全指南 关于安全方面和监管问题的报告(V1 1 1)》.pdf》由会员分享，可在线阅读，更多相关《ETSI GS NFV-SEC 006-2016 Network Functions Virtualisation (NFV) Security Guide Report on Security Aspects and Regulatory Concerns (V1 1 1)《网络功能虚拟化(NFV) 安全指南 关于安全方面和监管问题的报告(V1 1 1)》.pdf（29页珍藏版）》请在麦多课文档分享上搜索。

1、 ETSI GS NFV-SEC 006 V1.1.1 (2016-04) Network Functions Virtualisation (NFV); Security Guide; Report on Security Aspects and Regulatory Concerns Disclaimer The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and re

2、presents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)2 Reference DGS/NFV-SEC006 Keywords NFV, regulation, security ETSI 650 Route des Lucioles F-06921

3、Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search Th

4、e present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such

5、 versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on

6、the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notificati

7、on No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and t

8、he foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered f

9、or the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g31 Scope 6g32 Reference

10、s 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Security design guide . 8g34.1 Overview and introduction . 8g34.2 Risk, risk analysis, and risk management . 9g34.3 Design for assurance 10g34.4 Secure by

11、 default 12g34.5 Domain of Attack model 12g34.6 Regulatory and conformance issues . 13g34.7 Interoperability considerations . 13g34.7.1 Syntactic interoperability 13g34.7.2 Semantic interoperability 13g34.7.3 Electrical and mechanical interoperability 14g34.7.4 Radio communication interoperability 1

12、4g3Annex A (informative): Pro forma of Security and Regulatory Concerns for use in ETSI ISG NFV GSs . 15g3A.1 Risk analysis and assessment . 15g3A.2 Countermeasure deployment 16g3A.2.1 Identity management 16g3A.2.2 Integrity protection and verification . 16g3A.2.3 Confidentiality 16g3A.2.4 Availabil

13、ity and resilience 16g3A.2.5 Trust framework . 16g3A.3 Regulatory conformance 17g3A.3.0 Introduction 17g3A.3.1 Data protection and Privacy . 17g3A.3.2 Retention of Data 22g3A.3.3 Lawful Interception 22g3A.3.4 Export control of cryptographic material . 22g3A.3.5 Others . 23g3Annex B (informative): Su

14、mmary of attack vectors as applied in NFV 24g3B.1 Interception attacks. 24g3B.2 Manipulation attacks 24g3B.3 Identity based attacks . 24g3Annex C (informative): Cryptographic measures for NFV protection . 25g3C.1 Cardinality of relationships 25g3C.2 Algorithm selection and key size . 25g3Annex D (in

15、formative): Bibliography . 27g3ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)4 Annex E (informative): Authors Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:

16、/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essenti

17、al to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“,

18、 “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)6 1 Scope The pres

19、ent document is a guide to developers of NFV related documents and applications in means to address the security aspects and regulatory concerns as they impact the security of deployed networks that conform with these documents and applications. The present document contains detailed descriptions of

20、 security concerns, attacks, as well as an overview of regulatory concerns and how they can be treated in system design to give the highest level of assurance that the resultant system is secure and complies with current regulation and best practice. The present document is intended for use by devel

21、opers of NFV documents and the guidance is given in a manner that assists non-experts in security and regulation to prepare such documents. In addition to the guidance and explanatory text the present document contains, in annex A, a pro forma template for use in ETSI ISG NFV documents to capture th

22、e security concerns and mitigations that apply. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the

23、latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of pub

24、lication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number

25、) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee t

26、heir long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 102 165-1: “Telecommunications and Internet converged Services and Protocols for Advanced Networkin

27、g (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. i.2 ISO/IEC 15408-2: “Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements“. i.3 ISO/IEC 15408-1: “Information technology

28、 - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model“. i.4 Privacy Impact Assessment Handbook (2009). NOTE: Available at http:/www.piawatch.eu/node/48. i.5 ETSI TR 103 309: “CYBER; Secure by Default - platform security technology“. i.6 Directive 2014/

29、53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC. ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)7 i.7 Directive 2014/30/EU of the E

30、uropean Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to electromagnetic compatibility (recast) (Text with EEA relevance). i.8 Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the r

31、equirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (Text with EEA relevance). NOTE: Available at http:/eur-lex.europa.eu/ i.9 ETSI GS NFV-SEC 004: “Network Functions Virtualisation (NFV); NFV Security; Privacy and Regu

32、lation; Report on Lawful Interception Implication“. i.10 ETSI GS NFV-SEC 010: “Network Functions Virtualisation (NFV); NFV Security; Report on Retained Data problem statement and requirements“. i.11 ETSI GS NFV-SEC 003: “Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidan

33、ce“. i.12 UK Information Commissioners Office: Conducting Privacy Impact Assessments Code of Practice. NOTE: Available at https:/ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf. i.13 ETSI ETR 332:“Security Techniques Advisory Group (STAG); Security requirements capture“. i

34、.14 ETSI ES 202 383: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining Security Targets“. i.15 ETSI ES 202 382: “Telecommunications and Internet converged Services and Protocols for Advanced Net

35、working (TISPAN); Security Design Guide; Method and proforma for defining Protection Profiles“. i.16 Domains of Attack list and descriptions. NOTE: Available at http:/www.mitre.org. Please consult this website for detailed descriptions of each attack: http:/capec.mitre.org/data/graphs/3000.html. i.1

36、7 IEC 60906-2: “IEC system of plugs and socket-outlets for household and similar purposes - Part 2: Plugs and socket-outlets 15 A 125 V a.c. and 20 A 125 V a.c.“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ETSI TS 102

37、165-1 i.1 apply. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI TS 102 165-1 i.1 and the following apply: PP Protection Profile TVRA Threat Vulnerability Risk Analysis ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)8 4 Security design guide 4.1 Overview and int

38、roduction Security cannot be an afterthought, and has to be considered throughout the planning/development/deployment/runtime lifecycle. Unfortunately, effective security design is not trivial and there is a constant tension between functionality and security that inherently couples the two. A signi

39、ficant danger is that in progressing functionality it will become harder and harder to provide deeply rooted security in system designs. As with design of any type there are a number of ways to approach security in system design. The primary starting point in much of security is to identify an attac

40、k and pair it with a means to thwart the attack, such that a tuple of issue, mitigation will exist across the system. Figure 1: Illustration of a threat tree to identify forms of threat in systems Whilst an understanding of threat trees (see figure 1) is useful it is not sufficient and has to be map

41、ped to a wider understanding of countermeasures. For example the tuple masquerade, authentication suggest that if the authentication element is implemented properly it will counter masquerade, but the pre-requisites of authentication include identity management and credential management. If authenti

42、cation is a cryptographic process further issues arise that include the viability of the authentication algorithms over time (and associated cryptographic strength), the means to distribute credentials (the pairing of identity and the cryptographically significant data used to assert it), and so for

43、th. In the regulatory domain the mind-map shown in figure 2 identifies some of the relationships between protection technology and attack types, and the relationship between privacy and regulation is highlighted. The latter is important as regulation exists to protect the obligation or right to priv

44、acy as identified in a number of acts and laws, however there are a number of exceptions to the right to privacy identified by the same broad set of acts and laws that generally give rights for law enforcement to have reasonable rights to protect the wider population sometimes with a short term risk

45、 to the individual. Such exceptions include the need to provide for Lawful Interception, and to retain data in the network in support of law enforcement. ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)9 Figure 2: Mind-map illustrating complexity of privacy and privacy protection In designing a secure syst

46、em an understanding of the impact of attack has to be developed. For example, when two functions share a host, a Denial of Service attack on one may affect the other. The mitigation may be to not co-host high-priority functions with low-priority functions. 4.2 Risk, risk analysis, and risk managemen

47、t Designing for the effective security of a system cannot be done without a reasonable understanding of risk, there are a large number ways of modelling security in systems that look variously at the process (Identify, Mitigate, Monitor as a continuous loop), and at the interactions of assets. The m

48、odel given in ETSI TS 102 165-1 i.1 and copied below makes a number of assumptions including: systems are compositions of a set of assets; assets may have inherent vulnerabilities; a vulnerability when discovered with a viable threat becomes a weakness; exploitation of a weakness leads to something

49、unwanted in the system (unwanted incident); and, threat agents are used to enact threats and many threat agents may work together to exploit a weakness. ETSI ETSI GS NFV-SEC 006 V1.1.1 (2016-04)10 Figure 3: Generic security TVRA model from ETSI TS 102 165-1 i.1 There are a number of questions that arise from the generic model shown in figure 3 and these include: What are the assets of my system? How do I determine the vulnerabilities and when they become exploitable weaknesses? How do I protect my system? The