NFV CyberGuard Solution
Traditional telecom networks are built on closed, single-purpose operating system infrastructures that can be effectively protected from hacking and other attacks. Using SDN and NFV technologies for next generation network infrastructures offers openness, remote programmability, agility and the other advantages of IT-like networks. However, the same similarity to IT networks that makes SDN/NFV networks attractive to communications service providers (CSPs) also exposes them to the full range of cyberattacks that target IT networks. As network technology moves from single-purpose devices to general-purpose compute elements, with network functions delivered as virtualized network functions (VNFs) on open platforms and protocols such as Linux, OpenStack and OpenFlow, the infrastructure inherits the cyber threats that come with them.
The NFV infrastructure (NFVI) planes must be protected from volumetric attacks such as flooding and distributed denial of service (DDoS); from threats to the hypervisor and vSwitch components on the control plane; and from malware, remote-access threats and targeted attacks on the application (VM) plane. In addition, man-in-the-browser (MitB) attacks, attacks exploiting open-source components, and spoofing attacks threaten all open network layers. On open networks, these attacks and advanced persistent threats (APTs) bypass existing security solutions that rely on log data from security appliances in the core network to analyze breaches after the fact. APTs can hide undetected in a network and on endpoints for months, stealthily capturing and exfiltrating data passing through the network, leaving the network open to further penetration by attackers who have never been detected.
Celare's NFV cyber security solution, NFV CyberGuard, consists of three building blocks:
- T-Sense agents embedded in the CloudMetro virtualization platform or another NFV white box, plus additional security probes, which together collect data.
- Big data analytics for aggregating and analyzing the metadata and identifying anomalies.
- The SDN controller of the EdgeGenie Orchestrator, which takes immediate network-wide action to neutralize threats.
In the collection stage, embedded agents running on the CloudMetro virtualization platform, together with the other security probes, extract metadata and content at wire speed with hardware acceleration and perform full session reconstruction. The collected data is maintained in the NFV CyberGuard real-time database, which serves as the model of expected network behavior. For CSPs and small and medium-sized businesses (SMBs) using third-party L2 switches, Celare provides an NFV CyberGuard plug-in that filters the flows entering the CSP's TVE virtualization engine and controls the L2 switch to block flows from penetrating the network when threats or malware are detected.
For aggregation, a big data platform is used for long-term recording and indexing of the data and for analyzing it to definitively identify and characterize threats; the same store provides forensic capabilities. The collected data is filtered, re-aggregated, correlated and investigated using analysis tools such as information discovery, a graph database, and event processing and rule engines.
Network anomalies and threats are detected by monitoring sensors that apply predictive models and detection algorithms to pinpoint suspicious activity. Cyber protection policies are applied across the entire network, out to the edge, giving full network visibility.
Once anomalies are identified, characterized and located, the NFV CyberGuard agent immediately activates the EdgeGenie Orchestrator, Celare's SDN/NFV network management and orchestration system, to take network-wide action and neutralize threats before they cause damage. NFV CyberGuard provides centralized control and orchestration for actions such as remotely changing the IP/MPLS control plane or altering routing to shut off flows, service VNFs and devices. Network bypasses are established and deployed to reroute and redirect data flows.
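The collect, baseline, detect and respond loop described in the preceding paragraphs, reduced to a runnable sketch. This is an added example and not Celare's code: the flow record format, the per-source mean-plus-3-sigma threshold with an absolute packet floor, the bridge name `br0` and the choice of `ovs-ofctl` syntax for the blocking rule the SDN controller would push are all assumptions, and the traffic sample is constructed.

```python
"""Illustrative collect -> baseline -> detect -> respond loop (added example,
not Celare's code): agents export per-interval flow metadata, a baseline of
expected per-source packet rates is learned, intervals that exceed it are
flagged, and an OpenFlow drop rule is generated for the vSwitch."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowRecord:
    """One metadata record an agent would export per sampling interval (assumed format)."""
    t: int        # sampling interval index
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    packets: int  # packets seen in this interval


def baseline(records, train_until):
    """Per-source (mean, stddev) of packets per interval over intervals 0..train_until.

    This plays the role of the 'database of expected network behavior'."""
    per_src = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.t <= train_until:
            per_src[r.src][r.t] += r.packets
    stats = {}
    for src, by_t in per_src.items():
        # Intervals with no traffic from this source count as zero.
        xs = [by_t.get(t, 0) for t in range(train_until + 1)]
        stats[src] = (mean(xs), pstdev(xs))
    return stats


def detect(records, stats, after, k=3.0, min_pkts=100):
    """Return (t, src, packets, threshold) for intervals after `after` whose
    per-source packet count exceeds mean + k*sigma from the baseline."""
    per = defaultdict(int)
    for r in records:
        if r.t > after:
            per[(r.t, r.src)] += r.packets
    anomalies = []
    for (t, src), n in sorted(per.items()):
        mu, sigma = stats.get(src, (0.0, 0.0))  # unseen source: only the floor applies
        # Absolute floor so a steady host (sigma ~ 0) does not alarm on one-packet jitter.
        threshold = max(mu + k * sigma, float(min_pkts))
        if n > threshold:
            anomalies.append((t, src, n, round(threshold, 1)))
    return anomalies


def drop_rule(bridge, src, priority=200):
    """The flow rule the SDN controller would push to the vSwitch, in ovs-ofctl syntax."""
    return f'ovs-ofctl add-flow {bridge} "priority={priority},ip,nw_src={src},actions=drop"'


def respond(records, train_until, bridge="br0"):
    """Run the whole loop and return the distinct drop rules to push."""
    stats = baseline(records, train_until)
    seen, rules = set(), []
    for _, src, _, _ in detect(records, stats, after=train_until):
        if src not in seen:
            seen.add(src)
            rules.append(drop_rule(bridge, src))
    return rules


# Constructed sample: ten quiet intervals from two hosts, then host 10.0.0.5
# starts a DNS flood at interval 10 while 10.0.0.8 stays normal.
SAMPLE = []
for _t in range(10):
    SAMPLE.append(FlowRecord(_t, "10.0.0.5", "10.0.1.1", 443, 40 + (_t % 3) * 5))
    SAMPLE.append(FlowRecord(_t, "10.0.0.8", "10.0.1.1", 443, 30))
SAMPLE += [
    FlowRecord(10, "10.0.0.5", "10.0.1.1", 53, 5000),
    FlowRecord(10, "10.0.0.8", "10.0.1.1", 443, 31),
    FlowRecord(11, "10.0.0.5", "10.0.1.1", 53, 4800),
    FlowRecord(11, "10.0.0.8", "10.0.1.1", 443, 30),
]

if __name__ == "__main__":
    for rule in respond(SAMPLE, train_until=9):
        print(rule)
```

The absolute floor on the threshold is the part worth keeping in any real deployment: a host whose training traffic is perfectly steady has a standard deviation of zero, and without the floor a single extra packet would trigger a drop rule, which is exactly the kind of self-inflicted denial of service an automated SDN response must avoid.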