ExSEC aims at evaluating a set of new components, architectural designs and APIs related to improving and assuring the security and resilience of network- and application-services deployed in distributed and hosted virtualised infrastructures and targeting different vertical sectors, before porting these to the emerging industrial 5G networks and cloud service providers. ExSEC explicitly addresses the security and robustness of cloud-native solutions. The ExSEC framework consists of an innovative security orchestrator and a number of new security enablers offering visibility and control of the security and robustness of the vertical-tenant network- and application-services. ExSEC can integrate with the northbound interface of the 5GINFIRE OSM orchestrator by means of a new MANO-NBI enabler and with the 5GINFIRE portal by means of a new security dashboard. A number of new security monitoring managers and agents/probes and security element managers are developed as virtual functions and integrated into the 5GINFIRE VxF repository.
In order to protect their network- and application-services, developers and/or end-user operators include virtualized instances of security appliances in their design and/or deployment. Unfortunately, this approach often results in security being managed by people without sufficient skills or specific expertise, and it is not able to cope with dynamic threats arising during the whole service life-cycle. To overcome these limitations, this proposal aims at shifting the responsibility for security, privacy, and trustworthiness from developers or end-users to service providers, by leveraging descriptive security-context models and their use by a semi-autonomous security-management and -orchestration logic, resulting in the enrichment and assurance of the design and operation of network- and application-services with security features/functions.
As a result, a novel security-by-design orchestration framework is proposed to support the easy definition/specification of different security requirements/expectations and to assure these during all phases of the service-/experimentation-life-cycle, paving the way towards offering Assured-Security-as-a-Service business models. The proposed solution is flexible enough to support different vertical sector experimental requirements and can be deployed in different 5GINFIRE testbeds (e.g., 5TONIC, 5G Media Vertical). To support this direction, we instrument our novel security orchestrator (SO) service component and several extensible security enablers/agents in order to integrate these into the current 5GINFIRE experimental infrastructure/facilities (see Figure 1). The SO leverages the dynamic configuration and programmability features of the supported security resources. Through the new security dashboard, 5GINFIRE experimenters (developers, SecOps) can enhance their current experiments with security-related expectations/requirements, in both the deployment and operations phases, by means of deployment constraints (DC) and run-time policies (RP). DCs are defined on behalf of application developers (e.g., component A's service port is 80 and it is required to be deployed inside Europe), while RPs are defined by SecOps in the form of security policies, e.g. a set of event-condition-action rules such as: when a malicious source is detected, block its future access and notify the security and systems administrators/experimenters.
The ExSEC SO can integrate with the 5GINFIRE-supported APIs (5GINFIRE Portal and OSM APIs/SDK). It provides visualization of the service graph, security enrichment and a context metadata model.
In addition, the experiment provides a smart proxy agent that includes a policy engine and a context broker.
For the evaluation of the experiment additional virtual functions are provided that demonstrate the feasibility and the potential of the ExSEC framework in a use-case based in the media domain utilizing media components of the TNO 5G Media Vertical test-bed.
Objectives and Expected Results
The main objective of the experiment is to validate the feasibility, deployment and operations of an Assured-Security-as-a-Service solution (ExSEC) that addresses security gaps in an organization's use of cloud services (5G network services, application services, direct cloud-to-cloud access), provides a central location for policy and governance concurrently across multiple cloud services (for users and devices), and offers granular visibility and control over user activities and sensitive data. The objective of the ExSEC experiment is to cover the whole life-cycle of a cloud service, i.e., from the design phase (users are developers, security and risk managers, experimenters) through deployment and operations (users are SecOps) until retirement, by means of security service build, deployment and operations experiments.
A further objective of the experiment is to validate the integration of the ExSEC framework with the current 5GINFIRE facilities (as 5G network service cloud providers) and the media capabilities of the 5G Media Vertical testbed (video streaming capabilities). ExSEC provides an application that is deployed at the 5G Media Vertical testbed and incorporates the specific media capabilities offered by 5G Media Vertical, which allows evaluating how the ExSEC solution governs the consoles of the 5GINFIRE facility/testbed providers and extends visibility and governance to services running in these clouds.
As validation of the developed technology, an assured-security IoT/media application-service from the healthcare vertical domain (Remote Patient Monitoring) is deployed and instrumented for assured security in the cloud service provider environment.
In the first deployment phase, TNO's own video aggregation component (VAF) is utilized, in which multiple video feeds are combined in a dashboard and a specific feed can be selected for high-priority live streaming.
In an envisioned second deployment phase, the patients’ vital health parameters (e.g., heart rate) as well as video stream of different health exercises are securely-collected on the patients’ smart phones (emulated user equipment (UE) provided by 5G Media Vertical testbed). The component that implements this functionality is a micro-service called Patient Service, composed of the data collector and the patient data application functions. It provides a web GUI service to the end-user client system (web browser) to access vital health parameters and surveillance video of patients and see aggregated information thereof, according to the access-rights attached to their specific user-role (patient, clinician, general practitioner, etc.).
In both deployments, the collected video/data is stored and given access to through a set of secured APIs. The integration of the (emulated) user equipment and 5G connectivity via Open5GCore as well as the utilization of the video streaming capabilities emphasize the domain specifics offered by the TNO 5G Media Vertical testbed.
The experiment scenario demonstrates how our proposed ExSEC SO framework supports security monitoring/visibility and threat protection through policy enforcement close to the attack sources in a typical cloud-native NFVI/MANO environment.
By utilizing the service provided by our ExSEC SO, experimenters can extend their experiments/applications to include available security functions/services using supported security-metadata that will be interpreted and enforced not only at the build and deployment phase (deployment constraints) but also during the operations phase (run-time policies).
The ExSEC experiment validates the feasibility, deployment and operations of an Assured-Security-as-a-Service solution (ExSEC) that addresses security gaps in an organization’s use of cloud services (5G network services, application services, and direct cloud-to-cloud access). Together with the ExSEC Framework components a validation use case is deployed at the 5G Media Vertical testbed.
Use Case Scenario
Our use case to validate the developed technology is an assured-security IoT/media application-service from the healthcare vertical domain (remote patient monitoring). The patients' vital health parameters (e.g., heart rate) as well as video streams of different health exercises are securely collected on the patients' smart phones (emulated user equipment (UE) provided by the 5G Media Vertical testbed), stored, and made accessible through a set of secured APIs. The component that implements this functionality is a micro-service called patient service, composed of the data collector and the patient data application functions. It provides a web GUI service to the end-user client system (web browser) to access vital health parameters and surveillance video of patients and see aggregated information thereof, according to the access-rights attached to their specific user-role (patient, clinician, general practitioner, etc.). The integration of the (emulated) user equipment and 5G connectivity via Open5GCore as well as the utilization of the video streaming capabilities emphasize the domain specifics offered by the TNO 5G Media Vertical testbed.
The selected typical scenario is illustrated in Figure 3 and can be described as follows.
A. The patient service provider enhances his/her service function chain via the security dashboard and deploys the enhanced service function chain via the 5GINFIRE OSM at the central nodes.
B. Two users (user A and user B) connect to the patient service via the Open5GCore network deployed at the edge nodes (5G Media Vertical Testbed) via (emulated) user equipment (smart phone) with the ability to record/stream video.
1. Malicious activities of user B are detected and signalled to the security orchestrator (SO).
2. A: The SO instructs the OSM to create a dedicated honeypot zone for traffic from user B for further analysis. B: The SO instructs the security element manager to redirect traffic from user B to that honeypot zone.
3. A: The OSM creates the dedicated honeypot zone. B: The security element manager updates the forwarding rules to direct user B's traffic to the selected honeypot zone.
Inside the dedicated honeypot zone multiple intrusion detection and attack analysis VxFs can be deployed, e.g. for legal evidence collection and advanced logging as well as attack mitigation. Note that the forwarding update of step 3B should only be applied once the honeypot zone of step 3A is reachable; otherwise user B's traffic is dropped rather than captured for analysis.
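The following is an added example, not ExSEC project code, that models both the two policy kinds introduced earlier (deployment constraints checked before deployment, run-time policies as event-condition-action rules) and the honeypot redirection of steps 1 to 3 above. The OSM and the security element manager are replaced by in-memory state inside a stand-in `Orchestrator` class; the class and function names, the descriptor and event field names, and the sample events are all assumptions made for illustration.

```python
"""Minimal event-condition-action (ECA) policy engine plus deployment-constraint
checks, driven through the honeypot redirection scenario.  Added illustration,
not ExSEC code; names, data formats and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# ---- Deployment constraints (DC): checked once, before deployment ----------
# Each constraint is (field, operator, expected); operators are "==" and "in".
def check_deployment_constraints(descriptor: dict, constraints: list) -> list[str]:
    """Return one violation string per constraint the descriptor fails."""
    violations = []
    for name, op, expected in constraints:
        actual = descriptor.get(name)
        ok = actual == expected if op == "==" else actual in expected
        if not ok:
            violations.append(f"{name}={actual!r} fails '{op} {expected!r}'")
    return violations

# Constructed descriptor and DCs (assumed formats, not the ExSEC metadata model).
DESCRIPTOR = {"component": "patient-service", "service_port": 80, "region": "EU-NL"}
DEPLOYMENT_CONSTRAINTS = [
    ("service_port", "==", 80),                      # "service port is 80"
    ("region", "in", {"EU-NL", "EU-ES", "EU-DE"}),   # "deployed inside Europe"
]

# ---- Run-time policies (RP): event-condition-action rules -----------------
@dataclass
class Rule:
    name: str
    event_type: str                                  # event: which probe event
    condition: Callable[[dict, Orchestrator], bool]  # condition: may read SO state
    actions: list                                    # action(s): callables

@dataclass
class Orchestrator:
    """Stand-in for the security orchestrator.  honeypot_zones models what the
    OSM would instantiate, forwarding what the security element manager would
    program; both are plain in-memory state here (assumption)."""
    rules: list = field(default_factory=list)
    honeypot_zones: dict = field(default_factory=dict)  # src -> zone name
    forwarding: dict = field(default_factory=dict)      # src -> next hop
    blocked: set = field(default_factory=set)
    notifications: list = field(default_factory=list)
    alert_counts: dict = field(default_factory=dict)

    def create_honeypot_zone(self, src: str) -> str:
        """Idempotent: one zone per source (would be an OSM NBI call)."""
        if src not in self.honeypot_zones:
            self.honeypot_zones[src] = f"honeypot-{len(self.honeypot_zones) + 1}"
        return self.honeypot_zones[src]

    def next_hop(self, src: str):
        """Where the element manager currently forwards this source's traffic."""
        if src in self.blocked:
            return None
        return self.forwarding.get(src, "patient-service")

    def handle(self, event: dict) -> list[str]:
        """Evaluate all rules against one event; return the names that fired."""
        if event["type"] == "ids_alert":
            self.alert_counts[event["src"]] = self.alert_counts.get(event["src"], 0) + 1
        fired = []
        for rule in self.rules:
            if rule.event_type == event["type"] and rule.condition(event, self):
                for action in rule.actions:
                    action(event, self)
                fired.append(rule.name)
        return fired

def redirect_to_honeypot(event: dict, so: Orchestrator) -> None:
    """Scenario steps 2-3: create the zone first, then repoint the source."""
    zone = so.create_honeypot_zone(event["src"])
    so.forwarding[event["src"]] = zone
    so.notifications.append(f"{event['src']} (user {event['user']}) -> {zone}: {event['sig']}")

def block_source(event: dict, so: Orchestrator) -> None:
    so.blocked.add(event["src"])
    so.notifications.append(f"{event['src']} blocked after {so.alert_counts[event['src']]} alerts")

RULES = [
    Rule("quarantine-on-alert", "ids_alert",
         lambda ev, so: ev["severity"] >= 7 and ev["src"] not in so.honeypot_zones,
         [redirect_to_honeypot]),
    Rule("block-repeat-offender", "ids_alert",
         lambda ev, so: so.alert_counts.get(ev["src"], 0) >= 3,
         [block_source]),
]

# Constructed probe events; the field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "http_request", "user": "A", "src": "10.0.1.10", "dst_port": 80},
    {"type": "ids_alert", "user": "B", "src": "10.0.1.20", "severity": 8, "sig": "sqli-attempt"},
    {"type": "http_request", "user": "B", "src": "10.0.1.20", "dst_port": 80},
    {"type": "ids_alert", "user": "B", "src": "10.0.1.20", "severity": 6, "sig": "dir-scan"},
    {"type": "ids_alert", "user": "B", "src": "10.0.1.20", "severity": 9, "sig": "brute-force"},
]

def run_scenario(events=SAMPLE_EVENTS):
    """Feed the events through the SO; return it plus a per-event trace of
    (event type, source, rules fired, next hop after the event)."""
    so = Orchestrator(rules=list(RULES))
    trace = [(ev["type"], ev["src"], so.handle(ev), so.next_hop(ev["src"])) for ev in events]
    return so, trace

if __name__ == "__main__":
    print("DC violations:", check_deployment_constraints(DESCRIPTOR, DEPLOYMENT_CONSTRAINTS))
    so, trace = run_scenario()
    for row in trace:
        print(row)
    print(*so.notifications, sep="\n")
```

Two design points worth noting: the quarantine rule's condition consults orchestrator state (`not in so.honeypot_zones`) so that a second alert from an already redirected source does not trigger a second OSM instantiation, and `redirect_to_honeypot` creates the zone before writing the forwarding entry, which is the ordering the scenario requires. User A's traffic keeps its default next hop throughout, since no rule matches `http_request` events.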