Fig 4 - uploaded by Antonio Lioy
The vTPM architecture [10].  

Source publication
Conference Paper
SDN and NFV are modern techniques to implement networking infrastructures and can be used also to implement other advanced functionalities, such as the protection architecture designed by the SECURED project. This paper discusses a couple of techniques – trustworthy network infrastructure monitoring and remote attestation of virtual machines – usef...

Context in source publication

Context 1
... A first approach to solving this problem is to emulate the whole functionality of a physical TPM with a custom software module. In this way, the module can be used to attest multiple VMs with just one hardware TPM. This is the vTPM [10] approach (Fig. 4), where each VM has a client-side TPM driver to which the VM sends its TPM commands. A server-side TPM driver runs in a special VM on top of the hypervisor; this server-side driver collects the commands from the client-side drivers and forwards them to the vTPM manager. The vTPM manager is in charge of creating vTPM instances and ...
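The multiplexing described in the excerpt (one client-side driver per VM, a server-side driver in a privileged VM, a manager that creates one vTPM instance per VM) can be sketched as a small simulation. The following is an added example, not code from the cited paper or the vTPM project: the class names, the in-process "driver" calls standing in for the hypervisor channel, and the constructed measurement values are assumptions; only the PCR extend rule (new = H(old || measurement)) and the 24-register layout follow the TPM specification.

```python
import hashlib
from dataclasses import dataclass, field

PCR_COUNT = 24    # PCRs 0..23, as in most TPM modules
DIGEST_LEN = 32   # SHA-256 bank, so an empty PCR is 32 zero bytes

# Constructed sample measurements (not real image hashes).
KERNEL_A = hashlib.sha256(b"constructed kernel image A").digest()
ROGUE_MODULE = hashlib.sha256(b"constructed unexpected module").digest()


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend semantics: the register can only be appended to, never set."""
    return hashlib.sha256(current + measurement).digest()


@dataclass
class VTPMInstance:
    """One emulated TPM owned by exactly one VM; its PCRs are private to that VM."""
    vm_id: str
    pcrs: list = field(default_factory=lambda: [bytes(DIGEST_LEN)] * PCR_COUNT)

    def extend(self, index: int, measurement: bytes) -> bytes:
        if not 0 <= index < PCR_COUNT:
            raise ValueError(f"PCR index out of range: {index}")
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)
        return self.pcrs[index]

    def quote(self, indices):
        """Return the selected PCR values (signing by the hardware TPM is out of scope here)."""
        return {i: self.pcrs[i].hex() for i in indices}


class VTPMManager:
    """Creates a vTPM instance on first use of a VM id and keeps the instances apart."""
    def __init__(self):
        self.instances = {}

    def get_or_create(self, vm_id: str) -> VTPMInstance:
        if vm_id not in self.instances:
            self.instances[vm_id] = VTPMInstance(vm_id)
        return self.instances[vm_id]


class ServerSideDriver:
    """Runs in the privileged VM: receives (vm_id, command) from client drivers,
    resolves the owning vTPM through the manager and dispatches the command.
    The vm_id comes from the hypervisor channel, not from the guest, so a guest
    cannot address another VM's registers."""
    def __init__(self, manager: VTPMManager):
        self.manager = manager

    def handle(self, vm_id: str, command: str, *args):
        inst = self.manager.get_or_create(vm_id)
        if command == "extend":
            return inst.extend(*args)
        if command == "quote":
            return inst.quote(*args)
        raise ValueError(f"unsupported command: {command}")


class ClientSideDriver:
    """Lives inside a guest VM; forwards TPM commands to the server-side driver."""
    def __init__(self, vm_id: str, server: ServerSideDriver):
        self.vm_id = vm_id
        self.server = server

    def extend(self, index: int, measurement: bytes) -> bytes:
        return self.server.handle(self.vm_id, "extend", index, measurement)

    def quote(self, indices):
        return self.server.handle(self.vm_id, "quote", indices)


def demo():
    """Two VMs boot the same kernel; one of them later loads an unexpected module.
    Returns (quote of VM A, quote of VM B, number of vTPM instances created)."""
    manager = VTPMManager()
    server = ServerSideDriver(manager)
    vm_a = ClientSideDriver("vm-a", server)
    vm_b = ClientSideDriver("vm-b", server)

    vm_a.extend(10, KERNEL_A)
    vm_b.extend(10, KERNEL_A)
    vm_b.extend(10, ROGUE_MODULE)   # only VM B's PCR 10 changes

    return vm_a.quote([10]), vm_b.quote([10]), len(manager.instances)


if __name__ == "__main__":
    qa, qb, n = demo()
    print("instances:", n)
    print("vm-a PCR10:", qa[10])
    print("vm-b PCR10:", qb[10])
```

A verifier comparing VM A's quote against the expected value for `KERNEL_A` accepts it, while VM B's diverges after the extra extend; the divergence is visible per VM precisely because the manager gave each guest its own register set behind the single hardware TPM.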

Similar publications

Conference Paper
Cloud computing offers an attractive platform to provide resources on-demand, but currently fails to meet the corresponding latency requirements for a wide range of Internet of Things (IoT) applications. In recent years efforts have been made to distribute the cloud closer to the user environment, but they were typically limited to the fixed networ...
Article
Industry 4.0 was proposed by Germany, which will bring a revolution in manufacturing. How does China’s manufacturing sector deal with this revolution? The key is to identify problems and provide solutions. Based on the analysis of statistical data and the qualitative analysis, the paper carries out an in-depth analysis of current situation of China...
Conference Paper
Hybrid modelling is an experimental methodology that integrates information from physical and numerical modelling components running in parallel with the aim of achieving a more realistic and accurate representation of a complex system. Interfacing physical and numerical models requires an efficient, reliable and fast data coupling method that enab...
Article
The evolution of Software-Defined Networking (SDN) has so far been predominantly geared towards defining and refining the abstractions on the forwarding and control planes. However, despite a maturing south-bound interface and a range of proposed network operating systems, the network management application layer is yet to be specified and standard...

Citations

... Traffic can be filtered by limiting MAC addresses by use of port security feature [22]. Use of trusted platform module Identity provisioning hardware with public key cryptography and tampering detection [23]. Patch level Up-to-date security patches are important for eliminating potential attacks to the network [19]. ...
... Application of Trusted Computing mechanisms to the softwarised network environment, comprising both SDN and NFV, has been discussed in the work by Jacquin, Lioy, Lopez et al. [29], who propose NFV Remote Attestation for the NFVI, individual VNFs and the MANO sub-systems. More specifically, the authors discuss the challenges in Virtual Machine attestation (to be applied on VNFs), as the TPM-based integrity verification design does not easily translate to a virtualised domain while keeping the same security assurance as a physical domain. ...
Conference Paper
Network Functions Virtualisation (NFV) is a novel paradigm for softwarisation of network functions that allows an operator to leverage large-scale virtualisation to enhance availability and flexibility of typical network and security services offered to end users. Virtual Network Functions are proposed as an alternative to traditional hardware appliances, with the aim of reducing maintenance and upgrade costs and enhancing the provisioning and on-demand placement of network functions. Although promising, this paradigm introduces relevant challenges in the field of security, as the attack surface of a virtualised architecture is larger than that of a traditional hardware-based network platform. In fact, not only is it affected by the generic threats of both the virtualisation and networking domains, it also introduces new threats due to the combination of these domains. In this work, we propose the design of a centralized monitoring and reporting solution to assess the trustworthiness of an NFV infrastructure, named Trust Monitor. Moreover, we present an open-source prototype for the proposed solution, which is tailored for the Security-as-a-Service use case and integrated with a reference NFV framework.
... Network virtualization must guarantee isolation to minimize security risks, as well as safeguard stability and convergence time. The advantages of NFV (such as cost and performance) also introduce new security challenges that are essential to consider for developing and ensuring accountability at each layer of security: domain isolation (improved confidentiality) and remote attestation (verification) [135]. Isolation can enhance fault tolerance, security, and privacy, while attestation is necessary for verifying the trust status of the NFV platform [136], [137]. ...
Article
Network operators are under pressure to offer efficient network-based services while keeping service deployment costs to a minimum. Network Functions Virtualization (NFV) can potentially revolutionize network-based services, bringing low deployment costs for network operators. NFV has been introduced to ultimately extend the non-proprietary and open-standard-based model to network and service deployments, a significant improvement over today's proprietary, locked implementations. Notwithstanding the continuous efforts of both academia and industry to support the NFV paradigm, the current NFV solutions offered are still in their infancy. In this survey, we provide a detailed background of NFV to establish a comprehensive understanding of the subject, ranging from the basics to more advanced topics. Moreover, we offer a comprehensive overview of the NFV main concepts, standardization efforts, and benefits of NFV, and discuss the NFV architecture as defined by the European Telecommunications Standardization Institute (ETSI). Furthermore, we discuss NFV applicability and current open source projects. We then highlight NFV requirements, design considerations, and developmental architectural impairments and barriers to commercial NFV deployments. Finally, we conclude by enumerating future directions for NFV development.
... The establishment of trust in the NFV environment, as envisioned by the ETSI NFV ISG, has been already discussed in scientific literature. Jacquin et al. [7] have discussed the problem of trust in modern network infrastructures, with respect to both SDN and NFV. The authors propose the inclusion of a TC-compliant verifier in the SDN management infrastructure that could interact with both the SDN controller and the SDN network elements to retrieve their network flow tables and exchange attestation data. ...
... Moreover, OpenCIT implements an additional step for attestation of Linux hosts, allowing a customization of the list of files and directories to be measured during the boot process. Such capability, named Trust Policy, enables remote integrity verification at application level, similarly to the Linux Integrity Measurement Architecture proposed by Jacquin et al. [7]. Both executables and configuration files are extended into the chain of trust of the host platform into a specific PCR by a component of the Trust Agent. ...
... The technology used to implement the Trust Monitor and the integrity attestation framework was developed in SECURED [6] as an extension of the Open Attestation (OAT) framework. ...
Conference Paper
This demo showcases some of the capabilities foreseen for the security infrastructure designed by the H2020 SHIELD project. SHIELD exploits NFV for adaptive monitoring of an IT infrastructure and for feeding the data to an analytics engine to detect attacks in real time. An intelligent reaction system is then activated to reconfigure the SDN/NFV infrastructure so that the attacks are thwarted. The SDN/NFV infrastructure itself is protected from attacks thanks to trusted computing techniques, which make it possible to quickly identify misbehaving nodes. The proposed demo will present detection of and reaction to a DDoS attack (by on-the-fly deployment of new virtual network security functions and/or change of network paths), as well as detection of software attacks against virtual network functions (executed in Docker containers) and unauthorized modification of the SDN switching tables and NFV configurations.
... The Trusted Computing Group (TCG) has provided TPM specifications and recommends using the TPM module to store passwords, cryptographic keys, certificates and other sensitive information. The TPM contains platform configuration registers (PCRs), which can be used to store cryptographic hash measurements of the system's critical components [15], [16]. There are in total 24 PCRs in most TPM modules, numbered from 0 to 23. Figure 2 depicts these PCR registers and their association with the system's components. ...
Conference Paper
In a Telco cloud environment, virtual network functions (VNFs) can be shipped in the form of virtual machine images and hosted over commodity hardware. It is likely that these VNF images will contain highly sensitive data and mission-critical network operations. For this reason, these VNF images are prone to malicious tampering during shipping and even after being uploaded to the cloud image database. Furthermore, due to various applications, there is a requirement from mobile network operators to seal VNFs on specific platforms which satisfy certain hardware and software configurations. This requires cloud service providers to introduce mechanisms to verify VNF image integrity and host sealing before the instantiation of VNFs. In this paper, we present a proof of concept, demonstrated with the help of an experimental setup, to solve the above-mentioned problems. We also evaluate the performance of the envisioned setup and present some insights on its usability.
Article
For various reasons, the cloud computing paradigm is unable to meet certain requirements (e.g. low latency and jitter, context awareness, mobility support) that are crucial for several applications (e.g. vehicular networks, augmented reality). To fulfil these requirements, various paradigms, such as mobile edge computing, fog computing, and mobile cloud computing, have emerged in recent years. While these edge paradigms share several features, most of the existing research is compartmentalised; no synergies have been explored. This is especially true in the field of security, where most analyses focus only on one edge paradigm, while ignoring the others. The main goal of this study is to holistically analyse the security threats, challenges, and mechanisms inherent in all edge paradigms, while highlighting potential synergies and venues of collaboration. In our results, we will show that all edge paradigms should consider the advances in other paradigms.