1、INTERNATIONA1.STANDARDISO/IEC27033-7editionFirst2023-1.1.Informationtechno1.ogy-Networksecurity一的IineSfornetworkvirtua1.izationsecurityTechno1.ogiesdeinformationSecuritedesreseauxPartie7:1.ignesdirectricespourIas6cuht6de1.avirtua1.isationdesreseauxReferencenumberISO/IEC27033-7:2023(E)COPYRIGHTPROTEC
2、TEDDOCUMENTIS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.or啪UIBndttaeDmkfifiU81.andonnet8CH-1214Vernier,GenevaPhone:M1.22749O1.11觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andContentsForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefinitions115 Abbreviatedterms2Overview45.1 Genera1.45.2 Descrip
3、tionofnetworkvirtua1.ization45.3 Securitymode1.45.3.1 Mode1.ofnetworkvirtua1.izationsecurity6 5.3.2Networkvirtua1.izationcomponents.67 Securitythreats6Securityrecommendations77.1 Genera1.77.2 Confidentia1.ity77AUttabjIity87.5 Authentication(.9,t,.,.87.6 Accesscontro1.88Securitycontro1.s981Generi1.1.
4、98.2 Vworkinfrastructuresecurity1()8.5 Vworkmanagt11untocuritysecurity.-118.5.1 SDNcontro1.1.ersecurityI1.9 8.4.2NFVorchestratorsecurity12Designtechniquesandconsiderations129.1 Overview129.2 Integrityprotectionofp1.atform139.3 APIHjndngdbdonnetvmiuitbiGtfr11n139.5 Swork.13Annex A (informative)Usecas
5、esofnetworkvirtua1.ization.一.一.15Annex B (informative)Detai1.edsecuritythreatdescriptionofnetworkvirtua1.ization18Bib1.iography22IntroductionThepurposeofthisdocumentistoaddressthekeycha1.1.engesandrisksofnetworkvirtua1.izationWnuatydHefuiQckKicBijrrationniahngaihKiT1.Mirhia1.atecumriarinisitdrastruc
6、ture,rorkfunction,1) identifysecurityrisksofnetworkvirtua1.ization;2) proposeanetworkvirtua1.izationsecuritymode1.;3) workinfrastructure,workfunction,virtua1.contro1.andresourcemanagement.干力WdDwrtIUW煽。3昧FaihUIPCwj1.tuffeforsdOdUmentUndunduriJ1.喉中小小;伏SbMuDMfkr$tosecure1.ydesignanddeve1.opproductsthat
7、imp1.ementnetworkvirtua1.ization,andhe1.poperatorstoeva1.uatethesecurityoftheseproductsanddep1.oythemsecure1.yfornetworkservices.Byproposingsecurityguide1.ines,thisdocumentnetworkvirtua1.izationtechno1.ogy,aimstohe1.ptheindustrytoimprovesystemsecuritythatisbui1.tonThetargetaudiencecaninc1.udethenetw
8、orkequipmentvendors,networkoperators,internetserviceprovidersandsoftwareserviceproviders.Withtherapiddeve1.opmentofITtechno1.ogiessuchasc1.oudcomputing,ITsystemsandcommunicationsystemsareincreasing1.yevo1.vingwiththeadoptionofvirtua1.izationtechno1.ogy.Virtua1.izationenab1.es那时hiss段隔叩H81.eMrf1.exibi
9、1.ityandsca1.abi1.itywith1.owcost,butatthesametime,introducesInformationtechno1.ogy-Networksecurity一f席1.ineSfornetworkvirtua1.izationsecurity1 ScopeThisdocumentaimstoidentifysecurityrisksofnetworkvirtua1.izationandproposesguide1.inesfortheimp1.ementationofnetworkvirtua1.izationsecurity.Overa1.1.,thi
10、sdocumentintendstoconsiderab1.yaidthecomprehensivedefinitionandimp1.ementationofsecurityforanyorganizationvirtua1.izationenvironments.Itisaimedatusersandimp1.ementerswhoSW佬Dft1.tb1.1.娟HbntIMviff11酬琳如tionandmaintenanceofthetechnica1.contro1.srequiredtoprovide2 NormativereferencesTherearenonormativere
11、ferencesinthisdocument.3 TermsanddefinitionsForthepurposesofthisdocument,thefo1.1.owingtermsanddefinitionsapp1.y.ISOandIECmaintaintermino1.ogydatabasesforuseinstandardizationatthefo1.1.owingaddresses:ISOOn1.inebrowsingp1.atform:avai1.ab1.eathttps:/www.iso.org/obpX1.IECE1.ectropedia:avai1.ab1.enetwor
12、kvirtua1.izationworkscansimu1.taneous1.ycoexistoverthesharedinfraStEetUreSNniMitctHpvajWatmfcnrtuohaationa1.1.owstheaggregationofmu1.tip1.eresourcesandmakestheaggregatedygURCE:ISO/IECTR29181-1:2012,3.3netvorkfunctionsvirtua1.izationNFVtechno1.ogythatenab1.esthecreationOworkscansimu1.taneous1.ycoexis
13、toverthesharednetworksNote1toresource,entry:Thisinc1.udestheaggregationofmu1.tip1.eresourcesinaproviderandappearingasasing1.eSOURCE:ISO/iECTR22417:2017.3.83.3software-definednetworkingsetoftechniquesthatenab1.estodirect1.yprogram,orchestrate,contro1.andmanagenetworkresources,whichfaci1.itatesthedesi
14、gn,de1.iveryandoperationOfnetworkservicesinadynamicandsca1.ab1.emanner史9URCE:ITU-T.3300:2014,3.2.1virtua1.machinevirtua1.dataprocessingsystemthatappearstobeatthedisposa1.ofaparticu1.aruser,butwhosefunctionsareaccomp1.ishedbysharingtheresourcesofarea1.dataprocessingsystemPgIJRCE:ISO/IEC/IEEE24765:201
15、7,3.4564)containeriso1.atedexecutionenvironmentforrunningsoftwarethatusesavirtua1.izedoperatingsystemkerne1.fgURCE:ISO1EC22123-1:2023,3.12.4)orchestratortoo1.thatenab1.esDevOpspersonasorautomationworkingontheirbeha1.ftopu1.1.imagesfromregistries,dep1.oythoseimagesintocontainers(3.5),andmanagethenmni
16、ngcontainersOURCE:N1.STSP800-190servicefunctionchainorderedsetofabstractfunctionsandorderingconstraintsthatareapp1.iedtopacketsand/orframesand/orf1.owsse1.ectedasaresu1.tofc1.assificationthcgCftnW2!i退谢此Muonchaindefinesanatthebeginningof4 AbbreviatedtermsThefo1.1.owingabbreviatedtermsapp1.ytothisdocu
17、ment.5Gthefifthgenerationmobi1.enetvrorkAMFaccessandmobi1.itymanagementfunctionAPIUSFapp1.icationprogramminginterfaceauthenticationserverfunctionCDNCIScontentde1.iverynetworkcentreforinternetsecurityDoSDDoSdenia1.ofservicedistributeddenia1.OfserviceHMACIDShash-basedmessageauthenticationcodeintrusion
18、detectionsystemIPSintrusionpreventionsystemMANOmanagementandorchestrationMFANFmu1.ti-factorauthenticationnetworkfunctionNEVNFVOnetworkfunctionsvirtua1.izationnetworkfunctionvirtua1.izationorchestratorNRFNSSFnetworkrepositoryfunctionnetworks1.icese1.ectionfunctionOAMOMCoperationandmanagementoperation
19、maintenancecentreOSSD-WANoperatingsystemsoftware-definedwide-areanetworkSDNSFCSOftWare-definednetworkingservicefunctionchainSMFUDMsessionmanagementfunctionunifieddatamanagementUPFvCPUuserp1.anefunctionvirtua1.CPUVIMv1./Ovirtua1.isedinfrastucturemanagervirtua1.)/0VNFVNFMvirtua1.isednetworkfunctionvir
20、tua1.isednetworkfunctionmanagerVMVMemOryvirtua1.machinevirtua1.memoryVMMvRoutervirtua1.machinemanagervirtua1.routervSwitchVWAFvirtua1.switchvirtua1.webapp1.icationfirewa1.1.Vx1.ANWAFvirtua1.extensib1.e1.oca1.areanetworkWebapp1.icationrewa1.1.5 Overview5.1 Genera1.Networkvirtua1.izationprovidesanove1
21、so1.utionforthedeve1.opmentanddep1.oymentofITsystemsandXmwniniratiChasnbwkEidR,greadystorageredddte11tUof1.fcBRM三rovemen柳州MkiCaHyfunctionagi1.ityandautomation,whi1.esubstantia1.1.yreducingthecostofnetworkoperations.c) ManagementsystemOnthebasisofthe1.egacymanagementsystemsuchasOMCrtheSDNcontro1.1.e
22、randNFVorCheStratorarea1.soadded.TheNFVorchestratorisresponsib1.eforthea1.1.ocation,Schec1.u1.ingand1.ifecyc1.eonVM6VXF)4rdw4rr(R1M*Q)CenUinwConUinvrVirtMaIiMtiMMachineManMrrVirtiM1.Ncwur1.Function(SDNenab1.ed)HAftKrMe(BareMn)VmuaUjMtiMMMhiDCMgtrHvdwBTYgrM3Krtda4riHf1.itti4sbtittvi1.nWuHowingdata:FJtra1.hittedinthevirtua1.izeddata1.inkbetweentwovirtua1.izednetworke1.ements(seedatatransmittedintheintra-interfacesbetweenIWworkmanagement,e.g.betweenNFVOandVNEM,VNFMandVIM,VIMandSDNcontro1.1.er,etc.Datatransmi
