Securing against intruders and other threats through a NFV-enabled environment

Periodic Reporting for period 2 - SHIELD (Securing against intruders and other threats through a NFV-enabled environment)

Reporting period: 2017-09-01 to 2019-02-28

The priorities of the EC Digital Agenda state that protection against online accidents and crime has become central to consumer confidence and the online economy. This calls for an effective strategy against cyber-attacks that accurately transforms shared knowledge into actionable information while maintaining a global view of the network.
The ambition of SHIELD is to contribute towards addressing these challenges by designing and implementing an integrated framework for next-generation security-as-a-service (SecaaS) offerings.
Towards this aim, the SHIELD approach combines Network Functions Virtualisation (NFV), Big Data Analytics and Trusted Computing (TC), in order to provide an extensible, adaptable, fast, low-cost and trustworthy cybersecurity solution. It aims at delivering cybersecurity as an integrated service of virtual network infrastructures, which can be tailored for Internet Service Providers (ISPs) and enterprise customers - including SMEs - on equal terms. Virtualised Network Security Functions (vNSFs) provide software instantiations of security appliances that can be dynamically deployed into a network infrastructure. In line with the NFV concept and going beyond traditional cloud-based SecaaS offerings, vNSFs can be distributed within the network infrastructure close to the user/customer. This makes it possible to radically optimise resource allocation, minimise costs and reduce incident response time.
Furthermore, SHIELD envisages that data and logs from vNSFs are aggregated and fed into an information-driven Intrusion Detection and Prevention System (IDPS) platform called the Data Analysis and Remediation Engine (DARE), featuring analytical components capable of predicting specific vulnerabilities and attacks. The DARE leverages state-of-the-art Big Data technologies in order to collect, store and process data from vNSFs and translate them into adversarial options, behaviours and intents. By centralising events and logs from multiple vNSFs, the DARE maintains the “big picture” of the network infrastructure status; thus it can infer events which cannot be detected by the individual vNSFs - and dynamically propose actions so as to automatically mitigate them.
Last but not least, in order to address security issues associated with software-based infrastructures, such as SDN/NFV, SHIELD leverages Trusted Computing (TC) aspects and mechanisms in order to attest both the software-defined network infrastructure and the virtualised security appliances (vNSFs), as well as the underlying infrastructure, protecting them against unauthorised modifications.
The SHIELD virtual security infrastructure can either be used by the ISP internally for network monitoring and protection, or it can be offered as-a-service to ISP customers; for this purpose, SHIELD establishes a “vNSF Store”, i.e. a repository of available virtual security functions (firewalls, DPIs, content filters etc.) from which the ISP customers can select the ones which best match their needs and deploy them to protect their infrastructure. This approach promotes openness and interoperability of security functions and offers an affordable, zero-CAPEX security solution for citizens and SMEs.
The project work plan is divided into three main phases: design, implementation, and integration/verification/assessment. Throughout the project duration, the following were achieved:
- The candidate use cases of the SHIELD framework were defined, identifying the involved stakeholders and the value chain, leading to a set of technical requirements.
- The implementation phase followed, focusing on the two main subsystems of the SHIELD framework, i.e. the DARE and the vNSF ecosystem (including the Attestation framework).
- System integration and testing followed several iterative cycles, putting together all components and assembling/verifying the end-to-end SHIELD framework.
- The evaluation and assessment phase was also carried out during the final phase of the project, including realistic lab-based usage scenarios, assessment in pre-operational conditions (under real traffic), as well as targeted demos with external stakeholders.
- Last, with respect to the communication and exploitation part, the communication activities included public online channels, articles in international conferences and journals, participation in exhibitions and targeted speeches. The exploitation activities included an analysis of the market landscape, the positioning of SHIELD, as well as a concrete business plan accompanied by a thorough techno-economic analysis.
Overall, the project has produced three main discrete results, in terms of technical development:
- The Data Analytics and Remediation Engine (DARE).
- The vNSF Ecosystem, consisting of the vNSFs and the vNSF management and orchestration (MANO) stack.
- The attestation framework, consisting of both hardware and software components.
All of the above results are jointly developed foreground, and most of them have been publicly released as open-source software.
The ambition of SHIELD is to constitute a significant step forward compared to the current state of the art in cybersecurity-as-a-service (SecaaS) offerings and SIEM (Security Information and Event Management) platforms. Going beyond cloud-based SecaaS services, SHIELD adopts an NFV-based concept, where security appliances are virtualised (vNSFs) and are dynamically spawned into the network (rather than in the cloud), thus increasing resource efficiency, minimising delay and maximising throughput. SHIELD integrates attestation mechanisms (which are missing from current NFV platforms) in order to better secure the software-based network infrastructure and the services running on it. It also opens the virtual appliance market by adopting a “vNSF store” concept, allowing the customer to compose services from various vNSF vendors in a “mix-and-match” fashion. Furthermore, SHIELD adds another layer of security by concentrating information from the vNSFs into a centralised intelligence engine - the DARE, a fully open, modular and scalable platform which can be extended using third-party algorithms. In summary, the uniqueness of SHIELD is twofold: first, it constitutes an integrated solution, combining the power and versatility of NFV and SIEM/Big Data in a single framework and, second, it is fully open (most of it is released as open-source), enabling customisation and scaling/expansion according to the customers’ needs.
The envisaged impact of SHIELD includes:
- Addressing all expected impacts targeted by the EC Work Programme (better management of cybersecurity information sources; more effective vulnerability remediation, enhanced prevention and detection; reducing the impact of incidents; increasing the level of awareness and preparedness)
- Improving the innovation capacity and fostering the integration of new knowledge, by enabling third-party services and algorithms to be easily integrated into the SHIELD system
- Offering competitive advantages for key stakeholders (telecom operators, ISPs, vendors, SMEs, cybersecurity agencies) by promoting the creation of an open ecosystem for cybersecurity infrastructure and services
- Bringing clear benefits to the society, by efficiently and effectively combating cybercrime and also improving the intelligence operations within the network - rather than the endpoints, whose level of protection mostly depends on the expertise of the end user/individual citizen.
SHIELD overall concept