
SHIELD High Level Architecture | News - Ubiwhere


MAR 31 2017

SHIELD High Level Architecture

Ubiwhere

SHIELD offers security-as-a-Service in an evolved telco environment, leveraging NFV (Network Function Virtualisation) and SDN (Software-Defined Networking) for virtualization and dynamic placement of security appliances in the network (virtual Network Security Functions – vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both infrastructure and services.

Based on SHIELD’s use cases and requirements, an initial high-level architecture has already been specified and made publicly available. The architecture is articulated around several components, illustrated in the figure below:

[Figure: SHIELD high-level architecture]

In a nutshell, the network infrastructure is the running space for the vNSFs; the DARE stores and analyses the security logs and events provided by the vNSFs; and finally the results are presented to the operator in the security dashboard. These core components are supported by i) the vNSF store, which holds the vNSF images; ii) the vNSF orchestrator, which manages the network infrastructure and the vNSFs; and iii) the Trust Monitor, which verifies that the SHIELD platform is trusted at all times.

The network infrastructure provides a trusted environment for the execution of vNSFs. For this purpose, the infrastructure will support attestation and should also include virtualised resources for hosting the vNSFs, as mandated by ETSI NFV. The network infrastructure interacts with the Trust Monitor in order to verify the integrity of each network component. The network infrastructure is interconnected with the vNSF Orchestrator through the vNSF Manager Engine. This interaction allows the deployment of vNSFs, their lifecycle management and the collection of monitoring information. Monitoring vNSFs inspect captured data and provide valuable information to the Data Service Engine component of the DARE.

Virtual Network Security Functions (vNSFs) are software instantiations of security appliances that are dynamically deployed into the network infrastructure. There are two main types of vNSFs operating on the network. The first type are the monitoring vNSFs, devoted to gathering information about the network and generating events in case of ongoing attacks. The second type are the acting vNSFs, which carry out the actions that prevent attacks or mitigate vulnerabilities and threats. The appropriate acting vNSF is chosen depending on the kind of threat. In terms of vNSF architecture, the main factor differentiating SHIELD from other NFV frameworks is the addition of an attestation capability to the platform, which has a wide impact on the technical implementation of the vNSFs that are deployable on SHIELD.

The vNSF orchestrator, or vNSFO, is responsible for managing the lifecycle of vNSFs. Among other things, this allows it to deploy (instantiate and place) vNSFs at specific points of the network infrastructure. To that end, the vNSFO interacts with each of the other modules to obtain data on the vNSFs, to receive deployment requests, or to convey information on specific vNSFs to enable analysis processes. The orchestrator also
