ISO/IEC 27033-7:2023
Information technology – Network security — Part 7: Guidelines for network virtualization security
This document aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, this document intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.
INTERNATIONAL STANDARD ISO/IEC 27033-7
First edition 2023-11
Information technology – Network security — Part 7: Guidelines for network virtualization security
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2023 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 General
5.2 Description of network virtualization
5.3 Security model
5.3.1 Model of network virtualization security
5.3.2 Network virtualization components
6 Security threats
7 Security recommendations
7.1 General
7.2 Confidentiality
7.3 Integrity
7.4 Availability
7.5 Authentication
7.6 Access control
7.7 Non-repudiation
8 Security controls
8.1 General
8.2 Virtual network infrastructure security
8.3 Virtual network function security
8.4 Virtual network management security
8.4.1 SDN controller security
8.4.2 NFV orchestrator security
9 Design techniques and considerations
9.1 Overview
9.2 Integrity protection of platform
9.3 Hardening for network virtualization
9.4 API authentication and authorization
9.5 Software defined security for virtual network
Annex A (informative) Use cases of network virtualization
Annex B (informative) Detailed security threat description of network virtualization
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 27033 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
The purpose of this document is to address the key challenges and risks of network virtualization
security. Network virtualization includes virtual network infrastructure, virtual network function,
virtual control and resource management. This document aims to:
1) identify security risks of network virtualization;
2) propose a network virtualization security model;
3) propose security guidelines for virtual network infrastructure, virtual network function, virtual
control and resource management.
This document intends to help stakeholders in understanding the main characteristics of network
virtualization security. For example, this document can help software and hardware suppliers to
securely design and develop products that implement network virtualization, and help operators to
evaluate the security of these products and deploy them securely for network services. By proposing
security guidelines, this document aims to help the industry to improve system security that is built on
network virtualization technology.
The target audience can include the network equipment vendors, network operators, internet service
providers and software service providers.
With the rapid development of IT technologies such as cloud computing, IT systems and communication
systems are increasingly evolving with the adoption of virtualization technology. Virtualization enables
systems to have high agility, flexibility and scalability with low cost, but at the same time, introduces
many security challenges.
INTERNATIONAL STANDARD ISO/IEC 27033-7:2023(E)
Information technology – Network security — Part 7: Guidelines for network virtualization security
1 Scope
This document aims to identify security risks of network virtualization and proposes guidelines for the
implementation of network virtualization security.
Overall, this document intends to considerably aid the comprehensive definition and implementation of
security for any organization’s virtualization environments. It is aimed at users and implementers who
are responsible for the implementation and maintenance of the technical controls required to provide
secure virtualization environments.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
network virtualization
technology that enables the creation of logically isolated network partitions over shared physical
network infrastructures so that multiple heterogeneous virtual networks can simultaneously coexist
over the shared infrastructures
Note 1 to entry: Network virtualization allows the aggregation of multiple resources and makes the aggregated
resources appear as a single resource.
[SOURCE: ISO/IEC TR 29181-1:2012, 3.3]
3.2
network functions virtualization
NFV
technology that enables the creation of logically isolated network partitions over shared physical
networks so that heterogeneous collections of multiple virtual networks can simultaneously coexist
over the shared networks
Note 1 to entry: This includes the aggregation of multiple resources in a provider and appearing as a single
resource.
[SOURCE: ISO/IEC TR 22417:2017, 3.8]
3.3
software-defined networking
set of techniques that enables to directly program, orchestrate, control and manage network resources,
which facilitates the design, delivery and operation of network services in a dynamic and scalable
manner
[SOURCE: ITU-T Y.3300:2014, 3.2.1]
3.4
virtual machine
virtual data processing system that appears to be at the disposal of a particular user, but whose
functions are accomplished by sharing the resources of a real data processing system
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.4564]
3.5
container
isolated execution environment for running software that uses a virtualized operating system kernel
[SOURCE: ISO/IEC 22123-1:2023, 3.12.4]
3.6
orchestrator
tool that enables DevOps personas or automation working on their behalf to pull images from registries,
deploy those images into containers (3.5), and manage the running containers
[SOURCE: NIST SP 800-190]
3.7
service function chain
ordered set of abstract functions and ordering constraints that are applied to packets and/or frames
and/or flows selected as a result of classification
[SOURCE: IETF RFC 7665, modified — removed “a service function chain defines an” at the beginning of
the definition and replaced “must” with “are” in the definition.]
4 Abbreviated terms
The following abbreviated terms apply to this document.
5G the fifth generation mobile network
AMF access and mobility management function
API application programming interface
AUSF authentication server function
CDN content delivery network
CIS centre for internet security
DoS denial of service
DDoS distributed denial of service
HMAC hash-based message authentication code
IDS intrusion detection system
IPS intrusion prevention system
MANO management and orchestration
MFA multi-factor authentication
NF network function
NFV network functions virtualization
NFVO network function virtualization orchestrator
NRF network repository function
NSSF network slice selection function
OAM operation and management
OMC operation maintenance centre
OS operating system
SD-WAN software-defined wide-area network
SDN software-defined networking
SFC service function chain
SMF session management function
UDM unified data management
UPF user plane function
vCPU virtual CPU
VIM virtualised infrastructure manager
vI/O virtual I/O
VNF virtualised network function
VNFM virtualised network function manager
VM virtual machine
vMemory virtual memory
VMM virtual machine manager
vRouter virtual router
vSwitch virtual switch
vWAF virtual web application firewall
VxLAN virtual extensible local area network
WAF web application firewall
5 Overview
5.1 General
Network virtualization provides a novel solution for the development and deployment of IT systems and
communication networks. It greatly reduces the cost of system maintenance, improves the utilization
of resources (such as computing, storage and networking) and the flexibility of IT systems or networks.
Cloud computing, the dominant platform for new IT systems and networks, makes extensive use of
network virtualization technology. ISO/IEC 22123-1 and ISO/IEC 22123-2 provide an overview of cloud
computing and its concepts. ISO/IEC 22123-3 provides a reference architecture for cloud computing.
The typical use cases of network virtualization include, but are not limited to, software-defined wide-area
network (SD-WAN), network slice, virtual WAF and cloud CDN with centralized control, which are
described in Annex A.
With the adoption of network virtualization, new security challenges to IT and communication systems
are introduced. Hence, traditional security protection solutions, which are often static, passive and
isolated, would not be effective for virtualized systems. New security solutions, which are dynamic,
proactive, coordinated and have intelligent management capability, are needed.
5.2 Description of network virtualization
Network virtualization abstracts physical resources, such as computing, networking, memory and
storage, into standard, general-purpose entities. Each entity can be deployed with service functions
under the control of an orchestrator. Through virtualization, the limitations of physical resources are
removed and the utilization of these resources is improved. The new virtual entities of these resources
are no longer limited by the way their physical counterparts are deployed.
In this document, network virtualization includes virtual network function and virtual network
connection. Virtual network function runs on virtual infrastructure (such as virtual computing,
virtual storage and virtual networking) using virtualization technologies (such as virtual machines
and containers). NFV is a common method to implement virtual network functions. Virtual network
connections are applied to connect functional units on demand; the resulting network, called SDN, is
composed of virtual data links. An important characteristic of SDN is that all underlying resources
can be centrally managed and expose a standard interface that supports software programming
based on the customer’s requirements. The introduction of SDN and NFV solutions changes the
network significantly: general-purpose hardware, virtual software function, programmable network
connections and services. With SDN and NFV, the cost of network operation and maintenance is cut
down, the utilization of resources (such as computing, storage and networking) is improved, the
flexibility of the network and service logic is increased, and the time-to-market of new services is
considerably decreased.
5.3 Security model
5.3.1 Model of network virtualization security
ISO/IEC 27033-1 provides a conceptual model of network security for network security risk and
management review. In general, network security includes three areas: security of the element, security
of network connection and security of management. In network virtualization, the element is a virtual
network function and the network connection is a virtual connection. This document further enhances
this model according to the technical characteristic of network virtualization, as shown in Figure 1.
Figure 1 — A conceptual model of network virtualization security risk areas
These changes brought about by network virtualization include:
a) Centralized controllers are included. The NFV orchestrator is responsible for the allocation,
scheduling and life cycle management of infrastructure and resources. The SDN controller is in
charge of the management of network topology and virtual data links. The NFV orchestrator and
SDN controller provide standard northbound API to support the scheduling of computing, network
and storage resources in the system in a software programmable manner, and also provide
collaborative, dynamic and optimized scheduling of network resources and services.
b) Network elements are now virtual elements (as opposed to physical elements) whose behaviour
is directed by the controller (NFV orchestrator). Network elements can be deployed or destroyed
on demand as software, with service logic and functionality programmed to run on virtualized
infrastructure (such as virtual machines and containers). ISO/IEC 21878 provides guidelines for
design and implementation of virtualized servers.
c) Data link has changed. Besides the physical data links, the adoption of new technologies such
as SDN and SFC provides efficient virtualized data links according to applications’ needs. New
technologies can also improve the efficiency of data transmission inside the system and meet the
transmission resiliency needs of cloud computing (such as load balancing and high reliability).
5.3.2 Network virtualization components
There are two forms of virtualization: bare metal architecture and hosted architecture. For efficiency
reasons, bare metal architecture is often used in network virtualization. The common components and
system architecture of network virtualization are shown in Figure 2, which consists of three parts:
virtual network infrastructure, network functions and management system.
a) Virtual network infrastructure
This layer includes the virtual machine manager and host OS. Hardware resources include hardware
for bare metal, hardware for switches and routers and hardware for storage. The virtual machine
manager abstracts the hardware resources to form virtual computing, storage and network resources
for the upper layer to invoke. Typical virtual machine managers include the hypervisor for virtual
machines and the container engine for containers.
b) Virtual network functions
VNFs deploy network functions as software on the virtual resources provided by virtualization, and
on-demand data connections between VNFs are created under the scheduling of the SDN controller.
These VNFs, together with the vRouter and vSwitch, provide a standards-based approach to dynamically
provision network functions from the SDN controller. SDN enables dramatic improvements in network
function agility and automation, while substantially reducing the cost of network operations.
c) Management system
On the basis of the legacy management system such as OMC, the SDN controller and NFV orchestrator
are also added. The NFV orchestrator is responsible for the allocation, scheduling and life cycle
management of infrastructure and resources. The SDN controller is in charge of the management of
network topology and virtual data links.
Figure 2 — Components and architecture of network virtualization
There are three types of VNF deployments in bare metal architecture. Figure 2 shows the VM
deployment, container deployment that runs on host OS and container deployment that runs on VM.
6 Security threats
Network virtualization uses new technologies such as NFV and SDN, which bring the advantages of
resource flexibility and business agility. Meanwhile, the characteristics of these new technologies, as
well as the interoperation of these technologies also introduce new security threats.
The following security issues describe the security threats of network virtualization with reference to
the dimensions of the security threat description in ISO/IEC 27033-3. Annex B describes the security
threats from the dimension of network virtualization architecture that are shown in Figure 2, as well
as the virtualization-specific security threats. The descriptions in Annex B help to better identify the
security threats of network virtualization.
Security issues for network virtualization include:
— Virus attacks and introduction of malware: host OS, guest OS of virtual network function, SDN
controller software, OS of MANO, etc. in the network virtualization are subject to virus and malware
attacks.
— Information leakage: if data under the control of a VM are not sanitized (e.g. securely erased) after
the VM is deleted, other business systems or malicious operation and maintenance personnel can
obtain the key business information, triggering sensitive data disclosure.
— Unauthorized usage and access: an unauthorized attacker uses and accesses data of a VM or API of
MANO.
— DoS and DDoS attacks: an attacker uses a large number of switches to forward a large number of
packets to the SDN controller, resulting in a (D)DoS attack on the SDN controller.
— Insider attacks: an administrator tampers with an image or changes security configurations. An
administrator can also intentionally introduce a security misconfiguration (e.g. opening unnecessary
ports of a VNF) that an attacker can use to launch an attack.
— Insider-outsider collusion: an insider can also collaborate with an outside threat agent to launch
attacks.
— Privilege escalation: a user exploits a vulnerability to obtain administrator privilege.
— Forgery of transaction contents: the transaction contents of VM are tampered with by an attacker.
— Reducing network availability: the loss of backup data makes the business unavailable.
— Compromising the network segregation: an attacker can use compromised VM to attack other VMs
to which it has access.
— Reducing real-time performance: an attacker uses a virtual machine to maliciously deplete resources
on the host, which will affect the real-time performance of other virtual machines on the host.
For detailed security threats of the network virtualization, refer to Annex B.
7 Security recommendations
7.1 General
The primary security objective of network virtualization is to provide a secure runtime environment
and data protection in the life cycle. To achieve this objective, the network virtualization should support
the security recommendations of confidentiality, integrity, availability, authentication, access control
and non-repudiation.
7.2 Confidentiality
The network virtualization should provide the data confidentiality protection. It should include, at the
minimum, the following security recommendations:
a) The virtual network infrastructure should provide the storage resource to the virtual network
function. It should give support by providing data confidentiality protection for the stored data of
the virtual network function. The protected data includes the image and snapshot of the virtual
network function, the password, private key, signalling, and customer’s data (e.g. subscription
data).
b) When data are transmitted, the data confidentiality protection should be provided for the
transmitted data. In the network virtualization, the transmitted data include at least the following
data:
— data transmitted in the virtualized data link between two virtualized network elements (see
Figure 1);
— data transmitted in the intra-interfaces between two elements in virtual network management,
e.g. between NFVO and VNFM, VNFM and VIM, VIM and SDN controller, etc.;
— data transmitted in the interface between the external system and the virtual network
management, e.g. between the virtual network function and VNFM;
— data transmitted in the interface of the remote operation and management such as the interface
between OAM and the virtual network function.
7.3 Integrity
The hardware, firmware, OS and applications in the network virtualization should support secure
booting to detect whether they have been tampered with. This detection ensures that the critical
components are in a trusted state. The image and software such as SDN controller software should
support integrity protection. The integrity protection of the transmitted data on the interfaces and the
stored data (such as image) should be provided.
7.4 Availability
The network virtualization should support availability. It includes at least the following
recommendations:
— The virtual network function, SDN controller and MANO should support disaster resilience.
— The virtual network function, SDN controller and MANO should support anti-(D)DoS attacks.
— The network virtualization should support segmentation into security domains as well as boundary
protection to prevent (D)DoS from the internet.
— The network virtualization should support security policy synchronization in a migration scenario.
— The SDN controller should support the policy conflict detection.
NOTE Policy conflict means that the new policy generated by the SDN controller conflicts with the existing
effective policy or another newly generated policy. For example, the attacker issued the shortest path request
from server A to server D by calling the northbound API of the SDN controller. The SDN controller had previously
generated a policy that the communication from server A to D is required to pass through a firewall. If a new
policy of higher priority is generated that provides a path bypassing the firewall, that clearly conflicts and
overrides the previous policy.
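The bypass scenario in the NOTE can be checked mechanically before a northbound request is installed. The following is an added example, not code from ISO/IEC 27033-7; the topology, the node names (A, S1, FW, S2, D), the policy format and the accept/review/reject verdicts are constructed for illustration:

```python
"""Policy conflict detection at an SDN controller's northbound API.

Constructed example: an effective policy requires traffic from server A to
server D to traverse a firewall (FW); a later 'shortest path' request with a
higher priority proposes a path that bypasses FW and must be rejected.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PathPolicy:
    name: str
    src: str
    dst: str
    priority: int                                  # higher value wins on overlap
    path: tuple[str, ...]                          # hop-by-hop path, src first, dst last
    must_traverse: frozenset[str] = frozenset()    # waypoints the flow must pass (e.g. FW)


# Constructed topology: undirected links between hypothetical nodes.
TOPOLOGY = {
    frozenset(link)
    for link in [("A", "S1"), ("S1", "FW"), ("FW", "S2"), ("S2", "D"), ("S1", "S2")]
}


def path_is_valid(path: tuple[str, ...], topology=TOPOLOGY) -> bool:
    """A path is valid only if every consecutive hop is an existing link."""
    return len(path) >= 2 and all(
        frozenset((a, b)) in topology for a, b in zip(path, path[1:])
    )


def self_consistent(policy: PathPolicy) -> bool:
    """A policy's own path must honour the waypoints it declares."""
    return all(w in policy.path for w in policy.must_traverse)


def find_conflicts(effective: list[PathPolicy], new: PathPolicy) -> list[dict]:
    """Compare a new policy with every effective policy for the same src->dst pair."""
    findings = []
    for old in effective:
        if (old.src, old.dst) != (new.src, new.dst):
            continue
        bypassed = sorted(w for w in old.must_traverse if w not in new.path)
        if bypassed:
            findings.append({
                "existing": old.name,
                "bypassed_waypoints": bypassed,
                "overrides": new.priority > old.priority,   # would the new policy win?
            })
    return findings


def evaluate_request(effective: list[PathPolicy], new: PathPolicy) -> tuple[str, str]:
    """Controller-side gate for a northbound policy request.

    Returns ("reject", reason) when the request is malformed or would override
    an effective policy while bypassing its waypoints, ("review", reason) when
    it conflicts but would not take effect, and ("accept", "") otherwise.
    """
    if not path_is_valid(new.path):
        return "reject", "path contains a hop that is not a topology link"
    if new.path[0] != new.src or new.path[-1] != new.dst:
        return "reject", "path endpoints do not match src/dst"
    if not self_consistent(new):
        return "reject", "policy bypasses its own required waypoints"
    findings = find_conflicts(effective, new)
    overriding = [f for f in findings if f["overrides"]]
    if overriding:
        names = ", ".join(f["existing"] for f in overriding)
        return "reject", f"higher-priority request would bypass waypoints required by {names}"
    if findings:
        return "review", "conflicts with an effective policy but would not override it"
    return "accept", ""


# Constructed policies mirroring the NOTE.
FIREWALL_POLICY = PathPolicy(
    name="A-to-D-via-firewall", src="A", dst="D", priority=10,
    path=("A", "S1", "FW", "S2", "D"), must_traverse=frozenset({"FW"}),
)
SHORTEST_PATH_REQUEST = PathPolicy(
    name="A-to-D-shortest", src="A", dst="D", priority=20,
    path=("A", "S1", "S2", "D"),
)
COMPLIANT_REQUEST = PathPolicy(
    name="A-to-D-alt", src="A", dst="D", priority=20,
    path=("A", "S1", "FW", "S2", "D"),
)

if __name__ == "__main__":
    for req in (SHORTEST_PATH_REQUEST, COMPLIANT_REQUEST):
        print(req.name, evaluate_request([FIREWALL_POLICY], req))
```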
7.5 Authentication
Access to the physical interface of the hardware (e.g. console interface, WAN interface), the logical
interface of the virtualization engine, the virtual network function and the virtual network management
should be authenticated.
7.6 Access control
The physical interface of the hardware (e.g. console interface or WAN interface), the logical interface
of the virtualization engine, the virtual network function and the virtual network management should
support access control, e.g. role based access control or attribute based access control should be
provided. Only authorized entities are allowed access.
7.7 Non-repudiation
The network virtualization should support non-repudiation. At least the following recommendations
apply:
— Access to physical device, the virtualization engine, the virtual network function and the virtual
network management should be logged through appropriate log forms and those log records should
be transmitted to the remote server for appropriate analysis.
— The image and the package of the virtual network function should support digital signature.
Table 1 illustrates the relationship between the threats in Clause 6 and the security recommendations
in this Clause.
Table 1 — Relationship between threats and recommendations
Recommendation columns, in the order in which they appear in the table:
1) support the data confidentiality protection;
2) support the integrity protection for hardware, firmware, software and image, etc.;
3) support the availability through disaster resilience, anti-(D)DoS, security domain division, etc.;
4) support authentication for the physical or logical interfaces in the network virtualization;
5) support access control for accessing the physical or logical interfaces in the network virtualization;
6) support non-repudiation.
Threats, with one √ per applicable recommendation column:
— Virus attacks and introduction of malware: √ √ √ √ √ √ (all six columns)
— Information leakage: √ √ √
— Unauthorized usage and access: √ √
— DoS and DDoS attacks: √
— Insider attacks: √ √ √
— Forgery of transaction contents: √ √ √
— Reducing network availability: √
— Compromising the network segregation: √ √ √ √
— Reducing real-time performance: √
8 Security controls
8.1 General
Based on the design principles such as defence in depth, network segmentation and design resilience
in ISO/IEC 27033-2 and the security design techniques and controls in ISO/IEC 27033-3, the security
controls for the network virtualization infrastructure are described in 8.2 to 8.4.
8.2 Virtual network infrastructure security
a) Hardware
The hardware in network virtualization (e.g. host server, router, switch) should be deployed in a
secure environment. For example, the room where the hardware is deployed should be equipped with
waterproof, anti-earthquake mechanisms, and access control should be deployed to monitor personnel
access.
The physical interface on the hardware (e.g. console interface, WAN interface) should be configured
with an access control mechanism to authenticate and authorize the access. The administrator should be
authenticated and authorized when he/she logs into the device. If a password is used, its complexity
should be enforced, i.e. the password is no shorter than 8 characters and contains characters from at
least three of the four classes: uppercase letters, lowercase letters, special characters and numbers. The
communication between the management system and the device should be protected for confidentiality
and integrity.
The host server should support secure boot to ensure the integrity of the host server.
b) Virtualization engine
The virtualization engine should support detection and prevention of the virtual machine escape
and the container engine escape. Host OS, virtual machine manager, Guest OS and container engine
should support hardening mechanisms such as proper configuration of ports and services, closing of
unnecessary ports and services, scanning for vulnerabilities, and virus detection. The virtualization
engine should also support resource isolation. For example, vCPU, vMemory and vI/O used by one
VM should be isolated from the resources used by another. All access should be authenticated and
authorized, e.g. one VM accessing another VM, the virtualization engine accessing the VM/container, or
the administrator accessing the VM.
c) Network connection
Virtual network infrastructure should support secure network connection, such as protecting the
boundary with internet, e.g. anti-DDoS and anti-botnet devices can be deployed for preventing DDoS
attacks and for botnet detection and prevention. The host server should support physical or logical
traffic separation. For example, management traffic, signalling traffic, and data traffic should be
transmitted through different interfaces.
8.3 Virtual network function security
a) VM
The guest OS should support hardening mechanisms such as closing unnecessary ports and services,
scanning for vulnerabilities and virus detection. The resources accessed by VMs, and VMM should be
isolated. The VM images should have integrity and confidentiality protection and should be stored
securely to prevent unauthorized access. When a VM is migrated, the security policy associated with
that VM should be transferred and deployed to the new location so that the security profile of that VM is
not affected by the migration. All access to the virtual machine should be authenticated and authorized.
b) Container
As with VM security, the host OS should also support hardening. The resources accessed by various
containers, as well as the host OS should be isolated. The image repository and image of container should
have integrity and confidentiality protection, and should be stored securely to prevent unauthorized
access. All access to the container should be authenticated and authorized.
c) Network function
Virtualized network function should use secure protocols to protect the communication with other
VNFs or management elements. There should be disaster resilience mechanisms to ensure the
availability of VNF.
d) Data security
There should be life cycle protection for VNF’s data, that includes at the minimum secure storage and
ensuring authenticated and authorized access. The residual data should be completely erased.
Access to VNFs should be authenticated and authorized, and the data transmitted by them should be
encrypted and integrity protected.
e) Network security
VNF traffic should be monitored, and the monitoring data should be analysed using techniques such as
artificial intelligence, machine learning and other technologies. If DDoS or other attacks are detected,
appropriate security measures should be taken, such as blocking all traffic to the affected VNF and
re-routing the traffic to a new, known-good VNF.
Controls against security misconfiguration should be supported. Ingress whitelisting at each subnet level
can be used to limit the blast radius, for example by using network ACLs or subnet-level ingress firewalls
to provide network segmentation.
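The following is an added example, not text or code from the standard, showing what a subnet-level ingress whitelist looks like when written down and how it bounds the blast radius of a compromised host. The three subnets, their addresses and the permitted ports are constructed assumptions; the nftables rendering uses only standard nft syntax (a forward-hook chain with a default-drop policy).

```python
import ipaddress

# Constructed topology (assumption, not taken from the standard): three subnets
# in one virtual network. Management hosts may reach VNF subnets on SSH and
# HTTPS; the two VNF subnets may only talk to each other on one application port.
SUBNETS = {
    "mgmt":  ipaddress.ip_network("10.0.0.0/24"),
    "vnf-a": ipaddress.ip_network("10.0.1.0/24"),
    "vnf-b": ipaddress.ip_network("10.0.2.0/24"),
}

# Ingress allowlist per destination subnet: (source subnet, protocol, dst port).
# Anything not listed is denied (default deny at every subnet boundary).
INGRESS_ALLOW = {
    "mgmt":  [("mgmt", "tcp", 22)],
    "vnf-a": [("mgmt", "tcp", 22), ("mgmt", "tcp", 443), ("vnf-b", "tcp", 8443)],
    "vnf-b": [("mgmt", "tcp", 22), ("vnf-a", "tcp", 8443)],
}

def subnet_of(ip):
    """Name of the subnet containing `ip`, or None if it is outside the topology."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None

def ingress_permitted(src_ip, dst_ip, proto, port):
    """Decide one flow the way a subnet-level ingress ACL would (default deny)."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, proto, port) in INGRESS_ALLOW.get(dst, [])

def blast_radius(compromised_ip):
    """Everything a host in the compromised subnet can still reach: the set of
    (destination subnet, protocol, port) tuples an attacker there could use."""
    src = subnet_of(compromised_ip)
    return {(dst, proto, port)
            for dst, rules in INGRESS_ALLOW.items()
            for s, proto, port in rules if s == src}

def to_nftables():
    """Render the allowlist as an nftables forward chain with a default-drop policy."""
    lines = ["table inet vnf_segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for dst, rules in INGRESS_ALLOW.items():
        for src, proto, port in rules:
            lines.append(f"    ip saddr {SUBNETS[src]} ip daddr {SUBNETS[dst]} "
                         f"{proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_nftables())
    print("vnf-b host compromised, can still reach:", blast_radius("10.0.2.7"))
```

The point of `blast_radius` is the review question to ask of any ACL set: if one host in this subnet is compromised, what is reachable from it? With the constructed rules, a compromised vnf-b host can reach only port 8443 in vnf-a and nothing in the management subnet.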
f) Management security of VNF
Access to VNF from internal operation and maintenance personnel should be authenticated and
authorized.
g) SDN security
The SDN controller should support confidentiality and integrity protection for data transmitted on the
southbound and northbound interfaces. The SDN controller should check whether its policy is actually in
effect on the switch, and policy synchronization between the SDN controller and the switch should be
implemented; if the policy is not synchronized, the SDN controller should detect this. The SDN
reconfiguration process should not be exposed to attack while reconfiguration is in progress.
8.4 Virtual network management security
8.4.1 SDN controller security
The SDN controller should support the detection of (D)DoS attacks arriving over the southbound and
northbound interfaces. The related security mechanisms (e.g. rate limiting) should be supported by the
SDN controller to prevent (D)DoS attacks.
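As an added example, not part of the standard, the following shows one form the rate-limiting mechanism can take on either controller interface: a per-source token bucket, where a source is a switch identifier on the southbound side or an API client on the northbound side, combined with a rejection counter that flags a source as a suspected (D)DoS origin. The rates, burst size and alarm threshold are constructed assumptions, as is the traffic in `simulate()`.

```python
from collections import defaultdict

class InterfaceRateLimiter:
    """Per-source token bucket for an SDN controller interface.
    Each source gets `rate` requests per second with bursts up to `burst`;
    a source rejected `alarm_after` times is flagged so the controller can
    raise an alarm, drop the session or quarantine the switch."""

    def __init__(self, rate, burst, alarm_after):
        self.rate, self.burst, self.alarm_after = rate, burst, alarm_after
        self.tokens, self.last = {}, {}
        self.rejected = defaultdict(int)
        self.flagged = set()

    def allow(self, source, now):
        """Return True if the request from `source` at time `now` may be processed."""
        tokens = self.tokens.get(source, self.burst)
        # Refill proportionally to elapsed time, never above the burst ceiling.
        tokens = min(self.burst, tokens + (now - self.last.get(source, now)) * self.rate)
        self.last[source] = now
        if tokens >= 1.0:
            self.tokens[source] = tokens - 1.0
            return True
        self.tokens[source] = tokens
        self.rejected[source] += 1
        if self.rejected[source] >= self.alarm_after:
            self.flagged.add(source)
        return False

def simulate():
    """Constructed traffic (assumption): a well-behaved switch sends 5 packet-in
    messages in one second while a second switch floods 500 in the same second.
    Returns (accepted from good switch, accepted from flooding switch, flagged sources)."""
    limiter = InterfaceRateLimiter(rate=10.0, burst=20, alarm_after=100)
    good = sum(limiter.allow("switch-good", t / 5) for t in range(5))
    bad = sum(limiter.allow("switch-flood", t / 500) for t in range(500))
    return good, bad, sorted(limiter.flagged)

if __name__ == "__main__":
    print(simulate())
```

Because the bucket is keyed per source, the flooding switch exhausts only its own budget: the well-behaved switch is still served in full, which is the property a controller-side limit has to preserve so that the attack does not become a denial of service against legitimate switches.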
The SDN controller software should have integrity and confidentiality protection. The platform on which
the SDN controller software is installed should support hardening mechanisms such as proper configuration
of ports and services, closing of unnecessary ports and services, scanning for vulnerabilities and
detection of viruses.
The SDN controller should support the detection and resolution of policy conflicts, to prevent sensitive
information disclosure, security policy bypass and similar failures. The SDN controller should also
authenticate and authorize access arriving over the southbound and northbound interfaces.
8.4.2 NFV orchestrator security
MANO is responsible for the management and orchestration of virtual resources. It should support
detection of whether hardening features, such as closure of unnecessary ports and services, are in place.
MANO should also support vulnerability scanning, virus detection, and the authentication and authorization
of all access from other elements within MANO and from other systems.
9 Design techniques and considerations
9.1 Overview
This clause provides high-level guidance for designing and deploying network virtualization.
According to the architecture of network virtualization in Figure 2, the security of network
virtualization includes the following aspects:
— virtual network infrastructure security;
— virtual network function security;
— virtual network management security.
The design techniques used to ensure the security of these three aspects should be based on the
security recommendations in Clause 7 and the security controls in Clause 8. It should also be verified
that the chosen design techniques actually meet those recommendations and controls. The design
techniques are listed in a) to c).
a) Design techniques for the virtual network infrastructure security
Access control on the physical interface of the hardware can be achieved with a configured username
and password. MFA mechanisms can also be used, for example combining a password with a fingerprint
for access control of the physical interface. The communication between the management system and
the device can be protected using security protocols such as SSH v2.
Secure boot, which ensures the integrity of the host server, can be implemented using, for example,
trusted computing technologies, which are described in detail in 9.2.
The virtualization engine should be monitored to detect virtual machine escape and container engine
escape, and the monitoring mechanism can refer to relevant standards, e.g. ETSI GS NFV SEC 013.
Hardening virtualization engines can be done by referring to industry standards or best practices, such
as CIS benchmarks. The detailed hardening mechanism of the virtualization engine is described in 9.3.
ETSI GS NFV 001, ETSI GS NFV 002 and ETSI GS NFV 003 provide use cases, architectural framework
and terminology, respectively.
To protect the internal system, security devices (e.g. anti-DDoS, firewall, IDS/IPS) can be deployed
at the network boundary of the virtual network infrastructure to protect the communication between
external systems and the internal system.
b) Design techniques for the virtual network function security
Hardening of the host OS, guest OS, database, etc. can follow standards and best practices such as CIS
benchmarks. VM and container images can use an HMAC for integrity protection. When a virtual machine
is migrated, an overlay network built with VXLAN can be used to carry the security policy with the VM
so that it stays synchronized at the new location.
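The following is an added example, not code from the standard, of the image integrity protection that 8.3 a) and b) call for and that the paragraph above suggests implementing with an HMAC. The repository computes an HMAC-SHA256 tag when an image is published; the host recomputes it before launch and compares in constant time, treating a missing tag as a failure. The key value, file names and image contents are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: the integrity key is provisioned to the repository's signer and to
# each host that launches images, e.g. from a KMS or HSM. This constructed value
# exists only so the example runs offline.
IMAGE_KEY = bytes.fromhex("7f3a9c1e5b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f1a3c5e7b9d0f2a")

def image_tag(path, key=IMAGE_KEY, chunk=1 << 20):
    """HMAC-SHA256 over the whole image, streamed so multi-GB images never sit in RAM."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            mac.update(block)
    return mac.hexdigest()

def publish_image(path, key=IMAGE_KEY):
    """Repository side: compute the tag at upload time and store it next to the image."""
    tag = image_tag(path, key)
    with open(path + ".hmac", "w") as f:
        f.write(tag + "\n")
    return tag

def verify_image(path, key=IMAGE_KEY):
    """Host side: recompute the tag before launch and compare in constant time.
    A missing or unreadable tag file is a failure, never 'unsigned, so OK'."""
    try:
        with open(path + ".hmac") as f:
            expected = f.read().strip()
    except OSError:
        return False
    return hmac.compare_digest(image_tag(path, key), expected)

def demo():
    """Constructed image: publish, verify, flip one byte, verify again, then
    verify with a key the repository never used. Returns the three verdicts."""
    img = os.path.join(tempfile.mkdtemp(), "vnf.qcow2")
    with open(img, "wb") as f:
        f.write(b"constructed VNF image bytes\n" * 4096)
    publish_image(img)
    intact = verify_image(img)
    with open(img, "r+b") as f:
        f.seek(128)
        f.write(b"X")
    tampered = verify_image(img)
    wrong_key = verify_image(img, key=b"\x00" * 32)
    return intact, tampered, wrong_key

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two practical notes. First, an HMAC proves integrity only to holders of the key, so every launching host must hold a key that can also forge tags; where hosts should verify but never sign, a digital signature over the image (public key on the hosts, private key with the repository) gives the same integrity guarantee with less key exposure. Second, the tag should be bound to the image identity (name and version) as well as its bytes, otherwise a valid old image can be substituted for a newer one with its own valid tag.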
Namespaces, cgroups, etc. are used to isolate resources between containers. A username and password,
or MFA, are used to protect access to a VM or container.
Communication between VNFs can be protected by using HTTPS. For VNF availability, the VNF should be
backed up periodically and the backup stored in another data centre. A VNF can authenticate another
entity (e.g. another VNF or the VNFM) based on PKI technology and use TLS to protect the transmitted data.
The SDN controller orchestrates the traffic path of the virtual network function by sending flow tables
to the switches. The SDN controller should support TLS on both the southbound and the northbound interface.
c) Design techniques for the virtual network management security
The SDN controller software should be protected by a digital signature. Policies should be prioritized,
and a policy with higher priority should produce a flow table entry with correspondingly higher priority.
When two policies conflict, the higher-priority flow table entry replaces the lower-priority one.
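The following is an added example, not code from the standard, that puts together two requirements from 8.3 g), 8.4.1 and the paragraph above: resolving conflicting policies by priority before they reach the switch, and checking that the switch's installed flow table still matches what the controller intended. Two policies conflict when their match conditions overlap and their actions differ; the higher priority wins, and a loser whose matches are completely covered by the winner is dropped rather than installed. Equal-priority overlaps with different actions are reported back as unresolved, because a switch's behaviour for such entries is not defined and the controller should refuse to install them. The policy names, addresses and ports are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int
    match: tuple      # ((field, value), ...); fewer fields means a wider match
    action: str       # e.g. "forward:1" or "drop"

def overlaps(a, b):
    """Two matches overlap unless some field appears in both with different values."""
    da, db = dict(a), dict(b)
    return all(da[k] == db[k] for k in da.keys() & db.keys())

def shadows(wide, narrow):
    """True if every packet matched by `narrow` is also matched by `wide`."""
    return set(wide) <= set(narrow)

def compile_flow_table(policies):
    """Translate policies into priority-ordered flow entries.
    Returns (entries, resolved, unresolved):
      entries    - (priority, match, action) tuples to push to the switch
      resolved   - (winner, loser) pairs decided by priority; a loser completely
                   shadowed by its winner is left out of the table
      unresolved - overlapping policies with equal priority and different actions,
                   which the controller must reject rather than install
    """
    resolved, unresolved, dropped = [], [], set()
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if p.action == q.action or not overlaps(p.match, q.match):
                continue
            if p.priority == q.priority:
                unresolved.append((p.name, q.name))
                continue
            winner, loser = (p, q) if p.priority > q.priority else (q, p)
            resolved.append((winner.name, loser.name))
            if shadows(winner.match, loser.match):
                dropped.add(loser.name)
    entries = [(p.priority, p.match, p.action) for p in policies if p.name not in dropped]
    entries.sort(key=lambda e: (-e[0], str(e[1])))
    return entries, resolved, unresolved

def check_switch_sync(expected, reported):
    """Compare the controller's intended table with what the switch reports
    (e.g. from an OpenFlow flow-stats reply). Any difference is a desync."""
    order = lambda e: (-e[0], str(e[1]))
    exp, rep = set(expected), set(reported)
    return {"missing": sorted(exp - rep, key=order),
            "unexpected": sorted(rep - exp, key=order)}

# Constructed policies (assumption; names, addresses and ports are illustrative).
POLICIES = [
    Policy("deny-vnf-b-to-mgmt", 200,
           (("ip_src", "10.0.2.0/24"), ("ip_dst", "10.0.0.0/24")), "drop"),
    Policy("allow-vnf-b-ssh-to-mgmt", 100,
           (("ip_src", "10.0.2.0/24"), ("ip_dst", "10.0.0.0/24"), ("tcp_dst", 22)), "forward:1"),
    Policy("allow-https", 100, (("tcp_dst", 443),), "forward:1"),
    Policy("block-https-from-vnf-b", 100,
           (("ip_src", "10.0.2.0/24"), ("tcp_dst", 443)), "drop"),
]

if __name__ == "__main__":
    entries, resolved, unresolved = compile_flow_table(POLICIES)
    print("install:", entries)
    print("resolved by priority:", resolved)
    print("reject, equal-priority overlap:", unresolved)
    # A switch that silently lost its highest-priority entry is detected.
    print("sync:", check_switch_sync(entries, entries[1:]))
```

With the constructed policies, the SSH exception for vnf-b is shadowed by the higher-priority deny and never reaches the switch, which is the "higher priority replaces lower priority" rule; the broad HTTPS allow and the vnf-b HTTPS block are an equal-priority overlap that the controller must send back to the operator. The sync check is what makes the controller notice a switch whose table has drifted, whether through a failed flow-mod, a switch restart or tampering.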
The detailed hardening and API security of network virtualization are described in 9.3 and 9.4,
respe
...