The Security Threats and Solutions of Network Functions Virtualization: A Review

The emergence of Network Functions Virtualization (NFV) has brought about a revolution in many network-based applications owing to advantages such as manageability, flexibility, security, and scalability. NFV provides its users with a framework that dynamically supplies flexible network services through software-based virtualization of network functions on a single infrastructure. Nevertheless, NFV faces various security challenges that leave it vulnerable to several cybersecurity threats. This paper reviews NFV by introducing many related works, discussing serious and potential security attacks on NFV, and presenting efficient countermeasures for mitigating these attacks. Finally, several practical solutions are suggested for providing a reliable platform for NFV.

are capable of sharing the available resources and running concurrently on the infrastructure via virtualization [1].
Recently, NFV has emerged as one of the leading technologies that substantially speed up the development of today's computer and communication networks [2]. Although NFV has many advantages, such as optimizing resource consumption, saving investment cost, increasing operational efficiency, and facilitating the lifecycle management of network services, several vulnerabilities and security threats arise with it, inhibiting its expansion and practical use. In this subject review, the main threats to NFV are analyzed, and the corresponding security requirements are identified.

NFV Framework and Major Components
According to the framework presented by the European Telecommunications Standards Institute (ETSI), NFV is constructed from four essential components. The first is the NFV Infrastructure (NFVI), which comprises all the hardware and software resources that provide the virtualization environment on which Virtual Network Functions (VNFs) are deployed [3]. For instance, physical computing, networking, and storage can be virtualized so as to be shared among various network functions. The second component is VNFs / Element Management System (EMS): VNFs are a set of network functions implemented in software (for example, firewall, deep packet inspection, load balancing) to run in a virtualized environment, together with a set of EMSs that carry out configuration and fundamental management functions for one or more VNFs. The third component is NFV Management and Orchestration (MANO), which manages and orchestrates all the resources in the NFV environment, including computing, networking, and storage. The final component is the Operating Support System/Business Support System (OSS/BSS), operated by the VNF service providers to meet various business objectives such as billing [4].
Because the hardware and software of NFV are mostly developed by different vendors, interoperability remains an essential challenge for deploying NFV services. For instance, MANO can only be implemented effectively when VNFs and network appliances are accessible and manageable through standard interfaces that conceal as much as possible of the heterogeneity of the physical resources. To provide standard and open interfaces to the physical resources, ETSI NFV proposes the architectural framework illustrated in Figure 1, including the essential functional blocks and reference points. The NFV infrastructure includes a virtualization layer, which logically partitions the physical resources and acts as the intermediary between the VNFs and the underlying virtualized infrastructure. The fundamental tools for implementing this layer are hypervisors. A hypervisor provides a host with a virtualization environment that is functionally similar to that of the original machine. In practice, the hypervisor monitors the operation of virtual machines (VMs), manages access to resources, and provides failure recovery to meet the required Quality of Service (QoS). From a security viewpoint, hypervisors must supply a separate space for each VM and proper access-control mechanisms to prevent unauthorized access to the resources shared among VMs.
In practice, however, securing the isolation between them is not straightforward [5].

NFV Security Threats and Solutions
In theory, NFV is an ideal solution for deploying new network services and equipment, since network functions can be updated dynamically by downloading software rather than replacing physical hardware. However, several robustness and security issues still need to be handled before the benefits of NFV can be fully realized. In practice, the main security challenges to be addressed fall into two classes: network function-specific threats and generic virtualization threats, as illustrated in Figure 2. The NFV foundation rests on network virtualization. In the NFV environment, multiple VNFs can logically share a single physical infrastructure, and offering a hosted and shared network infrastructure to these VNFs introduces new security vulnerabilities. As shown in Figure 3, the generic network virtualization platform includes several elements: the network infrastructure providers, the VNF providers, and the users. Because the system involves various operators, their cooperation may well be imperfect, and every element may behave in a greedy or uncooperative manner to gain benefits. NFV virtualization attacks can originate from any element and may target part or all of the system [5].

Infrastructure-targeted attacks
There are several infrastructure-targeted attacks [7], as summarized in Table 1:
1. Operational interference: Owing to the shared accessibility of the infrastructure, a compromised VNF provider or a malicious user can interfere with infrastructure operations by altering network traffic or inserting malware.
2. The chance of cooperating with malicious providers: Through access to the network infrastructure resources, VNF providers are able to participate in network operations; a good example is Network-as-a-Service (NaaS), which VNF providers use to support customized forwarding decisions depending on each application's requirements in cloud computing. Although this model can offer effective in-network services such as stream processing, data aggregation, redundancy-elimination protocols, and caching, it also allows VNF providers to carry out subversive activities against the network infrastructure or their competitors. The hypervisor can prevent this by detecting excessive resource consumption by a virtual network.

3. Misuse of shared resources: The principle of these threats is abusing the shared infrastructure resources in such a way that the victim cannot benefit from its dedicated or shared resources. To counter these attacks, dedicated instances can be created for users, and incoming requests can be checked against a blacklist of malicious IP addresses.
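The two hypervisor-side defences mentioned above, detecting a virtual network that consumes an excessive share of the shared resources and checking requests against an IP blacklist, can be expressed as the following Python check. It is an added example written for this review, not code from the paper or from any hypervisor; the quotas, metric samples and blacklist are constructed values, and a real deployment would read the samples from the hypervisor's accounting interface instead.

```python
"""Resource-abuse detection on a shared NFVI host (added example).

Models the hypervisor check described in the text: a VNF that overruns its
fair-share quota for a sustained period is flagged, while short bursts are
tolerated so normal traffic variation does not raise alerts. Also shows the
blacklist check applied to incoming requests. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Sample:
    t: int            # sample time in seconds
    vnf: str          # VNF (tenant) that owns the virtual machine
    cpu_pct: float    # share of host CPU used in this interval, in percent
    nic_mbps: float   # traffic sent over the shared physical NIC, in Mbit/s


# Constructed fair-share quotas assigned to each VNF by the orchestrator.
QUOTAS = {
    "fw-tenantA":  {"cpu_pct": 25.0, "nic_mbps": 400.0},
    "dpi-tenantB": {"cpu_pct": 30.0, "nic_mbps": 300.0},
    "lb-tenantC":  {"cpu_pct": 20.0, "nic_mbps": 500.0},
}

# Constructed metric stream: dpi-tenantB overruns its CPU quota for a
# sustained period, lb-tenantC only has a short NIC burst.
SAMPLES = [
    *[Sample(t, "fw-tenantA", 20.0, 300.0) for t in range(6)],
    *[Sample(t, "dpi-tenantB", cpu, 250.0)
      for t, cpu in enumerate([35.0, 40.0, 41.0, 45.0, 50.0, 38.0])],
    *[Sample(t, "lb-tenantC", 10.0, nic)
      for t, nic in enumerate([300.0, 700.0, 800.0, 300.0, 300.0, 300.0])],
]

# Constructed blacklist of source networks known to issue malicious requests.
BLACKLIST = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.7/32")]


def detect_resource_abuse(samples, quotas, tolerance=1.2, min_consecutive=3):
    """Return {vnf: [resource, ...]} for every VNF that exceeded
    tolerance * quota on a resource for at least min_consecutive
    consecutive samples."""
    streak = defaultdict(int)    # (vnf, resource) -> consecutive overruns
    flagged = defaultdict(set)   # vnf -> resources abused
    for s in sorted(samples, key=lambda s: (s.t, s.vnf)):
        for resource in ("cpu_pct", "nic_mbps"):
            limit = quotas[s.vnf][resource] * tolerance
            if getattr(s, resource) > limit:
                streak[(s.vnf, resource)] += 1
                if streak[(s.vnf, resource)] >= min_consecutive:
                    flagged[s.vnf].add(resource)
            else:
                streak[(s.vnf, resource)] = 0   # burst ended, reset the count
    return {vnf: sorted(res) for vnf, res in flagged.items()}


def request_is_blacklisted(src_ip, blacklist=BLACKLIST):
    """True when the request source falls inside a blacklisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in blacklist)


if __name__ == "__main__":
    print(detect_resource_abuse(SAMPLES, QUOTAS))   # {'dpi-tenantB': ['cpu_pct']}
    print(request_is_blacklisted("198.51.100.23"))  # True
```

The streak threshold is the part worth tuning: a single-sample threshold would flag the legitimate burst of `lb-tenantC`, whereas requiring several consecutive overruns isolates the tenant that is actually monopolizing the host CPU.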

VNF-targeted attacks
There are several VNF-targeted attacks [8]:
1-Outsourcing challenges: NFV permits outsourcing the core software and computing capabilities of the network to third parties. A considerable security issue in NFV may arise from releasing cloud resources and transmitting the workload to an off-device network to handle the possible workload.
2-Logical isolation: Logical isolation improves the manageability and control of a shared infrastructure, and can be implemented at various levels, as in the SDN virtualization system. In modern virtualization systems, it is not sufficient to rely only on conventional access and control mechanisms (for example, programming isolated slices or virtual LANs) to logically isolate VMs. Because of this insufficiency, several cross-virtual-network side-channel attacks can threaten co-hosted VNFs in the shared infrastructure. In practice, like a side-channel attack, a covert-channel attack evades mandatory auditing and access controls to violate resource isolation. To reduce the opportunity for side-channel threats, several arrangements are necessary, such as the use of secure database interfaces, concealment of access management, obfuscation of service structures, and dedicated resource instances. Virtualization technologies can rely on a Trusted Platform Module (TPM) to provide the conditions of protection against side-channel attacks.
3-VM Live migration: Live migration is a significant feature of virtualization, since it relocates VMs without interrupting NFV services. Its usefulness is especially obvious in system management and workload balancing. However, it may be vulnerable to several threats, such as a Man-in-the-Middle attack arising from traffic sniffing, a DDoS flooding attack when the protection of the migration is carelessly designed, and a replay attack. Usually, VM migration is implemented by copying the VM's memory pages from the source to the destination hypervisor while the VM keeps running on the source hypervisor. The potential results of these attacks are the initiation of an unauthorized migration to the attacker's network, which results in taking control of the victim's VM, or the initiation of the migration of a considerable number of VMs to a victim's network in order to bring it down. Several protection solutions rely on cryptographic methods to prepare a secure environment for live migration; for example, a virtual Trusted Platform Module can use the TLS protocol to provide authentication and confidentiality. However, these solutions incur a cryptographic computational overhead that is undesirable for an agile NFV. To avoid this overhead, several solutions for safe migration, such as a live-migration defense framework or Intel's Trusted Execution Technology, define non-cryptographic techniques. Despite bypassing the overhead, these solutions still have their own restrictions.
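The migration threats listed under item 3 (sniffed traffic, replayed chunks, altered pages) are what a per-chunk integrity and ordering check on the destination hypervisor is meant to stop. The following Python model is an added example written for this review, not code from the paper or from any hypervisor: it stands in for the protection that TLS plus a session key gives the migration stream, and shows the receiver rejecting a replayed and a tampered chunk. The session key, session id and page contents are constructed values; in a real deployment the key would be derived from the authenticated TLS session between the two hypervisors.

```python
"""Authenticated, replay-resistant transfer of VM memory pages (added example).

The source hypervisor tags every memory-page chunk with an HMAC over the
session id, the chunk's sequence number and the page bytes. The destination
verifies the tag, then enforces strict ordering, so a chunk captured off
the wire can neither be replayed nor altered without being rejected.
"""
import hashlib
import hmac
import secrets
import struct


def new_session():
    """Per-migration key and id; generated locally here (constructed)."""
    return {"key": secrets.token_bytes(32), "id": secrets.token_bytes(16)}


def chunk_tag(session, seq, page):
    """MAC binding the page to this migration and to its stream position."""
    msg = session["id"] + struct.pack(">Q", seq) + page
    return hmac.new(session["key"], msg, hashlib.sha256).digest()


def make_chunk(session, seq, page):
    """What the source hypervisor emits for memory page number seq."""
    return {"session": session["id"], "seq": seq, "page": page,
            "tag": chunk_tag(session, seq, page)}


class MigrationReceiver:
    """Destination hypervisor side: accepts authenticated chunks in order."""

    def __init__(self, session):
        self.session = session
        self.expected_seq = 0
        self.pages = []

    def accept(self, chunk):
        if chunk["session"] != self.session["id"]:
            return "reject: wrong session"
        # Verify integrity before trusting any other field of the chunk.
        expected = chunk_tag(self.session, chunk["seq"], chunk["page"])
        if not hmac.compare_digest(expected, chunk["tag"]):
            return "reject: tampered"
        if chunk["seq"] != self.expected_seq:
            return "reject: replayed or out of order"
        self.pages.append(chunk["page"])
        self.expected_seq += 1
        return "accepted"


def run_migration():
    """Drive a short migration containing one replayed and one altered chunk.
    Returns the per-chunk outcomes and whether the VM image arrived intact."""
    session = new_session()
    receiver = MigrationReceiver(session)
    # Constructed stand-ins for three memory pages.
    pages = [b"page0:" + bytes(10), b"page1:" + bytes(10), b"page2:" + bytes(10)]
    chunks = [make_chunk(session, i, p) for i, p in enumerate(pages)]

    outcomes = []
    outcomes.append(receiver.accept(chunks[0]))
    outcomes.append(receiver.accept(chunks[1]))
    outcomes.append(receiver.accept(chunks[0]))             # captured chunk replayed
    altered = dict(chunks[2], page=b"evil2:" + bytes(10))    # payload changed in transit
    outcomes.append(receiver.accept(altered))
    outcomes.append(receiver.accept(chunks[2]))              # the genuine chunk still lands
    return outcomes, receiver.pages == pages


if __name__ == "__main__":
    print(run_migration())
```

The tag is checked before the sequence number so that an unauthenticated chunk never influences the receiver's state; the sequence number is inside the MAC, so an attacker cannot renumber a captured chunk to slip it past the ordering check.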

User-target attacks
There are several user-targeted attacks [8]:
1-Confidentiality and privacy of the user: A user is a network end-point, which makes it the most convenient target for other malicious NFV elements. The user's traffic is subject to monitoring and sniffing by the VNF provider in order to maintain a suitable quality of service (QoS). Providing virtualized network services such as intrusion detection, firewalling, DDoS detection, etc. gives service providers full dominance over the user's information. This leads to a new trust relationship in which users must trust their VNF providers with the privacy of their data and the integrity of their computations. On the other side, the user's confidentiality and privacy are also exposed to the network infrastructure provider: to control network access and congestion, network traffic is subject to monitoring by the infrastructure provider. Examples related to this vulnerability are disrupting peer-to-peer connections and sniffing protocol headers under the excuse of traffic shaping. Additionally, the infrastructure can introduce non-evident attacks on other users owing to the subtle way in which physical resources are transparently shared among VMs.

2-Malicious cases: An NFV user may be subjected to attacks originating from malicious users who exploit flaws in the VNFs or the infrastructure. For example, in a malware injection attack on a cloud such as the Amazon EC2 public IaaS cloud, a malicious user can make the malicious image of its VM public in the cloud by modifying the image permissions (Amazon Machine Image). This image becomes visible to other users, who may then launch VM instances based on the malicious image, which enables several attacks such as leakage of the victims' information. Consequently, to provide a secure environment for users, it is important that the infrastructure detects and prevents all malicious cases. To achieve this, an attacker should be unable to determine where within the infrastructure an instance is located or whether it is co-located with its own instance.
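The image-permission case above has two defensive checks: an account should notice when one of its own machine images has been made public or shared with an unknown account, and tenants should launch instances only from images owned by accounts they trust. The following Python audit is an added example written for this review, not code from the paper and not an AWS SDK call: it runs over a constructed list of records shaped like the fields EC2 DescribeImages (ImageId, OwnerId, Public) and DescribeImageAttribute (LaunchPermissions) return, so it works offline. The account numbers and image ids are constructed placeholders.

```python
"""Audit of machine-image sharing in an IaaS account (added example).

find_unexpected_sharing flags images this account owns that are public or
shared with accounts outside a trusted set; launch_allowed gates instance
launches so only images from trusted owners are used. The inventory below
is constructed; in practice it would come from the cloud API.
"""

OUR_ACCOUNT = "111111111111"                      # constructed account id
TRUSTED_ACCOUNTS = {OUR_ACCOUNT, "222222222222"}  # constructed partner account

# Constructed inventory in the shape of DescribeImages + launchPermission data.
IMAGES = [
    {"ImageId": "ami-0example0001", "OwnerId": OUR_ACCOUNT, "Public": False,
     "LaunchPermissions": []},
    {"ImageId": "ami-0example0002", "OwnerId": OUR_ACCOUNT, "Public": True,
     "LaunchPermissions": [{"Group": "all"}]},              # made public
    {"ImageId": "ami-0example0003", "OwnerId": OUR_ACCOUNT, "Public": False,
     "LaunchPermissions": [{"UserId": "333333333333"}]},   # shared with a stranger
    {"ImageId": "ami-0example0004", "OwnerId": "999999999999", "Public": True,
     "LaunchPermissions": [{"Group": "all"}]},              # someone else's public image
]


def find_unexpected_sharing(images, account, trusted):
    """Return [(image_id, reason)] for images owned by `account` that are
    public or shared with an account outside `trusted`."""
    findings = []
    for img in images:
        if img["OwnerId"] != account:
            continue  # not ours to govern
        perms = img["LaunchPermissions"]
        if img["Public"] or any(p.get("Group") == "all" for p in perms):
            findings.append((img["ImageId"], "public"))
            continue
        outsiders = sorted(p["UserId"] for p in perms
                           if "UserId" in p and p["UserId"] not in trusted)
        if outsiders:
            findings.append((img["ImageId"], "shared with " + ",".join(outsiders)))
    return findings


def launch_allowed(image, trusted):
    """Launch policy: only images owned by a trusted account may be used,
    regardless of whether they are public."""
    return image["OwnerId"] in trusted


def audit():
    """Run both checks over the inventory."""
    findings = find_unexpected_sharing(IMAGES, OUR_ACCOUNT, TRUSTED_ACCOUNTS)
    blocked = [img["ImageId"] for img in IMAGES
               if not launch_allowed(img, TRUSTED_ACCOUNTS)]
    return findings, blocked


if __name__ == "__main__":
    print(audit())
```

The two checks cover both roles in the scenario: the owner side catches a permission change before other tenants can see the image, and the consumer side refuses to launch from a public image of unknown provenance even if it is visible.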
Table 1. Summary of the main security attacks facing NFV and their countermeasures.

| Attack source or category | Threat | Countermeasures |
| | | Authentication of source and destination; detection of malicious activity; authorized access to the interface |
| Compromised infrastructure provider and VNF provider | Violation of confidentiality and privacy | Trust management to ensure the integrity of the provided information |
| Malicious user | Violation of service and leakage of information | Concealing co-served instances, and cryptographic techniques |

The Presented Efforts for Finding Security Solutions
Security is a significant issue in NFV environments; however, the ETSI NFV architecture does not say much about security. Therefore, several efforts have been presented by different researchers to find suitable solutions for the common security attacks on NFV. Basically, NFV permits VNFs to be outsourced to a third party, since it separates network functions from their locations. VNF outsourcing raises considerable challenges for network service chains, which are a significant technology for realizing NFV. H. Jeon and B. Lee [6] discussed the challenges of network service chains under VNF outsourcing. The technical challenges identified are maintaining multi-segment network service chains for each traffic flow, managing the dependencies between these service chains, identifying an egress point per service chain, and establishing the data plane among the domains supplying network service chains applied to the same traffic flow. H. Jang et al. [9] presented the activities of many Internet service providers and security vendors working to specify general interfaces for NFV security services, by analyzing use cases and relevant techniques. P. Patel et al. [10] described NFV, SDN, and the integration of these technologies in the OpenStack cloud to minimize the network attack surface and improve network service, as well as providing the salient SDN advantages. In cloud computing, the integration of NFV and SDN strengthens virtualization and enhances network service and security. Y. Liu et al. [11] discussed the conventional way of implementing a service chain and worked on finding a suitable way to supply a security service chain; in this work, an architecture based on ETSI NFV integrated with SDN was proposed for implementing the security service chain. M. Pattaranantakul et al. [12] proposed a security-oriented MANO framework that addresses the main requirements for built-in security mechanisms in NFV-based platforms and infrastructure while dynamically managing the whole lifecycle of different security functions in the NFV context. This architecture includes two fundamental concepts: the first is the engagement of a security trust model and the validation of the security features of services and resources (secure by design); the second is providing a set of security functions (security as a service), for example IDS/IPS, data protection, identity and access management, and network isolation, that can be used to prevent massive threats. W. Yang and C. Fung [13] presented a theoretical background on NFV, highlighted the main security issues, briefly described the security challenges of NFV, and provided solutions for addressing them.

Table 2. Comparison of several researchers' efforts in finding NFV security solutions.

| Authors, year | Objective | Approach / result |
| Y. Liu et al. [11], 2016 | Finding a suitable way to supply a security service chain. | The integration of NFV and SDN provides an efficient security service chain. |
| M. Pattaranantakul et al. [12], 2016 | Handling the requirements for built-in security mechanisms in NFV-based platforms and infrastructure, and managing the whole lifecycle of different security functions in the NFV context. | Secure by design, and security as a service. |
| A. K. Alnaim et al. [17], 2019 | Analyzing several potential attacks in the VM environment of NFV. | Using misuse patterns based on logical arguments. |
| A. M. Alwakeel et al. [18], 2019 | Enhancing NFV security. | Based on the analysis of several NFV use cases to enumerate their attacks and analyze their misuse activities, several potential countermeasures are provided. |

Remaining entries of Table 2 (author column not given):
-The domain of computing: shared computing resources.
-The domain of network: shared virtual switches and shared physical network interface controllers.
-VMs are only available for authentication controls.
-Data can be accessed and encrypted only via the VNFs.
-Secure networking techniques must be adopted.
-Implementing the defense in an OpenStack, SDN-enabled network environment.
-Employing NFV/SDN technology to defend critical industry systems against DDoS.
-Developing a model based on a genetic algorithm and a neural network to form an optimized list of security rules.
-Utilizing the Hidden Markov Model for protecting online VNF services.
-Mitigating these attacks by optimizing VM placement with respect to the specified constraints; the simulation results show the efficiency of the solutions.

Conclusions
As a new technology, NFV has considerable capabilities and can supply several advantages to telecommunication service providers by decreasing the cost of setting up a network, enhancing it, and dynamically deploying several services for users. However, NFV technology must be secured from outsider and insider threats, taking into consideration that this service holds its own infrastructure with various elements that must be analyzed seriously in order to understand potential attacks and vulnerabilities. NFV provides cost-effective and agile deployment of various network services for multiple tenants on the same physical infrastructure.
Since it depends on virtualization, and since its stack generally includes various abstraction levels and multiple tenants, this technology inevitably leads to various security attacks. In this paper, a review of several security threats facing NFV has been presented. Additionally, many countermeasures for prevalent threats could alleviate the severity of NFV attacks.
However, NFV security remains a field under consideration, with different security challenges that require study. Furthermore, NFV currently lacks experimental implementations for understanding its weak points and disadvantages. Finally, NFV has unlimited capabilities and represents the future of networking. By integrating several security features, NFV will provide a secure future for networking as well.

Figure 1. The ETSI NFV proposal for the architectural framework of NFV, including the essential functional blocks and reference points [5], [6].

Table 1 (continued).

| Attack source or category | Threat | Countermeasures |
| | | Secure outsourcing services, integrity validation, over-encrypted connection |
| Multiple tenancies | Side-channel threats among co-hosted VNFs | Secure database interfaces, concealment of access management, obfuscation of service structures, and dedicated resource instances |
| VM live migration | Man-in-the-Middle attack arising from traffic sniffing, DDoS flooding attack when the protection of the migration is carelessly designed, and a replay attack | |

Table 2. Comparison of several researchers' efforts in finding NFV security solutions.