Preventing security meltdown at the network edge

Ulrich Kohn

Security analysts recently disclosed the Spectre and Meltdown vulnerabilities. They are frightening because they exist on most commonly used processors. Naturally, communication service providers (CSPs) are concerned about the security of VNF-based business services running on these processors. In particular, they are worried about the vCPE use case, which allows them to replace multiple hardware appliances at the network edge with a standard server. They now need to consider additional protective measures.

Both vulnerabilities affect commonly deployed processors such as x86 and ARM. They are not attack vectors per se, but they do present a risk if the system allows the loading of malicious software. In that case, an adversary can exploit a side effect of speculative instruction execution. In particular, Meltdown circumvents the established controls that isolate memory spaces from one another. With Meltdown, it becomes possible to read any data anywhere in memory, such as keys and passwords.

These vulnerabilities exist at the lowest hardware level, in the standard processor microcode. It is generally assumed that processors will need to implement security controls in the microcode itself to ultimately eliminate this problem. Processor manufacturers and independent software vendors (ISVs) are developing software patches that provide some remedy. However, there are reports that these patches reduce performance. It is also not known whether software patches can provide protection against all microcode attack vectors.

Spectre and Meltdown require the loading of foreign code to implement the exploits, so the first line of defense is to secure the system. Firewalls will not work by themselves because there aren’t known signatures of malicious code exploiting these vulnerabilities. This code also needs a communication channel to transfer compromised data from a device back into the attacker’s domain. Those facts provide a basis for protecting systems, assuming that the attacker does not have physical access to the device. Service providers rolling out vCPE solutions can use the following methods for reducing the attack surface:

Pragmatic isolation of user and control domains

Network edge devices are frequently connected over untrusted networks, including the internet. Service providers use tunneling technologies to protect traffic destined for other user endpoints or for the management systems. Even so, attackers are able to ping and probe the device. Software vulnerabilities in the operating system or the hypervisor might open up possibilities to sneak in malicious Spectre or Meltdown exploits. A compromised user-facing software interface might be used to attack operational control, and vice versa. A pragmatic separation of control plane and VNF resources, using independent processors and/or closing software entry points, reduces the attack surface significantly.

Limiting access to trusted parties

Security can be further improved with encryption and firewalls. CSPs should consider encrypting all traffic, including both user traffic and the management plane. On the software side, VNF-based encryption may not protect the underlying operating system and hypervisor unless it is coupled with a secure switching layer. Even better is hardware-based encryption in front of the server, which protects all traffic and eliminates adversary access to the device. In either case, the transmitted data is only decrypted in trusted environments, blocking external attackers.

A layered defense is best

There is no silver bullet for protecting against security threats, but ADVA Optical Networking can help. ADVA’s solutions include hardware platforms that combine standard servers with hardware-based encryption and separated processors for user and control data. ADVA also offers software solutions with encryption and an extended security feature set.

With ADVA’s solutions, service providers can deploy a layered defense to protect against lower layer processor vulnerabilities. These layers reduce the attack surface at the network edge and provide additional barriers to entry. Of course, any patches should be applied to address the known issues. But a layered defense can help prevent the next issue – and the next issue is always just around the corner.
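To verify which of those patches a Linux-based vCPE host actually has in effect, the kernel's own status interface can be read. The script below is an added example, not code from the article or from ADVA; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities (one file per issue, containing "Not affected", "Vulnerable[: …]" or "Mitigation: …").

```shell
#!/bin/sh
# Added example: summarise the Spectre/Meltdown mitigation status the Linux
# kernel reports for this host. Exit status 1 means at least one issue is
# still reported as vulnerable, 2 means the interface is absent (old kernel).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints "ok", "vulnerable" or "unknown"
# based on the kernel's status string conventions.
classify_status() {
  case "$1" in
    "Not affected"*|"Mitigation:"*) echo ok ;;
    "Vulnerable"*)                  echo vulnerable ;;
    *)                              echo unknown ;;
  esac
}

# report_dir DIR -> one line per issue file in DIR; returns 1 if any
# issue classifies as vulnerable, 2 if DIR does not exist, else 0.
report_dir() {
  dir="$1"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "no vulnerabilities interface at $dir (kernel too old?)"
    return 2
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    cls=$(classify_status "$status")
    printf '%-22s %-11s %s\n' "$(basename "$f")" "$cls" "$status"
    if [ "$cls" = vulnerable ]; then rc=1; fi
  done
  return $rc
}

# Check the live system when run as a script.
report_dir "$VULN_DIR"
```

Run it after applying a patch to confirm the kernel now reports a mitigation rather than "Vulnerable" for meltdown, spectre_v1 and spectre_v2.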
