Service Function Chaining security survey: Addressing security challenges and threats

Abstract

Service function chaining (SFC) is a trending paradigm and it has attracted considerable attention from both the industry and academia because of its potential to improve dynamicity and flexibility in service chain provisioning significantly. SFC makes it easier and more convenient to compose on-demand service chains customized for application-specific requirements. In addition to SFC, network functions virtualization (NFV) and software-defined networking (SDN) are two other technology enablers that drive software-based service chain solutions. SFC leverages NFV for flexible deployment and for the placement of virtual resources and virtual network functions (VNFs); further, it employs SDN to provide traffic steering and network connectivity between the deployed VNF instances to form an application-specific service chain. Although SFC introduces many promising advantages, security is a major concern and a potential barrier for the widespread adoption of SFC technology. The integration of these technologies introduces a wide variety of security risks in the different levels of SFC stacks because SFC relies on NFV and SDN, and this results in a greater attack surface. Therefore, this survey aims to conduct a comprehensive analysis of SFC from a security perspective. To this end, we examine the SFC architecture in detail, including the design principles and relationships between other functional components, to obtain a clear understanding of SFC. The significant enhancements achieved by adopting SFC are highlighted. Further, we exemplify its deployment in several realistic use cases. Based on the SFC layering model, we analyze security threats to identify all possible risk exposures and establish a layer-specific threat taxonomy. We then systematically analyze the existing defensive solutions and propose a set of security recommendations to secure an SFC-enabled domain. Our goal is to help network operators deploy cost-effective security hardening based on their specific requirements. Finally, several open research challenges and future directions of SFC are also discussed.