The NCSC’s findings on telecom security emphasize the protection of security-critical functions. Security-critical functions include orchestration systems for virtualization, management systems such as jump boxes, firewalls protecting a security zone, directory services such as Active Directory used for authentication and access control, IPsec security gateways, and monitoring and auditing systems.

Because the virtualization plane is central to telecom networks, the management and orchestration of those networks require additional security. The NCSC classifies these management functions as security-critical functions, and they must be secured by the following:

  • Two-factor authentication

  • Role-based access control that uses the principles of separation of duties and least privilege
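The following is an added example, not code from the original page, VMware or the NCSC, showing how the two requirements above combine in practice: a second factor is checked before any authorization decision, each role carries only the actions it needs (least privilege), and role pairs that must never be held by one identity are refused at assignment time (separation of duties). Role names, permission strings and users are invented for illustration.

```python
"""Toy model of role-based access control for a telecom management plane,
combining a second factor, least privilege and separation of duties.

Added example: not code from the original page, VMware or the NCSC. Role
names, permission strings and users are invented for illustration."""
from dataclasses import dataclass, field

# Least privilege: each role grants only the actions its holder needs.
ROLE_PERMISSIONS = {
    "orchestration-operator": {"vm:power", "vm:migrate"},
    "firewall-rule-author":   {"fw:rule:create", "fw:rule:edit"},
    "firewall-rule-approver": {"fw:rule:approve"},
    "audit-reader":           {"audit:read"},
}

# Separation of duties: role pairs that one identity must never hold together.
# Whoever writes a firewall rule must not also approve it, and whoever can
# change the fabric must not also be the one who reviews the audit trail.
SOD_CONFLICTS = {
    frozenset({"firewall-rule-author", "firewall-rule-approver"}),
    frozenset({"orchestration-operator", "audit-reader"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would violate a separation-of-duties pair."""


@dataclass
class User:
    name: str
    mfa_enrolled: bool = False
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any assignment that conflicts with a role already held."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    for held in user.roles:
        if frozenset({held, role}) in SOD_CONFLICTS:
            raise SeparationOfDutiesError(
                f"{user.name}: {role!r} conflicts with already-held {held!r}")
    user.roles.add(role)


def try_assign_role(user: User, role: str) -> bool:
    """Return True if the role was granted, False if separation of duties blocked it."""
    try:
        assign_role(user, role)
    except SeparationOfDutiesError:
        return False
    return True


def permitted(user: User, action: str, second_factor_ok: bool) -> bool:
    """Authorise an action only when the second factor succeeded for this session
    and at least one held role explicitly grants the action (default deny)."""
    if not (user.mfa_enrolled and second_factor_ok):
        return False
    return any(action in ROLE_PERMISSIONS[role] for role in user.roles)


if __name__ == "__main__":
    alice = User("alice", mfa_enrolled=True)
    assign_role(alice, "firewall-rule-author")
    print("create rule with MFA:", permitted(alice, "fw:rule:create", True))        # True
    print("create rule, MFA failed:", permitted(alice, "fw:rule:create", False))    # False
    print("approve own rule:", permitted(alice, "fw:rule:approve", True))           # False
    print("also become approver:", try_assign_role(alice, "firewall-rule-approver"))  # False
```

The conflict table is the part worth reviewing with the operator: every pair in it is a decision about which two capabilities, if held by one compromised or malicious account, would let a change to a security-critical function go through without a second person seeing it.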

The NCSC summary says “Operators use security-critical functions to enforce security controls in their networks and mitigate risk. As risks are mitigated, the options available to attackers are reduced, and the security-critical functions become the primary focus of attack. The Telecoms Security Requirements (TSRs) define additional controls for security-critical functions to ensure that they are resilient to targeted attacks from determined attackers.”

To limit the attack surface of security-critical functions and reduce risk, segregate security-critical functions in the virtualization fabric by using micro-segmentation with NSX. Micro-segmentation isolates security functions in their own trust domains.
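As an added example that is not part of the original page and not NSX's API or VMware's code, the block below models the isolation described above in plain Python: each security-critical function is its own trust domain (group), the policy is an ordered rule list where the first match wins, and a final catch-all rule drops everything not explicitly allowed, which is the evaluation order a distributed firewall applies. Group names, address ranges, ports and the sample flows are constructed; the point is that a general workload cannot reach the orchestration system or a jump host even though both share the same fabric, while the flows the functions genuinely need (authentication to the directory, telemetry to monitoring) still pass.

```python
"""Model of a micro-segmentation policy that places each security-critical
function in its own trust domain with default deny between domains.

Added example: it reproduces distributed-firewall semantics (ordered rules,
first match wins, final default-deny rule) in plain Python so the policy can
be tested offline; it is not NSX's API or VMware's code. Group names,
address ranges, ports and the sample flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One trust domain per security-critical function (constructed address ranges).
GROUPS = {
    "jump-hosts":    ["10.0.10.0/28"],
    "orchestration": ["10.0.20.0/28"],
    "directory":     ["10.0.30.0/28"],
    "monitoring":    ["10.0.40.0/28"],
    "workloads":     ["10.1.0.0/16"],
}
# Nested group so one isolation rule covers every security-critical domain.
NESTED = {"security-critical": ["jump-hosts", "orchestration", "directory", "monitoring"]}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # group name or "any"
    dst: str            # group name or "any"
    ports: frozenset    # destination ports; empty set means any port
    action: str         # "ALLOW" or "DROP"


# Ordered policy: the first matching rule decides; the last rule is the default.
POLICY = [
    Rule("admin-to-orchestration", "jump-hosts", "orchestration", frozenset({22, 443}), "ALLOW"),
    Rule("auth-to-directory", "any", "directory", frozenset({88, 389, 636}), "ALLOW"),
    Rule("telemetry-to-monitoring", "any", "monitoring", frozenset({514, 6514}), "ALLOW"),
    Rule("isolate-security-functions", "any", "security-critical", frozenset(), "DROP"),
    Rule("default-deny", "any", "any", frozenset(), "DROP"),
]


def in_group(ip: str, group: str) -> bool:
    """True if the address belongs to the named group ("any" matches everything)."""
    if group == "any":
        return True
    if group in NESTED:
        return any(in_group(ip, member) for member in NESTED[group])
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in GROUPS[group])


def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Return (action, rule name) for a flow, walking the policy in order."""
    for rule in POLICY:
        if (in_group(src_ip, rule.src) and in_group(dst_ip, rule.dst)
                and (not rule.ports or dst_port in rule.ports)):
            return rule.action, rule.name
    raise AssertionError("policy must end with a catch-all rule")


def denied_flows(flows):
    """Reduce a list of (src, dst, port) flows to the ones the policy drops, tagged
    with the rule that dropped them; this is what an operator forwards to the
    monitoring domain, since blocked attempts to reach security-critical functions
    are the events worth reviewing."""
    denied = []
    for src, dst, port in flows:
        action, rule_name = evaluate(src, dst, port)
        if action == "DROP":
            denied.append((src, dst, port, rule_name))
    return denied


if __name__ == "__main__":
    sample = [
        ("10.0.10.3", "10.0.20.5", 443),   # jump host to orchestration: allowed
        ("10.1.4.7", "10.0.20.5", 443),    # workload to orchestration: isolated
        ("10.1.4.7", "10.0.30.2", 88),     # workload Kerberos to directory: allowed
        ("10.1.4.7", "10.0.10.3", 22),     # workload to jump host: isolated
    ]
    for src, dst, port in sample:
        print(src, "->", dst, port, evaluate(src, dst, port))
    print("denied:", denied_flows(sample))
```

Two details carry the security value: the isolation rule sits before the default so a later, broader allow rule cannot accidentally open a path into a security-critical domain, and the only permitted source for the orchestration system is the jump-host domain, which is where the two-factor and role-based controls are enforced.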

In addition to virtualization, protecting security-critical functions also requires appropriate hardware with disks that can be encrypted and sufficient physical ports to separate traffic by type or sensitivity level.