WO2017178068A1 - Mechanism for modifying security setting of a network service including virtual network parts - Google Patents


Info

Publication number: WO2017178068A1
Authority: WO, WIPO (PCT)
Application number: PCT/EP2016/058403
Other languages: French (fr)
Inventors: Bernd Jaeger, Jing Ping, Manfred Schaefer
Original assignee: Nokia Solutions And Networks Oy
Prior art keywords: function, security, network, network service, virtual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/08 Access security
    • H04W12/088 Access security using filters or firewalls
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements


Abstract

A system including a network function virtualization control element or function configured to manage at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts, a security control element or function configured to execute security-related management tasks in the communication network comprising virtualized network parts, and a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service, wherein the security monitoring element or function is further configured, during an operation of the network service, to notify the security control element about a security incident at a network element or function involved in the network service, the security control element or function is further configured, during the operation of the network service, to obtain an analysis result of the security incident and to determine countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and the network function virtualization control element or function is further configured to receive and process information indicating the determined countermeasures and to initiate a modification of the network service for realizing the countermeasures.

Description

MECHANISM FOR MODIFYING SECURITY SETTING OF A NETWORK SERVICE INCLUDING VIRTUAL NETWORK PARTS
DESCRIPTION
BACKGROUND
Field
The present invention relates to apparatuses, methods, systems, computer programs, computer program products and computer-readable media usable for providing a possibility to modify security settings of a network service established in a communication network including virtual network parts.
Background Art
The following description of background art may include insights, discoveries, understandings or disclosures, or associations, together with disclosures not known to the relevant prior art, to at least some examples of embodiments of the present invention but provided by the invention. Some of such contributions of the invention may be specifically pointed out below, whereas other of such contributions of the invention will be apparent from the related context.
The following meanings for the abbreviations used in this specification apply:
3GPP: 3rd Generation Partnership Project
ACK: acknowledgment
API: application programming interface
BS: base station
BSS: business support system
CPU: central processing unit
DB: database
DC: data center
DMZ: demilitarized zone
DoS: denial of service
DSL: digital subscriber line
E2E: endpoint-to-endpoint
EM: element manager
eNB: evolved node B
ETSI: European Telecommunications Standards Institute
HW: hardware
IDS: intrusion detection system
IMS: IP multimedia system
IoT: Internet of things
IPS: intrusion protection system
IP: Internet protocol
LTE: Long Term Evolution
LTE-A: LTE Advanced
M2M: machine to machine
MANO: management and orchestration
NE: network element
NF: network function
NFV: network function virtualization
NFVI: NFV infrastructure
NFVO: NFV orchestrator
NS: network service
NSD: network service descriptor
NSR: network service record
OS: operating system
OSS: operation support system
PNF: physical network function
PSF: physical security function
PSFR: physical security function record
SBD: security baseline descriptor
SBR: security baseline record
SDN: software defined networks/networking
SEM: security element manager
SFD: security function descriptor
SFR: security function record
SMON: security monitor
SO: security orchestrator
SP: security policy
SPD: security policy/procedure descriptor
SPR: security policy/procedure record
ST: service tool
SW: software
UE: user equipment
UMTS: universal mobile telecommunication system
VIM: virtual infrastructure manager
VM: virtual machine
VNF: virtual network function
VNFC: virtual network function component
VNFD: virtual network function descriptor
VNFM: virtual network function manager
VSF: virtual security function
VSFC: virtual security function component
VSFM: virtual security function manager
VSFR: virtual security function record
Embodiments of the present invention are related to a communication network comprising at least one virtualized network function, virtualized communication function or communication application (referred to hereinafter as virtual network function), wherein physical resources and/or at least one physical network function or communication function may be included. A virtual network function, communication function or communication application may be of any type, such as a virtual core network function, a virtual access network function, a virtual IMS element, a virtualized terminal function, a function or element capable of M2M communication, or the like. Specifically, embodiments of the present invention are related to ways of adjusting or modifying the security settings of a network service established in the communication network using virtual network functions.
SUMMARY
According to an example of an embodiment, there is provided, for example, a system including a network function virtualization control element or function configured to manage at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts, a security control element or function configured to execute security-related management tasks in the communication network comprising virtualized network parts, and a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service, wherein the security monitoring element or function is further configured, during an operation of the network service, to notify the security control element about a security incident at a network element or function involved in the network service, the security control element or function is further configured, during the operation of the network service, to obtain an analysis result of the security incident and to determine countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and the network function virtualization control element or function is further configured to receive and process information indicating the determined countermeasures and to initiate a modification of the network service for realizing the countermeasures.
Furthermore, according to an example of an embodiment, there is provided, for example, a method including managing, by a network function virtualization control element or function, at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts, executing, by a security control element or function, security-related management tasks in the communication network comprising virtualized network parts, and monitoring, by a security monitoring element or function, the communication network and recognizing security related incidents in the communication network occurring at network elements or functions involved in the network service, wherein the method further includes, during an operation of the network service, notifying about a security incident at a network element or function involved in the network service, obtaining an analysis result of the security incident, determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and receiving and processing information indicating the determined countermeasures and initiating a modification of the network service for realizing the countermeasures.
Moreover, according to an example of an embodiment, there is provided, for example, a computer program product, comprising a computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to execute a process comprising managing, by a network function virtualization control element or function, at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts, executing, by a security control element or function, security-related management tasks in the communication network comprising virtualized network parts, and monitoring, by a security monitoring element or function, the communication network and recognizing security related incidents in the communication network occurring at network elements or functions involved in the network service, wherein the method further includes, during an operation of the network service, notifying about a security incident at a network element or function involved in the network service, obtaining an analysis result of the security incident, determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and receiving and processing information indicating the determined countermeasures and initiating a modification of the network service for realizing the countermeasures.
According to further refinements, these examples may include one or more of the following features:
- In the security control element or function, there may be determined, as the countermeasures related to the security incident, at least one of introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function; modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification; changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path; and terminating the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the indication to terminate the network service;
- In the security control element or function, the analysis result of the security incident may be obtained by conducting an own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or the analysis result may be received from an external analysis process and processed;
- the security monitoring element or function may be an internal element or function of the security control element or function or a separate element or function of the communication network and capable of communicating with the security control element or function;
- the security monitoring element or function may monitor virtual network functions and physical network functions involved in the network service and notify the security control element or function about a security incident at the virtual network functions and physical network functions;
- In the security control element or function, information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service may be forwarded to a service tool of a network administrator of the communication network, wherein the service tool may process an input regarding a confirmation of the received information, or process an input regarding a change of the received information for generating a changed set of information indicating countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service, and send the confirmed information or the changed information indicating the determined countermeasures and at least one of an introduction and a modification of the security setting for the network service;
- In the security control element or function, information indicating paths of the network service being allowed to be automatically modified in case of an security incident may be received and stored, it may be checked, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and in case the check is affirmative, the information indicating the determined countermeasures may be sent to the network function virtualization control element or function;
- the information indicating the determined countermeasures may include a modified network service description and a network service change indication generated by the security control element or function;
- in the security control element or function, it may be considered, when determining countermeasures related to the security incident, at least one of a type of attack causing the security incident, a type of the network element or function being affected by the security incident, a location of the network element or function being affected by the security incident, and an operation state of a path of the network service including the network element or function being affected by the security incident;
- in the security control element or function, as countermeasures related to the security incident, there may be used at least one of interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident, interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident, introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident, modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident, redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function, modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident, deleting the network element or function being affected by the security incident from the network service, checking an integrity of the network element or function being affected by the security incident from the network service, rehealing the network element or function being affected by the security incident from the network service, reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident, redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and establishing of a replacement path including network elements or function corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure;
- in the security control element or function, at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service may be conducted;
- the network function virtualization control element or function may be further configured, on the basis of information indicating the determined countermeasures to initiate a modification of the network service including immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident, instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident, re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and restarting or continuing processing with network service;
- the network function virtualization control element or function may be further configured, on the basis of information indicating the determined countermeasures to initiate a modification of the network service including instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, interrupting the connection to the path of the network service including the network element or function being affected by the security incident, analyzing the network element or function being affected by the security incident, rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result, reconnecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and restarting or continuing processing with network service;
- the network function virtualization control element or function may be further configured, on the basis of information indicating the determined countermeasures to initiate a modification of the network service including instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident, connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident, stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function, checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident;
- in the security control element or function, it may be checked whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative, the path of the network service including the network element or function being affected by the security incident may be prepared for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service;
- the network function virtualization control element or function may be included in a network function virtualization orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing, the security control element or function may be included in a security orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing, and the security monitoring element or function may be included in a security monitor implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing.
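As an added illustration (not code from the patent or from the assignee), the following Python sketch models the SMON to SO to NFVO loop of the refinements above: the SO determines a countermeasure (a VSF type, an introduction procedure, a modified NS description and a change indication), routes it through the administrator's service tool unless the path is flagged for automatic modification, and the NFVO realizes it either by interrupting the affected path first and reconnecting the (rehealed) function via the VSF, or by building a replacement path in parallel, steering new connections to it and interrupting the old path once it is drained. All class names, the decision table and the sample service are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class NF:                          # a VNF, PNF, VSF or PSF in a service path
    name: str
    kind: str
    active_connections: int = 0
    integrity_ok: bool = True

@dataclass
class Path:
    path_id: str
    chain: List[NF]
    auto_modify: bool = False      # SO may change it without administrator confirmation
    accepting_new: bool = True     # False while new connections are steered elsewhere

@dataclass
class NetworkService:
    ns_id: str
    paths: Dict[str, Path] = field(default_factory=dict)

@dataclass
class Incident:                    # SMON -> SO notification (constructed format)
    path_id: str
    nf_name: str
    attack_type: str

@dataclass
class Countermeasure:              # SO -> NFVO: the determined countermeasures
    vsf_type: str
    procedure: str                 # "interrupt_first" or "parallel_path"
    ns_change_indication: str
    modified_nsd: Dict

def _index(path: Path, nf_name: str) -> int:
    return next(i for i, nf in enumerate(path.chain) if nf.name == nf_name)

class SecurityOrchestrator:
    # Assumed decision table: attack type -> (VSF type to introduce, introduction procedure)
    TABLE = {"dos": ("firewall", "parallel_path"), "malware": ("ips", "interrupt_first")}

    def __init__(self, nfvo, service_tool: Callable[[Countermeasure], Optional[Countermeasure]]):
        self.nfvo, self.service_tool = nfvo, service_tool

    def determine(self, ns: NetworkService, inc: Incident) -> Countermeasure:
        # Own analysis of the notification: VSF type and procedure follow from the attack type
        vsf_type, proc = self.TABLE.get(inc.attack_type, ("ids", "parallel_path"))
        old = ns.paths[inc.path_id]
        chain = [nf.name for nf in old.chain]
        chain.insert(_index(old, inc.nf_name), f"{vsf_type}:{inc.nf_name}")  # VSF ahead of the NF
        nsd = {"ns_id": ns.ns_id, "paths": {inc.path_id: chain}}            # modified NS description
        return Countermeasure(vsf_type, proc, f"insert {vsf_type} on {inc.path_id}", nsd)

    def on_incident(self, ns: NetworkService, inc: Incident) -> str:
        cm = self.determine(ns, inc)
        if not ns.paths[inc.path_id].auto_modify:
            cm = self.service_tool(cm)             # administrator confirms, changes or rejects
            if cm is None:
                return "rejected"
        return self.nfvo.modify(ns, inc, cm)

class NFVOrchestrator:
    def __init__(self, drain: Callable[[Path], None]):
        self.drain = drain                         # waits until active connections on a path end

    def modify(self, ns: NetworkService, inc: Incident, cm: Countermeasure) -> str:
        old, idx = ns.paths[inc.path_id], _index(ns.paths[inc.path_id], inc.nf_name)
        vsf = NF(f"{cm.vsf_type}:{inc.nf_name}", "VSF")   # instantiate the VSF (policies set by SO)
        if cm.procedure == "interrupt_first":
            old.accepting_new = False                     # cut the affected path immediately
            if not old.chain[idx].integrity_ok:           # integrity check failed: relaunch clean
                old.chain[idx] = NF(inc.nf_name, old.chain[idx].kind)
            old.chain.insert(idx, vsf)                    # reconnect the NF via the new VSF
            old.accepting_new = True                      # continue processing
            return f"{inc.path_id}: interrupted, {cm.vsf_type} inserted, resumed"
        # parallel_path: replacement path with a fresh NF behind the VSF, then drain the old one
        new_chain = old.chain[:idx] + [vsf, NF(inc.nf_name, old.chain[idx].kind)] + old.chain[idx + 1:]
        new_id = f"{inc.path_id}-r"
        ns.paths[new_id] = Path(new_id, new_chain, auto_modify=old.auto_modify)
        old.accepting_new = False                         # new connections go to the new path
        self.drain(old)
        if sum(nf.active_connections for nf in old.chain) == 0:
            del ns.paths[inc.path_id]                     # no active connection left: interrupt
            return f"{inc.path_id} replaced by {new_id} via {cm.vsf_type}"
        return f"{inc.path_id} still active; kept alongside {new_id}"

def run_demo():
    # Constructed sample service: p1 may be auto-modified, p2 needs administrator confirmation
    ns = NetworkService("ns1", {
        "p1": Path("p1", [NF("fw0", "PSF"), NF("web", "VNF", active_connections=3)], auto_modify=True),
        "p2": Path("p2", [NF("db", "VNF", integrity_ok=False)])})
    def drain(path: Path) -> None:                        # simulated: open sessions finish
        for nf in path.chain:
            nf.active_connections = 0
    so = SecurityOrchestrator(NFVOrchestrator(drain), service_tool=lambda cm: cm)
    r1 = so.on_incident(ns, Incident("p1", "web", "dos"))
    r2 = so.on_incident(ns, Incident("p2", "db", "malware"))
    return ns, r1, r2
```

The service tool is modelled as a callable so that confirmation, editing and rejection of the SO's proposal can be exercised separately from the automatic path.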
According to an example of an embodiment, there is provided, for example, an apparatus including at least one processing circuitry, and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus at least: to receive and process, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service, to obtain, during the operation of the network service, an analysis result of the security incident, to determine countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and to provide information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
Furthermore, according to an example of an embodiment, there is provided, for example, a method including receiving and processing, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service, obtaining, during the operation of the network service, an analysis result of the security incident, determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and providing information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
Moreover, according to an example of an embodiment, there is provided, for example, a computer program product, comprising a computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to execute a process comprising receiving and processing, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service, obtaining, during the operation of the network service, an analysis result of the security incident, determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and providing information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
According to further refinements, these examples may include one or more of the following features:
- as the countermeasures related to the security incident, there may be determined at least one of introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function are provided; modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification are provided; changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path are provided; and terminating the network service, wherein, as the information indicating the determined countermeasures, the indication to terminate the network service is provided.
- the analysis result of the security incident may be obtained by conducting its own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or the analysis result may be received from an external analysis process and processed;
- the notification about the security incident at a network element or function involved in the network service may be obtained from a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service, the security monitoring element or function being an internal or external function;
- the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function may be related to at least one of virtual network functions and physical network functions involved in the network service;
- information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service may be forwarded to a service tool of a network administrator of the communication network, wherein the information indicating countermeasures may be provided when the countermeasures are confirmed by the network administrator;
- information indicating paths of the network service being allowed to be automatically modified in case of a security incident may be received and stored, it may be checked, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and in case the check is affirmative, the information indicating the determined countermeasures may be sent to a network function virtualization control element or function;
- the information indicating the determined countermeasures may include a modified network service description and a network service change indication generated by a security control element or function managing at least one virtual network function involved in the network service;
- there may be considered, when determining countermeasures related to the security incident, at least one of a type of attack causing the security incident, a type of the network element or function being affected by the security incident, a location of the network element or function being affected by the security incident, and an operation state of a path of the network service including the network element or function being affected by the security incident;
- as countermeasures related to the security incident, there may be used at least one of interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident, interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident, introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident, modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident, redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function, modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident, deleting the network element or function being affected by the security incident from the network service, checking the integrity of the network element or function being affected by the security incident from the network service, rehealing the network element or function being affected by the security incident from the network service, reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident, redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and establishing a replacement path including network elements or functions corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure;
- at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service may be conducted;
- as information indicating the determined countermeasures, information may be provided causing a modification of the network service including immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident, instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident, re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and restarting or continuing processing with the network service;
- as information indicating the determined countermeasures, information may be provided causing a modification of the network service including instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, interrupting the connection to the path of the network service including the network element or function being affected by the security incident, analyzing the network element or function being affected by the security incident, rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result, re-connecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and restarting or continuing processing with the network service;
- as information indicating the determined countermeasures, information may be provided causing a modification of the network service including instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident, connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident, stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function, checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident;
- it may be checked whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative, the path of the network service including the network element or function being affected by the security incident may be prepared for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service;
- the apparatus and method may be implemented in a security control element or function included in a security orchestrator configured to execute security-related management tasks in the communication network comprising virtualized network parts.
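The flow described in the refinements above (the check whether the affected path may be modified automatically, the choice of a virtual security function from the attack type, the replacement path connected in parallel with connection draining, and the resulting modified network service description plus change indication) as an added Python model. This is illustrative code written for this page, not code from the patent or from Nokia; the dataclasses, the attack-to-VSF mapping and all element names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Path:
    """One path of the network service: an ordered chain of element/function names."""
    name: str
    functions: List[str]
    active_connections: int = 0
    accepting_new: bool = True   # new connections may still be established on this path
    connected: bool = True       # False once the path has been interrupted


@dataclass
class NetworkService:
    paths: List[Path]
    auto_modifiable: Set[str]    # paths the administrator allows to be changed automatically


@dataclass
class Incident:
    affected: str                # element or function named in the monitoring notification
    attack_type: str             # taken from the analysis result


@dataclass
class Countermeasure:
    kind: str                    # "replacement_path" or "confirm_with_admin"
    vsf_type: Optional[str] = None
    policies: Dict[str, str] = field(default_factory=dict)


# Assumed mapping from analysed attack type to the VSF type to introduce (illustrative).
VSF_FOR_ATTACK = {"dos": "vFW", "malware": "vIDS", "exfiltration": "vDLP"}


class SecurityOrchestrator:
    def __init__(self, ns: NetworkService):
        self.ns = ns
        self.change_indication: List[str] = []   # NS change indication for the NFV control

    def determine(self, incident: Incident) -> Countermeasure:
        """Choose a countermeasure from the attack type and the affected path(s)."""
        vsf = VSF_FOR_ATTACK.get(incident.attack_type)
        paths = [p for p in self.ns.paths if incident.affected in p.functions]
        auto_ok = all(p.name in self.ns.auto_modifiable for p in paths)
        if vsf is None or not paths or not auto_ok:
            # unknown attack type or path not cleared for automatic change: escalate
            return Countermeasure("confirm_with_admin", vsf)
        policies = {"inspect": incident.attack_type, "protect": incident.affected}
        return Countermeasure("replacement_path", vsf, policies)

    def apply(self, incident: Incident, cm: Countermeasure) -> List[Path]:
        """Build the replacement path in parallel and start draining the affected one."""
        if cm.kind != "replacement_path":
            return []
        new_paths = []
        for old in [p for p in self.ns.paths if incident.affected in p.functions]:
            vsf_name = f"{cm.vsf_type}_{old.name}"          # instantiate the new VSF
            new_vnf = f"{incident.affected}_new"            # fresh instance of the affected VNF
            chain: List[str] = []
            for f in old.functions:
                chain.extend([vsf_name, new_vnf] if f == incident.affected else [f])
            new = Path(f"{old.name}_replacement", chain)    # connected in parallel to old
            self.ns.paths.append(new)
            old.accepting_new = False                       # no new connections on old path
            self.change_indication += [
                f"instantiate {vsf_name} with policies {cm.policies}",
                f"instantiate {new_vnf}",
                f"add path {new.name}: {' -> '.join(chain)}",
                f"stop new connections on {old.name}",
            ]
            self.try_interrupt(old)                         # interrupt now if already idle
            new_paths.append(new)
        return new_paths

    def connection_closed(self, path: Path) -> None:
        """Called when a connection on a draining path ends; interrupt once none remain."""
        path.active_connections = max(0, path.active_connections - 1)
        self.try_interrupt(path)

    def try_interrupt(self, path: Path) -> bool:
        if path.accepting_new or path.active_connections > 0 or not path.connected:
            return False
        path.connected = False
        self.change_indication.append(f"interrupt {path.name}")
        return True

    def description(self) -> Dict[str, List[str]]:
        """Modified network service description: the paths that are still connected."""
        return {p.name: list(p.functions) for p in self.ns.paths if p.connected}


def demo() -> SecurityOrchestrator:
    # constructed sample: one path with two live connections, cleared for automatic change
    ns = NetworkService([Path("p1", ["ep10", "pnf40", "vnf_a", "ep15"], 2)], {"p1"})
    so = SecurityOrchestrator(ns)
    inc = Incident("vnf_a", "malware")
    so.apply(inc, so.determine(inc))
    return so
```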
In addition, according to embodiments, there is provided, for example, a computer program product for a computer, including software code portions for performing the steps of the above defined methods, when said product is run on the computer. The computer program product may include a computer-readable medium on which said software code portions are stored. Furthermore, the computer program product may be directly loadable into the internal memory of the computer and/or transmittable via a network by means of at least one of upload, download and push procedures.
BRIEF DESCRIPTION OF THE DRAWINGS
Some embodiments of the present invention are described below, by way of example only, with reference to the accompanying drawings, in which:
Fig. 1 shows a diagram illustrating a general architecture of a communication network where some examples of embodiments are implementable;
Fig. 2 shows a diagram illustrating a reference architecture of a management and orchestration system for network function virtualization in a communication network according to some examples of embodiments;
Fig. 3 shows a workflow diagram illustrating a processing for preparing and designing security of a network service according to some examples of embodiments;
Fig. 4 shows a workflow diagram illustrating a processing for deploying network security according to some examples of embodiments;
Fig. 5 shows a workflow diagram illustrating a processing for deploying network security according to some examples of embodiments;
Fig. 6 shows a flow chart illustrating a procedure for modifying a security setting of a network service according to some examples of embodiments;
Fig. 7 shows a diagram illustrating a configuration example of a network service including a security setting representing a starting point for some examples of embodiments;
Fig. 8 shows a diagram illustrating a configuration example of a network service including a security setting being modified according to some examples of embodiments;
Fig. 9 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 10 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 11 shows a diagram illustrating a configuration example of a network service including a security setting being modified according to some examples of embodiments;
Fig. 12 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 13 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 14 shows a diagram illustrating a configuration example of a network service including a security setting being modified according to some examples of embodiments;
Fig. 15 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 16 shows a workflow diagram illustrating a processing for modifying a security setting of a network service according to some examples of embodiments;
Fig. 17 shows a flow chart of a processing conducted in a security orchestrator element or function according to some examples of embodiments; and
Fig. 18 shows a diagram of a network element or function acting as a security orchestrator according to some examples of embodiments.
DESCRIPTION OF EMBODIMENTS
In recent years, an increasing extension of communication networks took place all over the world, e.g. of wire based communication networks, such as the Integrated Services Digital Network (ISDN), DSL, or wireless communication networks, such as the cdma2000 (code division multiple access) system, cellular 3rd generation (3G) networks like the Universal Mobile Telecommunications System (UMTS), fourth generation (4G) communication networks or enhanced communication networks based e.g. on LTE or LTE-A, fifth generation (5G) communication networks, cellular 2nd generation (2G) communication networks like the Global System for Mobile communications (GSM), the General Packet Radio System (GPRS), the Enhanced Data Rates for Global Evolution (EDGE), or other wireless communication systems, such as the Wireless Local Area Network (WLAN), Bluetooth or Worldwide Interoperability for Microwave Access (WiMAX).
Also M2M communication, Internet of Things (IoT) and the like are implemented or planned to be implemented. Various organizations, such as the European Telecommunications Standards Institute (ETSI), the 3rd Generation Partnership Project (3GPP), Telecoms & Internet converged Services & Protocols for Advanced Networks (TISPAN), the International Telecommunication Union (ITU), 3rd Generation Partnership Project 2 (3GPP2), Internet Engineering Task Force (IETF), the IEEE (Institute of Electrical and Electronics Engineers), the WiMAX Forum and the like are working on standards or specifications for telecommunication network and access environments. Generally, for properly establishing and handling a communication connection between two end points (e.g. terminal devices such as user equipments (UEs) or other communication network elements, a database, a server, host etc.), one or more network elements or functions, such as communication network control elements, for example access network elements like access points, base stations, eNBs etc., and core network elements or functions, for example control nodes, support nodes, service nodes, gateways etc., are involved, which may belong to different communication network systems.
Such communication networks comprise, for example, a large variety of proprietary hardware appliances. Launching a new network service often requires yet another appliance and finding the space and power to accommodate these boxes is becoming increasingly difficult. Moreover, hardware-based appliances rapidly reach end of life.
Due to this, it has been considered to use, instead of hardware based network elements, virtually generated network functions, which is also referred to as network functions virtualization. By means of software based virtualization technology, it is possible to consolidate many network equipment types onto industry standard high volume servers, switches and storage, which could be located in data centers, network nodes and in the end user premises, for example.
In recent years, the virtualization of telecommunication network elements and running them on standard Commercial Off-The-Shelf (COTS) HW platforms such as clouds has evolved. These virtualized network elements are then called VNF and are configured to run, for example, in telecommunication clouds. One example of a framework for such a telecommunication cloud is provided, for example, by ETSI NFV. For the sake of simplicity, network function virtualization will be referred to in the following as NFV.
However, in contrast to the separated physical network elements of former network architectures, the replacement of these elements by network function virtualization also means that such a physical separation is no longer guaranteed, since VNFs may run on one and the same HW. As such, it is necessary to consider also a logical separation of VNFs, in order to ensure the security of virtualized telecommunication networks.
It is to be noted that in a communication system both a physical and a virtual network element approach may be used simultaneously and in a mixed manner, which is also referred to as a hybrid communication network (referred to hereinafter as "hybrid network"), where virtual and physical nodes, elements, functions etc. coexist and form a (dynamic) network structure. For example, a core network being employed for services comprises virtual and physical network elements or functions interacting with each other. Furthermore, also other network functions besides those of a (core) network (like EPC or IMS), such as network functions of an access network element like an eNB or BS, may be provided as virtual network functions.
NFV involves the implementation of network functions in software that can run on server hardware, such as standard or default server hardware, and that can be moved to, or instantiated/setup in, various locations in the network or cloud/data centers as required, without the need for installation of new equipment. It is to be noted that NFV is able to support SDN by providing the infrastructure upon which the SDN software can be run. Furthermore, NFV aligns closely with the SDN objectives to use commodity servers and switches. The SDN-User Plane part may be placed outside or inside the cloud.
As indicated above, NFV is intended to be implemented in such a manner that network functions are instantiated and located within a so-called cloud environment, i.e. a storage and processing area shared by plural users, for example. By means of this, it is for example possible to dynamically place elements/functions of a core network in a flexible manner into the cloud.
Dynamically placing the NF into the cloud allows also that all of the NFs or some parts or functions of the core network are dynamically withdrawn completely from the cloud (i.e. de-instantiated or terminated), while other parts (legacy or virtualized network functions) remain in the network structure as deemed necessary.
It is to be noted that instantiated (or instantiation) means in the context of the following description, for example, that a virtual network function acting in a communication network in the virtual network part (see e.g. Fig. 1) is set up, turned on, activated or made in some other manner available for other communication network elements or functions. On the other hand, termination (or de-instantiation) means, for example, that a virtual network function acting in a communication network in the virtualized network part (see e.g. Fig. 1) is turned off, deactivated or made in some other manner not available for other communication network elements or functions, i.e. the instantiation of the virtual network function in question is removed or cancelled, at least temporarily.
There are various approaches for configuring a virtualized communication network running in a cloud environment. As one example, the Management and Orchestration (MANO) working group inside the ETSI Network Function Virtualization (NFV) Industry Specification Group (ISG) has developed a telecommunication cloud concept which is also referred to as the ETSI NFV Reference Architecture. So-called management entities such as an NFV Orchestrator (NFVO), a VNF Manager (VNFM) etc. have been defined which are used to deploy and manage a virtualized communication network running on an NFV infrastructure.
However, as indicated above, one important aspect in the field of networks and in particular communication networks is that also security services and functions have to be deployed and managed. Security concerns, for example, communication security, credential management and provisioning, trust management, hardening, etc.
Virtualized telecommunication networks rely on a logical separation of VNFs by means of one of several possible mechanisms for virtualization, such as a virtualization layer employing e.g. a network element like a hypervisor (described later), or container based technology. However, if a VNF or VM or an underlying virtualization layer is the target of an attack, it is possible to perform nearly all kinds of attacks against availability, integrity and confidentiality. For instance, DoS attacks could be performed. Also critical components of the network, such as a Home Subscriber Server (HSS) which holds sensitive user data, have to be protected.
Examples of embodiments of the present invention are related to management and modification of security concepts in communication networks, in particular of network services established in communication networks using virtual network functions (VNFs), allowing the security level of virtualized telecommunication networks to be increased while the impact of attacks can be diminished.
Basically, according to examples of embodiments, a security concept or mechanism is provided which enables for a communication network comprising virtualized network elements or functions, such as a hybrid network, holistic end-to-end security measures and provides an at least partly automated deployment/management of security services/functions inside the communication network. For example, according to some examples of embodiments, a management entity is provided which is applicable to a communication network including virtualized network elements or functions, which may correspond, for example, to the ETSI NFV reference architecture indicated above. That is, an at least partly automated security management for a hybrid network considering security in the virtual parts of the hybrid network is provided.
According to examples of embodiments, in a network service established in the communication network using virtual and/or physical network elements or functions, a security service including one or more security (physical and/or virtual) functions is deployed and/or configured and/or managed wherein security requirements for the network provided by security policies are realized by the security service and the security function(s).
Embodiments as well as principles described below are applicable in connection with any (physical or virtual) network element or function being included in a (hybrid) communication network environment including at least one virtualized network element or function, such as a terminal device, a network element, a relay node, a server, a node, a corresponding component, and/or any other element or function of a communication system or any combination of different communication systems that support required functionalities. The communication system may be any one or any combination of a fixed communication system, a wireless communication system or a communication system utilizing both fixed networks and wireless parts. The protocols used, the specifications of networks or communication systems, apparatuses, such as nodes, servers and user terminals, especially in wireless communication, develop rapidly. Such development may require extra changes to an embodiment. Therefore, all words and expressions should be interpreted broadly and they are intended to illustrate, not to restrict, embodiments.
In the following, different exemplifying embodiments will be described using, as an example of a communication network to which the embodiments may be applied, a radio access architecture based on 3GPP standards, such as a third generation or fourth generation (like LTE or LTE-A) communication network, without restricting the embodiments to such architectures, however. It is obvious for a person skilled in the art that the embodiments may also be applied to other kinds of communication networks having suitable means by adjusting parameters and procedures appropriately, e.g. WiFi, worldwide interoperability for microwave access (WiMAX), Bluetooth®, personal communications services (PCS), ZigBee®, wideband code division multiple access (WCDMA), systems using ultra-wideband (UWB) technology, sensor networks, mobile ad-hoc networks (MANETs), wired access, fifth generation (5G) telecommunication systems, IoT, etc.
The following examples and embodiments are to be understood only as illustrative examples. Although the specification may refer to "an", "one", or "some" example(s) or embodiment(s) in several locations, this does not necessarily mean that each such reference is related to the same example(s) or embodiment(s), or that the feature only applies to a single example or embodiment. Single features of different embodiments may also be combined to provide other embodiments. Furthermore, terms like "comprising" and "including" should be understood as not limiting the described embodiments to consist of only those features that have been mentioned; such examples and embodiments may also contain features, structures, units, modules etc. that have not been specifically mentioned.
A basic system architecture of a telecommunication network comprising virtualized network elements or functions and including a communication system where some examples of embodiments are applicable may include an architecture of one or more communication networks including a wired or wireless access network subsystem and a core network. Such an architecture may include one or more communication network control elements, access network elements, radio access network elements, access service network gateways or base transceiver stations, such as a base station (BS)/eNB or an access point, which control a respective coverage area or cell(s) and with which one or more communication elements, user devices or terminal devices, such as a UE, or another device having a similar function, such as a modem chipset, a chip, a module etc., which can also be part of an element, function or application capable of conducting a communication, such as a UE, an element or function usable in a machine-to-machine communication architecture, or attached as a separate element to such an element, function or application capable of conducting a communication, or the like, are capable to communicate via one or more channels for transmitting several types of data. Furthermore, core network elements such as gateway network elements, policy and charging control network elements, mobility management entities, operation and maintenance elements, and the like may be included.
The general functions and interconnections of the described elements, which also depend on the actual network type, are known to those skilled in the art and described in corresponding specifications, so that a detailed description thereof is omitted herein. However, it is to be noted that several additional network elements and signaling links may be employed for a communication to or from an element, function or application, like a communication endpoint, a communication network control element, such as a server, a radio network controller, and other elements of the same or other communication networks besides those described in detail herein below.
A communication network including virtualized network elements or functions as being considered in examples of embodiments may also be able to communicate with other networks, such as a public switched telephone network or the Internet. The communication network may also be able to support the usage of cloud services for the virtual network elements or functions thereof, wherein it is to be noted that the virtual network part of the telecommunication network can also be provided by non-cloud resources, e.g. an internal network or the like. It should be appreciated that network elements of an access system, of a core network etc., and/or respective functionalities may be implemented by using any node, host, server, access node or entity etc. being suitable for such a usage.
Furthermore, a network element, such as communication elements, like a UE, access network elements, like a radio network controller, other network elements, like a server, etc., as well as corresponding functions as described herein, and other elements, functions or applications may be implemented by software, e.g. by a computer program product for a computer, and/or by hardware. For executing their respective functions, correspondingly used devices, nodes, functions or network elements may include several means, modules, units, components, etc. (not shown) which are required for control, processing and/or communication/signaling functionality. Such means, modules, units and components may include, for example, one or more processors or processor units including one or more processing portions for executing instructions and/or programs and/or for processing data, storage or memory units or means for storing instructions, programs and/or data, for serving as a work area of the processor or processing portion and the like (e.g. ROM, RAM, EEPROM, and the like), input or interface means for inputting data and instructions by software (e.g. floppy disc, CD-ROM, EEPROM, and the like), a user interface for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like), other interface or means for establishing links and/or connections under the control of the processor unit or portion (e.g. wired and wireless interface means, radio interface means including e.g. an antenna unit or the like, means for forming a radio communication part etc.) and the like, wherein respective means forming an interface, such as a radio communication part, can also be located on a remote site (e.g. a radio head or a radio station etc.).
It is to be noted that in the present specification processing portions should not be only considered to represent physical portions of one or more processors, but may also be considered as a logical division of the referred processing tasks performed by one or more processors. It should be appreciated that according to some examples, a so-called "liquid" or flexible network concept may be employed where the operations and functionalities of a network element, a network function, or of another entity of the network, may be performed in different entities or functions, such as in a node, host or server, in a flexible manner. In other words, a "division of labor" between involved network elements, functions or entities may vary case by case.
With regard to Fig. 1, a diagram illustrating a general architecture of a communication network comprising virtualized network elements or functions and including a communication system is shown where some examples of embodiments are implementable. It is to be noted that the structure indicated in Fig. 1 shows only those parts and links which are useful for understanding principles underlying some examples of embodiments of the invention. As also known by those skilled in the art there may be several other network elements or devices involved e.g. in a communication between endpoints in the hybrid network which are omitted here for the sake of simplicity.
It is to be noted that examples of embodiments are not limited to the number of elements, functions, links and applications as indicated in Fig. 1, i.e. there may be implemented or instantiated less of or more of the corresponding elements, functions, applications and links than those shown in Fig. 1.
Reference signs 10 and 15 denote a respective endpoint of a communication connection in the hybrid network. For example, the endpoints 10 and 15 are UEs, servers or any other network element or function between which a communication can be established. Reference sign 40 denotes a physical network function. For example, the PNF 40 is an access node like an eNB or the like.
Reference signs 50 and 55 represent virtual network functions. For example, VNF1 50 and VNF2 55 are virtual network nodes of a core network of a communication network, such as a gateway, a management element or the like.
Reference sign 20 denotes an infrastructure for virtual network functions, including for example computer hardware and network parts. For example, the infrastructure is provided by physical hardware resources comprising computing, storage and networking resources. It represents the totality of hardware and software components which build up the environment in which VNFs are deployed, managed and executed.
Reference sign 30 denotes a virtualization layer which is used to generate, on the basis of the resources provided by the infrastructure 20, virtual instances (i.e. the VNFs 50 and 55, for example). That is, the virtualization layer 30 abstracts the hardware resources and decouples the VNF from the underlying hardware.
The PNF 40, the VNF1 50 and the VNF2 55 form a so-called network service (NS). As indicated by dashed lines, logical links are established between the virtual elements of the hybrid network and between the virtual elements and the physical elements (e.g. the PNF 40 and the endpoint 15). On the other hand, physical links are established between the physical elements of the hybrid network (indicated by solid lines).
Fig. 2 shows a diagram illustrating a reference architecture of a management and orchestration system for network function virtualization in a communication network according to some examples of embodiments. For example, the reference architecture according to Fig. 2 is related to an ETSI NFV reference architecture as indicated above.
Reference sign 160 denotes a management entity or function like an NFV orchestrator. The NFV orchestrator 160 is used to manage the virtualized network part of the communication network. For example, the NFV orchestrator 160 conducts on-boarding of new network services (NS) and VNFs, wherein the NS is described by a corresponding descriptor file, orchestrated by the NFVO, and wherein the NS may cover one or more VNFs and PNFs. Furthermore, NS lifecycle management (including instantiation, scaling, performance measurements, event correlation, termination) is executed. Moreover, a global resource management, validation and authorization of infrastructure resource requests and a policy management for NS instances is conducted. The NFV orchestrator 160 is responsible, for example, for NS automation and comprises a NS catalog, a VNF/VSF catalog, a NFV instances repository and a NFV resources repository for managing the virtualized network part.
Reference sign 150 denotes a management entity or element being responsible for a physical network part of the communication network. For example, the management entity 150 is an OSS/BSS of a network operator of the hybrid network. The OSS/BSS 150 is also responsible for triggering of the NFV orchestrator 160, for example. For example, the OSS/BSS 150 provides service tools like service fulfillment and orchestration. Reference sign 120 denotes a physical network function (PNF), such as a "real" network element or function acting in the communication network as an instance, e.g. for access network or core network.
Reference sign 110 denotes a physical security function (PSF). For example, the PSF is an entity or element acting for securing a part of the network, such as a firewall or the like, which protects a NF (e.g. PNF 120), or a network service which may also run in the virtual part of the hybrid network.
Reference sign 200 denotes an element manager (EM) performing management functionality for network functions. Reference signs 190 and 195 denote security element managers which may be part of EM 200, a combined entity or function or separate entities or functions. The SEM 190/195 performs, for example, managing functionalities for the PSF 110, a VSF (described below), or both. It is to be noted that the PSF 110 (and/or the VSF) can be controlled either directly or via the SEM 190/195, for example.
Reference sign 170 denotes a management entity or function for managing VNF and/or VSF in the hybrid network. For example, the management entity 170 is a VNF/VSF manager being responsible for VNF/VSF lifecycle management (i.e. instantiation, update, termination) of a VNF/VSF. Also VNF/VSF elasticity management (scaling) and VNF/VSF basic configuration is conducted by the management entity 170. It is to be noted that the VNF/VSF manager 170 may also be provided for managing VNF/VSF of third parties.
Reference sign 180 denotes a management entity or function for controlling and managing interaction of a VNF/VSF with computing, storage and network resources. For example, the management entity 180 is a virtualized infrastructure manager (VIM), which controls and manages the infrastructure compute, storage and network resources within one operator's infrastructure sub-domain. The VIM 180 may also comprise management of virtualization layer-based (e.g. hypervisor-based) security features. Moreover, a SDN controller part may be included.
Reference sign 210 denotes a virtualization layer such as a hypervisor (also referred to as virtual machine monitor) which is a piece of computer software, firmware or hardware that creates and runs virtual machines (VM), such as software based or kernel based VMs. It is to be noted that the hypervisor 210 may provide also security functions. The hypervisor 210 is manageable via the VIM 180, for example.
The hypervisor 210 is set on hardware 220 (such as a datacenter hardware) providing compute, storage and network (SDN) resources.
Reference sign 130 denotes a virtual network function (VNF), such as a virtualized network function acting in the communication network as an instance, e.g. for access network or core network. For example, according to some examples of embodiments, a VNF may be composed of multiple VNF components (VNFCs, corresponding to VMs) where the architecture is described by a corresponding descriptor file and is instantiated by the VNF manager 170.
Reference sign 140 denotes a virtual security function (VSF). The VSF 140 is a VNF with a security functionality. A VSF may be composed of multiple VSF Components (VSFCs, corresponding to VMs). For example, the VSF is a function acting for securing a part of the hybrid network, such as a virtual firewall or the like, which protects a NF or a NS (e.g. VNF 130). The architecture of a VSF is described by a corresponding descriptor file and will be instantiated by the VNF/VSF manager 170. Reference sign 100 denotes a management entity or function which is also referred to as security orchestrator (SO). According to examples of embodiments, the SO 100 is configured to perform security-related management tasks inside a communication network comprising virtualized network functions or elements, wherein in the following for illustrative purposes an implementation in an ETSI NFV reference architecture is assumed. However, it is to be noted that examples of embodiments of the invention are not limited to such an implementation example. According to some examples of embodiments, security orchestration is used for conducting interactive management tasks, e.g. for network service design, deployment control and monitoring, and aims at the (at least in part) automation of simple or complex security-related management tasks, for example in a hybrid (i.e. physical plus virtual) telecommunication network environment. That is, orchestration is to be understood as an execution of one or more management tasks related to, for example, designing/planning/monitoring/modifying of security settings, supported by interactive and/or as far as possible automated functions and processing.
Reference sign 105 denotes a security monitor (SMON). The security monitor 105 is an element or function which is capable of monitoring the communication network and is able to recognize security related incidents at or attacks against a network element or function, e.g. VNF or PNF. This is achieved, for example, by using specific algorithms or programs which are able to detect specific data or to recognize a typical behavior of network elements or functions indicating that a (possible) attack is going on or cannot be excluded. The security monitor 105 can be located in a separated element in the network structure, or be a part of another network element or function, such as of the SO 100.
As indicated in Fig. 2, the SO 100 comprises a number of interfaces to other management entities or functions inside the reference architecture. Via these interfaces, which will be described in further detail below, the SO 100 is adapted to perform interactions with the connected management entity partners for controlling at least one of deployment/configuration/management of a security service as described in the following.
According to some examples of embodiments of the invention, the SO is able to provide holistic end-to-end security measures in hybrid networks (see e.g. Fig. 1) and to conduct security-related management tasks such as for example the control of the deployment, modification (also termination) and the configuration of security functions in a dynamic hybrid network environment, wherein the tasks can be executed in an (at least partly) automated manner or supported by user input (e.g. from a network or security administrator side for confirmation/modification of setting proposals intended to be established in the security of network services, etc.).
When referring to the architecture indicated in Fig. 2, for example, the SO 100 is from a functional point of view on the same level as the OSS/BSS 150 and the NFV orchestrator 160. While the NFV orchestrator 160 is used to manage the virtualized network, the OSS/BSS 150 is responsible for the physical network part and for triggering the NFV orchestrator 160, e.g. in case of instantiation or termination of network services realized by means of VNFs.
The SO 100, on the other hand, has a complete network view (i.e. physical plus virtualized parts) so as to control deployment of security services, realized by means of SFs, e.g. SFs provided by the hypervisor being accessible via the VIM 180, PSFs and VSFs. An additional task of the SO 100 is to configure the security of NFVI resources realized by means of SDN (see also network part of hardware 220, for example) e.g. on the SDN controller (via VIM 180, for example). Furthermore, the SO 100 is responsible for the management, configuration, adaption and adjustment of security function applications in the communication network in order to maintain consistent security policies for a security service realized by means of the SFs. According to examples of embodiments, management/configuration can be done directly by the SO 100 itself (i.e. by directly controlling the PSF/VSF) or alternatively via a corresponding SEM (e.g. SEM 190/195).
According to some examples of embodiments, the SO 100 is configured to (at least partly) automatically and consistently manage all security services, realized e.g. by means of security functions, in the communication network. These are, for example, depending on the communication network structure, one or more of the physical security functions (PSFs), such as SFs of legacy networks (e.g. PSF 110), the virtualized VSF/VM-based security functions or virtual security functions (e.g. VSF 140), and security functions provided in the hypervisor 210 (as indicated, the hypervisor-based SFs are accessible via the VIM 180, e.g. via APIs in the VIM). It is to be noted that according to some examples of embodiments, the SO 100 configures and manages physical security functions and virtual security functions (which are deployed by the NFVO, for example), and deploys, configures, modifies and manages security functions provided by the hypervisor 210 in the hybrid network (via VIM 180, for example).
The topology of the virtualized network is described by means of an information set describing deployment variants of network services to be instantiated or built in the communication network, which is provided for example by a so-called Network Service Descriptor (NSD). The NSD consists of information elements which are used by the NFVO, for example, to instantiate the NS which includes one or more of VNFs, PNFs, virtual links and the like. The NSD may also include the Virtual Security Functions. This complete NSD (network topology including security functions) is the result of a cooperation between the network and the security team during the preparation phase. According to the topology description in the NSD the virtualized network is built by the NFV Orchestrator (Network Orchestrator) without involvement of the Security Orchestrator. The NFV Orchestrator integrates the VSFs in the network topology without any knowledge about their security functionality (from its point of view VSFs are just like any other VNFs).
The general construction or building of the VSFs is done by the VNF/VSF manager 170. In other words, a VSF can also be considered as a VNF with security functionality. However, the VNF/VSF manager 170 is not aware of this specific security functionality but builds the VSF out of its VSF components like every other VNF. According to some examples, the VNF/VSF manager 170 conducts at least in part the configuration of VSFs, e.g. enforcement of a VSF in a specific security zone or injection of credentials to enable cryptographic protection. The information about the configuration of the VSF is already contained in the VNF/VSF descriptors (VNFD/VSFD), provided via the NSD to the VNF/VSF manager, e.g. by the NFV orchestrator 160.
VSFs may also be provided by third-party vendors. Therefore, the VNF/VSF manager 170 is also configured to manage virtualized third-party security applications. Alternatively, a specific third-party VSF manager can be provided which works in parallel to the VNF manager 170 (in Fig. 2, this is not specifically indicated). The Security Orchestrator has the end-to-end network security view and is therefore responsible for aligning security policies in an (as far as possible) automated way inside the virtualized network and also between the physical and the virtualized network parts. As virtualized networks are assumed to be highly flexible concerning the placement, the addresses and the number of VNFs assigned to a specific network service, the security configuration and the security policies have to be adapted to these changing scenarios and have to automatically ensure consistent security policies. This applies to both physical and virtual security functions. For example, a physical security function such as a firewall in front of a datacenter has rather fixed settings, but is nevertheless influenced by the dynamism of the virtualized network part: in case a new network service is created or an old one is removed, not only the policies for virtual security functions change but also the policies of the physical security function potentially have to be adapted. For example, assuming a case where a network service is created comprising in a virtual part a network function protected by two virtual firewalls as VSFs, not only the virtual firewalls have to be configured but also a physical firewall protecting, for example, a PNF located in front of the virtual part.
The SO 100 may have the following tasks. As one task, a security service central management task is executed which includes also security service lifecycle and initiation of elasticity management. The security service central management is used for managing security based on a security service catalog, a security function catalog, triggering lifecycle management of the security service which includes any one or more of VSFs, PSFs and security functions in the hypervisor, monitoring the status of the security service, and the like.
Another task is security policy central management/automation. The security policy central management is responsible to configure and maintain consistent end-to-end security policies in the hybrid network, wherein the processing related to the security policy central management is executed in an (as far as possible) automated way.
A further task is security baseline management. Security baseline management is responsible to establish a predefined baseline for implementing security, i.e. baseline rules such as for security zoning, traffic separation, traffic protection, storage data protection, virtual security appliances, SW integrity protection, protection of management traffic, wherein in these rules common or specific regulations, standards, guidelines and best practice models for security applications, such as for telecommunication cloud security, are considered. The baseline is generated and stored in advance, for example. Another task is credential management. For example, in a multi-tenant cloud-based environment (such as a NFV infrastructure), cryptographic protection is required for manifold use cases like for example traffic protection, storage data protection, SW integrity protection or protection of management traffic. Thus a central credential management in the SO 100 is provided which manages credential provisioning. Since the SO 100 also controls security in the physical network part, it is possible to provide an overall network-wide credential management. That is, according to some examples of embodiments, credential provisioning for VNFs, PNFs or other hybrid network elements or functions, as well as for entities of the management and orchestration architecture, such as management entities or functions like the NFVO, VNFM and VIM, is provided by the credential management task.
A further task is trust management. According to some examples of embodiments, decisions in the hybrid network regarding interactions with other VNF or NFVI entities may depend on the degree of trust in these entities. A potential way to achieve a NFVI-wide trust management is to provide a central trust manager. The central trust manager is part of the SO 100, for example. The central trust manager is configured, for example, to evaluate a trust level (a value or parameter) indicating the trust of relevant VNF and NFVI entities and to provide a result of the evaluation (i.e. the trust level), e.g. on demand. Also trust management for virtualization platforms can be provided, e.g. when supporting integrity protected boot of hypervisors. That is, according to some examples of embodiments, trust management for VNFs, PNFs or other hybrid network elements or functions, as well as for entities of the management and orchestration architecture, such as management entities or functions like the NFVO, VNFM and VIM, is provided by the trust management task.
As another task, the management of hypervisor security functions is executed. Security functions inside a virtualized network can either be provided as VSFs (a VNF with security functionality) running on top of the hypervisor 210, and/or can be provided inside the hypervisor itself (as part of the NFV infrastructure). According to some examples of embodiments, the NFV infrastructure may be operated by a legally independent NFV infrastructure provider. In this case, it is not reasonable for the SO 100 to configure them directly. Therefore, the hypervisor-based security functions are accessible via the VIM 180 (as indicated above) as security features to be configured by means of APIs, for example. Security features in the context of the hypervisor security functions are for example the provisioning of monitoring functions or firewalls. Hypervisor-based firewalls can be provided in the hypervisor as well as in the form of VSFs on top of the hypervisor.
It is to be noted that firewall functions can also be provided or based on other infrastructure elements or functions, e.g. by a container based system in a shared kernel, for example.
A further task is hardening security status. Hardening security status provides the actual patch status of VNFs/VSFs including guest OS as well as of important NFV infrastructure components (for example the hypervisor). According to some examples of embodiments, also an automated patch provisioning and patching processing may be supported.
It is to be noted that the security measures described above can be summarized hereinafter as a "security of communication" which is to be understood in the context of examples of embodiments of the invention in a broad sense and comprises at least one of the described security measures and/or other security measures not explicitly described herein.
As indicated above, there are several interfaces provided which allow the SO 100 to interact with other management entities (both for the physical part and the virtual part of the hybrid network) in the reference architecture for performing the holistic security orchestrator tasks. In the following, these interfaces are described in further detail.
As indicated in Fig. 2, there are interfaces (indicated by arrows) towards the PSF 110, the VSF 140 or towards SEM 190/195 managing a PSF and/or VSFs. That is, the PSFs/VSFs can be either managed by the SO 100 directly or via a (potentially third-party) SEM, wherein the SEM may be implemented as an API function used by the SO. In this context, it is to be noted that according to some examples of embodiments a SEM is configured to manage both the PSFs and VSFs of the same vendor. Multiple SEMs to manage the PSFs/VSFs of different security vendors are also possible. A further interface is provided towards the OSS/BSS 150 which provides e.g. service tools like service fulfillment/orchestration. This interface provides management access to the physical part of the (hybrid) communication network. For example, according to some examples of embodiments, the interface towards OSS/BSS 150 is required during a preparation phase for creating the complete NSD (including security) (see also Fig. 4).
Furthermore, the interface to OSS/BSS is used in operation when the SO 100 is for example triggered by a service tool (network service orchestrator) to configure PSFs during a network deployment phase. In addition, the interface is usable for requesting confirmation of a modification of the security setting in a network service (described later) and for providing corresponding information to the administrator.
Another interface is the interface towards the NFV Orchestrator (NFVO) 160. This interface provides access to the virtualized part of the communication network. Basically, the interface towards the NFVO 160 has a similar relevance to the SO 100 as the interface towards OSS/BSS 150. For example, according to some examples of embodiments, during a deployment phase, the SO 100 is triggered by the NFV orchestrator 160 to configure the VSFs. Furthermore, according to some examples of embodiments, during a deployment phase, the SO 100 is triggered by the NFVO 160 to validate a security zone policy. A corresponding processing is also executed in a modification phase of security settings of a running network service, as described below.
Another interface is the interface towards the VNF/VSF manager 170. This interface is used for procedures related to credential management and/or trust management. According to some examples of embodiments, this interface is also usable for other procedures and corresponding signaling, such as in connection with hardening and/or other management procedures.
A further interface is the interface towards the VIM 180. As described above, the VIM 180 provides a management access to security functions inside the NFV infrastructure, especially in the hypervisor 210. That is, besides the security functions running as VSFs on top of the hypervisor, the NFV infrastructure may provide also security functions like for example virtual firewalls. These security functions are accessible by the SO 100 by means of the interface between the SO 100 and VIM 180. For executing the management tasks indicated above, several information elements are required by the SO 100. These information elements may be stored in or provided by storage portions as defined in the following.
In a security policy (SP) catalog, Security Policy Descriptors and Security Baseline Descriptors are stored, in addition to their reference guidelines, standards, procedures and pointers to security service descriptors.
In a security service (SS) catalog, security service descriptors, security function package (including VSFD and image, PSFD, etc.), and security rule descriptors are stored.
In a security policy (SP) instances repository, security policy records and security baseline records are stored, as well as their reference guidelines, standards, procedures and pointers to security service records. It is to be noted that an associated NS record (NSR) ID is included in the SPR/SBR.
Furthermore, a security service (SS) instances repository stores security service records, security function records (including VSFR and PSFR), and security rule records.
As indicated above, the interactions between the SO 100 and the connected management entities as shown in Fig. 2 are related to the (as far as possible) automated deployment and configuration of a security service including PSF(s) and VSF(s). In Fig. 3, one type of interaction according to some examples of embodiments is described. Specifically, Fig. 3 shows a workflow diagram illustrating a processing for preparing and designing security according to some examples of embodiments.
As indicated in Fig. 3, there are two options for preparing an overall NSD including the whole network topology with security functions; it is to be noted that according to some further examples of embodiments also security function descriptors and their related security policies are provided in connection with security function related information. In these two options, one refers to a selection of a baseline for implementing security policy, while the other option refers to the creation of a new set of procedures for implementing security policy. That is, in the examples of embodiments according to Fig. 3, the definition of security policy and its implementation for the network service is described, wherein it is assumed that a network administrator and a security administrator interact with the SO 100 and a service tool (provided e.g. by the OSS/BSS 150, e.g. Service Fulfillment, Network Engineering, or Service Orchestrator) to build a security template for the network service.
Specifically, as indicated in Fig. 3, in S100 and S110, the network administrator generates a NSD for an E2E service in cooperation with the service tool. Assume now that the network administrator and the security administrator discuss which type of security policy is to be chosen for the network service. For example, in case the security baseline is chosen, in S120, the SO 100 is informed accordingly. As a response, in S130, the NSD and SFDs according to the baseline are sent to the administrator side.
On the other hand, in case it is chosen to create new security policy for the network service, in S140, an indication is sent to the SO 100 to create a policy for the network service. Furthermore, in S150, it is signaled to the SO 100 which standard, guideline and procedure for the policy are to be defined or chosen.
In S160, the SO 100 generates or obtains a corresponding policy descriptor (for example from predefined information stored in advance). For example, the SPD refers to the standard, guideline and procedure for its implementation. The security service and related configuration rules are included in the policy as well.
In S170, a corresponding NSD and SFDs are returned to the administrator side. That is, information about a reference VSF is returned.
It is to be noted that the above described alternatives (baseline and new policy) can be either chosen separately or in a combined manner, i.e. both can be considered for selection.
In the following, an implementation example of an (at least partly) automated deployment and configuration of PSFs and VSFs in an establishment of a network service is described in connection with Figs. 4 and 5. It is to be noted that for illustrative purposes the following example is related to examples of embodiments of the invention in which the provisioning of (at least partly) automated E2E security for a hybrid network is integrated in ETSI NFV MANO workflows.
With regard to the workflow indicated in Fig. 4, which shows a workflow diagram illustrating a first part of a processing for deploying network security according to some examples of embodiments, it is assumed that a security policy and its implementation (and/or a security baseline) has been defined for an E2E service, wherein a NSD with security information was generated (e.g. according to examples of embodiments as indicated in Fig. 3).
First, in S200, NSD onboarding (together with VNF/VSF onboarding) is conducted between the service tool and the NFVO, and in S210, the NS instantiation is executed between the service tool and the NFVO. Thus, the service tool has triggered the instantiation of the NS by means of the NSD which includes security functions in its topology description.
Next, the NFVO and the VNFM follow defined procedures to instantiate the VNFs/VSFs and to connect them to a network service according to the NSD (without knowing about the security functionality of the VSFs), wherein the VSFs are configured via the security orchestrator. In detail, in S220, the NFVO sends to the VNFM an indication to instantiate the VNF(s) and VSF(s), as long as they are not already existent.
In S230, the VNFM informs the VIM to deploy the VNF/VSF in question. Furthermore, in S240 and S250, the VNFM conducts a basic configuration for the VNF and VSF, respectively.
After that, in S260, the VNFM acknowledges the instantiation to the NFVO.
In S270, the NFVO sends a message to the EM to configure the VNF application level parameters. The EM configures the VNF accordingly in S280. Then, in S290, the configuration is acknowledged to the NFVO.
In S300, the NFVO sends a message to the SO to configure the VSF application level parameters. The SO sends in S310 a corresponding configuration message to the SEM, which configures the VSF accordingly in S320 (alternatively, the SO can configure the VSF directly). Then, in S330, the configuration is acknowledged to the SO and in S340 to the NFVO.
It is to be noted that the processing according to S220 to S340 is to be executed for each VNF/VSF instantiated in the hybrid network, even though Fig. 4 shows only one VNF and one VSF.
In S345 and S346, signaling related to a validation procedure is executed.
In S350, the NFVO configures connectivity for both VNFs and VSFs based on the network topology description at the VIM.
After S350 of Fig. 4, in S360 of Fig. 5, the NFVO triggers the SO to secure the network service.
In S370, the SO instantiates and gets the SPR (and/or SBR) from a memory and configures security on the security service/functions. That is, the security orchestrator gets the security functions and security rules from the security policy/baseline record and continues to enforce the security on the security functions.
For this purpose, the SO informs the SEM in S380 to configure the PSF, and the SEM conducts configuration of the PSF(s) in S390 (alternatively, the SO can configure the PSF directly). In S400, the configuration of the PSF(s) is acknowledged by the SEM to the SO.
Furthermore, the SO informs in S410 the SEM to configure security on the SFs, and the SEM configures the security on the VSF in S420 and on the PSF in S430. It is to be noted that in the example according to Fig. 5, the configuration is again conducted via the SEM, but as indicated above, the SO can also directly control the SFs (PSF/VSF).
In S440, the SEM acknowledges the configuration to the SO, and in S450, the SO acknowledges to the NFVO that the security is completed.
In S460, the NFVO acknowledges the NS instantiation to the service tool. The service tool, in S470, signals to the NFVO in order to get the NSR. The NFVO returns the NSR to the service tool in S480.
In S490, the service tool can now configure connectivity to the PNF(s)/PSF(s) via the EM/SEM. It is to be noted that according to some examples of embodiments S490 can be omitted in case all connectivities are already built in S350 of Fig. 4, for example.
In S495, the service tool builds an external connection via the EM, that is, it connects the service e.g. to the Internet after the security for the service is enforced.
Thus, for virtualized network services as defined e.g. by ETSI NFV, the security of the network service is defined during a preparation phase and then provided by means of the NSD (including the SFD, which is abbreviated hereinafter as NSD). When the network service is deployed by the NFV Orchestrator and the security policies are configured by the Security Orchestrator, network functions and security functions are connected to provide a desired network service.
However, although it can be assumed that usually the security of the network service is thoroughly defined during the preparation phase, not all kinds of security incidents or attacks can be anticipated that may happen during the runtime of a network service. That is, due to unforeseen attacks or due to security gaps being identified only during the operation phase of a network service, the original security level may become insufficient.
Hence, according to examples of embodiments of the invention, measures are provided which allow an active network service (i.e. one in operation) to be modified. This modification is triggered, for example, by the indication of security incidents or attacks, e.g. by a security monitoring function, and basically includes the insertion or modification of a security setting of the network service, e.g. by inserting one or more new virtual security functions, by modifying existing security functions (PSF/VSF), by redirecting paths to existing security functions (PSF/VSF) etc., together with a corresponding configuration and adaptation of policies. That is, according to some examples of embodiments, new VSFs (e.g. firewalls, IDS/IPS systems) are inserted at a location in the network topology (i.e. in the network service paths) where a security incident is detected or assumed, i.e. where the detected or assumed security incident can be prevented or mitigated, and where during the initial preparation phase, i.e. during the original NSD creation, a corresponding VSF was not deemed to be required. Alternatively or additionally, already existing security functions which are located at suitable locations in the network topology (i.e. in the network service paths) are modified to handle the security incident (e.g. filter adaptation, new security rules for firewalls, supplementing an IDS database to react to a new risk situation etc.), or the network topology is modified (i.e. the network service paths are redirected) so that a suitable existing security function lies in the path. The modification of the security setting can also include the modification of a virtual network function which was not originally intended for security related processing, such as a VNF gateway on which an encryption functionality is started.
According to some examples of embodiments, the kind of modification of the network service configuration, i.e. of the original NSD (insertion of one or more new VSFs, modification of existing VSFs/PSFs or even VNFs/PNFs, redirection of network service paths, etc.), depends on the severity and the consequences of an incident/attack. Other parameters may also be considered, for example where in the service flow the attack happens, what type of network element or function is affected, and the like. Correspondingly, different levels of impairment of the running network service may be implied, ranging from a completely disruptive modification, via a short interruption, to no (noticeable) effect on the running network service.
In detail, according to some examples of embodiments, the security orchestrator - after receiving information about a security incident, e.g. from an internal or an external analysis unit (e.g. a security monitoring system) - processes an analysis of the security incident (which may be obtained by its own analysis processing or be provided by an external analyzing entity or function, e.g. in the security monitor) and decides whether countermeasures are necessary (or executes a processing in accordance with a decision from outside, e.g. from the analyzing entity or function). In case the decision requires countermeasures, the security orchestrator starts a processing for modifying the existing or running network service by inserting or modifying the security setting, e.g. by inserting one or more new VSF(s) and/or modifying existing security functions, to mitigate the security threat. That is, the original or existing NSD of the running network service is modified. It is to be noted that there exist various ways and means for the analysis of the security incident and various algorithms for reaching a decision on the appropriate security countermeasures, be it internally in the SO or externally in another entity/function, which are known to persons skilled in the art, so that a detailed description thereof is omitted here.
Once a suitable countermeasure is determined, the security orchestrator generates and provides an updated NSD that now contains information regarding the modified security setting, e.g. the location, the required policies and potentially the templates of new VSF(s) or of modified security functions etc. As the security orchestrator is the management instance that possesses the best knowledge about the intended security functionality, about how to insert/modify it and about the consequences of the insertion/modification for the active network service, an indication of how the network service is to be modified is also provided. That is, a step-by-step description of how the modification of the network service has to happen is generated, which is referred to hereinafter as an indication of change of the NSD or as ΔNSD. The ΔNSD describes, e.g. in a step-by-step manner, the transition from the current network service to the modified network service, i.e. from the original to the updated or modified NSD.
According to examples of embodiments, this is required because the establishment of the NSD modifications is initiated and performed by the NFVO, which does not possess the necessary security knowledge. It is to be noted that according to some examples of embodiments the security orchestrator remains responsible for configuring the security policies on the newly installed VSFs and/or for adapting the security policies on the existing VNFs, if necessary.
According to some examples of embodiments, the NFVO can be triggered directly by the security orchestrator for starting the network service modification, for example, in case of an automated mode. Alternatively or additionally, the NFVO can be triggered by the network administrator. This is the case when the proposed security modifications are to be confirmed in advance by the administrator, or when further changed security modification settings are decided by the administrator side. For example, when the modification of a network topology is deemed to be critical, the administrator is provided with the possibility to check, confirm, reject or modify/change the proposed modification.
In other words, the insertion of new security functions into a running network service, or the modification of a security function etc., is done either with the administrator manually confirming the security measures proposed by the security orchestrator (or on the basis of further changed settings), or automatically without involvement of the administrator. It is to be noted that both procedures can be mixed. For example, when automatic modification of the active network service is set as the default, the administrator may still restrict the automation, for example, by indicating links or paths in the network service where the insertion or modification of VSFs is allowed or not.
Fig. 6 shows a flow chart of a processing for modifying a security setting of a running network service in a communication network according to some examples of embodiments. Specifically, the example according to Fig. 6 is related to a procedure conducted by a security orchestrator element or function managing security in the communication network, such as the management entity or function 100 in the architecture as depicted e.g. in Fig. 2, a security monitoring element or function, such as the entity or function 105 in the architecture as depicted e.g. in Fig. 2, and a network function virtualization control element or function, such as the management entity or function 160 in the architecture as depicted e.g. in Fig. 2.
In S500, a network service is built according to an NSD which also includes virtual network functions. That is, the network function virtualization control element or function establishes, in cooperation with a security control element or function like the security orchestrator, a network service according to the above described procedures, wherein the security control element or function performs security-related management tasks in the communication network. For example, the network service has a general structure like that indicated in connection with Fig. 1.
In S510, monitoring of the communication network by the security monitoring element or function is executed, wherein, when security related incidents or attacks occurring at network elements or functions involved in the network service are recognized during the operation of the network service, a notification about this security incident/attack at/against the network element or function involved in the network service is forwarded to the security control element or function. According to some examples of embodiments, the security monitoring element or function (such as the security monitor 105) may be an internal element or function of the security orchestrator 100, or may be an external function.
In addition, according to some examples of embodiments, the notification about the security incident at a network element or function involved in the network service relates to at least one of the virtual network functions and physical network functions involved in the network service. That is, the security incident may occur at any network element or function involved in the network service. In S520, an analysis result of the security incident is obtained at the security orchestrator during the operation of the network service. For example, suitable processing algorithms and information databases are used for the analysis, wherein the target of the analysis is to recognize the nature and severity of the incident/attack.
For example, according to some examples of embodiments, the analysis result of the security incident is obtained by conducting an own analysis in the security orchestrator on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function. Alternatively, the analysis result is received from an external analysis process, e.g. in the security monitoring element or function, wherein the analysis result may also include a decision that it is required to consider countermeasures.
In S530, on the basis of the analysis results, countermeasures related to the security incident are determined in the security control element or function. The countermeasures are related to the security incident and include at least one of introduction and modification of security settings of the network service during operation thereof, i.e. a modification of the network service during operation.
According to some examples of embodiments, the determination of the countermeasures includes at least one of the following.
At least one new VSF is introduced in a path of the network service including the network element or function affected by the security incident, wherein a type of the at least one new VSF (e.g. IDS/IPS, firewall etc.) to be introduced is selected and a procedure for introducing the at least one new VSF in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. of how the network service is to be modified when introducing the virtual security function). For informing about the thus determined countermeasures, information indicating the selected type of the at least one virtual security function and the procedure for introducing it is prepared. Alternatively or additionally, at least one existing VSF, PSF, VNF or PNF in a path of the network service including the affected network element or function is modified, wherein the kind of modification of the at least one existing VSF, PSF, VNF or PNF is selected and a procedure for effecting this modification in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. of how the network service is to be modified when modifying the security function). For informing about the thus determined countermeasures, information indicating the kind of modification of the at least one VSF, PSF, VNF or PNF in the path including the affected network element or function and the procedure for effecting the modification is prepared.
Alternatively or additionally, a path of the network service including the network element or function affected by the security incident is changed so as to be directed to at least one existing VSF/PSF, wherein at least one existing VSF/PSF which is suitable for handling the security incident and to which the path is to be directed is selected. Furthermore, a procedure for effecting the change of the path to the at least one VSF/PSF in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. of how the network service is to be modified when changing the network service path). For informing about the thus determined countermeasures, the information about the at least one VSF/PSF to which the path is to be changed and the procedure for effecting the change of the path are prepared.
Alternatively or additionally, it is decided that the network service is to be terminated (e.g. in case this is the only suitable or effective countermeasure). In this case, for informing about the thus determined countermeasures, information indicating termination of the network service is prepared.
According to some examples of embodiments, when determining the countermeasures related to the security incident, one or more of the following parameters are considered: a type of attack causing the security incident (e.g. severity of the attack, danger caused by the attack), a type of the network element or function being affected by the security incident (e.g. critical network element or function or not), a location of the network element or function being affected by the security incident (e.g. in which branch of the network service is the network element or function placed, which physical entity/data center is concerned), and an operation state of a path of the network service including the network element or function being affected by the security incident (e.g. is the path currently used by active connections, stateless path, etc.).
Furthermore, according to some examples of embodiments, the countermeasures related to the security incident which are used include one or more of the following measures: a connection to the path of the network service including the affected network element or function is permanently interrupted (e.g. according to the example described in connection with Fig. 8); such a connection is temporarily interrupted (e.g. according to the example described in connection with Fig. 11); at least one new VSF is introduced in the path including the affected network element or function; at least one VSF or PSF existing in that path is modified; at least a part of that path is redirected to a VSF/PSF; a VNF or PNF (e.g. a VNF gateway) existing in that path is modified (e.g. encryption is enabled); the affected network element or function is deleted (e.g. terminated) from the network service (e.g. according to the example described in connection with Fig. 8); the integrity of the affected network element or function is checked (e.g. according to the example described in connection with Fig. 11); the affected network element or function is rehealed (e.g. according to the example described in connection with Fig. 11); the path including the affected network element or function is reconfigured as a honeypot path for learning the behavior of the security incident; security related attributes of network elements or functions of that path are redefined in order to enable the introduction of the at least one virtual security function to be introduced as countermeasure; and a replacement path is established which includes network elements or functions corresponding to those of the path including the affected network element or function together with the at least one virtual security function to be introduced (or modified etc., which also concerns PSFs) as countermeasure (e.g. according to the example described in connection with Fig. 14).
In S540, information indicating the determined countermeasures for a modification of the network service for realizing the countermeasures is generated.
According to some examples of embodiments, the information indicating the determined countermeasures includes a modified network service description (NSD) and a network service change indication (ΔNSD).
In S550, the information indicating the determined countermeasures (modified NSD, ΔNSD) is received by the network function virtualization control element or function (e.g. directly from the security control element or function or from the administrator side). For example, according to some examples of embodiments of the invention, in case a confirmation mode is set, the information (NSD, ΔNSD) is forwarded from the service tool of the network administrator to the NFVO when the countermeasures are confirmed by the network administrator, or a changed information set, processed on the administrator side and indicating (further) changed countermeasures, is provided. For example, the service tool is configured to process an input from the administrator, e.g. regarding a confirmation of the received information (i.e. the countermeasures proposed by the SO), or regarding a change of the proposed countermeasures, in which case a changed set of information indicating countermeasures is generated (information indicating at least one of an introduction and a modification of the security setting for the network service). Then, the confirmed information or the changed information is sent to the NFVO, for example.
In S560, the received information is used for initiating/executing the processing for modifying the network service for realizing the countermeasures.
Next, examples of embodiments are described for illustrating the above described procedure for modifying a security setting in a running network service. First, with reference to Fig. 7, a diagram illustrating a configuration example of a network service including security setting is shown which represents a starting point for some examples of embodiments. That is, the configuration example of the network service in Fig. 7 shows a structure of a network service which is established e.g. by the above described measures.
The topology in Fig. 7 is formed by six VNFs, i.e. VNF1 131, VNF2 132, VNF3 133, VNF4 134, VNF5 135, VNF6 136, a VNF representing a database (e.g. a HSS of a communication network), VNF DB 151, and two VSFs, VSF1 141 and VSF2 142. These network functions form e.g. a part of a network service established in a hybrid network configuration, i.e. there may be further network elements or functions provided, such as PNFs and PSFs (not shown). Furthermore, as an initial security setting, VNF1 131 is contained in a DMZ formed by the VSFs 141 and 142 (e.g. firewalls). The paths of the network service formed by the elements/functions indicated in Fig. 7 comprise various links between the VNFs/VSFs, as indicated in Fig. 7.
Fig. 8 now shows a diagram illustrating a configuration example of a network service including a security setting being modified according to some examples of embodiments.
Specifically, Fig. 8 illustrates a procedure for modifying the security setting of the network service, and thus the NSD, in a situation where the recognized attack is of a nature that requires immediate isolation of the attacked network function. For example, it is assumed that a critical database, such as a HSS formed by the VNF DB 151, is determined to be under attack, wherein it is detected that data theft is ongoing. Therefore, the security control element or function determines, as one countermeasure, that the connection is to be cut immediately. This interruption also disrupts the network service, but the criticality of the attack justifies such a robust reaction. As a further countermeasure, a VSF is inserted into the network service, and a fresh version of the database is installed (alternatively, the integrity of the attacked network function (i.e. VNF DB 151) is verified). Then the network service will be available again.
It is to be noted that according to some examples of embodiments, in case the analysis results in the necessity for an immediate reaction, such as that described in connection with Fig. 8, the security control element or function is configured to ignore other settings regarding the modification procedure, such as a setting of a confirmation mode requiring a confirmation of a proposed modification by the administrator, or a setting of paths being not allowed to be modified in an automated manner, and switches to an automated mode in order to ensure that the required countermeasures are taken immediately. Specifically, the procedure in the case of Fig. 8 is as follows.
In a first phase, when the attack on the VNF DB 151, which is not protected by the original NSD, is recognized, e.g. detected by the security monitoring function, the security orchestrator is triggered to decide on suitable countermeasures.
After analysis (own or external), the security orchestrator recognizes that the attack requires an immediate reaction because of its nature (e.g. ongoing theft of data from the VNF DB 151), so that a disruptive modification of the network service with immediate deletion of the connection to the VNF DB 151 is justified. This is indicated by the crossing in the path from the VNF4 134 to the VNF DB 151 in Fig. 8.
In the next phase, a VSF (VSF3 143) used to protect against an attack as recognized in the analysis is launched (instantiated) and the corresponding security policies to mitigate the attack are configured. Alternatively or additionally, as indicated above, other measures such as the modification of existing VSFs/PSFs etc. can be effected, but in the present example it is assumed that a new VSF is introduced. As the state of the attacked VNF DB 151 is unknown, a fresh version of the VNF DB (i.e. VNF DB 152) is also launched and configured. Then, the (fresh) VNF DB 152 is connected to the network service (i.e. to the VNF4 134), wherein the VSF3 143 is interposed in order to protect the VNF DB 152 from now on. That is, a modified network service is established. Then the network service can be continued for the users.
It is to be noted that the above described disruptive modification of a network service is applied mainly in case of very severe consequences, but preferably not in a situation where the network service is only impaired.
Figs. 9 and 10 show a corresponding workflow diagram illustrating a processing for modifying the security setting of the network service according to some examples of embodiments in accordance with the example of Fig. 8. That is, Figs. 9 and 10 also illustrate the course of the modification and thus the ΔNSD information provided for the modification of the network service in this example.
In S600, the original network service is built, as discussed in the examples described above, for providing a network service configuration as depicted in Fig. 7, for example.
In S610, the security monitor notifies the security orchestrator about a security incident (i.e. the attack against the VNF DB 151).
In S620, the security orchestrator obtains an analysis result of the security incident (e.g. by analyzing it itself) and determines that the above described disruptive modification of the network service is to be applied.
Depending on the configuration of the system, i.e. whether the modification has to be confirmed or can be modified/changed by the administrator or can be executed automatically, one of the following procedures is executed.
In case of a confirmation mode (with or without a modification/changing mode), the security orchestrator sends in S630a information (i.e. the (modified) NSD and the ΔNSD) indicating the proposed countermeasures to the service tool, i.e. to the administrator, for confirmation, change or rejection. At the service tool, in S640a, the proposed countermeasures are analyzed by the administrator, and if they are acceptable, in S645a, the information (i.e. the (modified) NSD and the ΔNSD, or a further changed NSD and ΔNSD) is provided to the NFVO, wherein in S646a the instruction to build the modified network service is sent.
On the other hand, in case of an automated mode, the security orchestrator sends in S645b the information (i.e. the (modified) NSD and the ΔNSD) to the NFVO, wherein in S646b the instruction to build the modified network service is sent.
Alternatively, according to some examples of embodiments, the processing according to S645b and S646b is preset, in order to avoid a delay caused by the waiting time for confirmation.
In S650, according to the information indicating the countermeasures, the NFVO removes the connectivity to the attacked VNF DB 151 by sending a corresponding instruction to the VIM. Furthermore, in S660, termination (deletion) of the attacked VNF DB 151 is instructed to the VNFM (which informs VIM to terminate the resource for the constituted VMs).
Then, in S670, the NFVO starts the instantiation of a fresh version of the attacked database, i.e. of VNF DB 152, and of a suitable VSF (VSF3 143) at the VNF/VSF manager. Alternatively or additionally, as indicated above, existing VSFs/PSFs can also be modified, but in the present example it is assumed that a new VSF is instantiated and introduced. The VNF/VSF manager instructs in S680 the VIM to deploy the new network functions (VNF DB 152, VSF3 143), wherein the VIM conducts the basic configuration of the VNF DB 152 and VSF3 143 in S685 and S686, respectively.
In S690, the instantiation of the VNF DB 152 and VSF3 143 is acknowledged by the VNF/VSF manager to the NFVO. In S700, the NFVO configures the application level parameters of the new VNF DB 152 via the EM (S710), which in turn acknowledges the configuration in S720.
In S730, the NFVO instructs the security orchestrator to configure the application level parameters of the new VSF 143. The security orchestrator configures in S740 the application level parameters of the VSF3 143 via the SEM (S750), which in turn acknowledges the configuration in S760. In S770, the configuration is acknowledged to the NFVO.
In S780, the NFVO instructs the security orchestrator to secure the modified network service. The security orchestrator gets in S790 the corresponding SPR (referred to as ΔSPR) and configures in S800 the security on the new VSF3 143 via the SEM (S810), which in turn acknowledges the configuration in S820. In S830, the security is acknowledged to the NFVO.
In S840, the NFVO instructs the VIM to add the new connectivity to the new network functions VNF DB 152 and VSF3 143.
Depending on the mode used for the modification (confirmation mode or automated mode), an acknowledgement of the modified network service is sent to the administrator (S860a) or to the security orchestrator (S860b).
Fig. 11 shows a diagram illustrating a configuration example of a network service including a security setting being modified according to some further examples of embodiments.
Specifically, Fig. 11 illustrates a procedure for modifying the security setting of the network service, and thus the NSD, in a situation where the recognized attack is of a nature that requires a quick, but not an immediate, reaction. For example, it is assumed that a DoS attack is launched and involves one of the network elements or functions of the network service not protected by the initial NSD, such as the VNF3 133 according to Fig. 11. Therefore, the security control element or function, after analysis of the security incident (own or external), decides to instantiate a new VSF (i.e. VSF3 143) and to configure the security policies while the attacked network service part is still active. Alternatively or additionally, as indicated above, other measures such as the modification of existing VSFs/PSFs etc. can be effected, but in the present example it is assumed that a new VSF is introduced. After the VSF is established and running, the former connectivity towards the attacked VNF3 133 is interrupted and the new connectivity including the inserted new VSF3 143 is applied. That is, the new VSF3 143 is interposed in the path of the network service including the attacked VNF3 133. According to some examples of embodiments, depending on the consequences of the attack, a rehealing of the attacked VNF3 133 may also be necessary.
With the above described processing, it is possible to interrupt the network service only briefly (e.g. between some milliseconds and some seconds). That is, depending on the efficiency of lower layer network protocols, the interruption of the network service may or may not be noticeable for network service users.
Specifically, the procedure in the case of Fig. 11 is as follows. In a first phase, when the attack on the VNF3 133, which is not protected by the original NSD, is recognized, e.g. detected by the security monitoring function, the security orchestrator is triggered to decide on suitable countermeasures.
After analysis, the security orchestrator recognizes that the attack requires a quick and robust reaction (e.g. for stopping a DoS attack on the VNF3 133), but not an immediate reaction, so that the security orchestrator proposes the insertion of a new VSF (i.e. VSF3 143). If this proposal is accepted (or when using the automated mode for modification), the NFVO is enabled by a corresponding step-by-step description (ANSD) to launch (instantiate) a VSF used to protect against an attack as recognized in the analysis (i.e. VSF3 143), as proposed by the security orchestrator. After launching, the security orchestrator is informed by the NFVO so that the security policies can be configured by the security orchestrator.
Next, when the new VSF3 143 is established and ready for running, the original connection of the attacked VNF3 133 is removed or interrupted (temporarily) by the NFVO. As a consequence, the connectivity is briefly interrupted.
It is to be noted that this is usually not critical for a stateless connection, as the short interruption can be compensated by low-level transmission protocols. For a non-stateless connection, established connections may be lost, but in case of a critical attack that is acceptable. Consequently, according to some examples of embodiments, the selection of a countermeasure by the security orchestrator may also consider the state of the connection on the attacked path of the network service, i.e. select the processing described in connection with Fig. 11 in case of a stateless connection.
According to some examples of embodiments, before reconnecting the path with the attacked VNF3 133 via the newly inserted VSF3 143, a processing for analyzing whether the attack has affected the VNF3 133 in an unacceptable manner is conducted. If such an effect is determined as a result of the analysis, rehealing or relaunching of the VNF3 133 is conducted, if required.
Immediately after that, the VNF3 133 is connected to the network service (i.e. to the VNF2 132), wherein the VSF3 143 is interconnected in order to now protect the VNF3 133. That is, a modified network service is established. Then the network service can be continued for the users.
Since all required elements or functions to be used for the insertion of the new VSF are prepared in advance, only a short interruption is caused (in the range of milliseconds to some second(s)). Hence, the impact on the network service can be minimized. Figs. 12 and 13 show a corresponding workflow diagram illustrating a processing for modifying the security setting of the network service according to some examples of embodiments in accordance with the example of Fig. 11. That is, Figs. 12 and 13 also illustrate the way and thus the ANSD information provided for the modification of the network service in this example.
In S600, the original network service is built, as discussed in the examples described above, for providing a network service configuration as depicted in Fig. 7, for example. In S610, the security monitor notifies the security orchestrator about a security incident (i.e. the attack against the VNF3 133).
In S620, the security orchestrator obtains an analysis result (e.g. analyzes by itself) of the security incident and determines that the above described quick modification of the network service is to be applied.
Depending on the configuration of the system, i.e. whether the modification has to be confirmed or can be changed by the administrator or can be executed automatically, one of the following procedures is executed.
In case of a confirmation mode (with or without modification/changing mode), the security orchestrator sends in S630a information (i.e. the (modified) NSD and the ANSD) indicating the proposed countermeasures to the service tool, i.e. the administrator, for confirmation, change or rejection. At the service tool, in S640a, the proposed countermeasures are analyzed by the administrator, and if they are acceptable, in S645a, the information (i.e. the (modified) NSD and the ANSD, or further changed NSD and ANSD) is provided to the NFVO, wherein in S646a the instruction to build the modified network service is sent. On the other hand, in case of an automated mode, the security orchestrator sends in S645b the information (i.e. the (modified) NSD and the ANSD) to the NFVO, wherein in S646b the instruction to build the modified network service is sent.
In S950, the NFVO starts the instantiation of a suitable VSF (VSF3 143) at the VNF/VSF manager. Alternatively or additionally, as indicated above, other measures such as modification of existing VSF/PSF etc. can be effected, but in the present example it is assumed that a new VSF is introduced. The VNF/VSF manager instructs in S960 the VIM to deploy the new network function (VSF3 143), wherein the VIM conducts the basic configuration of the VSF3 143 in S965.
In S970, the instantiation of the VSF3 143 is acknowledged by the VNF/VSF manager to the NFVO.
In S980, the NFVO instructs the security orchestrator to configure the application level parameters of the new VSF3 143. The security orchestrator configures in S990 the application level parameters of the VSF3 143 via the SEM (S1000), which in turn acknowledges the configuration in S1010. In S1020, the configuration is acknowledged to the NFVO. In S1030, the NFVO instructs the security orchestrator to secure the modified network service. The security orchestrator gets in S1040 the corresponding SPR (referred to as ASPR) and configures in S1050 the security on the new VSF3 143 via the SEM (S1060), which in turn acknowledges the configuration in S1080. In S1090, the security is acknowledged to the NFVO.
In S1100, the NFVO removes the connectivity to the attacked VNF3 133 by sending a corresponding instruction to the VIM. Furthermore, in S1110, rehealing of the attacked VNF3 133 is instructed to the VNF/VSF manager. The rehealing procedure is conducted in S1115. Alternatively, relaunching of the VNF3 133 is instructed.
In S1120, the NFVO instructs the VIM to add the new connectivity to the network functions VNF3 133 and VSF3 143.
Depending on the used mode for the modification (confirmation mode or automated mode), an acknowledgement of the modified network service is sent to the administrator (S1140a) or to the security orchestrator (S1140b).
Fig. 14 shows a diagram illustrating a configuration example of a network service including security setting being modified according to some further examples of embodiments. Specifically, Fig. 14 illustrates a procedure for modifying the security setting of the network service and thus of the NSD in a situation when the recognized attack is of a nature that does not require a quick or immediate reaction, or if only the possibility of an attack is recognized. For example, it is assumed that the security orchestrator or security monitor recognizes that a preventive security measure should be taken for a network element or function, e.g. in order to be protected against a new type of attack. Therefore, for enabling such a preventive security measure, a parallel path is instantiated and configured. In the parallel established path, a new security function (VSF, i.e. VSF3 143) is included as a protection element. Now, the establishment of new connections on the original path is stopped and relocated to the parallel new path. After termination of all active connections on the original path, the original path is deleted.
With this procedure, minimal impairment for network service users is achieved, since an interruption of the network service is not required.
Specifically, the procedure in the case of Fig. 14 is as follows.
In a first phase, a VNF (e.g. VNF3 133) that originally has no security protection is determined by analysis to be potentially under attack. This is e.g. detected by a security monitoring function which triggers the security orchestrator to look for suitable countermeasures.
After analysis (own or external), the security orchestrator proposes the insertion of a new VSF (i.e. VSF3 143) (alternatively or additionally, as indicated above, other measures such as modification of existing VSF/PSF etc. can be effected, but in the present example it is assumed that a new VSF is introduced). If this proposal is accepted (or when using the automated mode for modification), the NFVO is enabled by a corresponding step-by-step description (ANSD) to establish a parallel path which corresponds to the path where the original VNF3 133 is included, wherein the parallel path includes copies of the network functions included in the original path (i.e. VNF2a 132a for VNF2 132, and VNF3a 133a for VNF3 133), and also the proposed new VSF3 143. In other words, an 'enhanced scaling' is conducted where the path in question is duplicated and a new VSF is inserted. Once the parallel (now protected) path is active, all new connections to be established are moved to this new path. That is, for the original path, no new connections are established. This leads to a decreasing number of connections on the original path. When all connections on the original path are terminated, the original path is removed (deleted, see the crossing in Fig. 14 at the path towards VNF3 133).
Since all required elements or functions to be used for the insertion of the new path are established and activated in advance, no interruption is caused. Hence, the new topology with modified security is established without losing active connections.
Figs. 15 and 16 show a corresponding workflow diagram illustrating a processing for modifying the security setting of the network service according to some examples of embodiments in accordance with the example of Fig. 14. That is, Figs. 15 and 16 illustrate also the way and thus the ANSD information provided for the modification of the network service in this example.
In S600, the original network service is built, as discussed in the examples described above, for providing a network service configuration as depicted in Fig. 7, for example. In S610, the security monitor notifies the security orchestrator about a security incident (i.e. the possibility of an attack against the VNF3 133).
In S620, the security orchestrator obtains an analysis result (e.g. analyzes by itself) of the security incident and determines that the above described preventive modification of the network service is to be applied.
Depending on the configuration of the system, i.e. whether the modification has to be confirmed or can be changed by the administrator or can be executed automatically, one of the following procedures is executed.
In case of a confirmation mode (with or without changing mode), the security orchestrator sends in S630a an information (i.e. the (modified) NSD and the ANSD) indicating the proposed countermeasures to the service tool, i.e. the administrator, for confirmation or rejection. At the service tool, in S640a, the proposed countermeasures are analyzed by the administrator, and if they are acceptable, in S645a, the information (i.e. the (modified) NSD and the ANSD, or a further changed NSD etc.) are provided to the NFVO, wherein in S646a the instruction to build the modified network service is sent.
On the other hand, in case of an automated mode, the security orchestrator sends in S645b the information (i.e. the (modified) NSD and the ANSD) to the NFVO, wherein in S646b the instruction to build the modified network service is sent.
In S1250, the NFVO starts the instantiation of a suitable VSF (VSF3 143) and of VNFs in the path of the network service where the concerned VNF3 133 is located (i.e. VNF2 132 and VNF3 133) at the VNF/VSF manager. The VNF/VSF manager instructs in S1260 the VIM to deploy the new network functions (VSF3 143, VNF2 132 and VNF3 133), wherein the VIM conducts the basic configuration of the VSF3 143 in S1265 and the basic configuration of the VNF2a 132a and VNF3a 133a in S1266. In S1270, the instantiation of the VSF3 143, the VNF2a 132a and the VNF3a 133a is acknowledged by the VNF/VSF manager to the NFVO.
In S1280, the NFVO configures the application level parameters of the new VNF2a 132a and VNF3a 133a via the EM (S1290), which in turn acknowledges the configuration in S1300.
In S1310, the NFVO instructs the security orchestrator to configure the application level parameters of the new VSF3 143. The security orchestrator configures in S1320 the application level parameters of the VSF3 143 via the SEM (S1330), which in turn acknowledges the configuration in S1340. In S1350, the configuration is acknowledged to the NFVO.
In S1360, the NFVO instructs the security orchestrator to secure the modified network service. The security orchestrator gets in S1370 the corresponding SPR (referred to as ASPR) and configures in S1380 the security on the new VSF3 143 via the SEM (S1390), which in turn acknowledges the configuration in S1400. In S1410, the security is acknowledged to the NFVO.
In S1420, the NFVO instructs the VIM to establish connectivity to the new network functions VNF2a 132a, VNF3a 133a and VSF3 143. In S1430, the NFVO informs the network (administrator or service tool) to stop the establishment of any new connection to the former path including the VNF3 133. This information also triggers that any new connection is established via the new parallel path including the VNF2a 132a, VNF3a 133a and VSF3 143.
In S1440, it is indicated by the network that no active connection remains on the old path including the VNF3 133. Therefore, in S1450, the NFVO removes the connectivity to the path of VNF3 133 by sending a corresponding instruction to the VIM. Furthermore, in S1460, deletion of the VNF3 133 (and also of the other VNF2 132 on the old path) is instructed to the VNF/VSF manager, which conducts a corresponding processing in S1470 and acknowledges the deletion in S1480 to the NFVO.
Depending on the used mode for the modification (confirmation mode or automated mode), an acknowledgement of the modified network service is sent to the administrator (S1500a) or to the security orchestrator (S1500b).
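The parallel-path ('enhanced scaling') procedure of Figs. 14 to 16 is illustrated by the following added Python model, which is not part of the patent or of any Nokia implementation. The class names, the rule that new connections are always placed on a path that still accepts them, and the naming of copied functions with an 'a' suffix are assumptions made for the illustration; the model shows that the old path is only removed once it has drained, so no active connection is lost.

```python
"""Added example (not from the patent): a toy model of the Fig. 14 parallel-path
countermeasure. Class, method and function names are assumptions."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Path:
    """One path of the network service: an ordered chain of function names."""
    name: str
    functions: list
    accepting_new: bool = True            # cleared at S1430 for the old path
    active_connections: set = field(default_factory=set)


@dataclass
class NetworkService:
    paths: dict = field(default_factory=dict)
    _ids: itertools.count = field(default_factory=itertools.count)
    log: list = field(default_factory=list)

    def open_connection(self):
        """New connections land only on paths that still accept them."""
        candidates = [p for p in self.paths.values() if p.accepting_new]
        if not candidates:
            raise RuntimeError("no path accepts new connections")
        path = candidates[0]
        cid = next(self._ids)
        path.active_connections.add(cid)
        return cid, path.name

    def close_connection(self, cid):
        for p in self.paths.values():
            p.active_connections.discard(cid)

    def insert_vsf_via_parallel_path(self, old_path_name, vsf, protected_fn):
        """S1250 to S1430: duplicate the path, insert the VSF in front of the
        protected function, connect it, then stop new connections on the old path."""
        old = self.paths[old_path_name]
        new_functions = []
        for fn in old.functions:
            if fn == protected_fn:
                new_functions.append(vsf)       # VSF3 sits in front of VNF3a
            new_functions.append(fn + "a")      # copy of the original function
        new = Path(name=old_path_name + "a", functions=new_functions)
        self.paths[new.name] = new
        self.log.append(f"established parallel path {new.name}: {new_functions}")
        old.accepting_new = False               # S1430
        self.log.append(f"stopped new connections on {old.name}")
        return new.name

    def try_remove_drained_path(self, old_path_name):
        """S1440 to S1480: remove the old path only when no active connection remains."""
        old = self.paths[old_path_name]
        if old.active_connections:
            return False
        del self.paths[old_path_name]
        self.log.append(f"removed {old_path_name} (no active connections)")
        return True


def demo():
    """Constructed scenario: one stateful session exists on the old path."""
    ns = NetworkService()
    ns.paths["p3"] = Path(name="p3", functions=["VNF2", "VNF3"])
    c1, _ = ns.open_connection()                          # existing session on p3
    ns.insert_vsf_via_parallel_path("p3", vsf="VSF3", protected_fn="VNF3")
    c2, where = ns.open_connection()                      # opened after S1430 -> p3a
    removed_early = ns.try_remove_drained_path("p3")      # c1 still active -> False
    ns.close_connection(c1)
    removed = ns.try_remove_drained_path("p3")            # drained -> True
    return where, removed_early, removed, ns.paths["p3a"].functions


if __name__ == "__main__":
    print(demo())
```

The `try_remove_drained_path` check is the point of the procedure: the NFVO waits for the network's indication (S1440) rather than interrupting, which is why this variant causes no service interruption.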
In the following, additional examples of embodiments of the invention are described. For example, as indicated above, in case the automated mode for the modification of the network service (i.e. the NSD) is allowed, operators and administrators of the communication network are provided with the ability to determine on which links or paths of the network service a modification of a running network service is possible or allowed. For example, during the initial preparation phase of the NSD, each link of the network service is assigned with an additional attribute (e.g. a flag or the like) that either allows or prohibits an insertion of a new VSF on this dedicated link. For illustration, when referring to the network service example shown in Fig. 7, the links between VSF2 142, VNF1 131, VSF1 141, VNF2 132 and VNF4 134 are indicated to be not allowed for automatic modification by inserting a VSF (instead, confirmation mode is required). On the other hand, the links between VNF2 132, VNF3 133, VNF4 134, VNF5 135, VNF6 136 and VNF DB 151 are indicated to be allowed for automatic modification.
According to a further example of embodiments, while in the above described examples, e.g. in the example of Fig. 14, the path affected by the security incident is deleted, it is also possible to keep the attacked path active, but to reconfigure the network service in a manner that the attacked path serves as a honeypot (e.g. sandboxing the attacked path). This allows more information about the attackers to be obtained. In parallel, a new protected path is set up and used for the actual network service. According to a further example of embodiments, after analysis of the security incident by the security orchestrator, when it is determined that the current configuration of the network service prevents the introduction of a suitable VSF for protecting the attacked VNF, a further reconfiguration of the network service for preparing the network service for the introduction of the VSF is conducted. For example, security attributes of the network service are redefined in order to enable the insertion of a VSF.
This is further explained in the following on the basis of the example indicated by Fig. 11. Assume that the link connecting the network function being affected by the security incident (e.g. VNF3 133) is determined by the security orchestrator as being not suitable for introducing a VSF. This is the case, for example, when the link between two VNFs (here, VNF3 133 and VNF2 132) is encrypted, e.g. because the network elements or functions being connected by the link are located in different data centers (referred to as DC1 and DC2, respectively) and the link is therefore encrypted (security provisioning). Now, in case a VNF on this link is attacked (e.g. VNF3 133), and a determination of countermeasures results in the decision to introduce a VSF in this link, the encryption usually prevents the insertion of a VSF, that is, the VSF is not able to inspect the traffic because of the encryption.
Therefore, according to examples of embodiments, the security orchestrator, knowing the NSD and the selected resources, decides to assign or to re-assign security related attributes like the location of the two VNFs (VNF3 133 and VNF2 132) in the modified NSD, thus forcing the two VNFs into the same data center (e.g. DC1). In other words, the security orchestrator changes the location of both VNFs, and hence of the interconnecting link, so that they are in the same data center. As a result, encryption is no longer required and the new VSF can be inserted into the new link.
According to further examples of embodiments, an additional check is made in order to determine whether encryption is required by standardization or other strict security requirements for the link in question. In case the result of this additional check is affirmative, the processing is not conducted. According to further examples of embodiments, a learning algorithm is implemented in the security control element or function (the SO) which allows the result of the modification of the running network service to be considered when setting up a new network service. That is, for example, a basic setting of security to be used for the establishment of a new network service is adapted so as to also consider the countermeasures forming the basis of the modification of the security settings of the network service. In other words, a default NSD used for establishing a network service and stored in the SO is modified in accordance with the modification of the NSD of the running network service. Thus, the network services can be continuously improved by taking new threats into account.
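The two orchestrator pre-checks described above (the per-link attribute that permits or prohibits automatic modification, and the relocation of both VNFs into one data center when an encrypted cross-DC link would prevent the VSF from inspecting traffic, unless encryption is mandated) are illustrated by the following added Python example, which is not part of the patent. The data model, the field names and the rule that the relocation target is the data center of the first endpoint are assumptions made for the illustration.

```python
"""Added example (not from the patent): security-orchestrator pre-checks before a
VSF is inserted on a link. Class and field names are assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vnf:
    name: str
    data_center: str


@dataclass(frozen=True)
class Link:
    a: Vnf
    b: Vnf
    auto_modify_allowed: bool          # NSD link attribute (flag) set at preparation
    encrypted: bool                    # security provisioning on a cross-DC link
    encryption_mandated: bool = False  # required by standardization / strict policy


def select_mode(link):
    """Automated mode only where the NSD flag permits it; otherwise the
    administrator has to confirm the countermeasure (S630a/S640a)."""
    return "automated" if link.auto_modify_allowed else "confirmation"


def prepare_link_for_vsf(link):
    """Return a link on which a VSF can be inserted (possibly after relocating
    the VNFs into one data center), or None when insertion is not possible."""
    if not link.encrypted:
        return link                          # VSF can inspect plaintext traffic
    if link.encryption_mandated:
        return None                          # additional check: keep encryption, abort
    # Re-assign the location attribute: both VNFs go to the first endpoint's
    # data center (assumption), so the link becomes intra-DC and unencrypted.
    target = link.a.data_center
    return replace(link, b=replace(link.b, data_center=target), encrypted=False)


def plan_vsf_insertion(link):
    """Combine both checks into the decision the orchestrator would record."""
    prepared = prepare_link_for_vsf(link)
    if prepared is None:
        return {"possible": False, "reason": "encryption mandated",
                "mode": select_mode(link)}
    return {
        "possible": True,
        "mode": select_mode(prepared),
        "relocated": prepared is not link,
        "data_centers": (prepared.a.data_center, prepared.b.data_center),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the text: VNF3 in DC1, VNF2 in DC2.
    vnf3, vnf2 = Vnf("VNF3", "DC1"), Vnf("VNF2", "DC2")
    print(plan_vsf_insertion(Link(vnf3, vnf2, True, encrypted=True)))
    print(plan_vsf_insertion(Link(vnf3, vnf2, True, encrypted=True, encryption_mandated=True)))
```

Because the link objects are immutable, the relocated link is a new NSD fragment rather than an in-place change, which keeps the original NSD available for the confirmation path.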
Furthermore, it is to be noted that in the above described examples of embodiments one VSF is introduced in one path of the network service. According to further examples, more than one VSF is introduced in more than one path of the network service, wherein other measures like modification of existing security functions and/or redirection of network paths can also be effected at the same time when modifying the network service.
Fig. 17 shows a flow chart of a processing for managing and orchestrating security in a communication network according to some examples of embodiments, especially for modifying a security setting of a network service according to some examples of embodiments. Specifically, the example according to Fig. 17 is related to a procedure conducted by a security orchestrator element or function managing security in the communication network, such as the management entity or function 100 in the architecture as depicted e.g. in Fig. 2.
In S1600, during an operation of a network service established in the communication network comprising virtualized network parts (such as the network shown in Fig. 1) and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service is received and processed.
According to some examples of embodiments, the notification about the security incident at a network element or function involved in the network service is obtained from a security monitoring element or function (such as the security monitor 105) which monitors the communication network and recognizes security related incidents (or attacks) in the communication network occurring at network elements or functions involved in the network service. For example, the security monitoring element or function may be an internal element or function of the security orchestrator 100, or may be an external function. In addition, according to some examples of embodiments, the notification about the security incident at a network element or function involved in the network service is related to at least one of virtual network functions and physical network functions involved in the network service. That is, the security incident may occur at any network element or function involved in the network service.
In S1610, an analysis result of the security incident is obtained during the operation of the network service. For example, suitable processing algorithms and information databases are used for the analysis, wherein the target of the analysis is to recognize the nature and severity of the incident/attack.
For example, according to some examples of embodiments, the analysis result of the security incident is obtained by conducting an own analysis in the security orchestrator on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function. Alternatively, the analysis result is received from an external analysis process, e.g. in the security monitoring element or function, wherein the analysis result may also include a decision that it is required to consider countermeasures.
In S1620, on the basis of the analysis results, countermeasures related to the security incident are determined. The countermeasures are related to the security incident and include at least one of introduction and modification of security settings of the network service during operation thereof, i.e. a modification of the network service during operation. According to some examples of embodiments, the determination of the countermeasures includes at least one of the following.
At least one new VSF is introduced in a path of the network service including the network element or function affected by the security incident, wherein a type of the at least one new VSF (e.g. IDS/IPS, firewall etc.) to be introduced is selected and a procedure for introducing the at least one new VSF in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. how the network service is to be modified when introducing the virtual security function). For informing about the thus determined countermeasures, information indicating the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function is prepared.
Alternatively or additionally, at least one existing VSF, PSF, VNF and PNF in a path of the network service including the network element or function affected by the security incident is modified, wherein a kind of modification of the at least one existing VSF, PSF, VNF and PNF is selected and a procedure for effecting the modification of the at least one VSF, PSF, VNF and PNF in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. how the network service is to be modified when modifying the security function). For informing about the thus determined countermeasures, information indicating the kind of modification of the at least one VSF, PSF, VNF and PNF in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification is prepared. Alternatively or additionally, a path of the network service including the network element or function affected by the security incident is changed so as to be directed to at least one existing VSF/PSF, wherein at least one existing VSF/PSF which is suitable for handling the security incident and to which the path is to be directed is selected. Furthermore, a procedure for effecting the change of the path to the at least one VSF/PSF in the network service during operation of the network service is determined (i.e. a step-by-step description of how the countermeasure is to be implemented, i.e. how the network service is to be modified when changing the network service path). For informing about the thus determined countermeasures, the information about the at least one VSF/PSF to which the path is to be changed and the procedure for effecting the change of the path is prepared.
Alternatively or additionally, it is decided to terminate the network service (e.g. in case this is the only suitable or effective countermeasure). In this case, for informing about the thus determined countermeasures, information indicating termination of the network service is prepared. According to some examples of embodiments, when determining the countermeasures related to the security incident, one or more of the following parameters are considered: a type of attack causing the security incident (e.g. severity of the attack, danger caused by the attack), a type of the network element or function being affected by the security incident (e.g. critical network element or function or not), a location of the network element or function being affected by the security incident (e.g. in which branch of the network service the network element or function is placed, which physical entity/data center is concerned), and an operation state of a path of the network service including the network element or function being affected by the security incident (e.g. whether the path is currently used by active connections, whether it is a stateless path, etc.).
Furthermore, according to some examples of embodiments, the countermeasures related to the security incident which are used include one or more of the following measures: a connection to the path of the network service including the network element or function being affected by the security incident is permanently interrupted (e.g. according to the example described in connection with Fig. 8), a connection to the path of the network service including the network element or function being affected by the security incident is temporarily interrupted (e.g. according to the example described in connection with Fig. 11), at least one new VSF is introduced in the path of the network service including the network element or function being affected by the security incident, at least one VSF or PSF existing in the path of the network service including the network element or function being affected by the security incident is modified, at least a part of the path of the network service including the network element or function being affected by the security incident is redirected to a VSF/PSF, a VNF or PNF (e.g. a VNF gateway) existing in the path of the network service including the network element or function being affected by the security incident is modified (e.g. encryption is enabled), the network element or function being affected by the security incident is deleted (e.g. terminated) from the network service (e.g. according to the example described in connection with Fig. 8), an integrity of the network element or function being affected by the security incident is checked (e.g. according to the example described in connection with Fig. 11), the network element or function being affected by the security incident is rehealed (e.g. according to the example described in connection with Fig. 11), the path of the network service including the network element or function being affected by the security incident is reconfigured as a honeypot path for learning the behavior of the security incident, security related attributes of network elements or functions of the path including the network element or function being affected by the security incident are redefined for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and a replacement path including network elements or functions corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced (or modified etc., which concerns also PSFs) as countermeasure is established (e.g. according to the example described in connection with Fig. 14).
In S1630, information indicating the determined countermeasures for a modification of the network service for realizing the countermeasures is generated.
According to some examples of embodiments, the information indicating the determined countermeasures includes a modified network service description (NSD) and a network service change indication (ANSD).
In S1640, the information indicating the determined countermeasures (NSD, ANSD) is provided for initiating the modification of the network service for realizing the countermeasures.
For example, according to some examples of embodiments of the invention, in case a confirmation mode is set, the information (NSD, ANSD) is forwarded to a service tool of a network administrator of the communication network (e.g. ST in OSS/BSS 150), from where the information (NSD, ANSD) is sent/provided to the network (i.e. the NFVO 160) when the countermeasures are confirmed by the network administrator (or a changed set of information may be provided).
Alternatively or additionally, according to some further examples of embodiments, information indicating paths of the network service which are allowed to be automatically modified in case of a security incident is received and stored in advance (e.g. when the network service is initially established). When the security incident is then analyzed (see S1610), it is also determined on the basis of this information whether countermeasures related to the security incident concern a path for which an automatic modification mode is allowed. In case the check is affirmative, the information (NSD, ANSD) is sent to the NFVO 160 directly.
The information (NSD, ANSD) indicating the determined countermeasures, which is provided to the NFVO 160, for example, causes, according to one example of embodiments, a modification of the network service in the following way (corresponding e.g. to the processing described in connection with Figs. 8 to 10).
When the corresponding security incident is detected, the connection to the path of the network service including the network element or function being affected by the security incident is immediately interrupted. Then, a new virtual security function to be introduced is instantiated or an existing virtual security function is modified. Security policies of the new or modified virtual security function are configured. Furthermore, a new version of the network element or function being affected by the security incident is installed, or at least the integrity of the network element or function being affected by the security incident is checked. The network element or function being affected by the security incident (after the integrity check) is re-connected to the network service, or the new version of the network element or function being affected by the security incident is connected to the network service, via the new or modified virtual security function. Then, processing of the network service is continued or restarted.
Alternatively, the information (NSD, ANSD) indicating the determined countermeasures, which is provided to the NFVO 160, causes, according to a further example of embodiments, a modification of the network service in the following way (corresponding e.g. to the processing described in connection with Figs. 11 to 13).
When the corresponding security incident is detected, first, a new virtual security function to be introduced is instantiated or an existing virtual security function is modified. Security policies of the new or modified virtual security function are configured. Then, the connection to the path of the network service including the network element or function being affected by the security incident is interrupted. In a further processing, the network element or function being affected by the security incident is analyzed, and on the basis of the analyzing result, the network element or function being affected by the security incident is rehealed or relaunched. Next, the network element or function being affected by the security incident is reconnected via the new or modified virtual security function to the network service. Hence, processing with network service can be continued or restarted.
As a further alternative, the information (NSD, ANSD) indicating the determined countermeasures, which is provided to the NFVO 160, causes, according to a further example of embodiments, a modification of the network service in the following way (corresponding e.g. to the processing described in connection with Figs. 14 to 16).
When the corresponding security incident is detected, first, a new virtual security function to be introduced is instantiated or an existing virtual security function is modified. Security policies of the new or modified virtual security function are configured. In addition, a new virtual network element or function corresponding to the network element or function being affected by the security incident is instantiated. The new virtual network element or function is connected via the new or modified virtual security function to the network service, in parallel to the path including the network element or function being affected by the security incident. An establishment of new connections to the path of the network service including the network element or function being affected by the security incident is stopped, while at the same time an establishment of new connections is started to the path of the network service including the new virtual network element or function and the new or modified virtual security function. When, after a corresponding check, it is determined that no further active connection remains on the path of the network service including the network element or function being affected by the security incident, the connection to the path of the network service including the network element or function being affected by the security incident is interrupted (and the corresponding network elements or functions may be terminated or the like).
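The three modification sequences described above differ mainly in when the affected path is interrupted relative to the introduction of the VSF. The following simulation, added here as an example and not taken from the patent, runs all three against a small model of a network service; the Path and NetworkService classes, the connection counter used to model "no further active connection remains", and the function names are assumptions made for illustration.

```python
"""Simulation of the three NFVO modification sequences described above.

Constructed example, not the patent's code: the NetworkService and Path model,
the connection counter and the function names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Path:
    name: str
    elements: list                 # ordered network elements or functions
    accepting_new: bool = True     # may new connections be set up on this path
    active_connections: int = 0
    connected: bool = True         # False once the path has been interrupted


@dataclass
class NetworkService:
    paths: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add_path(self, path: Path) -> None:
        self.paths[path.name] = path

    def insert_vsf(self, path_name: str, vsf: str, before: str) -> None:
        """Instantiate a VSF in front of the affected element and configure it."""
        p = self.paths[path_name]
        p.elements.insert(p.elements.index(before), vsf)
        self.log.append(f"vsf {vsf} inserted on {path_name}")
        self.log.append(f"policies configured on {vsf}")

    def interrupt(self, path_name: str) -> None:
        p = self.paths[path_name]
        p.connected, p.accepting_new = False, False
        self.log.append(f"{path_name} interrupted")

    def reconnect(self, path_name: str) -> None:
        self.paths[path_name].connected = True
        self.log.append(f"{path_name} reconnected")

    def open_connection(self, path_name: str) -> str:
        """Connection setup: use the original path or its replacement, whichever
        is connected and still accepts new connections."""
        for name in (path_name, path_name + "-new"):
            p = self.paths.get(name)
            if p is not None and p.connected and p.accepting_new:
                p.active_connections += 1
                return name
        raise RuntimeError("no path accepts new connections")


def disruptive_replace(ns, path_name, affected, vsf, integrity_ok: bool) -> list:
    """Figs. 8 to 10: interrupt at once, insert the VSF, check or replace, reconnect."""
    ns.interrupt(path_name)
    ns.insert_vsf(path_name, vsf, before=affected)
    if integrity_ok:
        ns.log.append(f"integrity of {affected} verified")
    else:
        elems = ns.paths[path_name].elements
        elems[elems.index(affected)] = affected + "-v2"      # new version installed
        ns.log.append(f"new version {affected}-v2 installed")
    ns.reconnect(path_name)
    return ns.log


def prepare_then_heal(ns, path_name, affected, vsf, analysis: str) -> list:
    """Figs. 11 to 13: VSF is ready before the path is interrupted; heal or relaunch."""
    ns.insert_vsf(path_name, vsf, before=affected)
    ns.interrupt(path_name)
    ns.log.append(f"{affected} {'relaunched' if analysis == 'compromised' else 'rehealed'}")
    ns.reconnect(path_name)
    return ns.log


def parallel_path_drain(ns, path_name, affected, vsf, closing_per_tick: int) -> list:
    """Figs. 14 to 16: replacement path in parallel, steer new connections there,
    interrupt the old path only when no active connection remains on it."""
    if closing_per_tick <= 0:
        raise ValueError("drain needs connections to close over time")
    old = ns.paths[path_name]
    new_elements = []
    for e in old.elements:                   # replacement VNF behind the new VSF
        new_elements += [vsf, affected + "-new"] if e == affected else [e]
    new = Path(path_name + "-new", new_elements)
    ns.add_path(new)
    ns.log.append(f"{new.name} connected in parallel via {vsf}")
    old.accepting_new = False                # stop new connections on the old path
    ticks = 0
    while old.active_connections > 0:        # existing sessions finish on their own
        old.active_connections = max(0, old.active_connections - closing_per_tick)
        ticks += 1
    ns.interrupt(path_name)
    ns.log.append(f"{path_name} drained after {ticks} ticks")
    return ns.log
```

The log each function returns makes the ordering visible: in the first sequence "interrupted" is the first entry, in the second it follows the VSF insertion, and in the third it appears only after the replacement path has been connected and the old path has no active connections left, which is what makes that variant non-disruptive for existing sessions.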
According to some further examples of embodiments, it is further checked, e.g. during the analyzing or the determination of countermeasures, whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function (for example, as described above, when the path includes an encrypted passage whose traffic cannot be read by the VSF, measures have to be taken for allowing the VSF to be introduced in the path in a functional manner). That is, when the result of the check is negative (i.e. the path in the present form is not suitable for introducing the VSF), a processing for preparing the path of the network service including the network element or function being affected by the security incident for introducing the at least one virtual security function is conducted. The preparation includes assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service.
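The suitability check and the two kinds of preparation named above (re-assigning an encryption attribute of the path, or re-assigning the location of a virtual element) can be expressed as follows. This is an added example and not code from the patent: the Segment model, the "clear_at" attribute standing for the locations at which a segment's traffic is readable, and the rule of trying a location change before an encryption change are assumptions made for illustration.

```python
"""Suitability check and preparation of a path before a VSF is introduced.

Constructed example, not the patent's code: the Segment model, the "clear_at"
attribute and the two preparation strategies are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    encrypted: bool = False
    # Locations at which this segment's traffic is available in clear text,
    # e.g. the host that terminates the encryption (constructed attribute).
    clear_at: frozenset = frozenset()


@dataclass
class PathModel:
    segments: list          # ordered hop-to-hop segments of the path

    def segment_into(self, element: str) -> Segment:
        """The segment whose traffic a VSF placed in front of `element` would see."""
        for s in self.segments:
            if s.dst == element:
                return s
        raise KeyError(f"{element} is not on this path")


@dataclass
class VsfPlan:
    vsf: str
    location: str
    segments: list                   # path segments after preparation
    attribute_changed: str = "none"  # "none", "location" or "encryption"


def is_suitable(path: PathModel, affected: str, vsf_location: str) -> bool:
    """A VSF can only work on traffic it can read: either the segment in front of
    the affected element is unencrypted, or the VSF sits where it is in clear."""
    seg = path.segment_into(affected)
    return (not seg.encrypted) or vsf_location in seg.clear_at


def prepare_path(path: PathModel, affected: str, vsf: str, vsf_location: str) -> VsfPlan:
    """Return a plan that makes the path suitable, re-assigning the VSF location
    first (less intrusive) and the encryption layout only if that is impossible."""
    if is_suitable(path, affected, vsf_location):
        return VsfPlan(vsf, vsf_location, list(path.segments))
    seg = path.segment_into(affected)
    if seg.clear_at:
        # Location attribute: move the VSF to where the traffic is already readable.
        return VsfPlan(vsf, min(seg.clear_at), list(path.segments), "location")
    # Encryption attribute: terminate the encrypted segment at the VSF and
    # re-encrypt behind it, so the VSF becomes a key holder for both halves.
    new_segments = []
    for s in path.segments:
        if s is seg:
            new_segments.append(Segment(s.src, vsf, True, frozenset({vsf_location})))
            new_segments.append(Segment(vsf, s.dst, True, frozenset({vsf_location})))
        else:
            new_segments.append(s)
    return VsfPlan(vsf, vsf_location, new_segments, "encryption")
```

Splitting an encrypted segment at the VSF is the more invasive of the two preparations, since it turns the VSF into a key holder and therefore into a new target; the plan records which attribute was changed so that the SO can adapt the policies of the existing security functions accordingly.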
In addition, according to some further examples of embodiments, security policies of the at least one virtual security function being introduced as countermeasure are configured by the SO 100, and security policies of existing security functions (PSF, VSF) of the network service are adapted accordingly.
Fig. 18 shows a diagram of a network element or function like a managing entity serving as the SO according to some examples of embodiments, which is configured to implement a procedure for managing security in a communication network as described in connection with some of the examples of embodiments. It is to be noted that the network element, like the managing entity or function 100 of Fig. 2, which is configured to act as a SO, may include further elements or functions besides those described herein below. Furthermore, even though reference is made to a network element, management entity or function, the element, entity or function may be also another device or function having a similar task, such as a chipset, a chip, a module, an application etc., which can also be part of a network element or attached as a separate element to a network element, or the like. It should be understood that each block and any combination thereof may be implemented by various means or their combinations, such as hardware, software, firmware, one or more processors and/or circuitry.
The management entity or function shown in Fig. 18 may include a processing circuitry, a processing function, a control unit or a processor 1001, such as a CPU or the like, which is suitable for executing instructions given by programs or the like related to the control procedure. The processor 1001 may include one or more processing portions or functions dedicated to specific processing as described below, or the processing may be run in a single processor or processing function. Portions for executing such specific processing may be also provided as discrete elements or within one or more further processors, processing functions or processing portions, such as in one physical processor like a CPU or in one or more physical or virtual entities, for example. Reference sign 1002 denotes input/output (I/O) units or functions (interfaces) connected to the processor or processing function 1001. The I/O units 1002 may be used for communicating with other management entities or functions, as described in connection with Fig. 2, for example, such as the OSS/BSS 150, the NFVO 160, the VIM 180, the EM/SEM, the security monitor 105 and the like. The I/O units 1002 may be a combined unit including communication equipment towards several management entities, or may include a distributed structure with a plurality of different interfaces for different entities. Reference sign 1004 denotes a memory usable, for example, for storing data and programs to be executed by the processor or processing function 1001 and/or as a working storage of the processor or processing function 1001. It is to be noted that the memory 1004 may be implemented by using one or more memory portions of the same or different type of memory.
The processor or processing function 1001 is configured to execute processing related to the above described security procedure. In particular, the processor or processing circuitry or function 1001 includes one or more of the following sub-portions. Sub-portion 1005 is a processing portion which is usable as a portion for processing and analyzing information regarding a security incident at a network element or function of the network service. The portion 1005 may be configured to perform processing according to S1600 and S1610 of Fig. 17. Furthermore, the processor or processing circuitry or function 1001 may include a sub-portion 1006 usable as a portion for determining countermeasures for the security incident. The portion 1006 may be configured to perform a processing according to S1620 of Fig. 17. In addition, the processor or processing circuitry or function 1001 may include a sub-portion 1007 usable as a portion for generating and providing information indicating the countermeasures. The portion 1007 may be configured to perform a processing according to S1630 and S1640 of Fig. 17.
As described above, according to examples of embodiments, for managing security in a hybrid communication network, a management entity or function referred to as security orchestrator is provided. For example, according to examples of embodiments, the SO is implemented as SW package structured according to the described tasks and with the defined interfaces. The SW performing the SO tasks can be implemented according to the workflow diagrams described above.
Specifically, according to examples of embodiments, a mechanism is proposed allowing a holistic end-to-end security view in a communication network (e.g. in accordance with an ETSI NFV environment) and enabling modification of security settings in a network service being in operation (i.e. running network service). Thus, a flexible and (at least partly) automated end-to-end security for a network service in communication networks implemented e.g. at least in part in a telecommunication cloud is achievable.
Consequently, a flexible and (at least partly) automated solution for network security in telecommunication cloud solutions (e.g. in an ETSI NFV environment) can be provided. Thus, by means of the proposed (at least partly) automated security management of hybrid networks, which includes also physical network parts, cloud-based advantages of flexibility and (at least in part) automation can be maintained. Furthermore, it is possible to react flexibly to unforeseen security incidents or attacks. Unforeseen means in this context that these kinds of incidents/attacks were not anticipated during the preparation phase where the security measures for the network service were designed. Therefore, new VSFs are included into a running network service. Flexibly means that, depending on the severity and the consequences of the attack, the security orchestrator controlling provision and triggering of the insertion of the appropriate security functions and security measures reacts in a way that is optimized for the kind of attack (i.e. disruptive to non-disruptive reactions). Hence, it is possible to control the degree of interference with a running network service when inserting security functions.
Consequently, according to examples of embodiments, the security level of network service can be improved and adapted also when already running, which also allows security modifications of an active network service that was initially (during the NSD preparation phase) not secured at all, at a later point of time.
According to another example of embodiments, there is provided an apparatus comprising means for receiving and processing, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service, means for obtaining, during the operation of the network service, an analysis result of the security incident, means for determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and means for providing information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
Furthermore, according to some other examples of embodiments, the above defined apparatus may further comprise means for conducting at least one of the processing steps defined in the above described methods, for example a method according to that described in connection with Fig. 17.
It should be appreciated that
- an access technology via which traffic is transferred to and from an entity in the hybrid communication network may be any suitable present or future technology, such as WLAN (Wireless Local Access Network), WiMAX (Worldwide Interoperability for Microwave Access), LTE, LTE-A, Bluetooth, Infrared, and the like; additionally, embodiments may also apply wired technologies, e.g. IP based access technologies like cable networks or fixed lines.
- embodiments suitable to be implemented as software code or portions of it and being run using a processor or processing function are software code independent and can be specified using any known or future developed programming language, such as a high-level programming language, such as objective-C, C, C++, C#, Java, Python, Javascript, other scripting languages etc., or a low-level programming language, such as a machine language, or an assembler.
- implementation of embodiments is hardware independent and may be implemented using any known or future developed hardware technology or any hybrids of these, such as a microprocessor or CPU (Central Processing Unit), MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), and/or TTL (Transistor-Transistor Logic).
- embodiments may be implemented as individual devices, apparatuses, units, means or functions, or in a distributed fashion, for example, one or more processors or processing functions may be used or shared in the processing, or one or more processing sections or processing portions may be used and shared in the processing, wherein one physical processor or more than one physical processor may be used for implementing one or more processing portions dedicated to specific processing as described,
- an apparatus may be implemented by a semiconductor chip, a chipset, or a (hardware) module including such chip or chipset;
- embodiments may also be implemented as any combination of hardware and software, such as ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) or CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components.
- embodiments may also be implemented as computer program products, including a computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to execute a process as described in embodiments, wherein the computer usable medium may be a non-transitory medium.

Although the present invention has been described herein before with reference to particular embodiments thereof, the present invention is not limited thereto and various modifications can be made thereto.

Claims

1. A system including
a network function virtualization control element or function configured to manage at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts,
a security control element or function configured to execute security-related management tasks in the communication network comprising virtualized network parts, and
a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service,
wherein the security monitoring element or function is further configured, during an operation of the network service, to notify the security control element about a security incident at a network element or function involved in the network service,
the security control element or function is further configured, during the operation of the network service, to obtain an analysis result of the security incident and
to determine countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and the network function virtualization control element or function is further configured to receive and process information indicating the determined countermeasures and to initiate a modification of the network service for realizing the countermeasures.
2. The system according to claim 1, wherein the security control element or function is further configured to determine, as the countermeasures related to the security incident, at least one of
introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function,
modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification,
changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path, and
terminating the network service, wherein the network function virtualization control element or function is further configured to receive and process, as the information indicating the determined countermeasures, the indication to terminate the network service.
3. The system according to claim 1 or 2, wherein the security control element or function is further configured
to obtain the analysis result of the security incident by conducting an own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or to receive and process the analysis result from an external analysis process.
4. The system according to any of claims 1 to 3, wherein the security monitoring element or function is an internal element or function of the security control element or function or a separate element or function of the communication network and capable of communicating with the security control element or function.
5. The system according to any of claims 1 to 4, wherein the security monitoring element or function is configured to monitor virtual network functions and physical network functions involved in the network service and to notify the security control element or function about a security incident at the virtual network functions and physical network functions.
6. The system according to any of claims 1 to 5, wherein the security control element or function is further configured to forward information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service to a service tool of a network administrator of the communication network, wherein the service tool is further configured
to process an input regarding a confirmation of the received information, or to process an input regarding a change of the received information for generating a changed set of information indicating countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service, and
to send the confirmed information or the changed information indicating the determined countermeasures and at least one of an introduction and a modification of the security setting for the network service.
7. The system according to any of claims 1 to 6, wherein the security control element or function is further configured
to receive and store information indicating paths of the network service being allowed to be automatically modified in case of a security incident,
to check, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and in case the check is affirmative, send the information indicating the determined countermeasures to the network function virtualization control element or function.
8. The system according to any of claims 1 to 7, wherein the information indicating the determined countermeasures includes a modified network service description and a network service change indication generated by the security control element or function.
9. The system according to any of claims 1 to 8, wherein the security control element or function is further configured to consider, when determining countermeasures related to the security incident, at least one of
a type of attack causing the security incident,
a type of the network element or function being affected by the security incident,
a location of the network element or function being affected by the security incident, and
an operation state of a path of the network service including the network element or function being affected by the security incident.
10. The system according to any of claims 1 to 9, wherein the security control element or function is further configured to use, as countermeasures related to the security incident, at least one of
interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident,
interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident,
introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident,
modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident,
redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function,
modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident,
deleting the network element or function being affected by the security incident from the network service,
checking an integrity of the network element or function being affected by the security incident from the network service,
rehealing the network element or function being affected by the security incident from the network service,
reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident,
redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and
establishing of a replacement path including network elements or function corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure.
11. The system according to any of claims 1 to 10, wherein the security control element or function is further configured to conduct at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service.
12. The system according to any of claims 1 to 11, wherein the network function virtualization control element or function is further configured, on the basis of information indicating the determined countermeasures, to initiate a modification of the network service including
immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident,
re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with network service.
13. The system according to any of claims 1 to 11, wherein the network function virtualization control element or function is further configured, on the basis of information indicating the determined countermeasures, to initiate a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
analyzing the network element or function being affected by the security incident,
rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result,
re-connecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with network service.
14. The system according to any of claims 1 to 11, wherein the network function virtualization control element or function is further configured, on the basis of information indicating the determined countermeasures, to initiate a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident,
connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident,
stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function,
checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and
if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident.
15. The system according to any of claims 1 to 14, wherein the security control element or function is further configured
to check whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative,
to prepare the path of the network service including the network element or function being affected by the security incident for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service.
16. The system according to any of claims 1 to 15, wherein
the network function virtualization control element or function is included in a network function virtualization orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing,
the security control element or function is included in a security orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing, and the security monitoring element or function is included in a security monitor implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing.
17. A method including
managing, by a network function virtualization control element or function, at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts,
executing, by a security control element or function, security-related management tasks in the communication network comprising virtualized network parts, and
monitoring, by a security monitoring element or function, the communication network and recognizing security related incidents in the communication network occurring at network elements or functions involved in the network service,
wherein the method further includes, during an operation of the network service, notifying about a security incident at a network element or function involved in the network service,
obtaining an analysis result of the security incident,
determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and
receiving and processing information indicating the determined countermeasures and initiating a modification of the network service for realizing the countermeasures.
18. The method according to claim 17, further including
determining, as the countermeasures related to the security incident, at least one of
introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function are received and processed,
modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification are received and processed,
changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path are received and processed, and
terminating the network service, wherein, as the information indicating the determined countermeasures, the indication to terminate the network service is received and processed.
19. The method according to claim 17 or 18, further including
obtaining the analysis result of the security incident by conducting its own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or
receiving and processing the analysis result from an external analysis process.
20. The method according to any of claims 17 to 19, wherein the monitoring of the communication network and recognizing of security related incidents in the communication network occurring at network elements or functions involved in the network service is executed internally in the security control element or function or by a separate element or function of the communication network communicating with the security control element or function.
21. The method according to any of claims 17 to 20, further including monitoring virtual network functions and physical network functions involved in the network service and notifying about a security incident at the virtual network functions and physical network functions.
22. The method according to any of claims 17 to 21, further including
forwarding information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service to a service tool of a network administrator of the communication network,
processing an input regarding a confirmation of the received information, or processing an input regarding a change of the received information for generating a changed set of information indicating countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service, and
sending the confirmed information or the changed information indicating the determined countermeasures and at least one of an introduction and a modification of the security setting for the network service.
23. The method according to any of claims 17 to 22, further including
receiving and storing information indicating paths of the network service being allowed to be automatically modified in case of a security incident,
checking, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and
in case the check is affirmative, sending the information indicating the determined countermeasures to the network function virtualization control element or function.
24. The method according to any of claims 17 to 23, wherein the information indicating the determined countermeasures includes a modified network service description and a network service change indication generated by the security control element or function.
25. The method according to any of claims 17 to 24, further including considering, when determining countermeasures related to the security incident, at least one of
a type of attack causing the security incident,
a type of the network element or function being affected by the security incident,
a location of the network element or function being affected by the security incident, and
an operation state of a path of the network service including the network element or function being affected by the security incident.
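The security orchestrator side of claims 23 to 25 (and their apparatus counterparts, claims 39 to 41) can be illustrated in code: an incident notification is merged with the analysis result, a countermeasure is chosen from the factors listed in claim 25, a modified network service description plus a change indication is generated (claim 24), and the change is either sent straight to the NFV orchestrator or held for the administrator's service tool depending on the claim 23 allow-list. This is an added illustration and not code from the patent or from Nokia; the Incident fields, the countermeasure names, the decision rules and the descriptor layout are all assumed for the example.

```python
"""Security-orchestrator side of the flow claimed above (claims 17 and 23 to 25).
Added illustration, not code from the patent or from Nokia: the Incident fields,
the countermeasure names, the decision rules in determine_countermeasure and the
descriptor layout are all assumptions made for this example."""
import copy
from dataclasses import dataclass, field
from typing import Optional

# Assumed identifiers for countermeasures that claim 26 lists in prose.
INTERRUPT_PERMANENT = "interrupt_permanent"
INTRODUCE_VSF = "introduce_vsf"
REDIRECT_TO_VSF = "redirect_to_existing_vsf"
HONEYPOT = "reconfigure_as_honeypot"


@dataclass
class Incident:
    """Monitor notification merged with the analysis result (claims 17 and 19)."""
    ns_id: str
    path_id: str
    element_id: str
    element_type: str     # assumed convention: "v..." virtual, "p..." physical
    location: str         # hosting zone of the affected element
    attack_type: str      # taken from the analysis result
    path_state: str       # "active" | "degraded" | "isolated"


@dataclass
class Countermeasure:
    action: str
    vsf_type: Optional[str] = None    # selected VSF type (claim 18)
    procedure: Optional[str] = None   # which claim 28/29/30 procedure the NFVO should run


@dataclass
class SecurityOrchestrator:
    auto_modifiable: dict = field(default_factory=dict)   # claim 23: ns_id -> {path_id, ...}
    sent_to_nfvo: list = field(default_factory=list)
    held_for_admin: list = field(default_factory=list)    # claim 22: waits for the service tool

    def allow_auto_modification(self, ns_id: str, path_ids) -> None:
        self.auto_modifiable.setdefault(ns_id, set()).update(path_ids)

    def determine_countermeasure(self, inc: Incident) -> Countermeasure:
        """Claim 25: attack type, element type, location and path state feed the choice."""
        if inc.path_state == "isolated":
            return Countermeasure(INTERRUPT_PERMANENT)
        if inc.attack_type == "volumetric_ddos":
            # keep the service up: build a scrubbed path in parallel, drain, then cut (claim 30)
            return Countermeasure(INTRODUCE_VSF, "vDDoSScrubber", "parallel_drain")
        if inc.attack_type == "malware_c2":
            # an element beaconing out is cut first, repaired, then reconnected (claim 28)
            return Countermeasure(INTRODUCE_VSF, "vIDS", "immediate")
        if inc.attack_type == "recon_scan" and inc.element_type.startswith("p"):
            # a physical element cannot be re-instantiated; front it with an existing VSF
            return Countermeasure(REDIRECT_TO_VSF, "vFW")
        if inc.attack_type == "recon_scan":
            return Countermeasure(HONEYPOT)
        # unknown attack: stage an IDS, cut, analyse, re-heal, reconnect (claim 29)
        return Countermeasure(INTRODUCE_VSF, "vIDS", "analyse_then_reconnect")

    def build_change(self, inc: Incident, cm: Countermeasure, ns_descriptor: dict) -> dict:
        """Claim 24: a modified NS description plus a separate change indication."""
        modified = copy.deepcopy(ns_descriptor)          # never edit the live descriptor
        chain = modified["paths"][inc.path_id]
        if cm.action in (INTRODUCE_VSF, REDIRECT_TO_VSF):
            chain.insert(chain.index(inc.element_id), cm.vsf_type)   # VSF in front of the element
        elif cm.action == INTERRUPT_PERMANENT:
            modified["paths"][inc.path_id] = []                     # path removed from the service
        return {"ns_id": inc.ns_id, "ns_descriptor": modified,
                "change": {"path": inc.path_id, "element": inc.element_id,
                           "action": cm.action, "vsf_type": cm.vsf_type,
                           "procedure": cm.procedure}}

    def handle_incident(self, inc: Incident, ns_descriptor: dict) -> str:
        cm = self.determine_countermeasure(inc)
        change = self.build_change(inc, cm, ns_descriptor)
        # Claim 23: only pre-approved paths go straight to the NFVO; anything else is
        # held until the administrator confirms or edits it (claim 22).
        if inc.path_id in self.auto_modifiable.get(inc.ns_id, set()):
            self.sent_to_nfvo.append(change)
            return "sent_to_nfvo"
        self.held_for_admin.append(change)
        return "held_for_admin"


# Constructed sample: one service with two paths; only p1 is pre-approved for automation.
SAMPLE_NSD = {"ns_id": "ns-1", "paths": {"p1": ["vLB", "vDNS", "vDB"], "p2": ["vLB", "vWeb"]}}

if __name__ == "__main__":
    so = SecurityOrchestrator()
    so.allow_auto_modification("ns-1", ["p1"])
    print(so.handle_incident(Incident("ns-1", "p1", "vDNS", "vDNS", "zone-a", "volumetric_ddos", "active"), SAMPLE_NSD))
    print(so.handle_incident(Incident("ns-1", "p2", "vWeb", "vWeb", "zone-a", "malware_c2", "active"), SAMPLE_NSD))
```

The point worth noticing is the split in claim 24: the descriptor is copied and modified, and the change indication travels beside it, so the NFVO can validate the requested edit against the descriptor it already holds rather than trusting an opaque new one. The claim 23 allow-list is the only thing standing between the security orchestrator and an automatic change to a live service, so it should be treated as security-sensitive configuration in its own right.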
26. The method according to any of claims 17 to 25, further including using, as countermeasures related to the security incident, at least one of
interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident,
interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident,
introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident,
modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident,
redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function,
modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident,
deleting the network element or function being affected by the security incident from the network service,
checking an integrity of the network element or function being affected by the security incident from the network service,
rehealing the network element or function being affected by the security incident from the network service,
reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident,
redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and
establishing a replacement path including network elements or functions corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure.
27. The method according to any of claims 17 to 26, further including conducting at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service.
28. The method according to any of claims 17 to 27, further including
initiating a modification of the network service on the basis of information indicating the determined countermeasures, the modification including
immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident,
re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with the network service.
29. The method according to any of claims 17 to 27, further including
initiating a modification of the network service on the basis of information indicating the determined countermeasures, the modification including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
analyzing the network element or function being affected by the security incident,
rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result,
re-connecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with the network service.
30. The method according to any of claims 17 to 27, further including
initiating a modification of the network service on the basis of information indicating the determined countermeasures, the modification including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the virtual security function,
instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident,
connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident,
stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function,
checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and
if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident.
31. The method according to any of claims 17 to 30, further including checking whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative,
preparing the path of the network service including the network element or function being affected by the security incident for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service.
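Claims 28 to 30 describe three orderings of the same live modification (cut first; stage the VSF first; build a parallel path and drain), and claim 31 adds a pre-check that the path can actually take the VSF. The differences are easiest to see as code that records the order of operations. The following is an added illustration of the NFV-orchestrator side, not code from the patent or from any orchestrator product (apparatus counterparts: claims 44 to 47); the Path model, the VSF requirement table, the attribute values and the drain readings are assumptions for the example.

```python
"""NFVO side: the live-modification procedures of claims 28 to 30 and the path
suitability check of claim 31. Added illustration, not code from the patent or from
any orchestrator; the Path model, VSF_REQUIREMENTS and the attribute values are
assumptions for this example."""
from dataclasses import dataclass, field


@dataclass
class Path:
    elements: list                       # ordered chain of VNF/PNF identifiers
    active_connections: int = 0
    accepting_new: bool = True
    connected: bool = True
    attributes: dict = field(default_factory=lambda: {"encryption": "hop_by_hop", "zone": "zone-a"})


@dataclass
class NetworkService:
    paths: dict                          # path_id -> Path
    log: list = field(default_factory=list)   # ordered record of what the NFVO did

    def event(self, msg: str) -> None:
        self.log.append(msg)


# Assumed placement constraints behind the claim 31 check: a VSF that inspects payload
# cannot sit on an end-to-end encrypted path, and a VSF is pinned to one hosting zone.
VSF_REQUIREMENTS = {
    "vIDS": {"needs_plaintext": True, "zone": "zone-a"},
    "vDDoSScrubber": {"needs_plaintext": False, "zone": "zone-a"},
    "vFW": {"needs_plaintext": True, "zone": "zone-b"},
}


def ensure_path_suitable(ns: NetworkService, path_id: str, vsf_type: str) -> list:
    """Claim 31: check the path; if unsuitable, re-assign encryption/location attributes.
    Returns the attribute names that had to change (empty if the path was already suitable)."""
    path, req = ns.paths[path_id], VSF_REQUIREMENTS[vsf_type]
    changed = []
    if req["needs_plaintext"] and path.attributes["encryption"] == "end_to_end":
        path.attributes["encryption"] = "terminated_at_vsf"   # give the VSF a cleartext point
        changed.append("encryption")
    if path.attributes["zone"] != req["zone"]:
        path.attributes["zone"] = req["zone"]                 # relocate the path's VNFs
        changed.append("zone")
    for attr in changed:
        ns.event(f"{path_id}: re-assigned {attr}={path.attributes[attr]}")
    return changed


def _instantiate_vsf(ns: NetworkService, path_id: str, vsf_type: str, element_id: str) -> None:
    chain = ns.paths[path_id].elements
    chain.insert(chain.index(element_id), vsf_type)           # VSF directly in front of the element
    ns.event(f"{path_id}: instantiated {vsf_type}")
    ns.event(f"{path_id}: configured policies on {vsf_type}")


def procedure_immediate(ns, path_id, element_id, vsf_type) -> None:
    """Claim 28: cut first, then repair and reconnect through the VSF (shortest exposure)."""
    ns.paths[path_id].connected = False
    ns.event(f"{path_id}: interrupted")
    ensure_path_suitable(ns, path_id, vsf_type)
    _instantiate_vsf(ns, path_id, vsf_type, element_id)
    ns.event(f"{path_id}: integrity checked / new version installed for {element_id}")
    ns.paths[path_id].connected = True
    ns.event(f"{path_id}: reconnected via {vsf_type}; service resumed")


def procedure_analyse_then_reconnect(ns, path_id, element_id, vsf_type) -> None:
    """Claim 29: stage the VSF before the cut so the interruption is shorter."""
    ensure_path_suitable(ns, path_id, vsf_type)
    _instantiate_vsf(ns, path_id, vsf_type, element_id)
    ns.paths[path_id].connected = False
    ns.event(f"{path_id}: interrupted")
    ns.event(f"{path_id}: analysed and re-healed {element_id}")
    ns.paths[path_id].connected = True
    ns.event(f"{path_id}: reconnected via {vsf_type}; service resumed")


def procedure_parallel_drain(ns, path_id, element_id, vsf_type, drain_samples) -> bool:
    """Claim 30: make-before-break. A replacement element behind the VSF comes up in
    parallel, new connections are steered to it, and the old path is cut only once no
    active connection remains. drain_samples stands in for successive readings of the
    old path's connection count (constructed input). Returns True once the old path is cut."""
    old = ns.paths[path_id]
    new_id = path_id + "-new"
    chain = list(old.elements)
    i = chain.index(element_id)
    chain[i:i + 1] = [vsf_type, element_id + "-new"]          # VSF fronts the replacement element
    ns.paths[new_id] = Path(chain, attributes=dict(old.attributes))
    ns.event(f"{new_id}: instantiated {vsf_type} and {element_id}-new in parallel")
    old.accepting_new = False
    ns.event(f"{path_id}: no new connections; new connections go to {new_id}")
    for remaining in drain_samples:
        old.active_connections = remaining
        if remaining > 0:
            ns.event(f"{path_id}: {remaining} active connection(s) remain, not interrupted")
    if old.active_connections == 0:                           # the claim 30 check
        old.connected = False
        ns.event(f"{path_id}: drained, interrupted")
    return not old.connected
```

Two caveats a practitioner would add. In the claim 30 procedure the affected element keeps serving existing connections until they close, so the drain should be bounded by a timeout after which the claim 28 cut is applied anyway; otherwise a long-lived attacker session keeps the compromised element alive indefinitely. And the claim 31 attribute change that terminates encryption at the VSF weakens the path's confidentiality between the VSF and the element, which is exactly the kind of change claim 22 routes to the administrator for confirmation.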
32. The method according to any of claims 17 to 31, wherein the method is implemented by
a network function virtualization control element or function included in a network function virtualization orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing,
a security control element or function included in a security orchestrator implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing, and
a security monitoring element or function included in a security monitor implemented in an apparatus including at least one processing circuitry and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus to conduct a corresponding processing.
33. An apparatus comprising
at least one processing circuitry, and
at least one memory for storing instructions to be executed by the processing circuitry, wherein
the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus at least: to receive and process, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service,
to obtain, during the operation of the network service, an analysis result of the security incident,
to determine countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and to provide information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
34. The apparatus according to claim 33, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least to determine, as the countermeasures related to the security incident, at least one of
introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function are provided,
modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification are provided,
changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path are provided, and
terminating the network service, wherein, as the information indicating the determined countermeasures, the indication to terminate the network service is provided.
35. The apparatus according to claim 33 or 34, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to obtain the analysis result of the security incident by conducting its own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or
to receive and process the analysis result from an external analysis process.
36. The apparatus according to any of claims 33 to 35, wherein the notification about the security incident at a network element or function involved in the network service is obtained from a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service, the security monitoring element or function being an internal or external function.
37. The apparatus according to any of claims 33 to 36, wherein the notification about the security incident at a network element or function involved in the network service, received from the security monitoring element or function, is related to at least one of virtual network functions and physical network functions involved in the network service.
38. The apparatus according to any of claims 33 to 37, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to forward information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service to a service tool of a network administrator of the communication network, wherein the information indicating countermeasures is provided when the countermeasures are confirmed by the network administrator.
39. The apparatus according to any of claims 33 to 38, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to receive and store information indicating paths of the network service being allowed to be automatically modified in case of a security incident,
to check, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and
in case the check is affirmative, to send the information indicating the determined countermeasures to a network function virtualization control element or function.
40. The apparatus according to any of claims 33 to 39, wherein the information indicating the determined countermeasures includes a modified network service description and a network service change indication generated by a security control element or function managing at least one virtual network function involved in the network service.
41. The apparatus according to any of claims 33 to 40, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to consider, when determining countermeasures related to the security incident, at least one of
a type of attack causing the security incident,
a type of the network element or function being affected by the security incident,
a location of the network element or function being affected by the security incident, and
an operation state of a path of the network service including the network element or function being affected by the security incident.
42. The apparatus according to any of claims 33 to 41, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to use, as countermeasures related to the security incident, at least one of
interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident,
interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident,
introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident,
modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident,
redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function,
modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident,
deleting the network element or function being affected by the security incident from the network service,
checking an integrity of the network element or function being affected by the security incident from the network service,
rehealing the network element or function being affected by the security incident from the network service,
reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident,
redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and
establishing a replacement path including network elements or functions corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure.
43. The apparatus according to any of claims 33 to 42, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to conduct at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service.
44. The apparatus according to any of claims 33 to 43, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to provide, as information indicating the determined countermeasures, information causing a modification of the network service including
immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident,
re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with the network service.
45. The apparatus according to any of claims 33 to 43, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to provide, as information indicating the determined countermeasures, information causing a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
analyzing the network element or function being affected by the security incident,
rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result,
re-connecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with the network service.
46. The apparatus according to any of claims 33 to 43, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to provide, as information indicating the determined countermeasures, information causing a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function,
instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident,
connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident,
stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function,
checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and
if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident.
47. The apparatus according to any of claims 33 to 46, wherein the at least one memory and the instructions are further configured to, with the at least one processing circuitry, cause the apparatus at least
to check whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative,
to prepare the path of the network service including the network element or function being affected by the security incident for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service.
48. The apparatus according to any of claims 33 to 47, wherein the apparatus is implemented in a security control element or function included in a security orchestrator configured to execute security-related management tasks in the communication network comprising virtualized network parts.
49. A method including
receiving and processing, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service,
obtaining, during the operation of the network service, an analysis result of the security incident,
determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and providing information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
50. The method according to claim 49, further including
determining, as the countermeasures related to the security incident, at least one of
introducing at least one virtual security function in a path of the network service including the network element or function affected by the security incident, selecting a type of the at least one virtual security function to be introduced and determining a procedure for introducing the at least one virtual security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the selected type of the at least one virtual security function and the procedure for introducing the at least one virtual security function are provided,
modifying at least one existing virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident, selecting a kind of modification of the at least one existing virtual security function, physical security function, virtual network function and physical network function and determining a procedure for effecting the modification of the at least one virtual security function, physical security function, virtual network function and physical network function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the kind of modification of the at least one virtual security function, physical security function, virtual network function and physical network function in a path of the network service including the network element or function affected by the security incident and the procedure for effecting the modification are provided,
changing a path of the network service including the network element or function affected by the security incident for being directed to at least one existing virtual security function or physical security function, selecting the at least one existing virtual security function or physical security function to which the path is to be directed and determining a procedure for effecting the change of the path to the at least one virtual security function or physical security function in the network service during operation of the network service, wherein, as the information indicating the determined countermeasures, the at least one virtual security function or physical security function to which the path is to be changed, and the procedure for effecting the change of the path are provided, and terminating the network service, wherein, as the information indicating the determined countermeasures, the indication to terminate the network service is provided.
51. The method according to claim 49 or 50, further including
obtaining the analysis result of the security incident by conducting an own analysis on the basis of the notification about the security incident at a network element or function involved in the network service received from the security monitoring element or function, or
receiving and processing the analysis result from an external analysis process.
52. The method according to any of claims 49 to 51, further comprising
obtaining the notification about the security incident at a network element or function involved in the network service from a security monitoring element or function configured to monitor the communication network and to recognize security related incidents in the communication network occurring at network elements or functions involved in the network service, the security monitoring element or function being an internal or external function.
53. The method according to any of claims 49 to 52, wherein the notification about the security incident at a network element or function involved in the network service is related to at least one of virtual network functions and physical network functions involved in the network service.
54. The method according to any of claims 49 to 53, further including
forwarding information indicating the determined countermeasures and information indicating at least one of an introduction and a modification of the security setting for the network service to a service tool of a network administrator of the communication network, wherein the information indicating countermeasures is provided when the countermeasures are confirmed by the network administrator.
55. The method according to any of claims 49 to 54, further including
receiving and storing information indicating paths of the network service being allowed to be automatically modified in case of a security incident,
checking, when obtaining the analysis result of the security incident, whether countermeasures related to the security incident concern a path allowed to be automatically modified, and
in case the check is affirmative, sending the information indicating the determined countermeasures to a network function virtualization control element or function.
56. The method according to any of claims 49 to , wherein the information indicating the determined countermeasures includes a modified network service description and a network service change indication generated by a security control element or function managing at least one virtual network function involved in the network service.
57. The method according to any of claims 49 to 56, further including considering, when determining countermeasures related to the security incident, at least one of
a type of attack causing the security incident,
a type of the network element or function being affected by the security incident, a location of the network element or function being affected by the security incident, and
an operation state of a path of the network service including the network element or function being affected by the security incident.
58. The method according to any of claims 49 to 57, further including
using, as countermeasures related to the security incident, at least one of interrupting permanently a connection to the path of the network service including the network element or function being affected by the security incident,
interrupting temporarily a connection to the path of the network service including the network element or function being affected by the security incident,
introducing at least one new virtual security function in the path of the network service including the network element or function being affected by the security incident, modifying at least one virtual or physical security function existing in the path of the network service including the network element or function being affected by the security incident,
redirecting at least a part of the path of the network service including the network element or function being affected by the security incident to at least one virtual or physical security function,
modifying at least one virtual or physical network function existing in the path of the network service including the network element or function being affected by the security incident,
deleting the network element or function being affected by the security incident from the network service,
checking an integrity of the network element or function being affected by the security incident from the network service,
rehealing the network element or function being affected by the security incident from the network service,
reconfiguring the path of the network service including the network element or function being affected by the security incident as a honeypot path for learning behavior of the security incident, redefining security related attributes of network elements or functions of the path including the network element or function being affected by the security incident for enabling introduction of the at least one virtual security function to be introduced as countermeasure, and
establishing of a replacement path including network elements or function corresponding to the network elements or functions of the path including the network element or function being affected by the security incident and the at least one virtual security function to be introduced as countermeasure.
59. The method according to any of claims 49 to 58, further including
conducting at least one of configuring security policies of the at least one virtual security function being introduced as countermeasure and adapting security policies of existing security functions of the network service.
60. The method according to any of claims 49 to 59, further including
providing, as information indicating the determined countermeasures, information causing a modification of the network service including
immediately interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function, installing a new version of the network element or function being affected by the security incident or checking integrity of the network element or function being affected by the security incident,
re-connecting the network element or function being affected by the security incident or connecting the new version of the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and
restarting or continuing processing with network service.
61. The method according to any of claims 49 to 59, further including
providing, as information indicating the determined countermeasures, information causing a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function, configuring security policies of the new or modified virtual security function, interrupting the connection to the path of the network service including the network element or function being affected by the security incident,
analyzing the network element or function being affected by the security incident, rehealing or relaunching the network element or function being affected by the security incident on the basis of the analyzing result,
re-connecting the network element or function being affected by the security incident via the new or modified virtual security function to the network service, and restarting or continuing processing with network service.
62. The method according to any of claims 49 to 59, further including
providing, as information indicating the determined countermeasures, information causing a modification of the network service including
instantiating a new virtual security function to be introduced or modifying an existing virtual security function,
configuring security policies of the new or modified virtual security function, instantiating a new virtual network element or function corresponding to the network element or function being affected by the security incident,
connecting the new virtual network element or function via the new or modified virtual security function to the network service in parallel to the path including the network element or function being affected by the security incident,
stopping establishment of new connections to the path of the network service including the network element or function being affected by the security incident and starting establishment of new connections to the path of the network service including the new virtual network element or function and the new or modified virtual security function,
checking whether any active connection remains on the path of the network service including the network element or function being affected by the security incident, and
if the result of the check is negative, interrupting the connection to the path of the network service including the network element or function being affected by the security incident.
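As an added illustration that is not code from the patent or from Nokia, the following Python model walks through the parallel-path replacement procedure of claim 62 (instantiate a new virtual security function and a replacement element, connect them in parallel, stop new connections on the affected path, and interrupt it only once no active connection remains) and gates it on the automatic-modification allow-list of claim 55. Path names, function names and the placement of the security function directly in front of the replacement element are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Path:
    """One path of the network service: an ordered chain of network element or
    function names plus the bookkeeping needed to drain it safely."""
    name: str
    chain: List[str]
    accepting_new: bool = True   # may new connections still be established here?
    connected: bool = True       # is the path still attached to the service?
    active: Set[str] = field(default_factory=set)  # ids of live connections


@dataclass
class NetworkService:
    paths: Dict[str, Path] = field(default_factory=dict)
    # Claim 55: paths the administrator allowed to be modified automatically.
    auto_modifiable: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def open_connection(self, conn_id: str, candidates: List[str]) -> Optional[str]:
        """Establish a new connection on the first candidate path that is still
        connected and accepting new connections; returns that path's name."""
        for name in candidates:
            p = self.paths[name]
            if p.connected and p.accepting_new:
                p.active.add(conn_id)
                return name
        return None

    def close_connection(self, conn_id: str) -> None:
        for p in self.paths.values():
            p.active.discard(conn_id)


def prepare_replacement_path(svc: NetworkService, old: str, affected: str,
                             vsf: str, replacement: str) -> Optional[str]:
    """Claim 62, first steps: instantiate the new VSF and a replacement for the
    affected element, connect them in parallel to the old path, then stop new
    connections on the old path so they land on the new one. Returns the new
    path name, or None when the old path is not on the claim 55 allow-list
    (the countermeasure then needs administrator confirmation, claim 54)."""
    if old not in svc.auto_modifiable:
        svc.log.append(f"{old}: not auto-modifiable, escalate to administrator")
        return None
    old_path = svc.paths[old]
    # Hypothetical ordering: the VSF sits directly in front of the replacement
    # element so that every connection to it traverses the security function.
    new_chain: List[str] = []
    for fn in old_path.chain:
        new_chain += [vsf, replacement] if fn == affected else [fn]
    new_name = f"{old}-repl"
    svc.paths[new_name] = Path(new_name, new_chain)  # connected in parallel
    svc.log.append(f"instantiated {vsf} and {replacement} on path {new_name}")
    old_path.accepting_new = False                   # stop new connections
    svc.log.append(f"{old}: no longer accepting new connections")
    return new_name


def interrupt_when_drained(svc: NetworkService, old: str) -> bool:
    """Claim 62, final steps: check for remaining active connections and
    interrupt the old path only when none remain. Returns True if interrupted."""
    old_path = svc.paths[old]
    if old_path.active:
        svc.log.append(f"{old}: {len(old_path.active)} active connection(s), keep")
        return False
    old_path.connected = False
    svc.log.append(f"{old}: drained, connection interrupted")
    return True
```

Calling `interrupt_when_drained` repeatedly (for example from a timer) while existing connections close gives the graceful cut-over the claim describes; a path outside the allow-list is never touched automatically.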
63. The method according to any of claims 49 to 62, further including checking whether a path of the network service including the network element or function being affected by the security incident is suitable for introducing the at least one virtual security function, and when the result of the check is negative, and
preparing the path of the network service including the network element or function being affected by the security incident for introducing the at least one virtual security function by assigning or re-assigning security related attributes concerning at least one of an encryption used on the path or a location of virtual network elements or functions of the network service.
64. The method according to any of claims 49 to 63, wherein the method is implemented in a security control element or function included in a security orchestrator configured to execute security-related management tasks in the communication network comprising virtualized network parts.
65. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to execute a process comprising
managing, by a network function virtualization control element or function, at least one virtual network function involved in a network service established in a communication network comprising virtualized network parts,
executing, by a security control element or function, security-related management tasks in the communication network comprising virtualized network parts, and
monitoring, by a security monitoring element or function, the communication network and recognizing security related incidents in the communication network occurring at network elements or functions involved in the network service,
wherein the method further includes, during an operation of the network service, notifying about a security incident at a network element or function involved in the network service,
obtaining an analysis result of the security incident,
determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and
receiving and processing information indicating the determined countermeasures and initiating a modification of the network service for realizing the countermeasures.
66. A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to execute a process comprising
receiving and processing, during an operation of a network service established in a communication network comprising virtualized network parts and including at least one virtual network function, a notification about a security incident at a network element or function involved in the network service,
obtaining, during the operation of the network service, an analysis result of the security incident,
determining countermeasures related to the security incident, the countermeasures including a modification of the network service during operation by at least one of introducing and modifying a security setting for the network service, and providing information indicating the determined countermeasures for initiating a modification of the network service for realizing the countermeasures.
67. A computer program product for a computer, including software code portions for performing the steps of any of claims 17 to 32 or any of claims 49 to 64 when said product is run on the computer.
68. The computer program product according to claim 67, wherein
the computer program product includes a computer-readable medium on which said software code portions are stored, and/or
the computer program product is directly loadable into the internal memory of the computer and/or transmittable via a network by means of at least one of upload, download and push procedures.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/058403 WO2017178068A1 (en) 2016-04-15 2016-04-15 Mechanism for modyfying security setting of a network service including virtual network parts

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/058403 WO2017178068A1 (en) 2016-04-15 2016-04-15 Mechanism for modyfying security setting of a network service including virtual network parts

Publications (1)

Publication Number Publication Date
WO2017178068A1 true WO2017178068A1 (en) 2017-10-19

Family

ID=55755593

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/058403 WO2017178068A1 (en) 2016-04-15 2016-04-15 Mechanism for modyfying security setting of a network service including virtual network parts

Country Status (1)

Country Link
WO (1) WO2017178068A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20190067046A (en) * 2017-12-06 2019-06-14 광주과학기술원 A security orchestration system
CN112202724A (en) * 2020-09-09 2021-01-08 绿盟科技集团股份有限公司 Data aggregation method and device of all-in-one arrangement mode
US11316758B2 (en) * 2016-08-18 2022-04-26 Telefonaktiebolaget Lm Ericsson (Publ) Network service design and deployment process for NFV systems
US11418386B2 (en) 2018-03-06 2022-08-16 At&T Intellectual Property I, L.P. Virtual network function creation system
WO2022266490A1 (en) * 2021-06-17 2022-12-22 Commscope Technologies Llc Systems and methods for virtual network function platform security solutions

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120124410A1 (en) * 2010-11-16 2012-05-17 Electronics And Telecommunications Research Institute System and method for self-healing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JAEGER BERND: "Security Orchestrator: Introducing a Security Orchestrator in the Context of the ETSI NFV Reference Architecture", 2015 IEEE TRUSTCOM/BIGDATASE/ISPA, IEEE, vol. 1, 20 August 2015 (2015-08-20), pages 1255 - 1260, XP032819786, DOI: 10.1109/TRUSTCOM.2015.514 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11316758B2 (en) * 2016-08-18 2022-04-26 Telefonaktiebolaget Lm Ericsson (Publ) Network service design and deployment process for NFV systems
KR20190067046A (en) * 2017-12-06 2019-06-14 광주과학기술원 A security orchestration system
KR102034883B1 (en) * 2017-12-06 2019-10-21 광주과학기술원 A security orchestration system
US11418386B2 (en) 2018-03-06 2022-08-16 At&T Intellectual Property I, L.P. Virtual network function creation system
CN112202724A (en) * 2020-09-09 2021-01-08 绿盟科技集团股份有限公司 Data aggregation method and device of all-in-one arrangement mode
CN112202724B (en) * 2020-09-09 2023-04-07 绿盟科技集团股份有限公司 Data aggregation method and device of all-in-one arrangement mode
WO2022266490A1 (en) * 2021-06-17 2022-12-22 Commscope Technologies Llc Systems and methods for virtual network function platform security solutions

Similar Documents

Publication Publication Date Title
US20180316730A1 (en) Security mechanism for communication network including virtual network functions
US10721258B2 (en) Technologies for secure personalization of a security monitoring virtual network function
EP3494682B1 (en) Security-on-demand architecture
EP3257212A1 (en) Security mechanism for hybrid networks
US11863588B2 (en) Dynamically tailored trust for secure application-service networking in an enterprise
Reynaud et al. Attacks against network functions virtualization and software-defined networking: State-of-the-art
US10666689B2 (en) Security in software defined network
WO2017178068A1 (en) Mechanism for modyfying security setting of a network service including virtual network parts
EP3676699B1 (en) Apparatus and method for configuring and monitoring virtual applications
CN108370368B (en) Security policy deployment method and device
US20090185500A1 (en) Virtualization of networking services
US9781632B2 (en) Interaction and migration of EPC towards virtualized mobile backhaul/sharing of RAT (eNB, RNC, BSC)
CN116601919A (en) Dynamic optimization of client application access via a Secure Access Service Edge (SASE) Network Optimization Controller (NOC)
US11163584B2 (en) User device compliance-profile-based access to virtual sessions and select virtual session capabilities
WO2018075930A1 (en) Determining and communicating security posture attributes
Adam et al. Framework for security event management in 5G
US20240089178A1 (en) Network service processing method, system, and gateway device
KR101883712B1 (en) Method, apparatus and computer program for managing a network function virtualization system
US20230179638A1 (en) Method and apparatus for preventing network attacks in a network slice
Bernini et al. Combined NFV and SDN applications for mitigation of cyber-attacks conducted by botnets in 5G mobile networks
Budigiri et al. Zero-cost in-depth enforcement of network policies for low-latency cloud-native systems
Yadav SD-WAN Service Analysis, Solution, and its Applications
Frank et al. Securing smart homes with openflow
US20230199628A1 (en) Systems and methods for modeling container-based network functions
Bonafiglia et al. Offloading personal security applications to a secure and trusted network node

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16716868

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16716868

Country of ref document: EP

Kind code of ref document: A1