Network virtualisation: security challenge or security lifesaver?

It’s been a long time coming, but traditional networks are now transitioning to virtualised network functions and controllers. Telcos, MNOs and hosting companies are all deploying SDN and NFV technologies, as part of an overall shift from relatively inflexible hardware-based architectures to nimbler, faster, more scalable virtualised deployments.

They will impact the way networks are designed, built and managed, making it easier and faster to adjust key performance characteristics, implement new connections and new routes.

One of the benefits of SDN is that it centralises the operation and maintenance costs of the virtual network, enabling unified monitoring of all data traffic, whether on networks or in the cloud.

> See also: A match made in heaven: why analytics and SDN are perfect partners

Virtual machines can be quickly provisioned in datacentres, new in-line services built into the network, or new connections added between site locations or the cloud.  SDN also allows security services and policies to be controlled, automated, and provisioned to every device on the network from a single point.

Meanwhile, NFV enables network functions to be implemented in software that can run on generic computing hardware – so the functions can be deployed anywhere in the network without having to install new hardware or physical appliances. This enables rapid provisioning and deployments in minutes, not weeks, saves costs and boosts flexibility, while maintaining protection and functionality.

Centralised strengths – and weaknesses

But these new architectures also mean new security challenges for the organisations deploying them, too.

As SDN and NFV redefine the network into a virtualised environment, with centralised controller and management capabilities determining where to execute the virtualised network functions, the traditional approach to network security need to be extended and modified.

For example, that centralisation of network capabilities can also be a weakness – for example, if the SDN controller or server itself is compromised, the attacker has the virtualised network at his mercy.

Data on the network can be intercepted, malware injected onto the network, traffic can be rerouted, and more. There is also the issue of how the controller would deal with an outage, a DoS attack or unexpected traffic flows. Does it have the throughput and performance to deal with the issue?

However, these issues can be addressed by applying appropriate layers of security protections. The primary consideration is securing access to the SDN controller, and verifying connections between the controller and nodes using encrypted VPNs to communicate with routers and switches.

This prevents malicious data reaching the controller. High availability is also an important issue: data must flow freely, so the security solution must have maximum availability and throughput. The security management engine should also give a comprehensive, single view of the network to enable rapid identification of, and response to any threats.

Delivering strong security in SDN & NFV environments

To create a strong, secured NFV environment, protections need to be applied at three layers: the NFV platform itself; in the virtualized network zones; and with the business applications.

The NFV platform, which includes the physical nodes in the data center, the networks connecting them and the management systems, is protected using high-capacity, carrier-grade security appliances.

To protect the virtualised network zones, virtual security appliances are deployed, to separate network tenancy zones and segregate traffic, taking advantage of the inherent high performance, lower cost, and flexibility of virtualised environments.

> See also: A bird's eye view of software-defined networking

At the application level, virtualised functions that support business applications – such as a mobile network operator’s packet core, or subscriber services – are run in the virtualised network security zones. Additional security checks such as authentication can also be deployed in this layer.

Ultimately, SDN and NFV is all about virtualising large-scale IT resources to deliver the critical network functions that organisations need, without requiring the presence of specialised physical appliances.

This allows organisations to use commercial-off-the-shelf platforms to run their virtualised networks, reducing costs and complexity while also enabling rapid deployment, scalability and easier management to support their future needs. And by using the right virtualised security solutions, SDN and NFV also enables them to enjoy these advantages without compromising the protection of their networks or data.

Sourced from John Vestberg, CTO of Clavister

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics