Throw a rock at the Internet and network security advice comes pouring out. But try searching for advice on NFV and SDN security, and suddenly information slows to a trickle.
Yet security concerns should be front-and-center with these new technologies. “Proposed network function virtualization (NFV) and software defined network (SDN) architectures introduce fundamentally new platforms and virtualized environments, open-source software, and proprietary security solutions,” says Phil Marshall, chief research officer, Tolaga. “Extensive testing must be conducted to ensure that SDN and NFV solutions are secure for the use cases in which they are implemented.”
SDN and NFV are inexorably morphing from buzzwords to applicable tech as data traffic skyrockets, forcing data center upgrades. “Enterprises and service providers are upgrading data centers to support huge increases in traffic and handle the massive waves of attacks they face every day,” says Jeff Wilson, principal analyst for security, Infonetics Research. “As a result, we foresee a growth spike in virtual appliance revenue starting in 2016 due to the deployment of the next generation of network infrastructure using SDN and NFV over the next 18 months.”
New deployments demand due diligence, including a sound security strategy, lending weight to Marshall’s advice. Virtualization isn’t a new concept for network engineers, but Andre Kindness, principal analyst serving infrastructure & operations at Forrester, outlines the situation: “While server virtualization topped 80% in 2012, the adoption of storage and network virtualization lags. Vendors have indicated that network virtualization accounts for less than 1% of the business.”
Yet the case for NFV has never been stronger. Kindness again: “Historically, networks were designed, deployed, and managed by network administrators who more closely resembled craftspeople than industrialists. Thus, any change to the network can take days if not months to do since little has been documented or standardized, which means an enormous amount of time is spent on continually learning what was done instead of already having a baseline knowledge of the system.” Most network engineers can relate.
So we have new technologies designed to ‘untangle the wires’ and data usage spikes that mandate change. It’s a perfect storm for SDN/NFV adoption. This means that firms considering these technologies should heed the advice of Scott Hogg, CTO for Global Technology Resources, Inc. (GTRI), who writes in an op-ed piece published in Network World: “As enterprises look to adopt SDN, the top-of-mind issue is the concern for security.”
Build in security from the get-go
“SDN is an approach to networking that separates the control plane from the forwarding plane to support virtualization [and forms] a new paradigm for network virtualization,” writes Hogg. “Most SDN architecture models have three layers: a lower layer of SDN-capable network devices, a middle layer of SDN controller(s), and a higher layer that includes the applications and services that request or configure the SDN.”
“Even though many SDN systems are relatively new and SDN is still in the realm of the early adopters,” cautions Hogg, “we can be sure that as the technology matures and is more widely deployed, it will become a target for attackers.”
Firms should bake security into their plans from the beginning. “The transition from conventional to software-defined networking is a significant one, so IT must rethink how the network will operate once the control plane is separated from the data plane and centralized in a controller,” writes Greg Ferro, network architect and blogger, on Dark Reading. “Security pros must demand a voice in the SDN adoption process.”
Programmability > paradigm shift
“Few companies are making the move to SDN in one fell swoop,” writes Ferro. But he adds that they will move “to improve service delivery, gain deeper visibility into applications using the network, and achieve higher levels of automation. Enterprise SDN deployments today tend to be tied to private cloud infrastructures and based on OpenStack or VMware vCloud, where SDN is used as the networking component. Programmability is SDN’s forte and key to a successful private cloud.”
“SDN and NFV brought a paradigm shift to the ICT industry,” says Jess Li, principal architect, CTO group, marketing and solutions, strategy & platforms, ZTE. “More network resources will be COTS servers rather than purpose-built hardware, and more network functions will be deployed in data center environments instead of telcos.”
The benefits of SDN’s layered architecture (forwarding, control, and applications) rely on centralized control and network programmability, she says. “But they also raise security concerns - any security vulnerabilities related to SDN and NFV open architecture and its software-centric implementation will be exploited just as much as a legacy network, if not more.”
“SDN has many benefits but also poses new threats, particularly with the emergence of open-source and virtualized environments,” says Shahid Ahmed, managing director, Accenture. “It’s critical to consider threats, risk exposure, operational impact, performance, scale, and compliance in the SDN-based data centers of the future.”
Open-source software is a double-edged sword, says Ahmed. “Open source is a threat and opportunity - the threat is that open-source opens up [the] network in ways that legacy proprietary physical hardware does not. [But] at the same time, an open-source platform reduces both opex and capex costs and enables Internet economics - for example, the cost of launching new service is [typically] negligible.”
Steep and muddy learning curve
Comments from experts like these show that deploying NFV/SDN will be a steep - and likely slippery - slope for telcos. The benefits are quantifiable, and, as Jeff Wilson from Infonetics puts it: “Not since the Beatles [arrived in the USA] to perform on The Ed Sullivan Show has there been so much hysteria - yet few understand SDN and its components. SDN fanatics theorize that enterprises will embrace this technology/solution because it will open the door for other teams outside networking to harness the network’s power, allow the network to automatically flex and efficiently match services to the business’ demand, or be an avenue for lowering capital expenditures by moving to white-box switches.”
All of that may be true, but does it require a steep learning curve for operators used to thinking of security in the traditional telco world of proprietary boxes, or is it simply a matter of applying familiar tools and policies in a new way?
“This is going to be a steep learning curve,” declares Ahmed. “Many enterprise networking practices can be leveraged by carriers for their own SDN environments: software engineering, IP networking, open-source, change control and change management skills will be needed. A massive retooling and re-skilling effort will be needed by the carrier.”
“There is certainly a learning curve to plan and deploy security over a SDN/NFV architecture,” says Li from ZTE. “SDN/NFV will evolve as it is adopted into the network, and so will security issues and vulnerabilities. The best defense is to apply currently known effective security solutions over the new SDN/NFV platform, then adapt and augment as new security issues and vulnerabilities are identified or exploited.”
“With the [current] emphasis on virtual networks, virtual services, and the dynamic growth of high-speed workloads, the monolithic model that operators have been working with for years is rapidly changing,” says Symantec’s Wilkinson. “As the network collapses into a virtualized environment, the roles of individual specialists (servers, networks, storage) will collapse into a common role. As software-assisted administration - i.e. SDN and NFV - improves, communication between application owners and business strategists and those that manage the day-to-day needs of the application may become fuzzy.”
Whether SDN and NFV move forward and gain acceptance may depend less on the technology itself than on a shortage of skilled analysts who can bridge three things: the business requirements, the security needs of IT, and the audit requirements of the compliance teams, says Wilkinson. “These skills will be in high demand, and could create a bottleneck that can slow the adoption of SDN and NFV.”
“We can only try to anticipate what the attackers may try to target with SDNs,” writes Hogg. “The deployments are new, the protocols are new, the controller software is new, and the history of past SDN attacks is unknown.”
Before an organization embarks on an SDN deployment project, it should consider, during the early design stage, how it will secure the system. “Don’t leave security until the final clean-up phase,” cautions Hogg. “Like most things, setting it up right from the start will save organizations many problems down the road.”
This article first appeared in the Telecom Asia Security Insights May 2015 edition.